11.8 Configuring Client Authentication

Client authentication is the verification of a client by the Oracle Traffic Director virtual server or TCP proxy, based on the certificate that the client presents during the SSL/TLS handshake (mutual TLS).

Client authentication is disabled by default. You can configure an Oracle Traffic Director listener to require, or optionally request, a certificate from connecting clients, by using either the administration console or the CLI.

Note:

The CLI examples in this section are shown in shell mode (tadm>). For information about invoking the CLI shell, see Section 2.3.1, "Accessing the Command-Line Interface."

Configuring Client Authentication Using the Administration Console

To enable client authentication for a listener by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Configurations button that is situated at the upper left corner of the page.

    A list of the available configurations is displayed.

  3. Select the configuration for which you want to enable client authentication for listeners.

  4. In the navigation pane, expand Listeners, and select the listener for which you want to configure client authentication.

    The Listener Settings page is displayed.

  5. Go to the Advanced Settings section of the page and scroll down to the SSL/TLS subsection.

  6. Select the required Client Authentication mode.

    • Required: The server requests a certificate from the client; if the client does not present one, the connection is closed.

    • Optional: The server requests a certificate from the client but does not require one. The connection is established even if the client presents no certificate, so this mode provides authentication only if the application behind the listener checks whether a certificate was presented and acts on the result.

    • False (default): Client authentication is disabled; the server does not request a certificate.

  7. Specify the Authentication Timeout (how long the server waits for the client's authentication data) and Maximum Authentication Data (the maximum number of bytes of authentication data the server buffers) parameters.

    On-screen help and prompts are provided for all of the parameters.

    When you change the value in a field or tab out of a text field that you changed, the Save button near the upper right corner of the page is enabled.

    At any time, you can discard the changes by clicking the Reset button.

  8. After making the required changes, click Save.

    • A message, confirming that the updated listener was saved, is displayed in the Console Messages pane.

    • In addition, the Deployment Pending message is displayed at the top of the main pane. You can either deploy the updated configuration immediately by clicking Deploy Changes, or you can do so later after making further changes as described in Section 4.3, "Deploying a Configuration."

Configuring Client Authentication Using the CLI

To enable client authentication for an HTTP or TCP listener, run the set-ssl-prop command.

For example, the following command makes client authentication mandatory for the listener http-listener-1, with 60 seconds as the authentication time-out duration and 262144 bytes as the maximum length of authentication data that can be buffered.

tadm> set-ssl-prop --config=soa --http-listener=http-listener-1 client-auth=required max-client-auth-data=262144 client-auth-timeout=60
OTD-70201 Command 'set-ssl-prop' ran successfully.

The change is not effective until you deploy the updated configuration to the Oracle Traffic Director instances, by using the deploy-config command (or Deploy Changes in the administration console).
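Whether the listener was configured through the administration console or with set-ssl-prop, the setting is only worth trusting once it has been verified from the outside after deployment. The following script is an added example, not part of this documentation or of the Oracle Traffic Director product: it connects to a deployed listener with openssl s_client twice, once without and once with a client certificate, classifies each transcript, and reports which of the three modes described above the listener behaves as. The host, certificate, key and CA file paths are assumptions supplied by the operator; the client certificate must be issued by a CA the listener trusts.

```shell
#!/bin/sh
# probe_client_auth.sh -- added example, not Oracle Traffic Director code.
# Usage: sh probe_client_auth.sh HOST:PORT CLIENT_CERT.pem CLIENT_KEY.pem [CA.pem]
# HOST:PORT, the certificate, the key and the CA bundle are operator-supplied
# assumptions; the script needs the openssl command on the path.

# classify_transcript TRANSCRIPT: what the listener did with the connection.
#   rejected  -- a fatal TLS alert was received (handshake failure, certificate
#                required, bad certificate, ...); covers the error-line form
#                "SSL alert number N" and the -state form ":fatal:"
#   accepted  -- the handshake completed (s_client prints a verify return code)
#   error     -- neither: connection refused, DNS failure, wrong port, ...
# A TLS 1.3 rejection prints the verify line first and the alert afterwards,
# so the alert check must come first.
classify_transcript() {
    case "$1" in
        *"SSL alert number "*|*":fatal:"*) echo rejected ;;
        *"Verify return code"*)            echo accepted ;;
        *)                                 echo error ;;
    esac
}

# cert_requested TRANSCRIPT: did the listener send a CertificateRequest?
# Each of these lines is printed by s_client only after a CertificateRequest
# was received. Heuristic: with TLS 1.3 and an empty trusted-CA list none of
# them appears, and "optional" would then be reported as "false".
cert_requested() {
    case "$1" in
        *"Acceptable client certificate CA names"*|*"Client Certificate Types"*|*"Requested Signature Algorithms"*) echo yes ;;
        *) echo no ;;
    esac
}

# verdict NO_CERT_OUTCOME NO_CERT_REQUESTED WITH_CERT_OUTCOME: map the two
# probes onto the listener modes: required, optional, false.
verdict() {
    case "$1/$2/$3" in
        rejected/*/accepted)   echo required ;;
        accepted/yes/accepted) echo optional ;;
        accepted/no/accepted)  echo false ;;
        */*/rejected)          echo cert-rejected ;;   # issuer not trusted, or key/cert mismatch
        *)                     echo inconclusive ;;
    esac
}

# probe HOST:PORT [CERT KEY] [CA]: run openssl s_client and print its transcript.
probe() {
    target=$1 cert=$2 key=$3 ca=$4
    set -- -connect "$target" -servername "${target%%:*}" -ign_eof
    [ -n "$cert" ] && set -- "$@" -cert "$cert" -key "$key"
    [ -n "$ca" ] && set -- "$@" -CAfile "$ca"
    # HTTP/1.0 makes an HTTP listener close the connection so s_client exits;
    # -ign_eof keeps s_client reading until then, so an alert a TLS 1.3 server
    # sends after the handshake (certificate_required) is still captured.
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client "$@" 2>&1 || true
}

# Live probe only when a target and a client certificate/key are given.
if [ $# -ge 3 ]; then
    no_cert=$(probe "$1" "" "" "$4")
    with_cert=$(probe "$1" "$2" "$3" "$4")
    mode=$(verdict "$(classify_transcript "$no_cert")" \
                   "$(cert_requested "$no_cert")" \
                   "$(classify_transcript "$with_cert")")
    echo "listener $1 behaves as client-auth=$mode"
fi
```

A result of required confirms that the deployed listener refuses anonymous clients and accepts the test certificate. cert-rejected means the listener does not trust the certificate's issuer (or the key does not match the certificate), which is the case to investigate before assuming the setting itself is wrong. The distinction between optional and false rests on the server sending a CertificateRequest with a non-empty CA list; when in doubt, confirm the mode with get-ssl-prop or the Listener Settings page rather than from the client side.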

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.