Configure the Mutual Authentication behavior

This behavior affects how clients can authenticate themselves to edge servers and how control groups are authorized to access topics. When added, this behavior allows users to authenticate their requests with valid client certificates. It also lets you extract client identifiers or access authorization groups from client certificates and store them as variables for further regex, substring, and hash transformations.

Use this procedure only if you want to use Mutual Authentication as your authentication method.

  1. In the Property Configuration Settings section, click Add Behavior.

  2. Search for and select the Mutual Authentication behavior.

  3. Click Insert Behavior.

  4. Find your newly added behavior in the Behaviors section.

  5. From Extract from Certificate Field, select the name of the field or attribute in the client certificate that you want to extract a variable from.

  6. In Store as Variable, define how to store the value extracted from the client certificate.

Variable hash transformation

Together with the Mutual Authentication behavior, this behavior affects how clients can authenticate themselves to edge servers and how groups within namespaces are authorized to access topics. It transforms the source string extracted from the client certificate and stored as a variable (either Client ID or Authorized Group(s)), generating a hash value with the selected hash algorithm.

  1. In the Property Configuration Settings section, click Add Behavior.

  2. Search for and select the Variable Hash Transformation behavior.

  3. Click Insert Behavior.

  4. Find your newly added behavior in the Behaviors section.

  5. Select the hash Algorithm.

  6. Enter your Secret Key.

Ideally, it should be long enough to provide adequate security.

Example

In this example, Client ID is stored in a fingerprint sha1 field of the certificate.

The value of the fingerprint sha1 field is d1908c78aac916de0e0836dc01c45075297029d5 and the selected hashing algorithm is SHA-256.

It's transformed using the Variable Hash Transformation behavior. Secret Key is a4b784749ar5tx4.

After the transformation, the extracted value is 2f3d6dd4a470963f321d55aee62e3af4b530e5cbbaf124b863e943fd71df3d64.

[Image: variable-hash-transformation-example]

Variable regex transformation

Together with the Mutual Authentication behavior, this behavior affects how clients can authenticate themselves to edge servers and how groups within namespaces are authorized to access topics. It transforms the source string extracted from the client certificate and stored as a variable (either Client ID or Authorized Group(s)), producing a result string based on a regular expression search pattern.

  1. In the Property Configuration Settings section, click Add Behavior.

  2. Search for and select the Variable Regex Transformation behavior.

  3. Click Insert Behavior.

  4. Find your newly added behavior in the Behaviors section.

  5. Enter Regex Pattern.

Variable substring transformation

Together with the Mutual Authentication behavior, this behavior affects how clients can authenticate themselves to edge servers and how groups within namespaces are authorized to access topics. It transforms the source string extracted from the client certificate and stored as a variable (either Client ID or Authorized Group(s)), producing a result substring of that source string.

  1. In the Property Configuration Settings section, click Add Behavior.

  2. Search for and select the Variable Substring Transformation behavior.

  3. Click Insert Behavior.

  4. Find your newly added behavior in the Behaviors section.

  5. In Start, select the first character of your string. Use zero-based indexing.

To start extracting from the first character, you can leave this field empty.

  6. In End, select the last character of your string. Use zero-based indexing.

To stop extracting at the last character, you can leave this field empty.

Example

In this example, Authorized Group(s) are stored in the serial number field of the certificate. The whole field contains more information, but we need only the first 6 digits.

In this certificate, the serial number field has the following value: 12345678910111213.

[Image: variable-substring-transformation-example]

The resulting value for Authorized Group(s) is 12345.
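The following is an added Python example, not Akamai's implementation of these behaviors, that models the whole chain described on this page: extracting a certificate field into a variable, then applying the Variable Hash, Variable Regex and Variable Substring transformations to it before the value is used for authorization. Several points are assumptions because the page does not state them: the Secret Key is treated as an HMAC key over the extracted value (so the digest is not expected to reproduce the page's example output), the regex result is taken as the first capture group, End is read as the zero-based index of the last character kept (as step 6 words it, so Start=0, End=4 gives the page's result 12345), the field names and the topic ACL are constructed placeholders, and the input values are the ones from the page's two examples.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed stand-in for the fields the Mutual Authentication behavior can
# extract from a client certificate. The values are the ones in the page's
# examples; the field names are placeholders, not the UI's option names.
CLIENT_CERT_FIELDS = {
    "fingerprint_sha1": "d1908c78aac916de0e0836dc01c45075297029d5",
    "serial_number": "12345678910111213",
}


def extract_from_certificate(fields: dict, field_name: str) -> str:
    """Extract from Certificate Field: copy one certificate field into a variable."""
    if field_name not in fields:
        raise ValueError(f"client certificate has no field {field_name!r}")
    return fields[field_name]


def hash_transform(value: str, secret_key: str, algorithm: str = "sha256") -> str:
    """Variable Hash Transformation.

    ASSUMPTION: the Secret Key is used as an HMAC key over the extracted value.
    The page does not state the keyed construction, so this digest is not
    expected to reproduce the page's example output.
    """
    if not secret_key:
        raise ValueError("Secret Key must not be empty")
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm {algorithm!r}")
    return hmac.new(secret_key.encode(), value.encode(), algorithm).hexdigest()


def regex_transform(value: str, pattern: str) -> str:
    """Variable Regex Transformation: search the value with the pattern and
    return the first capture group, or the whole match when the pattern has
    no group (assumed result semantics)."""
    match = re.search(pattern, value)
    if match is None:
        raise ValueError(f"pattern {pattern!r} did not match {value!r}")
    return match.group(1) if match.lastindex else match.group(0)


def substring_transform(value: str, start: Optional[int] = None,
                        end: Optional[int] = None) -> str:
    """Variable Substring Transformation.

    Start and End are zero-based indexes of the first and last character to
    keep (the page's wording); an empty Start (None) means the first character
    and an empty End (None) means the last character.
    """
    first = 0 if start is None else start
    last = len(value) - 1 if end is None else end
    if first < 0 or last >= len(value) or first > last:
        raise ValueError(f"substring bounds {first}..{last} fall outside the value")
    return value[first:last + 1]


def group_is_authorized(group: str, topic: str, acl: dict) -> bool:
    """Authorization step the transformed Authorized Group(s) variable feeds:
    the group may access the topic only if the (constructed) ACL lists it."""
    return group in acl.get(topic, ())


def page_substring_example() -> str:
    """The page's substring example: Start=0, End=4 (zero-based, inclusive)
    on the serial number yields the page's result 12345."""
    serial = extract_from_certificate(CLIENT_CERT_FIELDS, "serial_number")
    return substring_transform(serial, 0, 4)


def page_hash_example() -> str:
    """The page's hash example under the HMAC assumption above (64 hex chars)."""
    fingerprint = extract_from_certificate(CLIENT_CERT_FIELDS, "fingerprint_sha1")
    return hash_transform(fingerprint, "a4b784749ar5tx4", "sha256")


if __name__ == "__main__":
    print("Client ID (hashed):", page_hash_example())
    group = page_substring_example()
    print("Authorized Group(s):", group)
    acl = {"sensors/temperature": {"12345"}}  # constructed topic ACL
    print("may access sensors/temperature:",
          group_is_authorized(group, "sensors/temperature", acl))
```

Two points worth noting when reading this against the UI steps: the substring bounds are validated before slicing, so a Start or End outside the source string fails closed instead of silently returning a shorter value that might match a different group, and an empty Secret Key is rejected, which is the failure mode the note under step 6 of the hash procedure is warning about.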