Configuring MarkLogic HTTPS Application Servers with SSL client authentication for a Trusted CA Certificate without a named Organization field in the Subject
28 January 2016 07:42 AM
MarkLogic Server organizes Trusted Certificate Authorities (CAs) by Organization Name, the O= field of the certificate Subject. A Trusted Certificate Authority is the issuer of digital certificates, each of which certifies a public key on behalf of the Subject named in the certificate. These certificates are used in the authentication process by:
Consider the following example:
In this example, the Trusted CA's Subject field contains O=MarkLogic Corporation, so the CA certificate is listed under the Organization name "MarkLogic Corporation" in MarkLogic's list of Certificate Authorities.
You can view the full list of currently configured Trusted Certificate Authorities by logging into the MarkLogic Admin Interface (the administration Application Server on port 8001) and navigating to Configure -> Security -> Certificate Authorities.
Trusted CA Certificate without Organization name (O=)
In some cases there are legitimate Trusted CA certificates whose Subject carries no Organization (O=) field at all, and therefore no further information about the organization responsible for the certificate.
The example below shows a sample self-signed root CA (DemoLab CA) that illustrates this scenario:
If this certificate were loaded into MarkLogic, no name would appear for it under Certificate Authorities in the list provided through the Admin Interface at Configure -> Security -> Certificate Authorities.
In the case of the above example it would be difficult to use a certificate issued by DemoLab CA (that is, to use DemoLab CA as our Trusted Certificate Authority) through the Admin Interface, because MarkLogic only lists CA certificates that are associated with an Organization.
To work around this issue, we can configure MarkLogic to trust the certificate by scripting the steps in Query Console instead of using the Admin Interface.
1) Loading the CA using Query Console
Start with a call to pki:insert-trusted-certificates to load the Trusted CA into MarkLogic. The sample Query Console code below demonstrates this process. Please ensure this query is executed against the Security database.
Make a note of the id returned by MarkLogic. It is an unsigned long (xs:unsignedLong) and is the value used later to retrieve and reference that certificate.
2) Attach the Trusted CA to the Application Server's "SSL Client Certificate Authorities" using Query Console
The next step is to associate the certificate we just inserted from the filesystem (DemoLabCA.pem) with a given MarkLogic Application Server. Once this is done, any client connecting to that Application Server over SSL will be asked to present a client certificate, and MarkLogic will only accept a certificate issued by DemoLab CA. Because the CA has no Organization, it is identified by its Common Name (CN=DemoLab CA).
3) Verify the Trusted CA attached as a Client Certificate Authority
Executing the above code should return the same identifier for the Trusted CA as the code in step 1 returned. It also shows that our Application Server (DemoAppServer) is now configured to expect an SSL client certificate issued by DemoLab CA.
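The following Query Console script is an added example, not the KB article's own code, that carries steps 1 to 3 through in a single query so the id from step 1 never has to be copied by hand. It must be run against the Security database. The PEM path (/tmp/DemoLabCA.pem), the group name "Default" and the Application Server name "DemoAppServer" are assumptions; adjust them to your environment. Before trusting anything it also parses the certificate to confirm that the Subject really has a Common Name and no Organization, so the blank entry in Configure -> Security -> Certificate Authorities is expected rather than a sign of a failed import.

```xquery
xquery version "1.0-ml";
(: Added example, not the original KB code. Run against the Security database.
   Assumed values: /tmp/DemoLabCA.pem, group "Default", App Server "DemoAppServer". :)
import module namespace pki   = "http://marklogic.com/xdmp/pki"   at "/MarkLogic/pki.xqy";
import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";
declare namespace x509 = "http://marklogic.com/xdmp/x509";

let $pem := xdmp:filesystem-file("/tmp/DemoLabCA.pem")

(: Sanity check: a CA with no CN would have nothing at all to identify it,
   while a missing O= is the expected condition this procedure works around. :)
let $subject := xdmp:x509-certificate-extract($pem)/x509:subject
let $_ :=
  if (fn:empty($subject/x509:commonName))
  then fn:error((), "CA certificate has no Common Name; it cannot be identified in MarkLogic")
  else ()

(: Step 1: load the CA; the returned xs:unsignedLong is the Trusted CA id :)
let $ca-id := pki:insert-trusted-certificates($pem)

(: Step 2: make that id an SSL client certificate authority for the App Server :)
let $config := admin:get-configuration()
let $as-id  := admin:appserver-get-id($config, admin:group-get-id($config, "Default"), "DemoAppServer")
let $config := admin:appserver-set-ssl-client-certificate-authorities($config, $as-id, $ca-id)
(: Require a client certificate rather than merely accepting one when offered;
   remove this line if client certificates should stay optional on this server. :)
let $config := admin:appserver-set-ssl-require-client-certificate($config, $as-id, fn:true())
let $_ := admin:save-configuration($config)

(: Step 3: read the setting back and compare it with the id from step 1 :)
let $configured := admin:appserver-get-ssl-client-certificate-authorities($config, $as-id)
return (
  fn:concat("Trusted CA id: ", $ca-id),
  fn:concat("CA Common Name: ", $subject/x509:commonName),
  fn:concat("Organization present in Subject: ", fn:exists($subject/x509:organizationName)),
  fn:concat("Attached to DemoAppServer: ", $configured = $ca-id)
)
```

To re-check later, as the article's step 3 does, run only the admin:get-configuration / admin:appserver-get-ssl-client-certificate-authorities part: it should return the same xs:unsignedLong that step 1 produced.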