MarkLogic Certificate based User Authentication
11 July 2017 07:12 PM
MarkLogic 9 introduces Certificate based User Authentication, which allows users to Log into MarkLogic Server without being required to enter user name/password. In previous versions, Certificates were only utilized to restrict client access to MarkLogic Server with the Digest/Basic User Authentication Scheme. Certificate based User Authentication configuration can be achieved using Internal User or External Name based user configurations.
Certificate Authentication: Internal User vs External Name based Authentication:
The difference between Internal User or External Name based authentication lies in the existence of the Certificate CN field based User (
User Certificate Example:
There are few common steps/examples listed to add to clarity. For our example setup, the certificate presented by the App Server User (
CA Certificate (User Cert Signer) Import from Admin GUI
In order to allow MarkLogic Server to accept the Certificate presented by a user, MarkLogic Server needs Certificate Authority (CA) to sign the User Certificate installed into MarkLogic. We can install CA Certificate (below) used to sign
CA Certificate Import into MarkLogic from Query Console
We can also import above Certificate Authority with xquery call pki:insert-trusted-certificates to load the Trusted CA into MarkLogic. The sample Query Console code below demonstrates this process.
(Please ensure this query is executed against the Security database)
Certificate Template & Template CA import into Client (Browser/SSL Client)
To enable SSL App Server, we will either
1) Create Certificate Template to utilize Self Signed Certificate.
or, 2) Import pre-signed Certificate Certificate into MarkLogic
In both of the above cases, we will need to import CA used to sign Certificate used by MarkLogic SSL AppServer into Client Browser/SSL Client (below example clients).
Once template is created, we will link our Template with our App Server to enable SSL based App Server.
Certificate Authentication: CN as Internal User vs External Name based Internal User
Difference between above two lies in if Certificate CN field User (
1.) Certificate Authentication: Certificate CN field value as MarkLogic Security Database Internal User
Steps to configure Certificate based User Authentication for our User
a.) Create User "
b.) On the AppServer page, we will set Authentication schema to "Certificate" with Internal Security to "true". Also, unless you want to have some Users Authenticated as External User as well, you should leave External Security object to "none".
c.) AppServer would also select CA that will be used to sign Client/User Certificate as accepted Certificate Authorities (please see section: CA Certificate earlier for our example).
Once Configured, accessing above App Server with Browser with User Certificate (demoUser1) installed will be able to log into MarkLogic with internal demoUser1 (Note- We will also need to assign necessary Roles to Internal User to access resource as needed).
2.) Certificate Authentication: User Certificate Subject field value as External Name for Internal User
Steps to configure Certificate based User Authentication for our User demoUser1 as MarkLogic External Name for Internal User "newUser1".
a.) Create User "newUser1" with necessary roles in MarkLogic Security (Internal User), and Configure User Certificate Subject field as External Name to User.
b.) Create an External Security object with Certificate based Authentication.
c.) On External Security Object Configuration itself, select CA that will be used to sign Client/User Certificate as accepted Certificate Authorities (please see section: CA Certificate earlier for our example).
Please Note - below Configuration is different then configuring Client CA on App Server (required for Internal User).
d.) For External Name (Cert Subject field) based linkage to Internal User, App Server needs to point to our External Security Object.