Skip to content

Allow sources to authenticate using client certificates #411

Description

@nilmerg

Over HTTPS, sources should be able to use a certificate instead of a username and password. When configuring the source, you will need to specify the expected Common Name (CN) of the certificate. A global configuration decides how certificates should be validated (single CA certificate, path to a bundle).

Not all sources are to be forced to provide client certificates, such must be optional. At least one way must be configured, username+password or certificate CN.

Database

The source table gets a new column:

  • client_certificate_cn varchar(64) DEFAULT NULL

Configuration

A global configuration is introduced to configure how client certificates are to be verified.

ICINGA_NOTIFICATIONS_LISTENER_CA

#430 introduced a configuration option client_auth. It should be dropped and the listener should default to VerifyClientCertIfGiven in case a CA has been configured.

Maintenance

As in #388 this is up to the administrator which is why the reference to the CA certificate or bundle can only be a path to ease rotating it automatically.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Fields

No fields configured for Task.

Projects

Status
In progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions