Authentication with Digital Certificates/SSL
 
Configure the Presto REST API to Use Certificate Authentication
Configure Alternate User ID Extraction
Configure Dynamic User Support
Configure Additional Certificate Validation
There are two aspects of authentication for Presto that you can configure for digital certificates: 1) whether Presto accepts certificates for user authentication and 2) what information Presto uses from the certificates to perform authentication.
Certificate authentication in Presto uses Personal Digital Certificates (PDC) from a client. The default authentication process when Presto receives a certificate looks for a user ID in the CN portion of the certificate's subjectDN. This user ID is authenticated against the User Repository.
If the user ID is valid, authentication is complete and Presto continues with authorization for the request. If the user ID is not valid, the request is rejected.
To enable authentication based on digital certificates:
1. Configure the Presto Server to use mutual SSL. See Configure Presto for SSL and Digital Certificates for instructions.
2. Using any text or XML editor, edit the applicationContext-security.xml file in the web-apps-home/presto/WEB-INF/classes directory and:
a. Remove the comment markers from the <import> statement for the applicationContext-security-authn-x509.xml file.
The configuration would look something like this:
<beans>
  <import resource="applicationContext-security-authn-rememberme.xml" />
  <import resource="applicationContext-security-scheduler.xml" />
  <import resource="applicationContext-security-authn-x509.xml" />
  <!--<import resource="applicationContext-security-authn-rsa.xml" /> -->
  ...
</beans>
b. Save your changes to this file.
3. If needed, change the default certificate authentication behavior with one or more of these options:
* Configure Alternate User ID Extraction to change where Presto obtains the user ID.
* Configure Dynamic User Support to enable Presto to accept certificates for user IDs not found in the User Repository.
* Configure Additional Certificate Validation beyond simple user IDs.
4. Enable certificate authentication for the Presto REST API. See Configure the Presto REST API to Use Certificate Authentication for instructions.
5. If needed, enable certificate caching for the Presto Server.
By default, the Presto Server does not cache user certificates. This ensures that any changes to user identification or authorization are detected as soon as possible but can impact performance. To turn caching on:
a. Using any text or XML editor, edit the applicationContext-security-authn-x509.xml file in the web-apps-home/presto/WEB-INF/classes directory.
b. Find the x509AutheticationProvider bean.
c. Add <property name="certificateCachingEnabled" value="true" /> to the list of properties for this bean.
d. Save your changes to this file.
6. To apply these changes, restart the Presto Server.
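A check for the two files edited in this procedure, run before restarting: it confirms the x509 import is live rather than commented out and reports whether certificate caching was turned on. This is an added example, not Software AG code; the sample XML is constructed, and matching the bean by its `id` attribute is an assumption.

```python
import xml.etree.ElementTree as ET

X509_IMPORT = "applicationContext-security-authn-x509.xml"
PROVIDER_BEAN = "x509AutheticationProvider"  # spelled as in step 5b
CACHE_PROP = "certificateCachingEnabled"

# Constructed sample files (not copied from a real installation).
SECURITY_XML = """<beans>
  <import resource="applicationContext-security-authn-rememberme.xml" />
  <import resource="applicationContext-security-scheduler.xml" />
  <import resource="applicationContext-security-authn-x509.xml" />
  <!--<import resource="applicationContext-security-authn-rsa.xml" /> -->
</beans>"""
X509_XML = """<beans>
  <bean id="x509AutheticationProvider">
    <property name="certificateCachingEnabled" value="true" />
  </bean>
</beans>"""

def _local(tag):
    """Strip an XML namespace so namespaced Spring files also match."""
    return tag.rsplit("}", 1)[-1]

def active_imports(xml_text):
    """Resources of live <import> elements; the parser drops comments."""
    root = ET.fromstring(xml_text)
    return [e.get("resource") for e in root.iter() if _local(e.tag) == "import"]

def caching_enabled(xml_text):
    """True/False for the caching property; None if the bean is not found."""
    for bean in ET.fromstring(xml_text).iter():
        # Assumption: the bean is identified by its id attribute.
        if _local(bean.tag) == "bean" and bean.get("id") == PROVIDER_BEAN:
            return any(_local(p.tag) == "property" and p.get("name") == CACHE_PROP
                       and (p.get("value") or "").strip().lower() == "true"
                       for p in bean)
    return None

def audit(security_xml, x509_xml):
    """Return a list of findings for the two files edited in the procedure."""
    findings = []
    if X509_IMPORT not in active_imports(security_xml):
        findings.append("x509 import missing or still commented out")
    cached = caching_enabled(x509_xml)
    if cached is None:
        findings.append("bean %s not found" % PROVIDER_BEAN)
    elif cached:
        findings.append("certificate caching enabled: user changes are detected later")
    return findings
```

To check a real installation, read the two files from the web-apps-home/presto/WEB-INF/classes directory and pass their contents to `audit()`.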
Copyright © 2006-2015 Software AG, Darmstadt, Germany.
