ob_ssl_invited_common_names specifies the identity of an application running under the current tenant. The identity comes from the cn (common name) field of the subject of the client certificate in two-way Secure Sockets Layer (SSL) authentication.

| Attribute | Description |
|---|---|
| Type | String |
| Default value | NONE |
| Value range | None |
| Effective upon OBServer node restart | No |

After the server verifies the username and password, it checks the following three conditions. If all three conditions are met, the logon is denied.

- SSL authentication is enabled for the client, and two-way authentication is used for the certificate authority (CA), certificate, or secret key of the client.
- An application allowlist is configured on the server, and the allowlist is not empty.
- The `cn` field of the subject of the client certificate is not included in the allowlist.

If none of these three conditions are met, the allowlist check fails and is ignored.
Here is an example:

```sql
obclient> ALTER SYSTEM SET ob_ssl_invited_common_names = 'ALIPAY';
```
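
The following pre-flight check is an added example, not OceanBase code: it models the three conditions above so you can see which client certificates would be refused before you set the allowlist. The function names and sample subjects are hypothetical, and it assumes an exact, case-sensitive match on `cn` and that a certificate without a `cn` counts as not being in the allowlist.

```python
# Added example: models the documented allowlist check; not OceanBase code.

def subject_cn(subject):
    """Return the first CN value of an RFC 4514 style subject string, or None.

    Simplification: handles backslash-escaped characters such as "\\,",
    but not hex escapes or multi-valued RDNs joined with "+".
    """
    rdns, cur, escaped = [], [], False
    for ch in subject:
        if escaped:                 # keep the escaped character literally
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends one RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    for rdn in rdns:
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None

def logon_denied(two_way_ssl, allowlist, subject):
    """True only when all three documented conditions hold."""
    if not two_way_ssl:             # condition 1 not met
        return False
    if not allowlist:               # condition 2 not met: unset or empty
        return False
    # Condition 3 (assumption: exact match; a missing cn is treated as absent).
    return subject_cn(subject) not in allowlist

def would_be_denied(allowlist, subjects):
    """Subjects that two-way SSL clients would be refused with."""
    return [s for s in subjects if logon_denied(True, allowlist, s)]

# Constructed sample subjects, not taken from any real deployment.
SAMPLE_SUBJECTS = [
    "CN=ALIPAY,O=Example Corp,C=CN",
    "O=Example\\, Inc.,CN=ALIPAY",
    "CN=reporting-app,O=Example Corp",
    "O=Example Corp,C=CN",
]

if __name__ == "__main__":
    for s in would_be_denied(["ALIPAY"], SAMPLE_SUBJECTS):
        print("would be denied:", s)
```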