version 1.2.12.1, 2006/03/24 18:52:12
|
version 1.6.8.2, 2013/09/14 23:08:13
|
|
|
<li><a href="#CONFIGURE">Configuring Pegasus for SSL</a> </li> | <li><a href="#CONFIGURE">Configuring Pegasus for SSL</a> </li> |
<li><a href="#DESIGN">SSL Design Question List</a> </li> | <li><a href="#DESIGN">SSL Design Question List</a> </li> |
<li><a href="#TRUSTSTORE">Truststore Management</a> </li> | <li><a href="#TRUSTSTORE">Truststore Management</a> </li> |
<li><a href="#CLI">ssltrustmgr CLI</a> </li> |
<li><a href="#CLI">cimtrust & cimcrl CLI</a> </li> |
<li><a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a> </li> | <li><a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a> </li> |
<li><a href="#AUTH">SSL Authorization</a> </li> | <li><a href="#AUTH">SSL Authorization</a> </li> |
<li><a href="#EXT">Critical Extension Handling</a> </li> | <li><a href="#EXT">Critical Extension Handling</a> </li> |
|
|
<li>PEP#060 - SSL support in CIM/XML indication delivery</li> | <li>PEP#060 - SSL support in CIM/XML indication delivery</li> |
<li>PEP#074 - SSLContext and Certificate verification interface | <li>PEP#074 - SSLContext and Certificate verification interface |
enhancement</li> | enhancement</li> |
<li>PEP#155 - Support for Client SSL Certificate Verification in CIM |
|
Server for CIMExport requests</li> |
|
<li>PEP#165 - SSL Client Verification</li> | <li>PEP#165 - SSL Client Verification</li> |
<li>PEP#187 - SSL Certificate Management Enhancements</li> | <li>PEP#187 - SSL Certificate Management Enhancements</li> |
<li>PEP#200 - Recommended OpenPegasus 2.5 Build and Configuration | <li>PEP#200 - Recommended OpenPegasus 2.5 Build and Configuration |
|
|
</tr> | </tr> |
<tr> | <tr> |
<td>Truststore</td> | <td>Truststore</td> |
<td>sslTrustStore, exportSSLTruststore</td> |
<td>sslTrustStore</td> |
<td>rwxr-xr-x</td> | <td>rwxr-xr-x</td> |
</tr> | </tr> |
<tr> | <tr> |
|
|
<ul> | <ul> |
<li>The sslKeyFilePath and the sslCertificateFilePath are readable by | <li>The sslKeyFilePath and the sslCertificateFilePath are readable by |
the CIMOM.</li> | the CIMOM.</li> |
<li>The sslTrustStore, exportSSLTrustStore, and crlStore are readable |
<li>The sslTrustStore and crlStore are readable |
by the CIMOM if they are a single file.</li> | by the CIMOM if they are a single file.</li> |
<li>The sslTrustStore, exportSSLTrustStore, and crlStore are readable |
<li>The sslTrustStore and crlStore are readable |
and writable by the CIMOM if they are a directory.</li> | and writable by the CIMOM if they are a directory.</li> |
</ul> | </ul> |
<p> | <p> |
|
|
</p> | </p> |
<p><b>sslClientVerificationMode</b><br> | <p><b>sslClientVerificationMode</b><br> |
This setting controls how the cimserver (i.e. the HTTPS port) is | This setting controls how the cimserver (i.e. the HTTPS port) is |
configured. It does not control the configuration of the export |
configured. There are three possible settings: disabled, required, |
connection. There are three possible settings: disabled, required, |
|
optional. There is no "right" setting for this property. The default is | optional. There is no "right" setting for this property. The default is |
disabled and it is fine to leave the setting as disabled if you are | disabled and it is fine to leave the setting as disabled if you are |
going to use basic authentication to authenticate all client requests. | going to use basic authentication to authenticate all client requests. |
|
|
This setting controls the truststore for the cimserver's HTTPS | This setting controls the truststore for the cimserver's HTTPS |
connection. It can be | connection. It can be |
either a directory or a single root CA file. When set to a directory, | either a directory or a single root CA file. When set to a directory, |
it is recommended that you use the ssltrustmgr CLI to populate the |
it is recommended that you use the cimtrust CLI to populate the |
truststore as there are strict naming requirements for trusted | truststore as there are strict naming requirements for trusted |
certificate files. See the <a href="#CLI">ssltrustmgr CLI</a> |
certificate files. See the <a href="#CLI">cimtrust & cimcrl CLI</a> |
section for further information. | section for further information. |
</p> | </p> |
<p><b>sslTrustStoreUserName</b><br> | <p><b>sslTrustStoreUserName</b><br> |
|
|
will be propagated to providers. If applications desire for there to be | will be propagated to providers. If applications desire for there to be |
a one-to-one correspondence between users and certificates, it is | a one-to-one correspondence between users and certificates, it is |
recommended that each certificate be registered individually using the | recommended that each certificate be registered individually using the |
<a href="#CLI">ssltrustmgr CLI</a>. </p> |
<a href="#CLI">cimtrust CLI</a>. </p> |
<p> <b>crlStore</b><br> | <p> <b>crlStore</b><br> |
This is where the CRL (Certificate Revocation List) store resides. | This is where the CRL (Certificate Revocation List) store resides. |
There is only one CRL store for all truststores. Currently, only two |
It is important to note that certificates are |
truststores are supported (cimserver and export) and these both share |
|
the same CRL store. It is important to note that certificates are |
|
checked first against the CRL (if specified) and then against the | checked first against the CRL (if specified) and then against the |
truststore. The <a href="#CLI">ssltrustmgr CLI</a> should be used for |
server truststore. The <a href="#CLI">cimcrl CLI</a> should be used for |
CRL management. </p> | CRL management. </p> |
<p><b>enableSSLExportClientVerification</b><br> |
<p><b>sslCipherSuite</b><br> |
This setting controls whether an ADDITIONAL port is used to listen for |
This setting specifies the cipher list used by the server during the |
incoming indications. This port is used only as a CIM indication |
SSL handshake phase. If not specified, the "DEFAULT" OpenSSL cipher |
listener |
list is used. The cipher list should be mentioned between single |
and only supports HTTPS. The port number of the export connection is |
quotes since it can contain special characters like .+, !, -. The |
currently not configurable; the port is determined by looking |
cipher lists can be found at <a |
in /etc/services for the service name wbem-exp-https. |
href="http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT">http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT</a> |
The export port is primarily used as a way to authenticate client |
</p> |
indication requests. Because indications are generated by providers |
<p><b>sslBackwardCompatibility</b><br> |
and do not have a username/password associated with them, traditional |
This setting specifies whether the ssl supports SSLv3 and versions of TLS |
basic authentication cannot be sent in the export request. To work |
lesser than 1.2. Ideally for security Compilance purposes it is by default |
around this, a truststore can be configured to authenticate incoming |
set to false. |
requests. This truststore is configured like the "required" |
</p> |
setting of sslClientVerificationMode. |
|
</p> |
|
<p><b>exportSSLTrustStore</b><br> |
|
This setting controls the truststore for the export connection. It may |
|
be the same as the sslTrustStore. Additionally, it can be |
|
either a directory or a single root CA file. When set to a directory, |
|
it is recommended that you use the <a href="#CLI">ssltrustmgr CLI</a> |
|
to populate the truststore as there are strict naming requirements for |
|
trusted certificate files. </p> |
|
<h4>Configuration Limitations</h4> | <h4>Configuration Limitations</h4> |
The following are configuration limitations: | The following are configuration limitations: |
<ul> | <ul> |
|
|
password needed to unencrypt it. Therefore, the best way to secure the | password needed to unencrypt it. Therefore, the best way to secure the |
file is to follow the file permissions settings specified in <a | file is to follow the file permissions settings specified in <a |
href="#CERTS">Creating SSL Certificates.</a></li> | href="#CERTS">Creating SSL Certificates.</a></li> |
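Review bot: the sslBackwardCompatibility paragraph needs a wording fix and a clearer risk statement: "Compilance" should read "Compliance", and "whether the ssl supports SSLv3 and versions of TLS lesser than 1.2" is clearer as "whether the server still accepts SSLv3 and TLS versions below 1.2". Because setting it to true re-enables protocol versions with known weaknesses, the text should say plainly that it is only for legacy clients that cannot negotiate TLS 1.2 and that the default of false is the recommended setting. In the sslCipherSuite paragraph, the character list ".+, !, -" has a stray "." before "+", and it is worth adding that the contents of the OpenSSL "DEFAULT" list depend on the OpenSSL version Pegasus is linked against, so an administrator who needs a fixed cipher policy should set an explicit list rather than rely on the default.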
<li>There is no property to specify supported cipher lists at this |
|
time. Pegasus uses the default OpenSSL cipher list. The cipher lists |
|
can be found at <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> |
|
and <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a></li> |
|
<li>The verification depth cannot be specified. Pegasus uses the | <li>The verification depth cannot be specified. Pegasus uses the |
default OpenSSL depth of 9. This means the OpenSSL will only accept | default OpenSSL depth of 9. This means the OpenSSL will only accept |
client certificate chains up to 9 levels deep.</li> | client certificate chains up to 9 levels deep.</li> |
|
|
Yes, especially if you are sending passwords with requests. The HTTP | Yes, especially if you are sending passwords with requests. The HTTP |
port can be disabled for additional security if desired. | port can be disabled for additional security if desired. |
<br> | <br> |
<b>Should I enable the export port?</b><br> |
|
Currently, the export connection provides the only way to authenticate |
|
incoming CIM indication requests. Because basic authentication cannot |
|
be used with these requests, the export connection should be enabled if |
|
there is a concern over rogue client export requests. Otherwise, the |
|
export requests can still be sent over HTTPS using the standard port; |
|
the information will be encrypted but the client's identity will not be |
|
validated. |
|
<br> |
|
<b>Should I configure the CIMOM to use a truststore?</b><br> | <b>Should I configure the CIMOM to use a truststore?</b><br> |
This depends on the infrastructure of the application. If all clients | This depends on the infrastructure of the application. If all clients |
are using basic authentication over the secure port | are using basic authentication over the secure port |
|
|
If you anticipate getting requests from a heterogeneous set of clients, | If you anticipate getting requests from a heterogeneous set of clients, |
then it probably makes sense to use the directory option to allow | then it probably makes sense to use the directory option to allow |
flexibility in the future. In the latter scenario, the same single root | flexibility in the future. In the latter scenario, the same single root |
CA file can still be used with the additional step of using ssltrustmgr |
CA file can still be used with the additional step of using cimtrust |
to register it. | to register it. |
It's important to note that when registering a root CA, only one user | It's important to note that when registering a root CA, only one user |
can be associated with ALL certificates under that CA. Following the | can be associated with ALL certificates under that CA. Following the |
|
|
does not check CRL validity dates during startup. Therefore, it is the | does not check CRL validity dates during startup. Therefore, it is the |
responsibility of the administrator | responsibility of the administrator |
to regularly download or acquire the CRL and import it into the CRL | to regularly download or acquire the CRL and import it into the CRL |
store using the <a href="#CLI">ssltrustmgr CLI</a>. |
store using the <a href="#CLI">cimcrl CLI</a>. |
<font style="color: rgb(0, 0, 0);" color="MAGENTA">CRLs are not checked | <font style="color: rgb(0, 0, 0);" color="MAGENTA">CRLs are not checked |
for expiration during the SSL callback. This means that if a CRL for a | for expiration during the SSL callback. This means that if a CRL for a |
particular issuer has expired, | particular issuer has expired, |
|
|
If using self-signed certificates, however, a CRL is most likely not | If using self-signed certificates, however, a CRL is most likely not |
needed (You can create a self-signed CRL but it is not really | needed (You can create a self-signed CRL but it is not really |
necessary). Because of this, the certificate deletion option available | necessary). Because of this, the certificate deletion option available |
via ssltrustmgr is primarily intended for self-signed certificates. |
via cimtrust is primarily intended for self-signed certificates. |
Technically, CRL's are the correct way to revoke compromised or invalid | Technically, CRL's are the correct way to revoke compromised or invalid |
certificates. | certificates. |
<br> | <br> |
|
|
<p>See the <a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a> | <p>See the <a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a> |
section below on how to setup the client's truststore. | section below on how to setup the client's truststore. |
</p> | </p> |
<h3><a name="CLI">ssltrustmgr CLI</a></h3> |
<h3><a name="CLI">cimtrust & cimcrl CLI</a></h3> |
Pegasus 2.5 comes with a new CLI, ssltrustmgr, that should be used to |
cimtrust CLI may be used to add, remove or list X509 certificates in a |
manage the cimserver's truststore, the export truststore, and the CRL |
PEM format truststore. cimcrl CLI may be used to add, remove or list |
store. |
X509 Certificate Revocation Lists in a PEM format CRL store. |
The CLI interfaces with a certificate control provider that runs as |
|
|
The CLIs interface with a Certificate control provider that runs as |
part of Pegasus's core. It operates on the PG_SSLCertificate and | part of Pegasus's core. It operates on the PG_SSLCertificate and |
PG_SSLCertificateRevocationList |
PG_SSLCertificateRevocationList classes in root/PG_Internal. |
classes in root/pg_internal. |
It is recommended that the CLIs be used in place of manual |
It is recommended that this CLI be used in place of manual |
|
configuration for several reasons: | configuration for several reasons: |
<ul> | <ul> |
<li>OpenSSL places strict naming restrictions on certificates and | <li>OpenSSL places strict naming restrictions on certificates and |
|
|
<li>Certificate instances are stored in the repository along with the | <li>Certificate instances are stored in the repository along with the |
corresponding username. If the certificate is not properly registered, | corresponding username. If the certificate is not properly registered, |
the username mapping will fail.<font color="MAGENTA"> <span | the username mapping will fail.<font color="MAGENTA"> <span |
style="color: rgb(0, 0, 0);">As of 2.5.1, ssltrustmgr supports the |
style="color: rgb(0, 0, 0);">cimtrust CLI supports the |
ability to register a certificate without a username for root | ability to register a certificate without a username for root |
certificates and intermediate certificates, since these certificates | certificates and intermediate certificates, since these certificates |
represent a collection of users. In this scenario, each leaf | represent a collection of users. In this scenario, each leaf |
certificate must be registered to an individual user. See the | certificate must be registered to an individual user. See the |
Authorization section for more information on username validation.</span></font> | Authorization section for more information on username validation.</span></font> |
</li> | </li> |
<li><font color="MAGENTA"><span style="color: rgb(0, 0, 0);">The CLI, |
<li><font color="MAGENTA"><span style="color: rgb(0, 0, 0);">The CLIs, |
or more correctly the provider it operates on, supports dynamic |
or more correctly the provider they operate on, supports dynamic |
deletion of certificates by resetting the cimserver's SSL context.</span> | deletion of certificates by resetting the cimserver's SSL context.</span> |
</font> Normally, you would need to stop and start the cimserver to | </font> Normally, you would need to stop and start the cimserver to |
accomplish this.</li> | accomplish this.</li> |
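Review bot: subject-verb agreement in the rewritten sentence: with the subject changed to "The CLIs, or more correctly the provider they operate on," the verb should be "support" rather than "supports".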
<li>The CLI, or more correctly the provider it operates on, performs |
<li>The CLIs, or more correctly the provider they operate on, performs |
a ton of error checking you would not get by manually configuring the | a ton of error checking you would not get by manually configuring the |
stores. This alerts the administrator to various error conditions (e.g. | stores. This alerts the administrator to various error conditions (e.g. |
the certificate expired) associated with a certificate or CRL.</li> | the certificate expired) associated with a certificate or CRL.</li> |
</ul> | </ul> |
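Review bot: same agreement issue in this bullet: "The CLIs, or more correctly the provider they operate on, performs" should read "perform" to match the plural subject introduced by this revision.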
The CIMOM must be up and running while executing ssltrustmgr. The |
The CIMOM must be up and running while executing cimtrust/cimcrl CLI. The |
ssltrustmgr manpage provides more information on commands and syntax. |
cimtrust and cimcrl manpages provide more information on commands and syntax. |
<h3><a name="CLIENT">Configuring the Pegasus CIM Client for SSL</a></h3> | <h3><a name="CLIENT">Configuring the Pegasus CIM Client for SSL</a></h3> |
<p> A Pegasus CIM client can be configured to use SSL by using a | <p> A Pegasus CIM client can be configured to use SSL by using a |
constructor that takes an SSLContext. The construction of the | constructor that takes an SSLContext. The construction of the |
SSLContext is really what controls the behavior of the client during | SSLContext is really what controls the behavior of the client during |
the SSL handshake. Without going into minute details about what happens | the SSL handshake. Without going into minute details about what happens |
under the covers, here is a description of the various SSLContext | under the covers, here is a description of the various SSLContext |
constructor parameters. The descriptions are written from a client |
constructor parameters. </p> |
perspective even though the same constructors are utilized by the |
|
cimserver HTTPS port and export port. </p> |
|
<p> Here's a code snippet that shows how to call a client constructor | <p> Here's a code snippet that shows how to call a client constructor |
that connects to a server over SSL and can present its own trusted | that connects to a server over SSL and can present its own trusted |
certificate if the server requests it. In this scenario, the client | certificate if the server requests it. In this scenario, the client |
|
|
</p> | </p> |
<ul> | <ul> |
<font face="courier"> client.connect( hostname, port, <b>SSLContext(trustStore, | <font face="courier"> client.connect( hostname, port, <b>SSLContext(trustStore, |
certPath, keyPath, verifyCert, randomFile),</b> username, password); </font> |
certPath, keyPath, verifyCert, randomFile, cipherSuite),</b> username, password); </font> |
</ul> | </ul> |
<p></p> | <p></p> |
<p> Here's a code snippet that shows how to call a client constructor | <p> Here's a code snippet that shows how to call a client constructor |
|
|
does not perform by default.</li> | does not perform by default.</li> |
<li><b>randomFile</b> -- A file to seed the pseudo random number | <li><b>randomFile</b> -- A file to seed the pseudo random number |
generator (PRNG).</li> | generator (PRNG).</li> |
|
<li><b>cipherSuite</b> -- This specifies the cipher list used by the |
|
client during the SSL handshake phase. This is an experimental |
|
interface.</li> |
</ul> | </ul> |
<p>Here are some general guidelines on implementing peer verification | <p>Here are some general guidelines on implementing peer verification |
for the client: | for the client: |
|
|
truststore and (optionally) a user-specified callback function.</li> | truststore and (optionally) a user-specified callback function.</li> |
<li>The client should employ a truststore in order to properly verify | <li>The client should employ a truststore in order to properly verify |
the server. The truststore should contain a file or directory of | the server. The truststore should contain a file or directory of |
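Review bot: the new cipherSuite bullet should state what format the string takes and what an empty value means; the sslCipherSuite description added earlier in this revision already points at the OpenSSL cipher list format, so a cross-reference to that paragraph would keep the client and server documentation consistent. "This is an experimental interface" should also say whether the parameter may be omitted, since the constructor snippet above now lists it as a positional argument after randomFile.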
trusted CA certificates. The ssltrustmgr CLI cannot be used to |
trusted CA certificates. The cimtrust CLI cannot be used to |
configure client truststores. The trusted certificate(s) should be | configure client truststores. The trusted certificate(s) should be |
placed in a protected file or directory specified by the trustStore | placed in a protected file or directory specified by the trustStore |
parameter. Keep in mind that the SSL context generally has to be | parameter. Keep in mind that the SSL context generally has to be |
|
|
<ul> | <ul> |
<li>The verification depth cannot be specified. Pegasus uses the | <li>The verification depth cannot be specified. Pegasus uses the |
default OpenSSL depth of 9.</li> | default OpenSSL depth of 9.</li> |
<li>The cipher list cannot be specified. Pegasus uses the default |
|
OpenSSL cipher list. The cipher lists can be found at <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> |
|
and <a |
|
href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a></li> |
|
<li>No hostname checking is performed to ensure that the subject | <li>No hostname checking is performed to ensure that the subject |
field of the distinguished name (DN) matches the hostname. If desired, | field of the distinguished name (DN) matches the hostname. If desired, |
a user-specified callback should be configured to perform this check or | a user-specified callback should be configured to perform this check or |
|
|
If a certificate fails, the connection can be terminated immediately, | If a certificate fails, the connection can be terminated immediately, |
resulting in a connection exception. This scenario will occur if the | resulting in a connection exception. This scenario will occur if the |
sslClientVerification property is set to "required" and no certificate | sslClientVerification property is set to "required" and no certificate |
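Review bot: the client limitations bullet "The cipher list cannot be specified. Pegasus uses the default OpenSSL cipher list" appears here as a single-column change; if it survives into revision 1.6.8.2 it contradicts the cipherSuite parameter added to the client SSLContext constructor above, so it should be dropped in the same way the corresponding server-side bullet was removed under Configuration Limitations.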
or an untrusted certificate is sent. The export connection will also |
or an untrusted certificate is sent. </p> |
terminate the connection if an untrusted certificate is presented. Once |
|
a certificate is verified, no further <i><b>authentication</b></i> is |
|
attempted. This effectively results in any basic or local |
|
authentication headers being ignored. </p> |
|
<p> Further <i><b>authorization</b></i> checks must be performed when | <p> Further <i><b>authorization</b></i> checks must be performed when |
validating the user that is mapped to the certificate. First, the user | validating the user that is mapped to the certificate. First, the user |
that is registered to the certificate is validated as a valid system | that is registered to the certificate is validated as a valid system |
|
|
<a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a> | <a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a> |
</p> | </p> |
<hr> | <hr> |
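Review bot: removing the export-connection sentence here also drops "Once a certificate is verified, no further authentication is attempted. This effectively results in any basic or local authentication headers being ignored." That statement described the cimserver HTTPS port under sslClientVerificationMode, not only the export connection, and it is security-relevant for anyone relying on basic authentication alongside client certificates; if the behaviour still holds it should be kept in the rewritten paragraph.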
<p><i><font size="2">Copyright (c) 2005 EMC Corporation; |
<p>Licensed to The Open Group (TOG) under one or more contributor license |
Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group; |
agreements. Refer to the OpenPegasusNOTICE.txt file distributed with |
VERITAS Software Corporation</font><br> |
this work for additional information regarding copyright ownership. |
<br> |
Each contributor licenses this file to you under the OpenPegasus Open |
<font size="1">Permission is hereby granted, free of charge, to any |
Source License; you may not use this file except in compliance with the |
person obtaining a copy of this software and associated |
License.</p> |
documentation files (the "Software"), to deal in the Software without |
<p>Permission is hereby granted, free of charge, to any person obtaining a |
restriction, including without limitation the rights to use, copy, |
copy of this software and associated documentation files (the "Software"), |
modify, merge, publish, distribute, sublicense, and/or sell copies of |
to deal in the Software without restriction, including without limitation |
the Software, and to permit persons to whom the Software is furnished |
the rights to use, copy, modify, merge, publish, distribute, sublicense, |
to do so, subject to the following conditions:</font><br> |
and/or sell copies of the Software, and to permit persons to whom the |
<font size="2"><br> |
Software is furnished to do so, subject to the following conditions:</p> |
</font> |
<p>The above copyright notice and this permission notice shall be included |
<font size="1">THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE |
in all copies or substantial portions of the Software.</p> |
SHALL BE INCLUDED IN ALL COPIES OR SUBSTANTIAL PORTIONS OF THE |
<p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
SOFTWARE. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF |
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE |
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY |
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE |
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION |
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE |
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION |
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p> |
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</font></i></p> |
|
<hr> | <hr> |
</body> | </body> |
</html> | </html> |