
Diff for /pegasus/doc/PegasusSSLGuidelines.htm between version 1.4.4.1 and 1.4.4.2

version 1.4.4.1, 2006/11/23 06:22:36 version 1.4.4.2, 2006/12/19 10:49:51
Line 1 
Line 1 
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html xmlns:o>  <html xmlns:v="urn:schemas-microsoft-com:vml"
   xmlns:o="urn:schemas-microsoft-com:office:office"
   xmlns:w="urn:schemas-microsoft-com:office:word"
   xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
   xmlns="http://www.w3.org/TR/REC-html40" xmlns:o>
   
   
         <head>         <head>
   <meta http-equiv=Content-Type content="text/html; charset=windows-1252">
   <meta name=ProgId content=Word.Document>
   <meta name=Generator content="Microsoft Word 10">
   <meta name=Originator content="Microsoft Word 10">
   <link rel=File-List href="PegasusSSLGuidelines_files/filelist.xml">
   <link rel=Edit-Time-Data href="PegasusSSLGuidelines_files/editdata.mso">
   <!--[if !mso]>
   <style>
   v\:* {behavior:url(#default#VML);}
   o\:* {behavior:url(#default#VML);}
   w\:* {behavior:url(#default#VML);}
   .shape {behavior:url(#default#VML);}
   </style>
   <![endif]-->
                 <title>OpenPegasus SSL Guidelines</title>                 <title>OpenPegasus SSL Guidelines</title>
   <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
    name="date"/>
   <!--[if gte mso 9]><xml>
    <o:DocumentProperties>
     <o:Author>IBM_USER</o:Author>
     <o:LastAuthor>IBM_USER</o:LastAuthor>
     <o:Revision>2</o:Revision>
     <o:TotalTime>6</o:TotalTime>
     <o:Created>2006-12-19T07:20:00Z</o:Created>
     <o:LastSaved>2006-12-19T07:26:00Z</o:LastSaved>
     <o:Pages>1</o:Pages>
     <o:Words>5126</o:Words>
     <o:Characters>29220</o:Characters>
     <o:Company>IBM</o:Company>
     <o:Lines>243</o:Lines>
     <o:Paragraphs>68</o:Paragraphs>
     <o:CharactersWithSpaces>34278</o:CharactersWithSpaces>
     <o:Version>10.3501</o:Version>
    </o:DocumentProperties>
   </xml><![endif]--><!--[if gte mso 9]><xml>
    <w:WordDocument>
     <w:SpellingState>Clean</w:SpellingState>
     <w:GrammarState>Clean</w:GrammarState>
     <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
    </w:WordDocument>
   </xml><![endif]--><!--[if !mso]><object
    classid="clsid:38481807-CA0E-42D2-BF39-B33AF135CC4D" id=ieooui></object>
   <style>
   st1\:*{behavior:url(#ieooui) }
   </style>
   <![endif]-->
   <style>
   <!--
    /* Font Definitions */
    @font-face
           {font-family:Courier;
           panose-1:2 7 4 9 2 2 5 2 4 4;
           mso-font-charset:0;
           mso-generic-font-family:modern;
           mso-font-format:other;
           mso-font-pitch:fixed;
           mso-font-signature:3 0 0 0 1 0;}
   @font-face
           {font-family:Wingdings;
           panose-1:5 0 0 0 0 0 0 0 0 0;
           mso-font-charset:2;
           mso-generic-font-family:auto;
           mso-font-pitch:variable;
           mso-font-signature:0 268435456 0 0 -2147483648 0;}
   @font-face
           {font-family:Times;
           panose-1:2 2 6 3 5 4 5 2 3 4;
           mso-font-charset:0;
           mso-generic-font-family:roman;
           mso-font-pitch:variable;
           mso-font-signature:536902279 -2147483648 8 0 511 0;}
    /* Style Definitions */
    p.MsoNormal, li.MsoNormal, div.MsoNormal
           {mso-style-parent:"";
           margin:0in;
           margin-bottom:.0001pt;
           mso-pagination:widow-orphan;
           font-size:12.0pt;
           font-family:"Times New Roman";
           mso-fareast-font-family:"Times New Roman";}
   h2
           {mso-margin-top-alt:auto;
           margin-right:0in;
           mso-margin-bottom-alt:auto;
           margin-left:0in;
           mso-pagination:widow-orphan;
           mso-outline-level:2;
           font-size:18.0pt;
           font-family:"Times New Roman";
           font-weight:bold;}
   h3
           {mso-margin-top-alt:auto;
           margin-right:0in;
           mso-margin-bottom-alt:auto;
           margin-left:0in;
           mso-pagination:widow-orphan;
           mso-outline-level:3;
           font-size:13.5pt;
           font-family:"Times New Roman";
           font-weight:bold;}
   h4
           {mso-margin-top-alt:auto;
           margin-right:0in;
           mso-margin-bottom-alt:auto;
           margin-left:0in;
           mso-pagination:widow-orphan;
           mso-outline-level:4;
           font-size:12.0pt;
           font-family:"Times New Roman";
           font-weight:bold;}
   a:link, span.MsoHyperlink
           {color:blue;
           text-decoration:underline;
           text-underline:single;}
   a:visited, span.MsoHyperlinkFollowed
           {color:blue;
           text-decoration:underline;
           text-underline:single;}
   p
           {mso-margin-top-alt:auto;
           margin-right:0in;
           mso-margin-bottom-alt:auto;
           margin-left:0in;
           mso-pagination:widow-orphan;
           font-size:12.0pt;
           font-family:"Times New Roman";
           mso-fareast-font-family:"Times New Roman";}
   span.spelle
           {mso-style-name:spelle;}
   span.SpellE
           {mso-style-name:"";
           mso-spl-e:yes;}
   span.GramE
           {mso-style-name:"";
           mso-gram-e:yes;}
   @page Section1
           {size:8.5in 11.0in;
           margin:1.0in 1.25in 1.0in 1.25in;
           mso-header-margin:.5in;
           mso-footer-margin:.5in;
           mso-paper-source:0;}
   div.Section1
           {page:Section1;}
    /* List Definitions */
    @list l0
           {mso-list-id:51972189;
           mso-list-template-ids:81668992;}
   @list l0:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l1
           {mso-list-id:257178838;
           mso-list-template-ids:1636469146;}
   @list l1:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l2
           {mso-list-id:335961387;
           mso-list-template-ids:303987346;}
   @list l2:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l3
           {mso-list-id:432287186;
           mso-list-template-ids:401260786;}
   @list l3:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l4
           {mso-list-id:448670368;
           mso-list-template-ids:342922132;}
   @list l4:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l5
           {mso-list-id:605886313;
           mso-list-template-ids:2101529026;}
   @list l5:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l6
           {mso-list-id:610279438;
           mso-list-template-ids:-795200846;}
   @list l6:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l7
           {mso-list-id:620840603;
           mso-list-template-ids:-1801667564;}
   @list l7:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l8
           {mso-list-id:633027112;
           mso-list-template-ids:-1360881254;}
   @list l8:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l9
           {mso-list-id:902104985;
           mso-list-template-ids:750025012;}
   @list l9:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l10
           {mso-list-id:958562085;
           mso-list-template-ids:-55920690;}
   @list l10:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l11
           {mso-list-id:1106390704;
           mso-list-template-ids:-953544102;}
   @list l11:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l11:level2
           {mso-level-number-format:bullet;
           mso-level-text:o;
           mso-level-tab-stop:1.0in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:"Courier New";
           mso-bidi-font-family:"Times New Roman";}
   @list l11:level3
           {mso-level-number-format:bullet;
           mso-level-text:\F0A7;
           mso-level-tab-stop:1.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Wingdings;}
   @list l12
           {mso-list-id:1409960379;
           mso-list-template-ids:-1094543752;}
   @list l12:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l13
           {mso-list-id:1721326241;
           mso-list-template-ids:644010464;}
   @list l13:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l14
           {mso-list-id:1731073149;
           mso-list-template-ids:-2060307636;}
   @list l14:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   @list l15
           {mso-list-id:1950238906;
           mso-list-template-ids:-1705468504;}
   @list l15:level1
           {mso-level-number-format:bullet;
           mso-level-text:\F0B7;
           mso-level-tab-stop:.5in;
           mso-level-number-position:left;
           text-indent:-.25in;
           mso-ansi-font-size:10.0pt;
           font-family:Symbol;}
   ol
           {margin-bottom:0in;}
   ul
           {margin-bottom:0in;}
   -->
   </style>
   <!--[if gte mso 10]>
   <style>
    /* Style Definitions */
    table.MsoNormalTable
           {mso-style-name:"Table Normal";
           mso-tstyle-rowband-size:0;
           mso-tstyle-colband-size:0;
           mso-style-noshow:yes;
           mso-style-parent:"";
           mso-padding-alt:0in 5.4pt 0in 5.4pt;
           mso-para-margin:0in;
           mso-para-margin-bottom:.0001pt;
           mso-pagination:widow-orphan;
           font-size:10.0pt;
           font-family:"Times New Roman";}
   </style>
   <![endif]-->
         </head>         </head>
         <body>  
                 <h2>OpenPegasus 2.6 SSL Guidelines</h2>  
                 <p><b>Version:&nbsp;</b>1.1<br>  
                         <b>Created:&nbsp;</b>July 20, 2005</p>  <body lang=EN-US link=blue vlink=blue style='tab-interval:.5in'>
                 <b>Updated:&nbsp;November</b> 23, 2006  
                 <p></p>  <div class=Section1>
                 <ul>  
                         <li>  <h2><span class=SpellE>OpenPegasus</span> 2.6 SSL Guidelines</h2>
                                 <a href="#OVERVIEW">Overview</a>  
                         <li>  <p><b>Version:&nbsp;</b>1.2<br>
                                 <a href="#RELATED">Related Information</a>  <b>Created:&nbsp;</b><st1:date Year="2005" Day="20" Month="7">July 20, 2005</st1:date></p>
                         <li>  
                                 <a href="#BUILDING">Building Pegasus with SSL</a>  <p class=MsoNormal><b>Updated:&nbsp;</b><st1:date Year="2006" Day="19"
                         <li>  Month="12"><b>December</b> 19, 2006</st1:date> </p>
                                 <a href="#CERTS">Creating SSL Certificates</a>  
                         <li>  <ul type=disc>
                                 <a href="#CONFIGURE">Configuring Pegasus for SSL</a>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#OVERVIEW">Overview</a>
                                 <a href="#DESIGN">SSL Design Question List</a>       </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 <a href="#TRUSTSTORE">Truststore Management</a>       mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#RELATED">Related
                         <li>       Information</a> </li>
                                 <a href="#CLI">cimtrust &amp; cimcrl CLI</a>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#BUILDING">Building
                                 <a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a>       Pegasus with SSL</a> </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 <a href="#AUTH">SSL Authorization</a>       mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CERTS">Creating SSL
                         <li>       Certificates</a> </li>
                                 <a href="#EXT">Critical Extension Handling</a>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CONFIGURE">Configuring
                                 <a href="#RESOURCES">Resources</a>       Pegasus for SSL</a> </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#DESIGN">SSL Design
        Question List</a> </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#TRUSTSTORE"><span
        class=SpellE>Truststore</span> Management</a> </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CLI"><span
        class=SpellE>cimtrust</span> &amp; <span class=SpellE>cimcrl</span> CLI</a>
        </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CLIENT">Configuring
        the Pegasus CIM Client for SSL</a> </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#AUTH">SSL
        Authorization</a> </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#EXT">Critical
        Extension Handling</a> </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#RESOURCES">Resources</a>
                         </li>                         </li>
                 </ul>                 </ul>
                 <h3><a name="OVERVIEW">Overview</a></h3>  
                 <p>  <h3><a name=OVERVIEW>Overview</a></h3>
                         The following document serves as a guide on how to build and configure Pegasus  
                         for SSL support. It also discusses how to utilize a certificate-based  <p>The following document serves as a guide on how to build and configure
                         infrastructure and configure the Pegasus CIM client.  Pegasus for SSL support. It also discusses how to utilize a certificate-based
                 </p>  infrastructure and configure the Pegasus CIM client. </p>
                 <p>This guide requires a basic understanding of SSL, OpenSSL, and basic  
                         authentication. This guide is intended to help developers and administrators  <p>This guide requires a basic understanding of SSL, <span class=SpellE>OpenSSL</span>,
                         make the right decisions about how to use SSL for their particular application.  and basic authentication. This guide is intended to help developers and
                         It is not intended to be a primary source of education on SSL. If you are not  administrators make the right decisions about how to use SSL for their
                         familiar with these technologies, consult the sources in the <a href="#RESOURCES">Resources</a>  particular application. It is not intended to be a primary source of education
                         section at the bottom.  on SSL. If you are not familiar with these <span class=GramE>technologies</span>,
                 </p>  consult the sources in the <a href="#RESOURCES">Resources</a> section at the
                 <p></p>  bottom. </p>
                 <p>Note: In this document, the term "trust" refers only to authentication. It does  
                         not imply full trust in the traditional sense, because it does not take into  <p>Note: In this document, the term &quot;trust&quot; refers only to
                         account authorization checks. It remains the responsibility of providers and  authentication. It does not imply full trust in the traditional sense, because
                         clients to perform authorization, and therefore establish real trust. Likewise,  it does not take into account authorization checks. It remains the
                         the term "Trust Store" can be misleading since the "store" is only a source of  responsibility of providers and clients to perform authorization, and therefore
                         authentication credentials. Please bear this in mind when documenting  establish real trust. Likewise, the term &quot;Trust Store&quot; can be
                         recommended deployments or building clients or providers.  misleading since the &quot;store&quot; is only a source of authentication
                 </p>  credentials. Please bear this in mind when documenting recommended deployments
                 <h3><a name="RELATED">Related Information</a></h3>  or building clients or providers. </p>
                 A significant portion of the information in this document is taken from various  
                 PEP's. This document attempts to bring all of this information together in a  <h3><a name=RELATED>Related Information</a></h3>
                 cohesive and simplified format.  
                 <p></p>  <p class=MsoNormal>A significant portion of the information in this document is
                 <ul>  taken <span class=GramE>from various <span class=SpellE>PEP's</span></span>.
                         <li>  This document attempts to bring all of this information together in a cohesive
                         PEP#035 - Add support for /dev/random in SSLContext  and simplified format. </p>
                         <li>  
                         PEP#060 - SSL support in CIM/XML indication delivery  <ul type=disc>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         PEP#074 - SSLContext and Certificate verification interface enhancement       mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#035 - Add support for
                         <li>       /dev/random in <span class=SpellE>SSLContext</span> </li>
                         PEP#165 - SSL Client Verification   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#060 - SSL support in
                         PEP#187 - SSL Certificate Management Enhancements       CIM/XML indication delivery </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 PEP#200 - Recommended OpenPegasus 2.5 Build and Configuration Options for       mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#074 - <span
        class=SpellE>SSLContext</span> and Certificate verification interface
        enhancement </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#165 - SSL Client
        Verification </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#187 - SSL Certificate
        Management Enhancements </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#200 - Recommended <span
        class=SpellE>OpenPegasus</span> 2.5 Build and Configuration Options for
                                 Selected Platforms</li>                                 Selected Platforms</li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#268 – SSL Client Certificate
        Propagation</li>
                 </ul>                 </ul>
                 <p></p>  
                 <h3><a name="BUILDING">Building Pegasus with SSL</a></h3>  <h3><a name=BUILDING>Building Pegasus with SSL</a></h3>
                 <p>  
                         To build Pegasus with HTTPS support, you will need to build against the <a href="http://www.openssl.org">  <p>To build Pegasus with HTTPS support, you will need to build against the <a
                                 OpenSSL package</a>. <font style="COLOR: rgb(0,0,0)" color="magenta">The SSL  href="http://www.openssl.org"><span class=SpellE>OpenSSL</span> package</a>. <span
                                 support outlined here has been tested against recent releases of the major  style='color:black'>The SSL support outlined here has been tested against
                                 versions 0.9.7X and 0.9.8X (most notably, 0.9.7d). Because some versions of  recent releases of the major versions 0.9.7X and 0.9.8X (most notably, 0.9.7d).
                                 0.9.6X do not contain full support for the security functions that Pegasus  Because some versions of 0.9.6X do not contain full support for the security
                                 utilizes (for example, certificate-based authentication is not fully supported  functions that Pegasus utilizes (for example, certificate-based authentication
                                 by some versions of 0.9.6X), Pegasus does not officially support major version  is not fully supported by some versions of 0.9.6X), Pegasus does not officially
                                 0.9.6. See Bugzilla 4048 for more information. </font>Because this is an  support major version 0.9.6. See <span class=SpellE>Bugzilla</span> 4048 for
                         open source project, the SSL support has been tested with many versions of  more information. </span>Because this is an open source project, the SSL
                         OpenSSL, but we cannot guarantee it has been tested with every version on every  support has been tested with many versions of <span class=SpellE>OpenSSL</span>,
                         platform. A list of recent OpenSSL releases, and important-to-review security  but we cannot guarantee it has been tested with every version on every
                         advisories and fixes, can be found on the <a href="http://www.openssl.org/news">OpenSSL  platform. A list of recent <span class=SpellE>OpenSSL</span> releases, and
                                 News page</a>.  important-to-review security advisories and fixes, can be found on the <a
                 </p>  href="http://www.openssl.org/news"><span class=SpellE>OpenSSL</span> News page</a>.
                 <p>  </p>
                         After grabbing the OpenSSL source tarball, you need to set the following  
                         environment variables before building Pegasus:  <p>After grabbing the <span class=SpellE>OpenSSL</span> source <span
                 </p>  class=SpellE>tarball</span>, you need to set the following environment
                 <ul>  variables before building Pegasus: </p>
                         <li>  
                         PEGASUS_HAS_SSL=1  <ul type=disc>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         OPENSSL_HOME=&lt;location of the SDK package&gt; This directory must contain       mso-list:l14 level1 lfo3;tab-stops:list .5in'>PEGASUS_HAS_SSL=1 </li>
                         the OpenSSL include directory, $(OPENSSL_HOME)/include, and the OpenSSL library   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         directory, $(OPENSSL_HOME)/lib.       mso-list:l14 level1 lfo3;tab-stops:list .5in'>OPENSSL_HOME=&lt;location of
                         <li>       the SDK package&gt; <span class=GramE>This</span> directory must contain
                                 OPENSSL_BIN=&lt;location of the binary package&gt; This only needs to be set if       the <span class=SpellE>OpenSSL</span> include directory,
                                 the OpenSSL binaries are not in $(OPENSSL_HOME)/bin.</li>       $(OPENSSL_HOME)/include, and the <span class=SpellE>OpenSSL</span> library
                 </ul>       directory, $(OPENSSL_HOME)/lib. </li>
                 Note that Pegasus supports SSLv3 and TLSv1 by default. It does NOT support   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                 SSLv2. To turn on SSLv2 support, enable the additional environment variable:       mso-list:l14 level1 lfo3;tab-stops:list .5in'>OPENSSL_BIN=&lt;location of
                 <ul>       the binary package&gt; <span class=GramE>This</span> only needs to be set
                         <li>       if the <span class=SpellE>OpenSSL</span> binaries are not in
                                 PEGASUS_ENABLE_SSLV2=1       $(OPENSSL_HOME)/bin.</li>
                         </li>  
                 </ul>                 </ul>
                 <p>  
                         It is not recommended to enable this protocol, as there have been many security  <p class=MsoNormal>Note that Pegasus supports SSLv3 and TLSv1 by default. It
                         weaknesses associated with it. Unless you are dealing with very outdated  does NOT support SSLv2. To turn on SSLv2 support, enable the additional
                         clients, you probably do not need to enable it.  environment variable: </p>
                 </p>  
                 <p>  <ul type=disc>
                         After setting these variables, proceed as normal with the build instructions in   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         the readme file.       mso-list:l9 level1 lfo4;tab-stops:list .5in'>PEGASUS_ENABLE_SSLV2=1 </li>
                 </p>  </ul>
                 <h3><a name="CERTS">Creating SSL Certificates</a></h3>  
                 There are two options for creating the CIMOM's certificate:  <p>It is not recommended to enable this protocol, as there have been many
                 <ul>  security weaknesses associated with it. Unless you are dealing with very
                         <li>  outdated clients, you probably do not need to enable it. </p>
                         Self-signed certificate  
                         <li>  <p>After setting these variables, proceed as normal with the build instructions
                                 Certificate issued by a third-party certificate authority</li>  in the <span class=SpellE>readme</span> file. </p>
   
   <h3><a name=CERTS>Creating SSL Certificates</a></h3>
   
   <p class=MsoNormal>There are two options for creating the <span class=SpellE>CIMOM's</span>
   certificate: </p>
   
   <ul type=disc>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l5 level1 lfo5;tab-stops:list .5in'>Self-signed certificate </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l5 level1 lfo5;tab-stops:list .5in'>Certificate issued by a
        third-party certificate authority</li>
                 </ul>                 </ul>
                 <p>  
                         To generate a self-signed certificate, you must create a private key, a  <p>To generate a self-signed certificate, you must create a private key, a
                         certificate signing request (CSR), and finally the public x509 certificate. You                         certificate signing request (CSR), and finally the public x509 certificate. You
                         also need an SSL configuration file that defines the parameters of the                         also need an SSL configuration file that defines the parameters of the
                         Distinguished Name (DN). You can use the one that comes with Pegasus, ssl.cnf  Distinguished Name (DN). You can use the one that comes with Pegasus, <span
                         in the root directory, or generate your own. For a self-signed certificate, the  class=SpellE>ssl.cnf</span> in the root directory, or generate your own. For a
                         subject is the same as the issuer. Execute the following commands to create a  self-signed certificate, the subject is the same as the issuer. Execute the
                         self-signed certificate. The PEGASUS_ROOT and PEGASUS_HOME have to be set to  following commands to create a self-signed certificate. The PEGASUS_ROOT and
                         your respective installation and source directory. You will also need an  PEGASUS_HOME have to be set to your respective installation and source
                         OpenSSL configuration file. There is a sample configuration file that comes  directory. You will also need an <span class=SpellE>OpenSSL</span>
                         with the OpenSSL package.  configuration file. There is a sample configuration file that comes with the <span
                 </p>  class=SpellE>OpenSSL</span> package. </p>
                 <p></p>  
                 <ul>  <ul type=disc>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 To generate a private key, execute the following:<br>       mso-list:l12 level1 lfo6;tab-stops:list .5in'>To generate a private key,
                                 <font color="#009900" face="courier">openssl genrsa -out myserver.key 1024</font><br>       execute the following<span class=GramE>:</span><br>
                         Set the "sslKeyFilePath" configuration property to point to this key file.       <span class=SpellE><span style='font-family:Courier;color:#009900'>openssl</span></span><span
                         <li>       style='font-family:Courier;color:#009900'> <span class=SpellE>genrsa</span>
                                 To generate a certificate signing request, execute the following:<br>       -out <span class=SpellE>myserver.key</span> 1024</span><br>
                                 <font color="#009900" face="courier">openssl req -config openssl.cnf -new -key       Set the &quot;<span class=SpellE>sslKeyFilePath</span>&quot; configuration
                                         myserver.key -out myserver.csr</font>       property to point to this key file. </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 At this point, the certificate signing request can be sent out to a third-party       mso-list:l12 level1 lfo6;tab-stops:list .5in'>To generate a certificate
                                 certificate authority for signing, or a self-signed certificate can be       signing request, execute the following:<br>
                                 generated. To generate a self-signed certificate, execute the following:<br>       <span class=SpellE><span style='font-family:Courier;color:#009900'>openssl</span></span><span
                                 <font color="#009900" face="courier">openssl x509 -in myserver.csr -out       style='font-family:Courier;color:#009900'> <span class=SpellE>req</span> -<span
                                         myserver.cert -req -signkey myserver.key -days 365</font><br>       class=SpellE>config</span> <span class=SpellE>openssl.cnf</span> -new -key
                                 Set the "sslCertificateFilePath" configuration property to point to this       <span class=SpellE>myserver.key</span> -out <span class=SpellE>myserver.csr</span></span>
                                 certificate file. The above CSR file can be discarded after the certificate is  
                                 created.  
                         </li>                         </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l12 level1 lfo6;tab-stops:list .5in'>At this point, the
        certificate signing request can be sent out to a third-party certificate
        authority for signing, or a self-signed certificate can be generated. To
        generate a self-signed certificate, execute the following<span
        class=GramE>:</span><br>
        <span class=SpellE><span style='font-family:Courier;color:#009900'>openssl</span></span><span
        style='font-family:Courier;color:#009900'> x509 -in <span class=SpellE>myserver.csr</span>
        -out <span class=SpellE>myserver.cert</span> -<span class=SpellE>req</span>
        -<span class=SpellE>signkey</span> <span class=SpellE>myserver.key</span>
        -days 365</span><br>
        Set the &quot;<span class=SpellE>sslCertificateFilePath</span>&quot;
        configuration property to point to this certificate file. The above CSR
        file can be discarded after the certificate is created. </li>
                 </ul>                 </ul>
                 <p>  
                         After creating the keypair, make sure you protect the information sufficiently  <p>After creating the <span class=SpellE>keypair</span>, make sure you protect
                         by changing permissions on the files and/or directories. The following table  the information sufficiently by changing permissions on the files and/or
                         shows the recommended privileges:  directories. The following table shows the recommended privileges: </p>
                 </p>  
                 <p>  <table class=MsoNormalTable border=1 cellspacing=1 cellpadding=0 width="30%"
                         <table border="1" cellspacing="1" width="30%">   style='width:30.0%;mso-cellspacing:.7pt'>
                                 <tbody>   <tr style='mso-yfti-irow:0'>
                                         <tr>    <td style='padding:.75pt .75pt .75pt .75pt'>
                                                 <th>    <p class=MsoNormal align=center style='text-align:center'><b>SSL file<o:p></o:p></b></p>
                                                         <b>SSL file</b></th>    </td>
                                                 <th>    <td style='padding:.75pt .75pt .75pt .75pt'>
                                                         <b>Pegasus Config property</b></th>    <p class=MsoNormal align=center style='text-align:center'><b>Pegasus <span
                                                 <th>    class=SpellE>Config</span> property<o:p></o:p></b></p>
                                                         <b>Permissions</b></th>    </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal align=center style='text-align:center'><b>Permissions<o:p></o:p></b></p>
     </td>
                                         </tr>                                         </tr>
                                         <tr>   <tr style='mso-yfti-irow:1'>
                                                 <td>Private key</td>    <td style='padding:.75pt .75pt .75pt .75pt'>
                                                 <td>sslKeyFilePath</td>    <p class=MsoNormal>Private key</p>
                                                 <td>rwx------</td>    </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>sslKeyFilePath</span></p>
     </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>rwx</span>------</p>
     </td>
                                         </tr>                                         </tr>
                                         <tr>   <tr style='mso-yfti-irow:2'>
                                                 <td>Public certificate</td>    <td style='padding:.75pt .75pt .75pt .75pt'>
                                                 <td>sslCertificateFilePath</td>    <p class=MsoNormal>Public certificate</p>
                                                 <td>rwxr-xr-x</td>    </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>sslCertificateFilePath</span></p>
     </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>rwxr-xr-x</span></p>
     </td>
                                         </tr>                                         </tr>
                                         <tr>   <tr style='mso-yfti-irow:3'>
                                                 <td>Truststore</td>    <td style='padding:.75pt .75pt .75pt .75pt'>
                                                 <td>sslTrustStore</td>    <p class=MsoNormal><span class=SpellE>Truststore</span></p>
                                                 <td>rwxr-xr-x</td>    </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>sslTrustStore</span></p>
     </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>rwxr-xr-x</span></p>
     </td>
                                         </tr>                                         </tr>
                                         <tr>   <tr style='mso-yfti-irow:4;mso-yfti-lastrow:yes'>
                                                 <td>CRL store    <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal>CRL store </p>
     </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>crlStore</span></p>
     </td>
     <td style='padding:.75pt .75pt .75pt .75pt'>
     <p class=MsoNormal><span class=SpellE>rwxr-xr-x</span></p>
                                                 </td>                                                 </td>
                                                 <td>crlStore</td>  
                                                 <td>rwxr-xr-x</td>  
                                         </tr>                                         </tr>
                                 </tbody>  
                         </table>                         </table>
                 </p>  
                 <p>The administrator is responsible for ensuring that the above file permissions  <p>The administrator is responsible for ensuring that the above file
                         are set correctly. The administrator should also ensure that all containing  permissions are set correctly. The administrator should also ensure that all
                         directories all the way up to the base directory are not world-writable.  containing directories all the way up to the base directory are not
                         Pegasus only checks the following conditions when starting up:  world-writable. Pegasus only checks the following conditions when starting up: </p>
                 </p>  
                 <ul>  <ul type=disc>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         The sslKeyFilePath and the sslCertificateFilePath are readable by the CIMOM.       mso-list:l1 level1 lfo7;tab-stops:list .5in'>The <span class=SpellE>sslKeyFilePath</span>
                         <li>       and the <span class=SpellE>sslCertificateFilePath</span> are readable by
                         The sslTrustStore and crlStore are readable by the CIMOM if they are a single       the CIMOM. </li>
                         file.   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l1 level1 lfo7;tab-stops:list .5in'>The <span class=SpellE>sslTrustStore</span>
                                 The sslTrustStore and crlStore are readable and writable by the CIMOM if they       and <span class=SpellE>crlStore</span> are readable by the CIMOM if they
                                 are a directory.</li>       are a single file. </li>
                 </ul>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                 <p>       mso-list:l1 level1 lfo7;tab-stops:list .5in'>The <span class=SpellE>sslTrustStore</span>
                         These same file permissions should be used for protecting a client's private       and <span class=SpellE>crlStore</span> are readable and writable by the
                         key, public key, truststore, and crl store as well.       CIMOM if they are a directory.</li>
                 </p>  </ul>
                 <p>  
                         For more information on generating keys and certificates, consult the <a href="http://www.openssl.org/docs/HOWTO/">  <p>These same file permissions should be used for protecting a client's private
                                 OpenSSL HOW-TO documentation</a>.  key, public key, <span class=SpellE>truststore</span>, and <span class=SpellE>crl</span>
                 </p>  store as well. </p>
                 <h3><a name="CONFIGURE">Configuring Pegasus for SSL</a></h3>  
                 There are many environment variable settings associated with SSL. Here is a  <p>For more information on generating keys and certificates, consult the <a
                 brief discussion of the subtleties of these options and how they work together  href="http://www.openssl.org/docs/HOWTO/"><span class=SpellE>OpenSSL</span>
                 to create a more secure environment. More information on the default and  HOW-TO documentation</a>. </p>
                 recommended settings can be found in PEP#200 Recommended OpenPegasus 2.5 Build  
                 and Configuration Options for Selected Platforms. Additionally, the section on <a href="#DESIGN">  <h3><a name=CONFIGURE>Configuring Pegasus for SSL</a></h3>
                         Design Question List</a> should help determine what these settings should  
                 be for a given application.  <p class=MsoNormal>There are many environment variable settings associated with
                 <p><b>enableHttpsConnection</b><br>  SSL. Here is a brief discussion of the subtleties of these options and how they
   work together to create a more secure environment. More information on the
   default and recommended settings can be found in PEP#200 Recommended <span
   class=SpellE>OpenPegasus</span> 2.5 Build and Configuration Options for
   Selected Platforms. Additionally, the section on <a href="#DESIGN">Design
   Question List</a> should help determine what these settings should be for a
   given application. </p>
   
   <p><span class=SpellE><span class=GramE><b>enableHttpsConnection</b></span></span><br>
                         This is disabled by default on most platforms. It is recommended that all                         This is disabled by default on most platforms. It is recommended that all
                         remote communication be done over the HTTPS port. However, if you are sending  remote communication be done over the HTTPS port. However, if you are sending <span
                         cleartext passwords over the wire, it is imperative that you only use the  class=SpellE>cleartext</span> passwords over the wire, it is imperative that
                         secure port. For added security, the HTTP port can be disabled to prevent  you only use the secure port. For added security, the HTTP port can be disabled
                         clients from connecting to it. The HTTPS connection is enabled by default only  to prevent clients from connecting to it. The HTTPS connection is enabled by
                         on the following platforms:  default only on the following platforms: </p>
                 </p>  
                 <p></p>  <ul type=disc>
                 <ul>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l6 level1 lfo8;tab-stops:list .5in'>LINUX </li>
                         LINUX   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l6 level1 lfo8;tab-stops:list .5in'>OS-400 </li>
                         OS-400   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l6 level1 lfo8;tab-stops:list .5in'>HP_UX (if
                         HP_UX (if PEGASUS_USE_RELEASE_CONFIG_OPTIONS is true)       PEGASUS_USE_RELEASE_CONFIG_OPTIONS is true) </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 VMS (if PEGASUS_USE_RELEASE_CONFIG_OPTIONS is true)</li>       mso-list:l6 level1 lfo8;tab-stops:list .5in'>VMS (if
                 </ul>       PEGASUS_USE_RELEASE_CONFIG_OPTIONS is true)</li>
                 <p></p>  </ul>
                 <p>  
                         <b>httpsPort</b><br>  <p><span class=SpellE><span class=GramE><b>httpsPort</b></span></span><br>
                         The default setting is 5989, the official WBEM secure port.  The default setting is 5989, the official WBEM secure port. </p>
                 </p>  
                 <p>  <p><span class=SpellE><span class=GramE><b>sslCertificateFilePath</b></span></span>
                         <b>sslCertificateFilePath</b>  
                         <br>                         <br>
                         This is the path to the x509 server certificate. The server certificate may be                         This is the path to the x509 server certificate. The server certificate may be
                         a chain in which case the file should contain PEM encoded certificates                         a chain in which case the file should contain PEM encoded certificates
Line 272 
Line 727 
                         signed certificate, the file only contains the self-signed certificate in PEM                         signed certificate, the file only contains the self-signed certificate in PEM
                         format. The certificate cannot be encrypted because there is currently no                         format. The certificate cannot be encrypted because there is currently no
                         mechanism for decrypting the certificate using a user-supplied password. This                         mechanism for decrypting the certificate using a user-supplied password. This
                         property must be defined if enableHttpsConnection is true. Any failure in  property must be defined if <span class=SpellE>enableHttpsConnection</span> is
                         finding this file will result in the cimserver failing to start. See <a href="#CERTS">  true. Any failure in finding this file will result in the <span class=SpellE>cimserver</span>
                                 Creating SSL Certificates</a> for more information.  failing to start. See <a href="#CERTS">Creating SSL Certificates</a> for more
                 </p>  information. </p>
                 <p><b>sslKeyFilePath</b><br>  
   <p><span class=SpellE><span class=GramE><b>sslKeyFilePath</b></span></span><br>
                         This is the path to the server's private key. All keys should be at least 1024                         This is the path to the server's private key. All keys should be at least 1024
                         bytes long. This property must be defined if enableHttpsConnection is true. Any  bytes long. This property must be defined if <span class=SpellE>enableHttpsConnection</span>
                         failure in finding this file will result in the cimserver failing to start. See <a href="#CERTS">  is true. Any failure in finding this file will result in the <span
                                 Creating SSL Certificate</a> for more information.  class=SpellE>cimserver</span> failing to start. See <a href="#CERTS">Creating
                 </p>  SSL Certificate</a> for more information. </p>
                 <p><b>sslClientVerificationMode</b><br>  
                         This setting controls how the cimserver (i.e. the HTTPS port) is configured.  <p><span class=SpellE><span class=GramE><b>sslClientVerificationMode</b></span></span><br>
                         There are three possible settings: disabled, required, optional. There is no  This setting controls how the <span class=SpellE>cimserver</span> (i.e. the
                         "right" setting for this property. The default is disabled and it is fine to  HTTPS port) is configured. There are three possible settings: disabled,
                         leave the setting as disabled if you are going to use basic authentication to  required, optional. There is no &quot;right&quot; setting for this property.
                         authenticate all client requests. In many applications where a physical person  The default is disabled and it is fine to leave the setting as disabled if you
                         is there to supply a username and password, basic authentication is sufficient.  are going to use basic authentication to authenticate all client requests. In
                         Other environments may be heterogeneous, in which case it makes sense to allow  many applications where a physical person is there to supply a username and
                         both basic authentication and SSL certificate verification. The setting of this  password, basic authentication is sufficient. Other environments may be
                         variable also impacts what happens during the OpenSSL handshake:  heterogeneous, in which case it makes sense to allow both basic authentication
                 </p>  and SSL certificate verification. The setting of this variable also impacts
                 <ul>  what happens during the <span class=SpellE>OpenSSL</span> handshake: </p>
                         <li>  
                                 <b>"required"</b>  <ul type=disc>
                         -- The server requires that the client certificate be trusted in order for the   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         handshake to continue. If the client fails to send a certificate or sends an       mso-list:l4 level1 lfo9;tab-stops:list .5in'><b>&quot;<span class=GramE>required</span>&quot;</b>
                         untrusted certificate, the handshake is immediately terminated.       -- The server requires that the client certificate be trusted in order for
                         <li>       the handshake to continue. If the client fails to send a certificate or
                                 <b>"optional"</b> -- The server will request that a client certificate be sent,       sends an <span class=SpellE>untrusted</span> certificate, the handshake is
                                 but will continue the handshake even if no certificate is received. If       immediately terminated. </li>
                                 authentication is enabled, the server will seek to authenticate the client via   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 an alternative method of authentication. <font style="COLOR: rgb(0,0,0)" color="magenta">       mso-list:l4 level1 lfo9;tab-stops:list .5in'><b>&quot;<span class=GramE>optional</span>&quot;</b>
                                         As of 2.5.1, if a certificate is sent but it is not validated, the handshake       -- The server will request that a client certificate be sent, but will
                                         will fail. <i>Before 2.5.1,the handshake would have continued and basic       continue the handshake even if no certificate is received. If
                                                 authentication would have proceeded.</i></font>       authentication is enabled, the server will seek to authenticate the client
                         <li>       via an alternative method of authentication. <span style='color:black'>As
                                 <b>"disabled"</b> -- The server will not prompt the client for a certificate. <i>This       of 2.5.1, if a certificate is sent but it is not validated, the handshake
                                         is the default.</i></li>       will fail. <i>Before 2.5.1<span class=GramE>,the</span> handshake would
                 </ul>       have continued and basic authentication would have proceeded.</i></span> </li>
                 Pegasus currently ties a certificate to a valid OS user. Multiple certificates   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                 may be registered to the same user. When a certificate is authenticated,       mso-list:l4 level1 lfo9;tab-stops:list .5in'><b>&quot;<span class=GramE>disabled</span>&quot;</b>
                 Pegasus views it in the same way as if a user was authenticated via basic       -- The server will not prompt the client for a certificate. <i>This is the
                 authentication. The providers receive the username that the certificate was       default.</i></li>
                 mapped to. See the SSL Authorization section for more information.  </ul>
                 <p><b>sslTrustStore</b><br>  
                         This setting controls the truststore for the cimserver's HTTPS connection. It  <p class=MsoNormal>Pegasus currently ties a certificate to a valid OS user.
                         can be either a directory or a single root CA file. When set to a directory, it  Multiple certificates may be registered to the same user. When a certificate is
                         is recommended that you use the cimtrust CLI to populate the truststore as  authenticated, Pegasus views it in the same way as if a user was authenticated
                         there are strict naming requirements for trusted certificate files. See the <a href="#CLI">  via basic authentication. The providers receive the username that the
                                 cimtrust &amp; cimcrl CLI</a> section for further information.  certificate was mapped to. See the SSL Authorization section for more
                 </p>  information. </p>
                 <p><b>sslTrustStoreUserName</b><br>  
                         This setting is only utilized if the sslTrustStore is a single CA file. It is  <p><span class=SpellE><span class=GramE><b>sslTrustStore</b></span></span><br>
                         not used if the sslTrustStore setting is a directory, but it still must be set  This setting controls the <span class=SpellE>truststore</span> for the <span
                         to a valid system user. This is because the validation of the property is done  class=SpellE>cimserver's</span> HTTPS connection. It can be either a directory
                         independently of the sslTrustStore setting. This property represents the valid  or a single root CA file. When set to a directory, it is recommended that you
   use the <span class=SpellE>cimtrust</span> CLI to populate the <span
   class=SpellE>truststore</span> as there are strict naming requirements for
   trusted certificate files. See the <a href="#CLI"><span class=SpellE>cimtrust</span>
   &amp; <span class=SpellE>cimcrl</span> CLI</a> section for further information.
   </p>
   
   <p><span class=SpellE><span class=GramE><b>sslTrustStoreUserName</b></span></span><br>
   This setting is only utilized if the <span class=SpellE>sslTrustStore</span> is
   a single CA file. It is not used if the <span class=SpellE>sslTrustStore</span>
   setting is a directory, but it still must be set to a valid system user. This
   is because the validation of the property is done independently of the <span
   class=SpellE>sslTrustStore</span> setting. This property represents the valid
                         OS user that corresponds to the root certificate. All requests authenticated                         OS user that corresponds to the root certificate. All requests authenticated
                         with a certificate under the root CA will be associated with this user and the                         with a certificate under the root CA will be associated with this user and the
                         username will be propagated to providers. If applications desire for there to                         username will be propagated to providers. If applications desire for there to
                         be a one-to-one correspondence between users and certificates, it is                         be a one-to-one correspondence between users and certificates, it is
                         recommended that each certificate be registered individually using the <a href="#CLI">  recommended that each certificate be registered individually using the <a
                                 cimtrust CLI</a>.  href="#CLI"><span class=SpellE>cimtrust</span> CLI</a>. </p>
                 </p>  
                 <p>  <p><span class=SpellE><span class=GramE><b>crlStore</b></span></span><br>
                         <b>crlStore</b><br>  This is where the CRL (Certificate Revocation List) store resides. It is important
                         This is where the CRL (Certificate Revocation List) store resides. It is  to note that certificates are checked first against the CRL (if specified) and
                         important to note that certificates are checked first against the CRL (if  then against the server <span class=SpellE>truststore</span>. The <a href="#CLI"><span
                         specified) and then against the server truststore. The <a href="#CLI">cimcrl CLI</a>  class=SpellE>cimcrl</span> CLI</a> should be used for CRL management. </p>
                         should be used for CRL management.  
                 </p>  
                 <h4>Configuration Limitations</h4>                 <h4>Configuration Limitations</h4>
                 The following are configuration limitations:  
                 <ul>  <p class=MsoNormal>The following are configuration limitations: </p>
                         <li>  
                                 The x509 server certificate file cannot be encrypted. The reason for this is  <ul type=disc>
                                 that there is currently no mechanism in Pegasus to grab the password needed to   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 unencrypt it. Therefore, the best way to secure the file is to follow the file       mso-list:l2 level1 lfo10;tab-stops:list .5in'>The x509 server certificate
                                 permissions settings specified in <a href="#CERTS">Creating SSL Certificates.</a>       file cannot be encrypted. The reason for this is that there is currently
                         <li>       no mechanism in Pegasus to grab the password needed to <span class=SpellE>unencrypt</span>
                                 There is no property to specify supported cipher lists at this time. Pegasus       it. Therefore, the best way to secure the file is to follow the file
                                 uses the default OpenSSL cipher list. The cipher lists can be found at <a href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">       permissions settings specified in <a href="#CERTS">Creating SSL
                                         http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> and       Certificates.</a> </li>
                                 <a href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l2 level1 lfo10;tab-stops:list .5in'>There is no property to
                         The verification depth cannot be specified. Pegasus uses the default OpenSSL       specify supported cipher lists at this time. Pegasus uses the default <span
                         depth of 9. This means the OpenSSL will only accept client certificate chains       class=SpellE>OpenSSL</span> cipher list. The cipher lists can be found at <a
                         up to 9 levels deep.       href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a>
                         <li>       and <a
                                 No hostname checking is performed to ensure that the subject field of the       href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a>
                                 distinguished name (DN) matches the hostname.</li>       </li>
                 </ul>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                 <h3><a name="DESIGN">SSL Design Question List</a></h3>       mso-list:l2 level1 lfo10;tab-stops:list .5in'>The verification depth
                 <p>The following questions may be helpful in determining how to configure Pegasus       cannot be specified. Pegasus uses the default <span class=SpellE>OpenSSL</span>
                         CIM Server.</p>       depth of 9. This means the <span class=SpellE>OpenSSL</span> will only
                 <b>Should I enable the HTTPS port?</b><br>       accept client certificate chains up to 9 levels deep. </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l2 level1 lfo10;tab-stops:list .5in'>No hostname checking is
        performed to ensure that the subject field of the distinguished name (DN)
        matches the hostname.</li>
   </ul>
   
   <h3><a name=DESIGN>SSL Design Question List</a></h3>
   
   <p>The following questions may be helpful in determining how to configure
   Pegasus CIM Server.</p>
   
   <p class=MsoNormal><b>Should I enable the HTTPS port?</b><br>
                 Yes, especially if you are sending passwords with requests. The HTTP port can                 Yes, especially if you are sending passwords with requests. The HTTP port can
                 be disabled for additional security if desired.  be disabled for additional security if desired. <br>
                 <br>  <b>Should I configure the CIMOM to use a <span class=SpellE>truststore</span>?</b><br>
                 <b>Should I configure the CIMOM to use a truststore?</b><br>  
                 This depends on the infrastructure of the application. If all clients are using                 This depends on the infrastructure of the application. If all clients are using
                 basic authentication over the secure port (and the passwords are secured), then                 basic authentication over the secure port (and the passwords are secured), then
                 a truststore may not be needed. If an application does not want to store  a <span class=SpellE>truststore</span> may not be needed. If an application
                 user/pw information, then it is a good idea to use a certificate-based  does not want to store user/<span class=SpellE>pw</span> information, then it
                 infrastructure. If a CIMOM certificate is compromised, the cimserver and the  is a good idea to use a certificate-based infrastructure. If a CIMOM
   certificate is compromised, the <span class=SpellE>cimserver</span> and the
                 providers of the system are compromised. The severity of this scenario is                 providers of the system are compromised. The severity of this scenario is
                 dependent on the resources the providers have access to. If an OS password is                 dependent on the resources the providers have access to. If an OS password is
                 compromised, the entire system may be compromised. If using peer verification,                 compromised, the entire system may be compromised. If using peer verification,
                 it is important to ensure that 1) the cimserver is properly configured to use a  it is important to ensure that 1) the <span class=SpellE>cimserver</span> is
                 truststore, 2) the truststore is loaded properly and protected, and 3)  properly configured to use a <span class=SpellE>truststore</span>, 2) the <span
   class=SpellE>truststore</span> is loaded properly and protected, and 3)
                 authorization checks are performed after a certificate is verified. These same                 authorization checks are performed after a certificate is verified. These same
                 conditions also apply to a client that is verifying a server.<br>                 conditions also apply to a client that is verifying a server.<br>
                 <b>Should I use a self-signed certificate or one issued by a third-party                 <b>Should I use a self-signed certificate or one issued by a third-party
                         certificate authority?</b><br>                         certificate authority?</b><br>
                 Generally, scalability will determine whether it's appropriate to use a  Generally, scalability will determine whether it's appropriate to use a self-signed
                 self-signed certificate or one issued by Verisign or another third-party  certificate or one issued by <span class=SpellE>Verisign</span> or another
                 certificate authority. If an administrator administrates their self-signed  third-party certificate authority. If an administrator administrates their
                 certificates correctly, they are no less secure than one issued by a CA. What a  self-signed certificates correctly, they are no less secure than one issued by
                 CA buys you is scalability. An up front cost of setting up a CA relationship  a CA. What a CA buys you is scalability. An up front cost of setting up a CA
                 will be offset by the convenience of having that CA "vouch" for certs it has  relationship will be offset by the convenience of having that CA
                 signed, in large deployments. In small deployments the incremental cost might  &quot;vouch&quot; for <span class=SpellE>certs</span> it has signed, in large
                 never outweigh the initial CA-setup cost.  deployments. In small deployments the incremental cost might never outweigh the
                 <br>  initial CA-setup cost. <br>
                 One important thing to remember is that you should not use the same certificate                 One important thing to remember is that you should not use the same certificate
                 for multiple CIMOMs. If using a self-signed certificate, a different one should  for multiple <span class=SpellE>CIMOMs</span>. If using a self-signed
                 be generated for each CIMOM, using some unique piece of data to make them  certificate, a different one should be generated for each CIMOM, using some
                 different. That way, if one of the certificates is compromised, the other ones  unique piece of data to make them different. That way, if one of the
                 remain secure.  certificates is compromised, the other ones remain secure. <br>
                 <br>  <b>Should the <span class=SpellE>truststore</span> be a single root CA file or
                 <b>Should the truststore be a single root CA file or a directory?</b><br>  a directory?</b><br>
                 If you only anticipate connections from a narrowly defined set of clients, then                 If you only anticipate connections from a narrowly defined set of clients, then
                 a single root CA certificate file should be sufficient. Alternatively, multiple                 a single root CA certificate file should be sufficient. Alternatively, multiple
                 trusted certificates may be stored in PEM format inside of a single CA file. If                 trusted certificates may be stored in PEM format inside of a single CA file. If
                 you anticipate getting requests from a heterogeneous set of clients, then it                 you anticipate getting requests from a heterogeneous set of clients, then it
                 probably makes sense to use the directory option to allow flexibility in the                 probably makes sense to use the directory option to allow flexibility in the
                 future. In the latter scenario, the same single root CA file can still be used                 future. In the latter scenario, the same single root CA file can still be used
                 with the additional step of using cimtrust to register it. It's important to  with the additional step of using <span class=SpellE>cimtrust</span> to
                 note that when registering a root CA, only one user can be associated with ALL  register it. It's important to note that when registering a root CA, only one
                 certificates under that CA. Following the principle of least privilege, it is  user can be associated with ALL certificates under that CA. Following the
                 not a good idea to register a root CA to a privileged user if lesser privileged  principle of least privilege, it is not a good idea to register a root CA to a
                 users will be connecting with it.  privileged user if lesser privileged users will be connecting with it. <br>
                 <br>  <b>How do I protect the <span class=SpellE>keystore</span> and the <span
                 <b>How do I protect the keystore and the truststore?</b><br>  class=SpellE>truststore</span>?</b><br>
                 The server's private key should always be protected; it is private for a                 The server's private key should always be protected; it is private for a
                 reason. Only the system administrator should be able to see it. The public                 reason. Only the system administrator should be able to see it. The public
                 certificate can be viewed by anyone, however, it should be protected from  certificate can be viewed by <span class=GramE>anyone,</span> however, it
                 alteration by system users. Similarly, any truststore or CRL file or directory  should be protected from alteration by system users. Similarly, any <span
                 should also be protected from alteration. See <a href="#CERTS">Creating SSL  class=SpellE>truststore</span> or CRL file or directory should also be
                         Certificates</a> for the recommended file privileges.  protected from alteration. See <a href="#CERTS">Creating SSL Certificates</a>
                 <br>  for the recommended file privileges. <br>
                 <b>When do I need to use a CRL?</b><br>                 <b>When do I need to use a CRL?</b><br>
                 Certificate Revocation Lists are regularly issued by CA's. They contain a list                 Certificate Revocation Lists are regularly issued by CA's. They contain a list
                 of certificates that have been revoked. Any application using a CA certificate                 of certificates that have been revoked. Any application using a CA certificate
                 in its truststore should also implement CRLs (if the CA supports them). Pegasus  in its <span class=SpellE>truststore</span> should also implement <span
                 itself does not check CRL validity dates during startup. Therefore, it is the  class=SpellE>CRLs</span> (if the CA supports them). Pegasus itself does not
                 responsibility of the administrator to regularly download or acquire the CRL  check CRL validity dates during startup. Therefore, it is the responsibility of
                 and import it into the CRL store using the <a href="#CLI">cimcrl CLI</a>. <font style="COLOR: rgb(0,0,0)" color="magenta">  the administrator to regularly download or acquire the CRL and import it into
                         CRLs are not checked for expiration during the SSL callback. This means that if  the CRL store using the <a href="#CLI"><span class=SpellE>cimcrl</span> CLI</a>.
                         a CRL for a particular issuer has expired, Pegasus still accepts certificates  <span class=SpellE><span style='color:black'>CRLs</span></span><span
                         from the issuer and uses the expired CRL as the latest. Again, it is the  style='color:black'> are not checked for expiration during the SSL callback.
                         responsibility of the administrator to ensure the CRL is up to date. CRLs are  This means that if a CRL for a particular issuer has expired, Pegasus still
                         not checked for critical extensions during CRL verification. If a CRL contains  accepts certificates from the issuer and uses the expired CRL as the latest.
                         a critical extension it will be ignored. </font>  Again, it is the responsibility of the administrator to ensure the CRL is up to
                 <br>  date. <span class=SpellE>CRLs</span> are not checked for critical extensions
   during CRL verification. If a CRL contains a critical extension it will be
   ignored. </span><br>
                 If using self-signed certificates, however, a CRL is most likely not needed                 If using self-signed certificates, however, a CRL is most likely not needed
                 (You can create a self-signed CRL but it is not really necessary). Because of                 (You can create a self-signed CRL but it is not really necessary). Because of
                 this, the certificate deletion option available via cimtrust is primarily  this, the certificate deletion option available via <span class=SpellE>cimtrust</span>
                 intended for self-signed certificates. Technically, CRL's are the correct way  is primarily intended for self-signed certificates. Technically, <span
                 to revoke compromised or invalid certificates.  class=SpellE>CRL's</span> are the correct way to revoke compromised or invalid
                 <br>  certificates. <br>
                 <b>What is the order of operations for certificate verification?</b><br>                 <b>What is the order of operations for certificate verification?</b><br>
                 The certificate is checked against any CRLs first before going through the rest  The certificate is checked against any <span class=SpellE>CRLs</span> first
                 of the verification process. Verification starts with the root certificate and  before going through the rest of the verification process. Verification starts
                 continues down to the peer certificate. If verification fails at any of these  with the root certificate and continues down to the peer certificate. If
                 points, the certificate is considered untrusted and the verification process  verification fails at any of these points, the certificate is considered <span
                 reports an error.  class=SpellE>untrusted</span> and the verification process reports an error. </p>
                 <h3><a name="TRUSTSTORE">Truststore Management</a></h3>  
                 There are two directions of trust in an SSL client-server handshake: The client  <h3><a name=TRUSTSTORE></a><span class=SpellE><span style='mso-bookmark:TRUSTSTORE'>Truststore</span></span><span
                 trusts the server. The server trusts the client. Pegasus provides a way to  style='mso-bookmark:TRUSTSTORE'> Management</span></h3>
                 implement one or both of these relationships. Ideally, an application should  
                 support both levels of trust for maximum security and this is the  <p class=MsoNormal>There are two directions of trust in an SSL client-server
                 implementation Pegasus recommends. However, in some scenarios it may make sense  handshake: The client trusts the server. The server trusts the client. Pegasus
                 to only implement one of these; in that case, it is possible to override the  provides a way to implement one or both of these relationships. Ideally, an
                 client or the server to "trust all certificates." For example, if all clients  application should support both levels of trust for maximum security and this
                 will be using basic authentication over HTTPS, then the server can be setup to  is the implementation Pegasus recommends. However, in some scenarios it may
                 "trust all client certificates."  make sense to only implement one of these; in that case, it is possible to override
                 <p>  the client or the server to &quot;trust all certificates.&quot; For example, if
                         To tell the cimserver to require that all clients be trusted, simply set the  all clients will be using basic authentication over HTTPS, then the server can
                         sslClientVerification<font style="COLOR: rgb(0,0,0)" color="magenta">Mode</font>  be setup to &quot;trust all client certificates.&quot; </p>
                         property to "required."<br>  
                         To tell the cimserver to trust all clients, set the sslClientVerification<font style="COLOR: rgb(0,0,0)" color="magenta">Mode</font>  <p>To tell the <span class=SpellE>cimserver</span> to require that all clients
                         property to "disabled" or "optional".  be trusted, simply set the <span class=SpellE>sslClientVerification<span
                 </p>  style='color:black'>Mode</span></span> property to &quot;required.&quot;<br>
   To tell the <span class=SpellE>cimserver</span> to trust all clients, set the <span
   class=SpellE>sslClientVerification<span style='color:black'>Mode</span></span>
   property to &quot;disabled&quot; or &quot;optional&quot;. </p>
   
                 <p>The SSL verification in Pegasus is independent of any other authentication                 <p>The SSL verification in Pegasus is independent of any other authentication
                         mechanism. It can still be utilized when authentication is disabled. When                         mechanism. It can still be utilized when authentication is disabled. When
                         authentication is enabled, the first line of defense is SSL client                         authentication is enabled, the first line of defense is SSL client
                         verification. <font style="COLOR: rgb(0,0,0)" color="magenta">In situations where a  verification. <span style='color:black'>In situations where a client is not
                                 client is not authenticated by SSL because the client sent no certificate and  authenticated by SSL because the client sent no certificate and the setting is
                                 the setting is "optional", the server will attempt to authenticate the client  &quot;optional&quot;, the server will attempt to authenticate the client via
                                 via another method of authentication . In this case, the authentication  another method of <span class=GramE>authentication .</span> In this case, the
                                 mechanism specified by the configuration property "httpAuthType" will be used  authentication mechanism specified by the configuration property &quot;<span
                                 for remote connections and local authentication will be used for local  class=SpellE>httpAuthType</span>&quot; will be used for remote connections and
                                 connections. In situations where a client is not authenticated by SSL because  local authentication will be used for local connections. In situations where a
                                 the client certificate was invalid, the handshake will be terminated.  client is not authenticated by SSL because the client certificate was invalid,
                                 <br>  the handshake will be terminated. <br>
                                 <i>Note: Before 2.5.1, in the latter case, authentication would have proceeded in  <i>Note: Before 2.5.1, in the latter case, authentication would have proceeded
                                         the same way as if the client had sent no certificate. To enable the legacy  in the same way as if the client had sent no certificate. To enable the legacy
                                         behavior, the compile-time flag PEGASUS_OVERRIDE_SSL_CERT_VERIFICATION_RESULT                                         behavior, the compile-time flag PEGASUS_OVERRIDE_SSL_CERT_VERIFICATION_RESULT
                                         should be defined.</i> </font>  should be defined.</i> </span></p>
                 </p>  
                 <p>See the <a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a> section  <p>See the <a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a>
                         below on how to setup the client's truststore.  section below on how to setup the client's <span class=SpellE>truststore</span>.
                 </p>  </p>
                 <h3><a name="CLI">cimtrust &amp; cimcrl CLI</a></h3>  
                 cimtrust CLI may be used to add, remove or list X509 certificates in a PEM  <h3><a name=CLI></a><span class=SpellE><span class=GramE><span
                 format truststore. cimcrl CLI may be used to add, remove or list X509  style='mso-bookmark:CLI'>cimtrust</span></span></span><span style='mso-bookmark:
                 Certificate Revocation Lists in a PEM format CRL store. The CLIs interface with  CLI'> &amp; <span class=SpellE>cimcrl</span> CLI</span></h3>
                 a Certificate control provider that runs as part of Pegasus's core. It operates  
                 on the PG_SSLCertificate and PG_SSLCertificateRevocationList classes in  <p class=MsoNormal><span class=SpellE><span class=GramE>cimtrust</span></span>
                 root/PG_Internal. It is recommended that the CLIs be used in place of manual  CLI may be used to add, remove or list X509 certificates in a PEM format <span
                 configuration for several reasons:  class=SpellE>truststore</span>. <span class=SpellE><span class=GramE>cimcrl</span></span>
                 <ul>  CLI may be used to add, remove or list X509 Certificate Revocation Lists in a
                         <li>  PEM format CRL store. The <span class=SpellE>CLIs</span> interface with a
                         OpenSSL places strict naming restrictions on certificates and CRLs in a  Certificate control provider that runs as part of Pegasus's core. It operates
                         directory (the files are looked up via a subject hash code)  on the <span class=SpellE>PG_SSLCertificate</span> and <span class=SpellE>PG_SSLCertificateRevocationList</span>
                         <li>  classes in root/<span class=SpellE>PG_Internal</span>. It is recommended that
                                 Certificate instances are stored in the repository along with the corresponding  the <span class=SpellE>CLIs</span> be used in place of manual configuration for
                                 username. If the certificate is not properly registered, the username mapping  several reasons: </p>
                                 will fail.<font color="magenta">  
                                         <span style="COLOR: rgb(0,0,0)">cimtrust CLI supports the  <ul type=disc>
 ability to register a certificate without a username for root   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
 certificates and intermediate certificates, since these certificates       mso-list:l13 level1 lfo11;tab-stops:list .5in'><span class=SpellE>OpenSSL</span>
 represent a collection of users. In this scenario, each leaf       places strict naming restrictions on certificates and <span class=SpellE>CRLs</span>
 certificate must be registered to an individual user. See the       in a directory (the files are looked up via a subject hash code) </li>
 Authorization section for more information on username validation.</span></font>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l13 level1 lfo11;tab-stops:list .5in'>Certificate instances are
                                 <font color="magenta">       stored in the repository along with the corresponding username. If the
                                         <span style="COLOR: rgb(0,0,0)">The CLIs,       certificate is not properly registered, the username mapping will fail.<span
 or more correctly the provider they operate on, supports dynamic       style='color:fuchsia'> </span><span class=SpellE><span class=GramE><span
 deletion of certificates by resetting the cimserver's SSL context.</span>       style='color:black'>cimtrust</span></span></span><span style='color:black'>
                                 </font>       CLI supports the ability to register a certificate without a username for
                         Normally, you would need to stop and start the cimserver to accomplish this.       root certificates and intermediate certificates, since these certificates
                         <li>       represent a collection of users. In this scenario, each leaf certificate
                                 The CLIs, or more correctly the provider they operate on, performs a ton of       must be registered to an individual user. See the Authorization section
                                 error checking you would not get by manually configuring the stores. This       for more information on username validation.</span> </li>
                                 alerts the administrator to various error conditions (e.g. the certificate   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l13 level1 lfo11;tab-stops:list .5in'><span style='color:black'>The
        <span class=SpellE>CLIs</span>, or more correctly the provider they
        operate on, supports dynamic deletion of certificates by resetting the <span
        class=SpellE>cimserver's</span> SSL context.</span><span style='color:
        fuchsia'> </span>Normally, you would need to stop and start the <span
        class=SpellE>cimserver</span> to accomplish this. </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l13 level1 lfo11;tab-stops:list .5in'>The <span class=SpellE>CLIs</span>,
        or more correctly the provider they operate on, performs a ton of error
        checking you would not get by manually configuring the stores. This alerts
        the administrator to various error conditions (e.g. the certificate
                                 expired) associated with a certificate or CRL.</li>                                 expired) associated with a certificate or CRL.</li>
                 </ul>                 </ul>
                 The CIMOM must be up and running while executing cimtrust/cimcrl CLI. The  
                 cimtrust and cimcrl manpages provide more information on commands and syntax.  <p class=MsoNormal>The CIMOM must be up and running while executing <span
                 <h3><a name="CLIENT">Configuring the Pegasus CIM Client for SSL</a></h3>  class=SpellE>cimtrust/cimcrl</span> CLI. The <span class=SpellE>cimtrust</span>
                 <p>  and <span class=SpellE>cimcrl</span> <span class=SpellE>manpages</span> provide
                         A Pegasus CIM client can be configured to use SSL by using a constructor that  more information on commands and syntax. </p>
                         takes an SSLContext. The construction of the SSLContext is really what controls  
                         the behavior of the client during the SSL handshake. Without going into minute  <h3><a name=CLIENT>Configuring the Pegasus CIM Client for SSL</a></h3>
                         details about what happens under the covers, here is a description of the  
                         various SSLContext constructor parameters.  <p>A Pegasus CIM client can be configured to use SSL by using a constructor
                 </p>  that takes an <span class=SpellE>SSLContext</span>. The construction of the <span
                 <p>  class=SpellE>SSLContext</span> is really what controls the behavior of the
                         Here's a code snippet that shows how to call a client constructor that connects  client during the SSL handshake. Without going into minute details about what
                         to a server over SSL and can present its own trusted certificate if the server  happens under the covers, here is a description of the various <span
                         requests it. In this scenario, the client also checks the server certificate  class=SpellE>SSLContext</span> constructor parameters. </p>
                         against its truststore and specifies an additional callback in addition to the  
                         default one (the user-specified callback is optional and can be set to null).  <p>Here's a code snippet that shows how to call a client constructor that
                 </p>  connects to a server over SSL and can present its own trusted certificate if
                 <ul>  the server requests it. In this scenario, the client also checks the server
                         <font face="courier">client.connect( hostname, port, <b>SSLContext(trustStore,  certificate against its <span class=SpellE>truststore</span> and specifies an
                                         certPath, keyPath, verifyCert, randomFile),</b> username, password); </font>  additional callback in addition to the default one (the user-specified callback
                 </ul>  is optional and can be set to null). </p>
                 <p></p>  
                 <p>  <p class=MsoNormal style='margin-left:.5in'><span class=SpellE><span
                         Here's a code snippet that shows how to call a client constructor that connects  class=GramE><span style='font-family:Courier'>client.connect</span></span></span><span
                         to a server over SSL and does not possess its own trusted certificate. In this  class=GramE><span style='font-family:Courier'>(</span></span><span
                         scenario, the client also checks the server certificate against its truststore.  style='font-family:Courier'> hostname, port, <span class=SpellE><b>SSLContext</b></span><b>(<span
                 </p>  class=SpellE>trustStore</span>, <span class=SpellE>certPath</span>, <span
                 <ul>  class=SpellE>keyPath</span>, <span class=SpellE>verifyCert</span>, <span
                         <font face="courier">client.connect( hostname, port, <b>SSLContext(trustStore, NULL,  class=SpellE>randomFile</span>),</b> username, password); </span></p>
                                         randomFile),</b> username password); </font>  
                 </ul>  <p>Here's a code snippet that shows how to call a client constructor that
                 <p></p>  connects to a server over SSL and does not possess its own trusted certificate.
                 <ul>  In this scenario, the client also checks the server certificate against its <span
                         <li>  class=SpellE>truststore</span>. </p>
                                 <b>trustStore</b>  
                         -- This specifies the truststore that the client uses to verify server  <p class=MsoNormal style='margin-left:.5in'><span class=SpellE><span
                         certificates. It can be String::EMPTY if no truststore exists.  class=GramE><span style='font-family:Courier'>client.connect</span></span></span><span
                         <li>  class=GramE><span style='font-family:Courier'>(</span></span><span
                                 <b>certPath</b>  style='font-family:Courier'> hostname, port, <span class=SpellE><b>SSLContext</b></span><b>(<span
                         -- This specifies the x509 certificate of the client that will be sent during  class=SpellE>trustStore</span>, NULL, <span class=SpellE>randomFile</span>),</b>
                         an SSL handshake. Note that this certificate will only be sent if the server  username password); </span></p>
                         requests it. If this option is specified, the keyPath parameter must also be  
                         specified.  <ul type=disc>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 <b>keyPath</b>       mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
                         -- This specifies the private key of the client. If this option is specified,       class=GramE><b>trustStore</b></span></span> -- This specifies the <span
                         the certPath parameter must also be specified.       class=SpellE>truststore</span> that the client uses to verify server
                         <li>       certificates. It can be <span class=SpellE>String::EMPTY</span> if no <span
                                 <b>crlPath</b>       class=SpellE>truststore</span> exists. </li>
                         -- This specifies an optional CRL store path. The client checks the CRL list   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         first, before attempting any further authentication, including the       mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
                         user-specified callback.       class=GramE><b>certPath</b></span></span> -- This specifies the x509
                         <li>       certificate of the client that will be sent during an SSL handshake. Note
                                 <b>verifyCert</b>       that this certificate will only be sent if the server requests it. If this
                         -- This is a user-specified verification callback. If this is set to null, the       option is specified, the <span class=SpellE>keyPath</span> parameter must
                         default OpenSSL verification callback will be executed. You can implement this       also be specified. </li>
                         method to "trust all servers" or to perform additional authentication checks   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         that OpenSSL does not perform by default.       mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
                         <li>       class=GramE><b>keyPath</b></span></span> -- This specifies the private key
                                 <b>randomFile</b> -- A file to seed the pseudo random number generator (PRNG).</li>       of the client. If this option is specified, the <span class=SpellE>certPath</span>
        parameter must also be specified. </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
        class=GramE><b>crlPath</b></span></span> -- This specifies an optional CRL
        store path. The client checks the CRL list first, before attempting any
        further authentication, including the user-specified callback. </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
        class=GramE><b>verifyCert</b></span></span> -- This is a user-specified
        verification callback. If this is set to null, the default <span
        class=SpellE>OpenSSL</span> verification callback will be executed. You
        can implement this method to &quot;trust all servers&quot; or to perform
        additional authentication checks that <span class=SpellE>OpenSSL</span>
        does not perform by default. </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
        class=GramE><b>randomFile</b></span></span> -- A file to seed the pseudo
        random number generator (PRNG).</li>
                 </ul>                 </ul>
   
                 <p>Here are some general guidelines on implementing peer verification for the                 <p>Here are some general guidelines on implementing peer verification for the
                         client:  client: </p>
                 </p>  
                 <ul>  <ul type=disc>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         The client should enable peer verification by specifying a truststore and       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should enable
                         (optionally) a user-specified callback function.       peer verification by specifying a <span class=SpellE>truststore</span> and
                         <li>       (optionally) a user-specified callback function. </li>
                         The client should employ a truststore in order to properly verify the server.   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         The truststore should contain a file or directory of trusted CA certificates.       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should employ a <span
                         The cimtrust CLI cannot be used to configure client truststores. The trusted       class=SpellE>truststore</span> in order to properly verify the server. The
                         certificate(s) should be placed in a protected file or directory specified by       <span class=SpellE>truststore</span> should contain a file or directory of
                         the trustStore parameter. Keep in mind that the SSL context generally has to be       trusted CA certificates. The <span class=SpellE>cimtrust</span> CLI cannot
                         reloaded to pick up any truststore changes.       be used to configure client <span class=SpellE>truststores</span>. The
                         <li>       trusted certificate(s) should be placed in a protected file or directory
                         The client could also use a user-specified callback in addition to the default       specified by the <span class=SpellE>trustStore</span> parameter. Keep in
                         verification callback, if additional verifications are desired over the normal       mind that the SSL context generally has to be reloaded to pick up any <span
                         checks that OpenSSL performs. In most cases, the default verification callback       class=SpellE>truststore</span> changes. </li>
                         is sufficient for checking server certificates.   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         <li>       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client could also use a
                         The client should ensure that adequate entropy is attained.       user-specified callback in addition to the default verification callback,
                         <li>       if additional verifications are desired over the normal checks that <span
                         The client should use a CRL store if the truststore contains CA certificates       class=SpellE>OpenSSL</span> performs. In most cases, the default
                         that support one.       verification callback is sufficient for checking server certificates. </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         The client should only use the SSLv3 and TLSv1 protocols. By default, Pegasus       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should ensure
                         is not built with SSLv2 support.       that adequate entropy is attained. </li>
                         <li>   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                 The client should perform post-connection checks.       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should use a CRL
                                 <ul>       store if the <span class=SpellE>truststore</span> contains CA certificates
                                         <li>       that support one. </li>
                                                 Ensure a certificate was received.   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                                 <ul>       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should only use
                                                         <li>       the SSLv3 and TLSv1 protocols. By default, Pegasus is not built with SSLv2
                                                                 WARNING:&nbsp; In some implementations of SSL a NULL server certificate is       support. </li>
                                                                 perfectly valid and authenticates against all trust stores.&nbsp; If the client   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                                                 does not ensure a certificate exists then the client is not providing server       mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should perform
        post-connection checks. </li>
    <ul type=circle>
     <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
         auto;mso-list:l11 level2 lfo15;tab-stops:list 1.0in'>Ensure a certificate
         was received. </li>
     <ul type=square>
      <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
          auto;mso-list:l11 level3 lfo15;tab-stops:list 1.5in'>WARNING:&nbsp; In
          some implementations of SSL a NULL server certificate is perfectly valid
          and authenticates against all trust stores.&nbsp; If the client does not
          ensure a certificate exists then the client is not providing server
                                                                 authentication and could have a security bulletin class defect.</li>                                                                 authentication and could have a security bulletin class defect.</li>
                                                 </ul>                                                 </ul>
                                         <li>    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
                                                 Validate that the certificate received was issued to the host for which the        auto;mso-list:l11 level2 lfo15;tab-stops:list 1.0in'>Validate that the
                                                 client was attempting to connect.        certificate received was issued to the host for which the client was attempting
                                                 <ul>        to connect. </li>
                                                         <li>    <ul type=square>
                                                                 Ensure that the common name (CN) in the server’s certificate subject matches     <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
                                                                 the host name of the server.&nbsp; For X509v3 certificates, the “<span class="SpellE">SubjectAltName</span>”         auto;mso-list:l11 level3 lfo15;tab-stops:list 1.5in'>Ensure that the
                                                         fields in the certificate's extended attributes are also valid host names for         common name (CN) in the server’s certificate subject matches the host
                                                         the certificate.         name of the server.&nbsp; For X509v3 certificates, the “<span
                                                         <li>         class=SpellE><span class=spelle>SubjectAltName</span></span>” fields in
                                                                 WARNING:&nbsp; If the client does not ensure the host name of the server is the         the certificate's extended attributes are also valid host names for the
                                                                 same as one of the host names explicitly described in the server’s certificate,         certificate. </li>
                                                                 you have not authenticated the server’s identity.&nbsp; Any other server which     <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
                                                                 was issued a certificate from the same trusted CA can masquerade as the server         auto;mso-list:l11 level3 lfo15;tab-stops:list 1.5in'>WARNING:&nbsp; If
                                                                 unless the client performs the host name check.</li>         the client does not ensure the host name of the server is the same as
          one of the host names explicitly described in the server’s certificate,
          you have not authenticated the server’s identity.&nbsp; Any other server
          which was issued a certificate from the same trusted CA can masquerade
          as the server unless the client performs the host name check.</li>
                                                 </ul>                                                 </ul>
                                         <li>    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
                                                 Ensure that certificate verification methods/routines return no errors.</li>        auto;mso-list:l11 level2 lfo15;tab-stops:list 1.0in'>Ensure that
         certificate verification methods/routines return no errors.</li>
                                 </ul>                                 </ul>
                         </li>  
                 </ul>                 </ul>
                 <p>  
                         Because only the above arguments can be passed into the Pegasus SSLContext,  <p>Because only the above arguments can be passed into the Pegasus <span
                         there are some limitations in the client configuration:  class=SpellE>SSLContext</span>, there are some limitations in the client
                 </p>  configuration: </p>
                 <ul>  
                         <li>  <ul type=disc>
                         The verification depth cannot be specified. Pegasus uses the default OpenSSL   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                         depth of 9.       mso-list:l10 level1 lfo16;tab-stops:list .5in'>The verification depth
                         <li>       cannot be specified. Pegasus uses the default <span class=SpellE>OpenSSL</span>
                                 The cipher list cannot be specified. Pegasus uses the default OpenSSL cipher       depth of 9. </li>
                                 list. The cipher lists can be found at <a href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">   <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
                                         http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a> and       mso-list:l10 level1 lfo16;tab-stops:list .5in'>The cipher list cannot be
                                 <a href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a>       specified. Pegasus uses the default <span class=SpellE>OpenSSL</span>
                         <li>       cipher list. The cipher lists can be found at <a
                                 No hostname checking is performed to ensure that the subject field of the       href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a>
                                 distinguished name (DN) matches the hostname. If desired, a user-specified       and <a
                                 callback should be configured to perform this check or any additional checks       href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a>
                                 relevant to the application.</li>       </li>
    <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
        mso-list:l10 level1 lfo16;tab-stops:list .5in'>No hostname checking is
        performed to ensure that the subject field of the distinguished name (DN)
        matches the hostname. If desired, a user-specified callback should be
        configured to perform this check or any additional checks relevant to the
        application.</li>
                 </ul>                 </ul>
                 <h3><a name="AUTH">SSL Authorization</a></h3>  
   <h3><a name=AUTH>SSL Authorization</a></h3>
   
                 <p>The following paragraphs concern authorization of users authenticated by                 <p>The following paragraphs concern authorization of users authenticated by
                         certificate on the cimserver's HTTPS port.  certificate on the <span class=SpellE>cimserver's</span> HTTPS port. </p>
                 </p>  
                 <p>  <p>It is important to note that SSL certificates are verified during the
                         It is important to note that SSL certificates are verified during the initial  initial handshake, BEFORE any further authentication takes place. If a
                         handshake, BEFORE any further authentication takes place. If a certificate  certificate fails, the connection can be terminated immediately, resulting in a
                         fails, the connection can be terminated immediately, resulting in a connection  connection exception. This scenario will occur if the <span class=SpellE>sslClientVerification</span>
                         exception. This scenario will occur if the sslClientVerification property is  property is set to &quot;required&quot; and no certificate or an <span
                         set to "required" and no certificate or an untrusted certificate is sent.  class=SpellE>untrusted</span> certificate is sent. </p>
                 </p>  
                 <p>  <p>Further <b><i>authorization</i></b> checks must be performed when validating
                         Further <i><b>authorization</b></i> checks must be performed when validating  
                         the user that is mapped to the certificate. First, the user that is registered                         the user that is mapped to the certificate. First, the user that is registered
                         to the certificate is validated as a valid system user and a valid cimuser (if  to the certificate is validated as a valid system user and a valid <span
                         the cimuser function has been configured). <font color="magenta">  class=SpellE>cimuser</span> (if the <span class=SpellE>cimuser</span> function
                                 <span style="COLOR: rgb(0,0,0)">In the case of  has been configured). <span style='color:black'>In the case of a certificate
 a certificate chain, the username authorization starts with the leaf  chain, the username authorization starts with the leaf certificate. If it
 certificate. If it successfully finds a mapping  successfully finds a mapping for the leaf certificate, it continues; if there
 for the leaf certificate, it continues; if there is no username for the  is no username for the leaf certificate, the validation proceeds up to the root
 leaf certificate, the validation proceeds up to the root certificate.  certificate. If the root certificate is reached and there is still no mapped
 If the root certificate is reached and there is still no mapped  username, the authorization fails.</span><span style='color:fuchsia'> </span>Additionally,
 username, the authorization fails.</span>  if Pegasus was configured to use PAM, the <span class=SpellE>pam_acct_mgmt</span>
                         </font>Additionally, if Pegasus was configured to use PAM, the pam_acct_mgmt  
                         function will be called with the user that is mapped to the certificate. This                         function will be called with the user that is mapped to the certificate. This
                         ensures that any login conditions that would have been placed on a user                         ensures that any login conditions that would have been placed on a user
                         authenticated via basic authentication are still applied to a user                         authenticated via basic authentication are still applied to a user
                         authenticated via certificate. The pam_authenticate method will NOT be called.  authenticated via certificate. The <span class=SpellE>pam_authenticate</span>
                         Lastly, the providers must authorize the user. They receive the username that  method will NOT be called. Lastly, the providers must authorize the user. They
                         was mapped to the certificate in the OperationContext.  receive the username that was mapped to the certificate in the <span
                 </p>  class=SpellE>OperationContext</span>. </p>
                 <P>A provider may request the client's certificate chain information through its  
                         provider registration MOF. The "RequestedOperationContextContainers" property  <p>A provider may request the client's certificate chain information through
                         of PG_Provider should be set to include the "SSLCertificateChainContainer"  its provider registration MOF. The &quot;<span class=SpellE>RequestedOperationContextContainers</span>&quot;
                         value. If a client is authenticated via trusted certificate, then the container  property of <span class=SpellE>PG_Provider</span> should be set to include the
                         will include a certificate for each level in the client's certificate chain, up  &quot;<span class=SpellE>SSLCertificateChain</span>&quot; by setting the value “0”.
                         to a maximum depth of seven.</P>  If a client is authenticated via trusted certificate, then the container will
                 <P><SPAN style="FONT-FAMILY: Times">The behavior of this property is dependent on the overall  include a certificate for each level in the client's certificate chain, up to a
 CIMOM settings. The "enableHttpsConnection" configuration property must be set  maximum depth of seven.</p>
 to true for the property to have any effect. Additionally, the  
 "sslClientVerificationMode" configuration property must be set to either  <p><span style='font-family:Times'>The behavior of this property is dependent
 "required" or "optional". If "required" is specified, then the container will  on the overall CIMOM settings. The &quot;<span class=SpellE>enableHttpsConnection</span>&quot;
 always be populated. If "optional" is specified, the container will be populated  configuration property must be set to true for the property to have any effect.
 only if the client is authenticated via trusted certificate, as opposed to  Additionally, the &quot;<span class=SpellE>sslClientVerificationMode</span>&quot;
 another mechanism such as basic authentication. Because the container may not  configuration property must be set to either &quot;required&quot; or
 always be included in the OperationContext, providers should always check for  &quot;optional&quot;. If &quot;required&quot; is specified, then the container
 its existence before performing operations on it. See the SSLCertificateInfo  will always be populated. If &quot;optional&quot; is specified, the container
 class in Pegasus/Common/SSLContext.h for a full list of certificate parameters  will be populated only if the client is authenticated via trusted certificate,
 that the SSLCertificateChainContainer supports.  as opposed to another mechanism such as basic authentication. Because the
 <o:p></o:p></SPAN></P>  container may not always be included in the <span class=SpellE>OperationContext</span>,
                 <h3><a name="EXT">Critical Extension Handling</a></h3>  providers should always check for its existence before performing operations on
                 <p><font color="magenta"><span style="COLOR: rgb(0,0,0)">  it. See the <span class=SpellE>SSLCertificateInfo</span> class in
 The extensions defined for X.509 v3 certificates provide methods for  Pegasus/Common/<span class=SpellE>SSLContext.h</span> for a full list of
 associating additional attributes with users or public keys and for  certificate parameters that the <span class=SpellE>SSLCertificateChainContainer</span>
 managing the certification hierarchy. Each extension in a certificate  supports. <u1:p></u1:p></span></p>
 may be designated as critical or non-critical. Pegasus relies on the  
 underlying OpenSSL implementation to handle critical extensions  <h3><a name=EXT>Critical Extension Handling</a></h3>
 specified in a certificate. Please refer to the OpenSSL documentation  
 for more information on currently supported extensions in OpenSSL and  <p><span style='color:black'>The extensions defined for X.509 v3 certificates
 on the behavior of OpenSSL in the case of unhandled critical extensions.</span>  provide methods for associating additional attributes with users or public keys
                         </font>  and for managing the certification hierarchy. Each extension in a certificate
                 </p>  may be designated as critical or non-critical. Pegasus relies on the underlying
                 <h3><a name="RESOURCES">Resources</a></h3>  <span class=SpellE>OpenSSL</span> implementation to handle critical extensions
                 <p>  specified in a certificate. Please refer to the <span class=SpellE>OpenSSL</span>
                         For OpenSSL information pick up a copy of O'Reilly's Network Security with  documentation for more information on currently supported extensions in <span
                         OpenSSL or go to the OpenSSL Site:<br>  class=SpellE>OpenSSL</span> and on the behavior of <span class=SpellE>OpenSSL</span>
                         <a href="http://www.openssl.org">http://www.openssl.org</a>  in the case of unhandled critical extensions.</span><span style='color:fuchsia'>
                 </p>  </span></p>
                 <p>A really fabulous guide on certificate management and installation with OpenSSL:<br>  
   <h3><a name=RESOURCES>Resources</a></h3>
   
   <p>For <span class=SpellE>OpenSSL</span> information pick up a copy of
   O'Reilly's Network Security with <span class=SpellE>OpenSSL</span> or go to the
   <span class=SpellE>OpenSSL</span> Site<span class=GramE>:</span><br>
   <a href="http://www.openssl.org">http://www.openssl.org</a> </p>
   
   <p>A really fabulous guide on certificate management and installation with <span
   class=SpellE>OpenSSL</span><span class=GramE>:</span><br>
                         <a href="http://www.gagravarr.org/writing/openssl-certs/index.shtml">http://www.gagravarr.org/writing/openssl-certs/index.shtml</a>                         <a href="http://www.gagravarr.org/writing/openssl-certs/index.shtml">http://www.gagravarr.org/writing/openssl-certs/index.shtml</a>
                 </p>                 </p>
                 <p>x509 Certificate and CRL RFC:<br>  
   <p><span class=GramE>x509</span> Certificate and CRL RFC:<br>
                         <a href="http://www.ietf.org/rfc/rfc2459.txt?number=2459">http://www.ietf.org/rfc/rfc2459.txt?number=2459</a>                         <a href="http://www.ietf.org/rfc/rfc2459.txt?number=2459">http://www.ietf.org/rfc/rfc2459.txt?number=2459</a>
                 </p>                 </p>
                 <p>SSLv3 RFC:<br>  
                         <a href="http://wp.netscape.com/eng/ssl3/">http://wp.netscape.com/eng/ssl3</a>  <p>SSLv3 RFC<span class=GramE>:</span><br>
                 </p>  <a href="http://wp.netscape.com/eng/ssl3/">http://wp.netscape.com/eng/ssl3</a> </p>
                 <p>TLSv1 RFC:<br>  
   <p>TLSv1 RFC<span class=GramE>:</span><br>
                         <a href="http://www.ietf.org/rfc/rfc2246.txt">http://www.ietf.org/rfc/rfc2246.txt</a>                         <a href="http://www.ietf.org/rfc/rfc2246.txt">http://www.ietf.org/rfc/rfc2246.txt</a>
                 </p>                 </p>
                 <p>Basic Authentication RFC:<br>  
   <p>Basic Authentication RFC<span class=GramE>:</span><br>
                         <a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a>                         <a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a>
                 </p>                 </p>
                 <hr>  
                 <p><i><font size="2">Copyright (c) 2005 EMC Corporation; Hewlett-Packard Development  <div class=MsoNormal align=center style='text-align:center'>
                                         Company, L.P.; IBM Corp.; The Open Group; VERITAS Software Corporation</font><br>  
                                 <br>  <hr size=2 width="100%" align=center>
                                 <font size="1">Permission is hereby granted, free of charge, to any person  
                                         obtaining a copy&nbsp; of this software and associated documentation files (the  </div>
                                         "Software"), to deal in the Software without restriction, including without  
                                         limitation the rights to use, copy, modify, merge, publish, distribute,  <p><i><span style='font-size:10.0pt'>Copyright (c) 2005 EMC Corporation;
                                         sublicense, and/or sell copies of the Software, and to permit persons to whom  Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group; VERITAS
                                         the Software is furnished to do so, subject to the following conditions:</font><br>  Software Corporation</span><br>
                                 <font size="2">  
                                         <br>                                         <br>
                                 </font><font size="1">THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL  </i><i><span style='font-size:7.5pt'>Permission is hereby granted, free of
                                         BE INCLUDED IN ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE  charge, to any person obtaining a copy&nbsp; of this software and associated
                                         IS PROVIDED&nbsp; "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,  documentation files (the &quot;Software&quot;), to deal in the Software without
                                         INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A  restriction, including without limitation the rights to use, copy, modify,
                                         PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR  merge, publish, distribute, sublicense, and/or sell copies of the Software, and
                                         COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER  to permit persons to whom the Software is furnished to do so, subject to the
                                         IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN  following conditions:</span><br>
                                         CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</font></i></p>  </i><i><span style='font-size:10.0pt'><br>
                 <hr>  </span></i><i><span style='font-size:7.5pt'>THE ABOVE COPYRIGHT NOTICE AND THIS
   PERMISSION NOTICE SHALL BE INCLUDED IN ALL COPIES OR SUBSTANTIAL PORTIONS OF
   THE SOFTWARE. THE SOFTWARE IS PROVIDED<span class=GramE>&nbsp; &quot;</span>AS
   IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
   LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
   AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
   LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
   CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
   SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</span></i></p>
   
   <div class=MsoNormal align=center style='text-align:center'>
   
   <hr size=2 width="100%" align=center>
   
   </div>
   
   </div>
   
         </body>         </body>
   
 </html> </html>

