On 10/ 8/10 04:02 PM, Dave Miner wrote:
William, in a lot of ways I buy the proposal below, but there's a big question unanswered: can you share the certificates used for
wanboot with your proposed mechanism when we go to a secure solution? That is a requirement in order to go down this path.
Yes, they can be shared.
On the Apache server, the server certificate and key, and the Certificate Authority certificate must be available. The client
certificate is not required, nor is the CA key.
From the proposal, new installadm subcommands handle authentication:
installadm set-server -k <ssl_key> -c <ssl_certificate> [-A <CA
certificate>]
installadm set-client -k <client_ssl_key> -c <client_ssl_certificate> -a <CA
certificate> <client-ID>
For the server, if a single server instance is used for wanboot-cgi and for SC profiles, the lone copy of the server certificate is
named in Apache httpd.conf SSLCertificateFile, server key in SSLCertificateKeyFile, both PEM-encoded. The user runs installadm
set-server to specify the certificate and key. The CA certificate is also provided, and goes to SSLCACertificateFile, PEM-encoded.
Usually, there will be only one CA; hence, one CA certificate, pointed to by Apache httpd.conf SSLCACertificateFile, and
PEM-encoded. If there are multiple, they can be concatenated into SSLCACertificateFile. SPARC wanboot seems to require the CA
certificate and key packaged into PKCS#12 format (at this moment, I'm not certain that it absolutely requires the CA key, which
would simplify PKCS#12 encoding - I'm just not that far into wanboot code). 'openssl pkcs12' can convert PEM<->PKCS#12.
For client authentication, the user runs installadm set-client, providing client certificate/key and additional CA certificate, if
needed. (Internally, 'wanbootutil p12split/keymgmt' is leveraged.)
So, if the user uses set-server and set-client to configure authentication, then all information is available for Apache
configuration, so that wanboot-cgi is not needed for secure SC profiles. The one detail to resolve is which format to have the user
provide for the CA certificate: PKCS#12 version or separate PEM-encoded CA key and certificate (again, 'openssl pkcs12' can convert
either way).
If the user changes CA information and uses the proposed set-server/set-client subcommands, the Apache.conf SSLCACertificateFile can
be updated automatically. Apache must then be restarted.
William
_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
