William, I think the below sounds acceptable.
Dave
On 10/12/10 09:45 AM, William Schumann wrote:
On 10/ 8/10 04:02 PM, Dave Miner wrote:
William, in a lot of ways I buy the proposal below, but there's a big question
unanswered: can you share the certificates used for
wanboot with your proposed mechanism when we go to a secure solution? That is
a requirement in order to go down this path.
Yes, they can be shared.
On the Apache server, the server certificate and key, and the Certificate
Authority certificate must be available. The client
certificate is not required, nor is the CA key.
From the proposal, new installadm subcommands handle authentication:
installadm set-server -k<ssl_key> -c<ssl_certificate> [-A<CA
certificate>]
installadm set-client -k<client_ssl_key> -c<client_ssl_certificate> -a<CA
certificate> <client-ID>
For the server, if a single server instance is used for wanboot-cgi and for SC
profiles, the lone copy of the server certificate is
named in Apache httpd.conf SSLCertificateFile, server key in
SSLCertificateKeyFile, both PEM-encoded. The user runs installadm
set-server to specify the certificate and key. The CA certificate is also
provided, and goes to SSLCACertificateFile, PEM-encoded.
Usually, there will be only one CA; hence, one CA certificate, pointed to by
Apache httpd.conf SSLCACertificateFile, and
PEM-encoded. If there are multiple, they can be concatenated into
SSLCACertificateFile. SPARC wanboot seems to require the CA
certificate and key packaged into PKCS#12 format (at this moment, I'm not
certain that it absolutely requires the CA key, which
would simplify PKCS#12 encoding - I'm just not that far into wanboot code). 'openssl
pkcs12' can convert PEM<->PKCS#12.
For client authentication, the user runs installadm set-client, providing
client certificate/key and additional CA certificate, if
needed. (Internally, 'wanbootutil p12split/keymgmt' is leveraged.)
So, if the user uses set-server and set-client to configure authentication,
then all information is available for Apache
configuration, so that wanboot-cgi is not needed for secure SC profiles. The
one detail to resolve is which format to have the user
provide for the CA certificate: PKCS#12 version or separate PEM-encoded CA key
and certificate (again, 'openssl pkcs12' can convert
either way).
If the user changes CA information and uses the proposed set-server/set-client
subcommands, the Apache.conf SSLCACertificateFile can
be updated automatically. Apache must then be restarted.
William
_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
