ningyougang commented on issue #2427: Support client certificate on cli and nginx
URL: https://github.com/apache/incubator-openwhisk/pull/2427#issuecomment-312535981
 
 
   a) are there individual client certificates we need to deal with, or is it just the auto-generated one?
    answer: in openwhisk codes, we don't need to deal with individual client certificates; it is best generated by the company who uses openwhisk to deploy their serverless env for all users. The client certificate can be signed by their self-signed root certificate or by a trusted CA organization's signed root certificate.
       a.1) if there are individual (per user) client certificates, how do those get generated so that they are valid with the OW server certificate?
    answer: the server certificate has no relation with the client certificate; their root certificates can be different or the same, and it also works well. The per-user client certificate is generated by their self-signed root certificate or a trusted CA organization's signed root certificate (as referred to above).
       a.2) if there are individual (per user) client certificates, do they contain any namespace related information that can be used upstream, i.e. openwhisk controller, to authorize the request?
    answer: for our case, the client certificate subj includes CN=${employeeid}, and other fields such as C, ST, L, O may depend on the company's organization.
   
   
   b) what exact security issue does this solve? does it protect against man-in-the-middle attacks only, or have you other ideas in mind to use that mechanism?
      answer: this feature just increases the security for auth, but it is optional by default. If ${nginx.ssl.verify_client} is set to on, the wsk client must pass a client certificate, so not every user can use the wsk tool to send requests to the openwhisk server; if they want to do that, they must get their own client certificate from the company. Another guess: we may simplify the auth flow; if a client certificate is passed, in the controller we can ignore the auth key verification (but I'm not sure it is possible to simplify the auth flow).
   
   
   c) is the usage of the client certificate mandatory?
   answer: no, it is optional. The default configuration for {ssl.nginx.verify_client} is optional, so the user can pass a client certificate or not, and it also works well. If {ssl.nginx.verify_client} is set to on, the user must pass a client certificate.
   
   d) I saw that you're generating the server and client certificate during `setup.yml`. what would be the steps to generate the corresponding per user client certificate?
   answer: openwhisk has no need to care how to generate the client certificate; it just provides the configuration entry point for how to use it. setup.yml's genssh.sh is just an example that provides the steps for how to generate a client certificate.
   
   e) how does it work if I don't have a hostname and only an IP. I've tried it with my `docker-machine` environment and get `x509: cannot validate certificate for 192.168.99.101 because it doesn't contain any IP SANs`
   answer: I should verify it.
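The points above (an optional-by-default verify_client setting, a per-user certificate whose CN carries an identity the controller can use, and a server certificate that fails for IP-only hosts without IP SANs) can be put together in one nginx server block. The following is an added example, not the configuration from the OpenWhisk PR or project: every path, hostname, port and header name in it is an assumption for illustration.

```nginx
# Added example (not from the OpenWhisk PR): an nginx server block that
# terminates TLS, verifies a client certificate against the company CA
# (optionally or mandatorily), and forwards the verification result plus the
# client subject DN to the controller so it can authorize on the CN.
# All paths, ports, hostnames and the upstream name are assumptions.

upstream controllers {
    server controller0:10001;   # assumed controller host:port
}

server {
    listen 443 ssl;
    server_name openwhisk.example.com;   # assumed

    # Server certificate. When clients connect by IP address instead of a
    # hostname, this certificate must list that IP in its subjectAltName,
    # otherwise clients fail with "doesn't contain any IP SANs".
    ssl_certificate     /etc/nginx/certs/openwhisk-server-cert.pem;
    ssl_certificate_key /etc/nginx/certs/openwhisk-server-key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # CA (self-signed company root or a public CA) that signed the per-user
    # client certificates. It may differ from the CA of the server certificate.
    ssl_client_certificate /etc/nginx/certs/openwhisk-client-ca.pem;

    # "optional": the handshake succeeds with or without a client certificate,
    # but a presented certificate is still checked against the CA above.
    # Change to "on" to reject every client that does not present a valid
    # certificate (the verify_client=on mode discussed in the thread).
    ssl_verify_client optional;
    ssl_verify_depth  2;

    location / {
        # Hand the verification outcome to the controller. $ssl_client_verify
        # is SUCCESS, FAILED:<reason> or NONE; $ssl_client_s_dn is the subject
        # DN of the client certificate, e.g. "CN=12345,O=Example Corp".
        # proxy_set_header replaces any value a client put in these headers.
        proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN        $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;
        proxy_set_header Host $host;

        proxy_pass http://controllers;
    }
}
```

With `ssl_verify_client optional`, the upstream must treat the DN header as trustworthy only when the verify header equals `SUCCESS`; in the `NONE` case the request carries no certificate identity and has to fall back to the existing auth key. Because nginx overwrites the three `X-SSL-Client-*` headers on every proxied request, a caller cannot inject its own DN, but this only holds if the controller is reachable solely through this proxy and not directly.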
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services