Hi all,

David O'Callaghan wrote:
> Hi,
>
> Two questions on the X509 access control login type:
>
> 1) Why does it require signing the session cookie, rather than simply
> taking the client cert from the SSL session?
>

I think this can be a problem in certain cases, i.e. a user can have two certs: one for signing and another for authentication. In the OpenCA x509 access control scenario it is not the authentication but the signing certificate that will be used. Correct me if I'm wrong, but I believe that using a signing certificate for authentication is a bad idea.
> 2) How are the roles mapped from the certificates? In my test set up it
> seems that any "User" can effectively log in to the RA component and
> sign CSRs!
>

You can set up your Apache server to grant access only for specific certificates (with specific "O=" and/or "OU="). I suggest using a separate CA for issuing administrative (for internal use only) certificates. Then you configure Apache to grant access to the RA/CA web interface only for certificates from this administrative CA, and that's it: no users in the RA interface.

> Kind regards,
>
> David
>

Best regards,
Dmitrij

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
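The Apache setup Dmitrij describes (a separate administrative CA as the only trust anchor for the operator interfaces, plus an "O="/"OU=" check on the client certificate), written out as an added example. This configuration is not from the thread and not part of OpenCA; the file paths, the DN values, the `/pki/...` location prefixes and the virtual host layout are assumptions for illustration.

```apache
# Added example: lock the OpenCA RA/CA web interface to client certificates
# issued by a dedicated administrative CA. All paths, DN values and
# Location prefixes below are assumed, not taken from the thread.
<VirtualHost *:443>
    SSLEngine on
    # Server certificate and key (assumed paths)
    SSLCertificateFile    /etc/ssl/certs/openca-web.pem
    SSLCertificateKeyFile /etc/ssl/private/openca-web.key

    # Trust anchor for client authentication: ONLY the administrative CA.
    # The end-user CA is deliberately absent, so certificates it issued
    # fail the TLS handshake before any OpenCA code runs (assumed paths).
    SSLCACertificateFile  /etc/ssl/openca/admin-ca.pem
    SSLCARevocationFile   /etc/ssl/openca/admin-ca.crl
    # Apache 2.4+: enable CRL checking of the whole chain.
    # On Apache 2.2 drop this line; SSLCARevocationFile alone is enough there.
    SSLCARevocationCheck  chain

    # Public enrolment pages: a client certificate is optional here.
    <Location /pki/pub>
        SSLRequireSSL
        SSLVerifyClient optional
        SSLVerifyDepth  2
    </Location>

    # RA and CA operator interfaces: a valid certificate from the admin CA
    # is mandatory, and the issuer plus subject O/OU are pinned as well, so
    # a certificate from any other CA that somehow became trusted still fails.
    # (SSLRequire still works on 2.4 but is deprecated in favour of
    # "Require expr"; the variable names are the same.)
    <Location /pki/ra>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "OpenCA Administrative CA" \
               and %{SSL_CLIENT_S_DN_O}  eq "Example Org" \
               and %{SSL_CLIENT_S_DN_OU} eq "RA Operators"
    </Location>

    <Location /pki/ca>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "OpenCA Administrative CA" \
               and %{SSL_CLIENT_S_DN_O}  eq "Example Org" \
               and %{SSL_CLIENT_S_DN_OU} eq "CA Operators"
    </Location>
</VirtualHost>
```

The important design point is the first one: the admin CA is the only entry in `SSLCACertificateFile`, so the restriction is enforced by the TLS handshake itself and does not depend on OpenCA's role mapping. The `SSLRequire` lines are a second, independent layer; after changing them, check with a certificate from the end-user CA that the `/pki/ra` and `/pki/ca` locations are refused, and look for the rejection in the SSL error log rather than trusting the browser message alone.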