Brocade Communications Systems 53-1001778-01 manual Mutual authentication setup

3 SMI Agent security

Mutual authentication setup

Before you enable mutual authentication for clients and indications, you must do the following so that the Configuration Tool knows the location of the certificate files:

• Configure the WbemClient.properties file with the location of the certificate files.

• Update the CLASSPATH variable in two files with the location of the WbemClient.properties file.

Configuring mutual authentication for clients

You can restrict access to the SMI-A to clients that the agent trusts. The SMI-A uses its own private key together with the client certificates in its TrustStore so that only those specific clients can send SSL-encrypted CIM-XML requests to the SMI-A.

By default, mutual authentication for clients is disabled, which means that any client can use the HTTPS protocol to communicate with the SMI-A (the server presents its certificate, but the client is not asked for one). When mutual authentication for clients is enabled, only clients whose certificates have been added to the SMI-A TrustStore can use HTTPS to communicate with the SMI-A. That is, the SMI-A TrustStore must contain the certificate that corresponds to a key entry in the client KeyStore.

Additionally, when mutual authentication for clients is enabled, the client must have a TrustStore that contains the certificate for an entry in the SMI-A KeyStore.

Using the Brocade SMI Agent Configuration Tool, you can enable and disable mutual authentication for clients, import the client certificate into the SMI-A TrustStore, and export the server certificate to a file that the client can access.

If you enable mutual authentication, you may also choose to disable the HTTP CIM-XML client protocol adapter (CPA) for the SMI-A so that clients can use only HTTPS. Mutual authentication applies only to the HTTPS listener: if you leave the HTTP CPA enabled, any client can still communicate with the SMI-A over unauthenticated, unencrypted HTTP.

The SMI-A server must be stopped before you enable or disable mutual authentication for clients.

1. Launch the Brocade SMI Agent Configuration Tool.

2. Click Mutual Authentication (Client) in the menu tree (see Figure 3 on page 14). The content pane displays the current setting, which is selected and dimmed.

3. To enable mutual authentication for clients, click the Enable Client Authentication radio button. If this option is unavailable, mutual authentication for clients is already enabled.

To disable mutual authentication for clients, click the Disable Client Authentication radio button. If this option is unavailable, mutual authentication for clients is already disabled.

4. Click Stop Server to stop the SMI-A if it is running. This button is unavailable if the server is already stopped.

5. Click Apply.

6. If you enabled mutual authentication for clients, you can perform the following optional steps to allow only secure communication with trusted clients:

a. Disable HTTP access so that only HTTPS access is available to clients (see “Configuring HTTP access” on page 24). When mutual authentication is enabled, clients should use HTTPS for all communication.

If you do not disable HTTP access, any client can still communicate with the SMI-A over HTTP, bypassing mutual authentication.
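A way to verify, from a client host, that the configuration described above is actually enforced. This is an added example written for this page, not code from the Brocade SMI Agent or its documentation. It assumes the client key and trust material were created as JKS files named client.keystore and client.truststore (password changeit), that the SMI-A listens on the DMTF default CIM-XML ports 5988 (HTTP) and 5989 (HTTPS), and that the SMI-A host name is passed on the command line; the class name MutualAuthCheck and all of these values are assumptions to adjust for your installation. It checks the three properties the section describes: a handshake presenting a certificate that is in the SMI-A TrustStore succeeds, a handshake presenting no client certificate is refused, and, if HTTP access was disabled, the HTTP port is closed.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical check that an SMI-A HTTPS listener really enforces mutual authentication:
 *   1. a TLS handshake that presents the trusted client certificate succeeds,
 *   2. a TLS handshake that presents no client certificate is rejected,
 *   3. the plain HTTP port refuses connections (only if HTTP access was disabled).
 * File names, ports and passwords below are assumptions, not SMI-A defaults from the guide.
 */
public class MutualAuthCheck {

    /** Loads a JKS keystore (the format the SMI-A KeyStore/TrustStore files use). */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext that trusts the SMI-A server certificate (client TrustStore) and,
     * if clientKeys is non-null, presents the client certificate during the handshake.
     * An empty KeyManager array means "send no client certificate at all".
     */
    static SSLContext buildContext(KeyStore trust, KeyStore clientKeys, char[] keyPassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManager[] kms = new KeyManager[0];
        if (clientKeys != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientKeys, keyPassword);
            kms = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns true if the TLS handshake completes and the server answers a request. */
    static boolean handshake(SSLContext ctx, String host, int port) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(5000);
            s.startHandshake();
            // With TLS 1.3 a server may reject a missing client certificate only after the
            // client's Finished message, so probe with a request and read the reply.
            OutputStream out = s.getOutputStream();
            out.write("GET / HTTP/1.0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
            out.flush();
            return s.getInputStream().read() != -1;
        } catch (IOException e) {
            System.out.println("   (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")");
            return false;
        }
    }

    /** Returns true if a plain TCP connection to the given port is accepted. */
    static boolean tcpOpen(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 3000);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "smia.example.internal";   // assumed host
        int httpsPort = 5989, httpPort = 5988;                              // DMTF defaults, assumed
        char[] pw = "changeit".toCharArray();                               // assumed password
        KeyStore trust = loadJks("client.truststore", pw);  // holds the exported SMI-A server certificate
        KeyStore keys  = loadJks("client.keystore", pw);    // holds the client key whose cert is in the SMI-A TrustStore

        System.out.println("1. Handshake with trusted client certificate (expect success):");
        boolean withCert = handshake(buildContext(trust, keys, pw), host, httpsPort);
        System.out.println("   -> " + (withCert ? "accepted" : "REJECTED"));

        System.out.println("2. Handshake without a client certificate (expect rejection):");
        boolean noCert = handshake(buildContext(trust, null, null), host, httpsPort);
        System.out.println("   -> " + (noCert ? "ACCEPTED: mutual authentication is NOT enforced" : "rejected"));

        System.out.println("3. Plain HTTP port " + httpPort + " (expect closed if HTTP access was disabled):");
        boolean http = tcpOpen(host, httpPort);
        System.out.println("   -> " + (http ? "OPEN: any client can bypass mutual authentication" : "closed"));

        System.exit(withCert && !noCert && !http ? 0 : 1);
    }
}
```

Run it as `java MutualAuthCheck <smia-host>` after completing the procedure and restarting the SMI-A. Check 2 is the one that matters most: if a handshake with no client certificate is accepted, the TrustStore setup is irrelevant. Check 3 failing while checks 1 and 2 pass means the certificate configuration is correct but the HTTP CPA is still listening, which is exactly the bypass the section warns about.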

22    Brocade SMI Agent User’s Guide    53-1001778-01
