Brocade Communications Systems 53-1001778-01 manual Mutual authentication for indications


Enabling mutual authentication for clients

1. Configure the SMI-A to support mutual authentication for clients. This can be done either during installation using the installation wizard, or after installation, as described in “Configuring mutual authentication for clients” on page 22.

2. Optionally, disable HTTP access so that only HTTPS access is available to the clients. HTTPS communication is preferred if mutual authentication is enabled. (See “Configuring HTTP access” on page 24.)

3. Optionally, configure the WBEM client to use client certificates to communicate with the SMI-A. (See “Client configuration to use client certificates” on page 48.)

Mutual authentication for indications

Using mutual SSL authentication, you can restrict delivery of indications to only those clients that are trusted by the SMI-A.

By default, mutual authentication for indications is disabled, which means that the SMI-A uses SSL to send CIM-XML indications to a WBEM client listener, but does not attempt to verify the identity of the WBEM client listener. When mutual authentication for indications is enabled, then only those clients whose certificates have been added to the SMI-A Indications TrustStore can use SSL to receive indications from the SMI-A. That is, the SMI-A must have a TrustStore that contains a certificate for an entry in the client’s Indications KeyStore.
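The containment rule in the last sentence can be checked before enabling the feature. The following is an added example, not code from the Brocade guide: the class name, the command-line arguments, and the assumption that both stores are readable by the JVM's default KeyStore type are illustrative.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

// Added example, not Brocade code. Store paths are supplied by the operator.
public class IndicationTrustCheck {

    // Assumption: both stores are in a format the JVM's default KeyStore type can read.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): java IndicationTrustCheck "
                    + "<client-indications-keystore> <smia-indications-truststore>");
            System.exit(2);
        }
        // Prompt for passwords so they do not appear in the process list or shell history.
        KeyStore clientKeys = load(args[0], console.readPassword("Client keystore password: "));
        KeyStore agentTrust = load(args[1], console.readPassword("SMI-A truststore password: "));

        boolean anyTrusted = false;
        for (String alias : Collections.list(clientKeys.aliases())) {
            if (!clientKeys.isKeyEntry(alias)) {
                continue; // only entries with a private key can identify the listener
            }
            Certificate cert = clientKeys.getCertificate(alias);
            if (cert == null) {
                continue;
            }
            // Exact-match lookup: returns the alias this certificate is stored under, or null.
            String trustedAs = agentTrust.getCertificateAlias(cert);
            System.out.printf("%-24s %s%n", alias,
                    trustedAs != null ? "trusted as '" + trustedAs + "'" : "NOT in truststore");
            anyTrusted |= (trustedAs != null);
        }
        System.exit(anyTrusted ? 0 : 1); // non-zero: no listener identity is trusted
    }
}
```

A non-zero exit status means no key entry in the client's keystore has its certificate in the truststore, so that listener would not receive indications once mutual authentication for indications is enabled.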

Enabling mutual authentication for indications

1. Configure the SMI-A to support mutual authentication for indications. This can be done either during installation using the installation wizard, or after installation, as described in “Configuring mutual authentication for indications” on page 23.

2. Optionally, disable HTTP access so that only HTTPS access is available to the clients. HTTPS communication is preferred if mutual authentication is enabled. (See “Configuring HTTP access” on page 24.)

3. Optionally, configure the WBEM client to use client certificates to communicate with the SMI-A. (See “Client configuration to use client certificates,” next.)

Client configuration to use client certificates

After installation is completed, the client certificates are in the following location:

On Linux, Solaris, and AIX: <SMIAgent>/agent/client

On Windows: <SMIAgent>\agent\client

This folder has the following files:

.client.keystore

.client.truststore

client.cer

.client.ind.keystore


Brocade SMI Agent User’s Guide

 
