Brocade Communications Systems 53-1001778-01 Computer Accessories User Manual

Brocade SMI Agent User’s Guide 47
Mutual Authentication for Clients and Indications
In this chapter
  Introduction, page 47
  Mutual authentication for clients, page 47
  Mutual authentication for indications, page 48
  Client configuration to use client certificates, page 48
  Client configuration to use client certificates for default SSL indications, page 50
  Troubleshooting, page 51
Introduction
The SMI-A installation wizard provides options for enabling mutual authentication for clients and
indications. This chapter describes how you can enable mutual authentication after installation,
without re-running the installation wizard.
If you enable mutual authentication, also disable the CIM-XML client protocol adapter (CPA) for the
SMI-A so that clients can reach the agent only over HTTPS. Mutual authentication protects only the
HTTPS listener: if the CIM-XML CPA is left enabled, any client can still reach the SMI-A over
unauthenticated, unencrypted HTTP, bypassing the certificate check entirely.
The client and server certificates used for mutual authentication are private certificates generated
by Brocade. They are not issued or verified by any certificate authority, and clients cannot add their
own certificates to the server trust stores; mutual authentication works only with the Brocade-provided
private certificates. Because a client is identified solely by presenting one of these certificates and
its private key, access control rests on keeping the client KeyStore files out of untrusted hands.
Mutual authentication for clients
You can restrict access to the SMI-A to clients that the agent trusts. The SMI-A uses its own private
key (the entry in the SMI-A KeyStore) and the client certificates it has been told to trust (the entries
in the SMI-A TrustStore) to allow only specific clients to send SSL-encrypted CIM-XML requests to the
SMI-A.
By default, mutual authentication for clients is disabled: the SMI-A presents its server certificate,
but any client can use HTTPS to communicate with it. When mutual authentication for clients is
enabled, only clients whose certificates have been added to the SMI-A TrustStore can use HTTPS to
communicate with the SMI-A. That is, for the entry (private key plus certificate) in the client
KeyStore, the SMI-A TrustStore must contain the matching certificate.
Additionally, when mutual authentication for clients is enabled, the client must have a TrustStore
that contains the certificate for the entry in the SMI-A KeyStore; a client that does not trust the
SMI-A certificate rejects the connection even if the SMI-A trusts the client.
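The KeyStore/TrustStore relationship above is easier to see when both sides are run against each other. The following is an added example, not code from the Brocade guide or from the SMI-A itself: it uses Go's crypto/tls to model the agent and its clients with freshly generated self-signed certificates (the names smi-agent, trusted-client and untrusted-client are invented) and runs the configurations described above over a loopback connection. In the model, the server's ClientCAs plays the SMI-A TrustStore, the client's RootCAs plays the client TrustStore, and Certificates on either side is that side's KeyStore entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity models one KeyStore entry: a private key plus the self-signed certificate
// that a peer must hold in its TrustStore. Hypothetical names, keys generated per run.
func identity(cn string, eku x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // lets a client match the loopback address
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// trustStore models a TrustStore: exactly the listed peer certificates are trusted.
func trustStore(peers ...tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range peers {
		p.AddCert(c.Leaf)
	}
	return p
}

// handshake runs one TLS connection over loopback and reports whether both sides accepted it.
// In TLS 1.3 the client can finish before the server has checked the client certificate, so the
// server sends one byte only after its own handshake succeeded; a rejection shows up on Read.
func handshake(server, client *tls.Config) bool {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		conn := tls.Server(raw, server)
		defer conn.Close()
		if err = conn.Handshake(); err == nil {
			_, err = conn.Write([]byte{1}) // server-side verdict: the client was accepted
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		ln.Close() // unblocks Accept if the server never saw the connection
		<-srvErr
		return false
	}
	defer conn.Close()
	_, readErr := conn.Read(make([]byte, 1))
	return readErr == nil && <-srvErr == nil
}

// scenarios mirrors the configurations described above; each value reports whether the client got through.
func scenarios() map[string]bool {
	agent := identity("smi-agent", x509.ExtKeyUsageServerAuth)
	trusted := identity("trusted-client", x509.ExtKeyUsageClientAuth)
	stranger := identity("untrusted-client", x509.ExtKeyUsageClientAuth)
	open := &tls.Config{Certificates: []tls.Certificate{agent}} // default: no client certificate requested
	mutual := &tls.Config{ // mutual authentication: only trusted's certificate is in the SMI-A TrustStore
		Certificates: []tls.Certificate{agent},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trustStore(trusted),
	}
	return map[string]bool{
		"open agent, anonymous client":        handshake(open, &tls.Config{RootCAs: trustStore(agent)}),
		"mutual auth, trusted client":         handshake(mutual, &tls.Config{RootCAs: trustStore(agent), Certificates: []tls.Certificate{trusted}}),
		"mutual auth, anonymous client":       handshake(mutual, &tls.Config{RootCAs: trustStore(agent)}),
		"mutual auth, untrusted client":       handshake(mutual, &tls.Config{RootCAs: trustStore(agent), Certificates: []tls.Certificate{stranger}}),
		"mutual auth, client distrusts agent": handshake(mutual, &tls.Config{RootCAs: trustStore(stranger), Certificates: []tls.Certificate{trusted}}),
	}
}

func main() {
	for name, ok := range scenarios() {
		fmt.Printf("%-38s connected=%v\n", name, ok)
	}
}
```

With the default ClientAuth (the disabled state in the text) every client connects. Once the server requires and verifies a client certificate, only the client whose certificate sits in the agent's trust store gets through; an anonymous client and a client with a certificate the agent has never seen are both rejected after the handshake. The last scenario shows the second requirement from the text: a client whose own TrustStore lacks the agent's certificate fails even though the agent trusts that client, because the client rejects the server certificate first.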