From: Vihang K. <vka...@vm...> - 2015-01-16 20:07:40

Reactivating this old thread to keep the context. Is there a way to pass a CustomSSLSocketFactory to the WBEMClient so that all the SSL connections made by the WBEMClient use it when it talks to the CIMOM? Our application already implements a customTrustManager and customSSLSocketFactory so that it can populate the server certificates in the truststore interactively through the UI. I am investigating whether we can leverage this and use it to configure the WBEMClient instead of redoing most of the work.

Thanks,
Vihang

-----Original Message-----
From: Vihang Karajgaonkar
Sent: Tuesday, April 29, 2014 3:16 PM
To: Dave Heller
Cc: sbl...@li...
Subject: Re: [Sblim-devel] CIM Client configuration for SSL connections

Thanks for the suggestions, Dave.

Vihang

----- Original Message -----
From: "Dave Heller" <hel...@li...>
To: "Vihang Karajgaonkar" <vka...@vm...>
Cc: sbl...@li...
Sent: Monday, April 28, 2014 4:29:52 PM
Subject: Re: [Sblim-devel] CIM Client configuration for SSL connections

There isn't currently any support for this in the Java client, and it is (arguably) a bit beyond the scope of the JCC to do this, but rather within the scope of the application *using* the Java Client. That said, it would be helpful to access some of the JCC internal classes that perform the SSL authentication, if one were to implement this, to avoid duplication.

Ideally the JCC would have some API extension to expose certificate information (and other pertinent details of the SSL/TLS connection) to the calling application, so that the application could make some sort of decision (interactive or otherwise) to accept/import the endpoint certificate. This would require the implementation of a custom X509TrustManager interface, along with the bits to expose the required methods, etc. via the API. There are currently no plans to add any such support.

I have seen some custom X509TrustManager implementations on the 'net that allow an interactive certificate import using a simple (y/n) command line interface. You might be able to implement something like this in JCC, which would give you the support in a sort of hackish way, but this might suit your needs.

Really the "better way" is, rather than relying on the import of (possibly many) individual CIMOM certificates into a local truststore, to implement some true PKI in your environment. That is, use CIMOM certificates that are signed by some central certificate authority (local or otherwise), and install the CA certificate into your client truststore (assuming it is not already included in the Java default truststore). Then your CIMOMs will be trusted automatically by your clients, as appropriate, according to your PKI. This is obviously much more scalable and reliable than relying on user interaction.

Another more scalable approach is to forgo the local truststore (file) altogether and implement an X509TrustManager that supports LDAP-based authentication. This would really be a more appropriate enhancement for the JCC.

Dave

On 04/28/2014 03:22 PM, Vihang Karajgaonkar wrote:
> Thanks so much, Dave.
>
> I am currently looking into the possibility of implementing certificate-based authentication for my CIM Client. According to the documents, the CIMOM certificate should be imported into the truststore before the CIM Client application initiates the connection. Is there a better way to do this? Can we do it at run time, such that we can retrieve the certificate that the CIMOM sent during the first connection, and then trust the certificate based on a user action?
>
> Thanks,
> Vihang
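The "interactive import" X509TrustManager that Dave describes, written out as an added example; it is not code from the SBLIM Java CIM Client, from Vihang's application, or from Dave. It assumes a local truststore file path and a `Predicate<X509Certificate>` supplied by the application (its UI, or a console y/n prompt) as the accept/decline decision. It does not answer the thread's open question of how the resulting SSLSocketFactory is handed to the WBEMClient, since the thread states the JCC has no API for that.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.function.Predicate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/** Added example, not SBLIM JCC code: JRE CA anchors first, then locally accepted CIMOM certs, then ask. */
public final class InteractiveTrustManager implements X509TrustManager {

    private final Path localStorePath;                  // assumed location, e.g. ~/.cimom-truststore
    private final char[] storePassword;
    private final Predicate<X509Certificate> decision;  // assumed: the application's UI or console y/n
    private final KeyStore localStore;
    private final X509TrustManager platform;            // JSSE default over the JRE cacerts (PKI path)
    private X509TrustManager local;                     // null until the local store holds an entry

    public InteractiveTrustManager(Path localStorePath, char[] storePassword,
                                   Predicate<X509Certificate> decision)
            throws GeneralSecurityException, IOException {
        this.localStorePath = localStorePath;
        this.storePassword = storePassword.clone();
        this.decision = decision;
        this.platform = jsseTrustManager(null);
        this.localStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.exists(localStorePath) ? Files.newInputStream(localStorePath) : null) {
            localStore.load(in, storePassword);         // a null stream yields a fresh, empty store
        }
        // PKIX refuses an empty anchor set, so tier 2 is only built once something has been accepted
        this.local = localStore.size() > 0 ? jsseTrustManager(localStore) : null;
    }

    /** JSSE's own X509TrustManager over the given store; a null store means the JRE cacerts. */
    private static X509TrustManager jsseTrustManager(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            platform.checkServerTrusted(chain, authType);   // tier 1: CA-signed, no prompt at all
            return;
        } catch (CertificateException rejected) {
            if (local != null) {
                try {
                    local.checkServerTrusted(chain, authType);   // tier 2: accepted on an earlier run
                    return;
                } catch (CertificateException ignored) { /* fall through to the prompt */ }
            }
            X509Certificate leaf = chain[0];                 // JSSE never passes an empty chain here
            leaf.checkValidity();                            // never even offer an expired cert
            if (!decision.test(leaf)) throw rejected;        // user declined: fail closed
            try {                                            // accepted: pin the leaf as an anchor
                localStore.setCertificateEntry("cimom-" + fingerprint(leaf), leaf);
                try (OutputStream out = Files.newOutputStream(localStorePath)) {
                    localStore.store(out, storePassword);
                }
                local = jsseTrustManager(localStore);
            } catch (GeneralSecurityException | IOException e) {
                throw new CertificateException("could not persist accepted certificate", e);
            }
        }
    }

    /** SHA-256 fingerprint: the value a user should compare out of band before saying yes. */
    public static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);       // we are the client side; never prompt here
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();               // CA anchors only; pinned leaves are not issuers
    }
    public SSLSocketFactory sslSocketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");     // what the application would hand to its client
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx.getSocketFactory();
    }
}
```

The ordering of the tiers is the point. A CIMOM whose certificate chains to a CA in the JRE truststore never triggers a prompt, which is Dave's "true PKI" recommendation; an interactively accepted certificate is pinned by its exact encoding, so a later replacement, whether a legitimate renewal or an impostor, prompts again. The prompt itself is the weak moment: a man in the middle on that first connection is accepted as readily as the real CIMOM, and nothing in this path binds trust to the hostname, which is why the SHA-256 fingerprint is exposed for out-of-band comparison and why this belongs only as a fallback behind a CA-signed deployment.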