Re: [Sblim-devel] Self signed Client certificate configuration in CIMOM

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi George,

The SSL configuration is documented here, hopefully this will help guide 
you.  Let me know if you have further questions following that.

http://sourceforge.net/apps/mediawiki/sblim/index.php?title=SfcbSsl

Specifically, you are getting the error below because you have 
sslClientCertificate=require in your configuration and your client is 
(apparently) not configured to present it's own certificate.  Clients 
are commonly *not* configured to do this by default (since a cert is 
really only required at the server).

The openssl error messages are sometimes a bit imprecise; this could 
also mean your client *did* present a certificate but it could not be 
verified by the contents of the SFCB sslClientTrustStore.  I think you 
can get this same error in this case but I don't remember for sure.

As a suggestion, you could get your full bidirectional peer-verification 
configured and tested by using one of the simple clients like wbemcli or 
cimcli, then move to using openwsman as the client and take it from there.

Thanks,
Dave

On 05/07/2014 06:06 AM, George varghese wrote:
> Hi,
>
> I am trying to configure CIMOM for SSL connections. I want to validate
> the client certificate in server.
>
> For that , How to configure it?..
> Please let me know.
>
> I just tried, Please see the httpsd configuration section in sfcb.cfg file,
>
>
> *sslKeyFilePath: /home/hplumenApp/tmpfs/Web/ssl/serverkey.pem
> *
> *sslCertificateFilePath: /etc/ssl/certs/server.pem
> *
> *sslCertList: /etc/ssl/clist.pem
> *
> *sslClientCertificate: require
> *
> *sslIndicationReceiverCert: ignore
> *
> *sslClientTrustStore:  /etc/sfcb/client.pem
> *
> *
> *
> *
> *
> Then tried to send wsman request, I got the ssl connect error.
>
> please see the debug log message of sfcb,
>
> --- SSL_ERROR_SSL during handshake: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>
> *** httpAdapter.c:1697 SSL_ERROR_SSL error during SSL handshake -- exiting
>
> Please let me know how to resolve it.
>
> Regards,
> George
>
>
> ------------------------------------------------------------------------------
> Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
> &#149; 3 signs your SCM is hindering your productivity
> &#149; Requirements for releasing software faster
> &#149; Expert tips and advice for migrating your SCM now
> http://p.sf.net/sfu/perforce
>
>
>
> _______________________________________________
> Sblim-devel mailing list
> Sbl...@li...
> https://lists.sourceforge.net/lists/listinfo/sblim-devel
>