
Configure the CIM server to verify client certificates

You can configure the CIM server to use Secure Sockets Layer (SSL) to verify client certificates and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port.

The CIM server uses the main SSL port for CIM operation requests, such as GetInstance requests and EnumerateInstance requests. The purpose of the export SSL port is to allow CIM export requests to use automatic certificate-based authentication on a port that does not require a user name and password. CIM export requests are used to deliver CIM Indications. Because export requests do not have an associated user name, the only way to deliver secure indications is to use SSL on the export SSL port.

The CIM server can also check client certificates against a CRL.

Configure client certificate verification on the main SSL port

To configure the CIM server to verify client certificates on the main SSL port, use the sslClientVerificationMode property of the cimconfig command. You can set this property to do one of the following tasks:
  • Disable client certificate verification
  • Require client certificate verification
  • Verify the client certificate if available and use the httpAuthType property if the certificate is not available

With these choices, you can authenticate clients through certificate verification, Basic authentication, or Kerberos authentication.

You can manage the certificates in the server's truststore for the main SSL port by using the ssltrustmgr command. In this case, the trust store name is cim_trust.

Configure client certificate verification on the export SSL port

To configure the CIM server to verify client certificates on the export SSL port, use the enableSSLExportClientVerification property of the cimconfig command. When set to true, this property causes the CIM server to require that certificates are sent by export clients. The exportSSLTrustStore property gives the location of the truststore. In most cases, you can use the default value of the exportSSLTrustStore property.

You can manage the certificates in the server's truststore for the export SSL port by using the ssltrustmgr command. In this case, the trust store name is export_trust.

Configure client certification against a CRL

To configure the CIM server to verify client certificates against a CRL, use the crlStore property. In most cases, the default value of the crlStore property can be used. The CIM server checks a CRL file or directory on the local system. It does not contact a remote CIM server for the CRL. The crlStore property gives the location of the CRL store. The crlStore applies to requests that are made on the main SSL port and the export SSL port.
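The following shell function is an added example, not part of the product documentation or IBM's code. It audits the properties described in the three sections above from a saved property listing. It assumes the listing has one property=value pair per line, that the verification mode values are disabled, required, and optional, and that crlStore is an absolute path; the sample input is constructed.

```sh
# Added example. Reads "property=value" lines on stdin (assumed format of
# a saved cimconfig property listing) and reports on the certificate
# verification properties described on this page.
audit_cim_cert_config() {
    mode="" export_verify="" http_auth="" crl=""
    while IFS='=' read -r key value; do
        case "$key" in
            sslClientVerificationMode)         mode=$value ;;
            enableSSLExportClientVerification) export_verify=$value ;;
            httpAuthType)                      http_auth=$value ;;
            crlStore)                          crl=$value ;;
        esac
    done

    # Main SSL port (value names disabled/required/optional are assumed).
    case "$mode" in
        required) echo "OK   main port requires a client certificate" ;;
        optional) echo "NOTE main port falls back to httpAuthType=${http_auth:-unset} when no certificate is sent" ;;
        *)        echo "WARN main port does not verify client certificates (mode=${mode:-unset})" ;;
    esac

    # Export SSL port: export requests carry no user name, so the client
    # certificate is the only authentication for indication delivery.
    if [ "$export_verify" = "true" ]; then
        echo "OK   export port requires a client certificate"
    else
        echo "WARN export port client certificate verification is not enabled"
    fi

    # The CRL is read from the local system only, so the path must exist here.
    if [ -n "$crl" ] && [ -e "$crl" ]; then
        echo "OK   crlStore $crl is present"
    else
        echo "WARN crlStore ${crl:-unset} was not found on this system"
    fi
}

# Constructed sample listing; /nonexistent/crl is a placeholder path.
audit_cim_cert_config <<'EOF'
sslClientVerificationMode=optional
httpAuthType=Basic
enableSSLExportClientVerification=false
crlStore=/nonexistent/crl
EOF
```

A NOTE line for the main port means the strength of authentication depends on the httpAuthType setting whenever a client presents no certificate.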
