<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2005" />
<meta name="DC.rights.owner" content="(C) Copyright IBM Corporation 2005" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Configure the CIM server to verify client certificates" />
<meta name="abstract" content="You can configure the CIM server to use secure sockets layer (SSL) to verify client certificates and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port." />
<meta name="description" content="You can configure the CIM server to use secure sockets layer (SSL) to verify client certificates and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port." />
<meta name="DC.Relation" scheme="URI" content="rzatlsecure.htm" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzatlcertauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure the CIM server to verify client certificates</title>
</head>
<body id="rzatlcertauth"><a name="rzatlcertauth"><!-- --></a>
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure the CIM server to verify client certificates</h1>
<div><p><span><img src="./delta.gif" alt="Start of change" />You can configure the CIM server to use secure sockets layer (SSL) to verify client certificates and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port.<img src="./deltaend.gif" alt="End of change" /></span></p>
<p><img src="./delta.gif" alt="Start of change" />The CIM server uses the main SSL port for CIM operation requests, such as <span class="parmname">GetInstance</span> and <span class="parmname">EnumerateInstance</span> requests. The export SSL port allows CIM export requests to use automatic certificate-based authentication on a port that does not require a user name and password. CIM export requests are used to deliver CIM indications. Because export requests do not have an associated user name, the only way to deliver secure indications is to use SSL on the export SSL port.<img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />The CIM server can also check client certificates against a CRL.<img src="./deltaend.gif" alt="End of change" /></p>
<div class="section"><h4 class="sectiontitle">Configure client certificate verification on the main SSL port</h4><div class="p">To configure the CIM server to verify client certificates on the main SSL port, use the <span class="parmname">sslClientVerificationMode</span> property of the <span class="parmname">cimconfig</span> command. You can set this property to do one of the following:<ul><li>Disable client certificate verification</li>
<li>Require client certificate verification</li>
<li>Verify the client certificate if one is presented, and fall back to the authentication method named by the <span class="parmname">httpAuthType</span> property if no certificate is presented</li>
</ul>
</div>
<p>With these choices, you can authenticate clients through certificate verification, Basic authentication, or Kerberos authentication.</p>
<p><img src="./delta.gif" alt="Start of change" />You can manage the certificates in the server's truststore for the main SSL port by using the ssltrustmgr command. In this case, the truststore name is <span class="parmname">cim_trust</span>.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><h4 class="sectiontitle">Configure client certificate verification on the export SSL port</h4><p><img src="./delta.gif" alt="Start of change" />To configure the CIM server to verify client certificates on the export SSL port, use the <span class="parmname">enableSSLExportClientVerification</span> property of the <span class="parmname">cimconfig</span> command. When this property is set to true, the CIM server requires export clients to send a certificate. The <span class="parmname">exportSSLTrustStore</span> property gives the location of the truststore. In most cases, you can use the default value of the <span class="parmname">exportSSLTrustStore</span> property.<img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />You can manage the certificates in the server's truststore for the export SSL port by using the ssltrustmgr command. In this case, the truststore name is <span class="parmname">export_trust</span>.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><h4 class="sectiontitle">Configure client certificate verification against a CRL</h4><p><img src="./delta.gif" alt="Start of change" />To configure the CIM server to verify client certificates against a CRL, use the <span class="parmname">crlStore</span> property. In most cases, you can use the default value of the <span class="parmname">crlStore</span> property. The <span class="parmname">crlStore</span> property gives the location of the CRL store, which is a CRL file or directory on the local system; the CIM server does not contact a remote CIM server for the CRL. The <span class="parmname">crlStore</span> property applies to requests made on both the main SSL port and the export SSL port.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
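<p>The three sections above describe settings that interact: the main-port mode decides whether a certificate is required, optional or ignored; the export port has no user name and so can only require a certificate or skip verification; and the CRL store applies to both ports. The following is an added example, not IBM i or OpenPegasus code, that models that decision logic so the combinations can be checked. The mode spellings "disabled", "required" and "optional", the class and function names, and the certificate serials are this example's own assumptions.</p>

```python
# Added example (not IBM i / OpenPegasus code): models how the cimconfig
# properties on this page combine per port. The mode spellings "disabled",
# "required", "optional" and all class/function names are assumptions here.
from dataclasses import dataclass
from typing import Optional

MAIN_PORT = "main"      # CIM operation requests such as GetInstance
EXPORT_PORT = "export"  # CIM export requests (indications), no user name/password

@dataclass
class ServerConfig:
    sslClientVerificationMode: str = "disabled"
    httpAuthType: str = "Basic"                   # "Basic" or "Kerberos"
    enableSSLExportClientVerification: bool = False
    revoked_serials: frozenset = frozenset()      # stands in for the crlStore

@dataclass
class ClientHello:
    port: str
    cert_serial: Optional[int] = None  # None: no client certificate presented
    cert_trusted: bool = False         # issuer found in cim_trust / export_trust

def check_cert(cfg: ServerConfig, req: ClientHello) -> str:
    """Verify a presented certificate: CRL first, then the port's truststore."""
    if req.cert_serial in cfg.revoked_serials:
        return "reject: certificate revoked (crlStore)"
    if not req.cert_trusted:
        return "reject: certificate not in truststore"
    return "accept: certificate"

def decide(cfg: ServerConfig, req: ClientHello) -> str:
    """Return how the connection is authenticated, or why it is rejected."""
    mode = cfg.sslClientVerificationMode
    if mode not in ("disabled", "required", "optional"):
        raise ValueError(f"unknown sslClientVerificationMode {mode!r}")
    has_cert = req.cert_serial is not None
    if req.port == EXPORT_PORT:
        if not cfg.enableSSLExportClientVerification:
            return "accept: no client verification"
        if not has_cert:
            return "reject: export port requires a client certificate"
        return check_cert(cfg, req)
    if mode == "disabled":
        return f"accept: {cfg.httpAuthType}"  # any certificate is ignored
    if not has_cert:
        if mode == "required":
            return "reject: client certificate required"
        return f"accept: {cfg.httpAuthType}"  # optional: fall back to httpAuthType
    return check_cert(cfg, req)
```

<p>Note that a revoked certificate is rejected on either port even when the main port would otherwise have fallen back to <span class="parmname">httpAuthType</span> only in the absence of a certificate; a client that presents a revoked certificate is not silently downgraded to Basic or Kerberos.</p>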
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzatlsecure.htm" title="Use this topic to find out about the options that are available for ensuring that the CIM server is secure.">Secure Pegasus</a></div>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></body>
</html>