Mutual authentication setup, Configuring mutual authentication for clients – Brocade Communications Systems 53-1001778-01 User Manual
Page 38
22
Brocade SMI Agent User’s Guide
53-1001778-01
SMI Agent security
3
Mutual authentication setup
Before you enable mutual authentication for clients and indications, you need to do the following so
the Configuration Tool will know the location of the certificate files:
•
Configure the WbemClient.properties file with the location of the certificate files.
•
Update the CLASSPATH variable in two files with the location of the WbemClient.properties file.
Configuring mutual authentication for clients
You can restrict access to the SMI-A to only clients that are trusted by the agent. The SMI-A uses
private key information and authentication information to allow only specific clients to send
requests as SSL-encrypted CIM-XML to the SMI-A.
By default, mutual authentication for clients is disabled, which means that any client can use the
HTTPS communication protocol to communicate with the SMI-A. When mutual authentication for
clients is enabled, then only those clients whose certificates have been added to the SMI-A
TrustStore can use HTTPS to communicate with the SMI-A. That is, the SMI-A must have a
TrustStore that contains a certificate for an entry in the client KeyStore.
Additionally, when mutual authentication for clients is enabled, the client must have a TrustStore
that contains the certificate for an entry in the SMI-A KeyStore.
Using the Brocade SMI Agent Configuration Tool, you can enable and disable mutual authentication
for clients, import the client certificate to the SMI-A TrustStore, and export the server certificate to a
file where the client can access it.
If you enable mutual authentication, you may choose to disable the CIM-XML client protocol
adapter (CPA) for the SMI-A so that the clients can use only HTTPS communication. If you do not
disable the CIM-XML CPA, then any client can communicate with the SMI-A using HTTP access.
When you disable or enable mutual authentication for clients, the SMI-A server must be stopped.
1. Launch the Brocade SMI Agent Configuration Tool.
2. Click Mutual Authentication(Client) in the menu tree (see
The content pane displays the current setting, which is selected and dimmed.
3. To enable mutual authentication for clients, click the Enable Client Authentication radio button.
If this option is unavailable, then mutual authentication for clients is already enabled.
To disable mutual authentication for clients, click the Disable Client Authentication radio
button. If this option is unavailable, then mutual authentication for clients is already disabled.
4. Click the Stop Server to stop the SMI-A, if it is running. This button is unavailable if the server is
already stopped.
5. Click Apply.
6. If you enabled mutual authentication for clients, you can perform the following optional steps
to allow only secure communication with trusted clients:
a. Disable HTTP access so that only HTTPS access is available to the clients. (See
on page 24.) Clients should preferably use HTTPS for all
communications purposes if mutual authentication is enabled.
If you do not disable HTTP access, then any client can communicate with the SMI-A using
HTTP access.