[Spacewalk-list] server hw dimensioning and usage questions

Mgr. Peter Hudec peter.hudec at cnc.sk
Tue Aug 28 11:32:49 UTC 2012


On 08/28/2012 01:06 PM, Jan Hutař wrote:
> On Tue, 28 Aug 2012 11:12:59 +0200 "Mgr. Peter Hudec"
> <peter.hudec at cnc.sk> wrote:
> 
>>>> 5) client side certificates
>>>> as the clients are mobile, does Spacewalk have the possibility
>>>> to verify the connection based on the client SSL certificate? I
>>>> did not find any configuration directive for 'rhnsd' or
>>>> 'osad'.
>>>
>>> Not sure what you mean here - which client side certificates?
>>> rhn_check uses the config in /etc/sysconfig/rhn/up2date - there
>>> you should have serverURL=https://... The services 'rhnsd' and
>>> 'osad' use rhn_check to actually get and perform the action.
>> I meant SSL-based authentication using the clients' certificates.
>> You can find it in web-based solutions, where the client has
>> imported client certificates into the browser /or token/ and
>> the web server requests AAA based on this certificate. In the
>> Apache configuration you can find the directives
>> --- cut ---
>> SSLVerifyClient require
>> SSLVerifyDepth 10
>> SSLCACertificateFile <path to CA CERT>
>> --- cut ---
>> In our case each device will be authenticated by its
>> certificate. In the case of a stolen device, we just revoke the
>> certificate. But as I did some small engineering, there isn't a
>> configuration option for rhnsd/osad/rhn_check to set the
>> client certificate.
>>
>> Of course, other security policies will be applied, such as
>> FDE, home/swap encryption, ....
> 
> I do not think we support this and I'm also not sure why you
> need it - what are you trying to achieve?
> 
This was a question from the security officer. If the device is stolen, he wanted to cut off the device from Spacewalk management.
I will tell him that this is not supported at the moment and that internal development will be needed.

	best regards
		Peter


-- 
Mgr. Peter Hudec
IT/Technical Specialist

CNC a.s.
Strojnícka 33
821 05 Bratislava

web: http://www.cnc.sk/
mail: peter.hudec at cnc.sk
mob: +421 905 997203
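
The Apache directives quoted in the thread only check that a client certificate chains to the CA; cutting off a stolen device by revocation also needs CRL checking on the server. The fragment below is an added example, not part of the original thread or of Spacewalk; all file paths are placeholders, and it covers only the server side, since the thread states that rhnsd/osad/rhn_check have no option to present a client certificate.

```apache
# Added example: server-side client-certificate authentication with revocation.
# All paths are placeholders (assumptions), not Spacewalk defaults.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # From the snippet quoted in the thread: demand a client certificate
    # that chains to the device CA.
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCACertificateFile /path/to/device-ca.crt

    # Revocation: without a CRL configured and checked, a revoked but
    # unexpired device certificate still passes verification.
    SSLCARevocationFile  /path/to/device-ca.crl
    # 'chain' checks every certificate in the chain against a CRL.
    SSLCARevocationCheck chain
</VirtualHost>
```

Apache reads the CRL file when it starts or reloads, so a newly revoked device is rejected only after the updated CRL is deployed and the server reloaded. With `SSLCARevocationCheck chain`, a missing or expired CRL for any CA in the chain makes client verification fail.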



