[Spacewalk-list] server hw dimensioning and usage questions

Jan Hutař jhutar at redhat.com
Thu Aug 30 04:04:36 UTC 2012


On Tue, 28 Aug 2012 13:32:49 +0200 "Mgr. Peter Hudec"
<peter.hudec at cnc.sk> wrote:

> On 08/28/2012 01:06 PM, Jan Hutař wrote:
> > On Tue, 28 Aug 2012 11:12:59 +0200 "Mgr. Peter Hudec"
> > <peter.hudec at cnc.sk> wrote:
> > 
> >>>> 5) client side certificates
> >>>> As the clients are mobile, does Spacewalk have the
> >>>> possibility to verify the connection based on a client SSL
> >>>> certificate? I did not find any configuration directive
> >>>> for 'rhnsd' or 'osad'.
> >>>
> >>> Not sure what you mean here - which client side
> >>> certificates? rhn_check uses config
> >>> in /etc/sysconfig/rhn/up2date - there you should have
> >>> serverURL=https://... Services 'rhnsd' and 'osad' use
> >>> rhn_check to actually get and perform the action.
> >> I meant SSL-based authentication using the clients'
> >> certificates. You can find it in web-based solutions, where
> >> the client has imported client certificates into the
> >> browser /or token/ and the web server requests the AAA based
> >> on this certificate. In the Apache configuration you can
> >> find directives
> >> --- cut ---
> >> SSLVerifyClient require
> >> SSLVerifyDepth 10
> >> SSLCACertificateFile <path to CA CERT>
> >> --- cut ---
> >> In our case each device will be authenticated by its
> >> certificate. In case of a stolen device, we just revoke
> >> the certificate. But as I did small engineering, there isn't
> >> a configuration option for rhnsd/osad/rhn_check to set the
> >> client certificate.
> >>
> >> Of course there will be other security policies applied, such
> >> as FDE, home/swap encryption, ....
> > 
> > I do not think we support this and I'm also not sure why you
> > need it - what are you trying to achieve?
> > 
> This was a question from the security officer. If the device
> is stolen, he wanted to cut off the device from the
> Spacewalk management. I will tell him that this is not
> supported at this moment and that internal development will be
> needed.
> 
> 	best regards
> 		Peter

I see, thanks. By removing the profile of the stolen device you
can cut it off from your Spacewalk.

Regards,
Jan



-- 
Jan Hutar     Systems Management QA
jhutar at redhat.com     Red Hat, Inc.
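
Following the suggestion above, an added example (not part of the original message and not Spacewalk project code) that removes a stolen device's profile through Spacewalk's XML-RPC API using the `system.getId` and `system.deleteSystems` calls. The profile names, system IDs, session key and the `FakeSpacewalk` stand-in are constructed so the script runs offline; `connect` and `remove_profiles` are names chosen for this example.

```python
import xmlrpc.client


def connect(url, user, password):
    """Log in to a real server, e.g. url='https://<server>/rpc/api'."""
    client = xmlrpc.client.ServerProxy(url)
    return client, client.auth.login(user, password)


def remove_profiles(client, key, profile_name, allow_multiple=False):
    """Delete every profile named profile_name; return the deleted IDs."""
    ids = sorted(m["id"] for m in client.system.getId(key, profile_name))
    if not ids:
        raise LookupError("no profile named %r" % profile_name)
    # Re-registration can leave several profiles under one name; require
    # explicit confirmation before deleting more than one.
    if len(ids) > 1 and not allow_multiple:
        raise ValueError("%d profiles named %r: %s" % (len(ids), profile_name, ids))
    client.system.deleteSystems(key, ids)
    # Verify: the name must no longer resolve to any profile.
    left = [m["id"] for m in client.system.getId(key, profile_name)]
    if left:
        raise RuntimeError("profiles still present: %s" % left)
    return ids


class FakeSpacewalk:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def __init__(self, profiles):
        self.profiles = dict(profiles)  # system ID -> profile name
        self.system = self              # so client.system.getId(...) resolves

    def getId(self, key, name):
        return [{"id": i, "name": n} for i, n in self.profiles.items() if n == name]

    def deleteSystems(self, key, ids):
        for i in ids:
            self.profiles.pop(i, None)
        return 1


if __name__ == "__main__":
    # Constructed sample inventory: two profiles share the name "laptop-17".
    fake = FakeSpacewalk({1000010001: "laptop-17", 1000010002: "laptop-17",
                          1000010003: "laptop-42"})
    print(remove_profiles(fake, "constructed-key", "laptop-42"))
    print(remove_profiles(fake, "constructed-key", "laptop-17", allow_multiple=True))
```

Against a real server, obtain the client and session key from `connect(...)` and pass them to `remove_profiles` in place of the fake.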