Idea Details

Make NiMi SSL connection aware of SSL extensions

Last activity 02-08-2016 03:00 PM
02-03-2016 06:17 AM

We require all connections between different RA components (NAC, NES, agents, repo, DB) to be encrypted with SSL. Furthermore we have to use official company certificates (in this case keystores). All those certificates are issued from a commercial certificate issuer software. All those certificates come with a number of SSL extensions. Here is what these look like:

Extensions:

(...)

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

(...)

When using such certificates, the HTTPS and MQ connections work correctly; however, the agent cannot connect via NiMi with such certificates.

I have been working a long time with support to reach this point. This is what support eventually said:

"With extension in place it is only allowing authentication over Active MQ, that is able to communicate between NAC-NES but over NimiProtocol that is between NES and Agent it doesn't recognize it."

This idea is about making the NiMi protocol aware of and accepting SSL extensions. Support and engineering's opinion is that this works as designed, thus they will not file it as a bug; instead they suggest opening a Request for Enhancement based on this idea, hence this idea :-)
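Before rolling a commercial certificate out to components that act as both TLS client and TLS server, it helps to confirm which roles its extensions actually permit. The checker below is an added example, not code from the original post or from the product: it parses a keytool-style extension dump (the constructed sample mirrors the two extensions quoted above), reports EKU purposes missing for a requested role, and flags critical extensions it does not recognize, which RFC 5280 requires a relying party to reject.

```python
import re

# Constructed sample in keytool -printcert style, mirroring the extensions quoted in the post.
SAMPLE_EXTENSIONS = """\
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
"""

EKU_OID, KEY_USAGE_OID = "2.5.29.37", "2.5.29.15"
KNOWN_OIDS = {EKU_OID, KEY_USAGE_OID}  # the only extensions this checker interprets
HEADER = re.compile(r"^#\d+: ObjectId: (?P<oid>[\d.]+) Criticality=(?P<crit>true|false)$")

def parse_extensions(text):
    """Parse keytool-style output into {oid: {"critical": bool, "values": [...]}}."""
    exts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = exts.setdefault(m["oid"], {"critical": m["crit"] == "true", "values": []})
        elif line == "]":
            current = None  # end of the bracketed value list
        elif current is not None and line and not line.endswith("["):
            current["values"].append(line)  # one usage name per line
    return exts

def _norm(values):
    # keytool prints e.g. "Key_Encipherment"; compare case- and underscore-insensitively
    return {v.lower().replace("_", "") for v in values}

def check_tls_roles(exts, roles=("server", "client")):
    """Report EKU/KeyUsage gaps for the requested TLS roles and unrecognized critical extensions."""
    eku = _norm(exts.get(EKU_OID, {}).get("values", []))
    key_usage = _norm(exts.get(KEY_USAGE_OID, {}).get("values", []))
    missing = []
    for role in roles:  # RFC 5280: absent EKU allows any purpose; a present EKU must list the role
        purpose = {"server": "serverauth", "client": "clientauth"}[role]
        if EKU_OID in exts and purpose not in eku:
            missing.append(f"EKU lacks {purpose}")
    # A TLS client signs CertificateVerify, so client auth needs the digitalSignature bit.
    if "client" in roles and KEY_USAGE_OID in exts and "digitalsignature" not in key_usage:
        missing.append("KeyUsage lacks digitalSignature")
    # RFC 5280 4.2: a critical extension the relying party does not understand means rejection.
    unknown_critical = [oid for oid, e in exts.items() if e["critical"] and oid not in KNOWN_OIDS]
    return {"ok": not missing and not unknown_critical,
            "missing": missing, "unknown_critical": unknown_critical}
```

Run `check_tls_roles(parse_extensions(SAMPLE_EXTENSIONS))` to see that the quoted certificate satisfies both roles; feed it the output of `keytool -printcert -v` on your own keystore entry to check a real certificate.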


Comments

02-08-2016 03:00 PM

Me as well!

02-08-2016 02:52 PM

Definitely a good idea. And speaking as one of those Support guys, it is correct that it is intended behavior for the time being. You've got my upvote!