Will,

We have several other integrated components that have a similar
situation; it makes sense to consolidate the HTTPS client we use across
CloudStack and have a global configuration to deal with self-signed
certificates for all of them in testing or POC.

To help the testing/POC process go smoothly, we may allow self-signed
certificates by default (which is the current behavior); security-sensitive
customers should disallow self-signed certificates in their production
environment.

Kelven 

On 6/6/13 9:08 AM, "Will Stevens" <wstev...@cloudops.com> wrote:

>Hey All,
>I am building integration between CS and an external Palo Alto Firewall
>device.  The API calls to the PA device are done over HTTPS.  In some
>cases (like testing or a POC), it makes sense to use a self signed cert
>for this connection.
>
>Currently I have a little http client wrapper which allows the use of a
>self signed cert.  Obviously, I do not want to use the wrapper when a real
>cert is used.
>
>What I am thinking of doing is adding a checkbox on the 'Add Palo Alto
>Device' configuration overlay with an option for 'Using a self signed
>cert'.  If this checkbox is checked, then the http client wrapper is used
>so the self signed cert will not throw errors; if it is not checked, the
>http client wrapper will not be used and errors will be thrown if the
>cert is not valid.
>
>Is this a realistic approach to this problem?  Is this problem handled in
>other parts of the system in a different way?
>
>Thanks,
>
>Will
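
An added example, not part of the original thread and not CloudStack code: one way a shared HTTPS client could honor such a setting, using the JVM default trust store when self-signed mode is off and trusting only the device's own certificate when it is on. The class name, method name and PEM-file parameter are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: one place that decides how HTTPS peers are trusted. */
public final class DeviceTlsContexts {
    private DeviceTlsContexts() {}

    /**
     * @param allowSelfSigned value of the (hypothetical) global or per-device setting
     * @param deviceCertPem   PEM file with the device's self-signed certificate;
     *                        ignored when allowSelfSigned is false
     */
    public static SSLContext forDevice(boolean allowSelfSigned, Path deviceCertPem) throws Exception {
        if (!allowSelfSigned) {
            // Production path: JVM default trust store, normal chain validation.
            return SSLContext.getDefault();
        }
        if (deviceCertPem == null) {
            throw new IllegalArgumentException("self-signed mode needs the device certificate");
        }
        // Test/POC path: trust exactly this certificate instead of disabling validation.
        Certificate cert;
        try (InputStream in = Files.newInputStream(deviceCertPem)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty in-memory store
        trust.setCertificateEntry("device", cert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Strict mode needs no certificate file and runs offline.
        System.out.println("strict context: " + forDevice(false, null).getProtocol());
    }
}
```

Hostname verification is left to the HTTP client that consumes the returned `SSLContext`; this helper only selects the trust anchors.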
