Mohamed Ali wrote:
Dear SGD users,
To enable the SGD security services I need to obtain and install the
X.509 certs. I have two servers that need security services enabled:
Server1 (Primary) and Server2 (Secondary).
This is the command shown in the Admin guide:
Server1# tarantella security certrequest --country US --state Man --orgname "Car Company"
I need to send the outcome of the above to a supported CA Center. Once
the CA Center gives me the signed certs, I will install them on my Server1.
My question is: can I use the same signed certs for my Server2?
Not really, unless you used an SSL accelerator in front of your array, or
a reverse proxy.
Recall that you're actually talking about four server certificates - for
each server, one for Apache, one for SGD. Generally, there's a single
certificate, shared between the webserver and SGD, but they don't have
to be. Moreover, there are some differences in certificate handling
between web browsers and the SGD client.
For example, in Apache, you could share webserver certificates between the
two servers by using wildcards in the hostname, so that a single
certificate/key pair could be used, like "*.sgd.example.com".
Alternatively, the ServerAltName field of a certificate could
conceivably be used (basically, the subject will be Server1 and the
ServerAltName would be set to Server2, though this is pretty much a
misuse of the certificate.)
But, the SGD client doesn't support either wildcards or ServerAltName,
so neither of these approaches gets you very far unless you don't enable
"tarantella security" and only run https. This is actually not an
unreasonable approach for some, because sniffing AIP isn't gonna give up
much info - but to use firewall traversal, you must enable security.
So, for most, this only becomes relevant when you want to establish a
certificate for a "round-robin" name, e.g.:
https://arrayname.example.com
https://server1.example.com
https://server2.example.com
For this to work, you'd create two certificate/key pairs:
cn=server1.example.com, ServerAltName=arrayname.example.com
cn=server2.example.com, ServerAltName=arrayname.example.com
Most web browsers will test the ServerAltName, so whether you browse to
any of:
https://arrayname.example.com, https://server1.example.com, or
https://server2.example.com
the web browsers will be happy because the hostnames will match (since
they test the ServerAltName field).
The SGD client itself will connect to a "real" hostname (i.e. server1
or server2), so there won't be any issue (that is, the SGD client will
*never* attempt to connect to arrayname.example.com, so the fact that it
doesn't test for ServerAltName won't come into play).
I know this is probably more info than you needed, but thought it might
be useful for others on the list.
Regards,
Rick
Any advice?
Thanks in advance.
--
Rick Butland
AccessLine: (703) 579-1947 x53261
Direct: (703) 444-9398
Mobile: (703) 328-8130
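As an added illustration (not code from the post or from SGD), the following models the two hostname checks Rick contrasts: a browser-style client that tests the alternative-name field (with wildcard support) and a legacy client that, like the SGD client as described, compares the connected hostname only against the subject CN. The certificates are constructed dicts following the two plans above; the alternative-name field is modelled as the X.509 subjectAltName dNSName list, and the `cn_with_san` flag is an assumption that lets the same function show both the behaviour the post assumes and the current browser rule that the CN is ignored once a SAN is present.

```python
# Added example (not from the list post): model how a browser-style client and
# a CN-only legacy client decide whether a certificate matches a hostname.
# Certificates are plain dicts: {"cn": <subject CN>, "san": [<dNSName>, ...]}.

def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; '*' is allowed only as the
    whole leftmost label and matches exactly one label (so '*.com' is rejected)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def browser_accepts(cert, hostname, cn_with_san=True):
    """Browser-style check over the SAN dNSNames plus (optionally) the CN.
    cn_with_san=True reproduces the post's assumption that both are tried.
    Current browsers behave like cn_with_san=False: once any SAN dNSName is
    present the CN is ignored, so every name a client may use belongs in the SAN."""
    names = list(cert.get("san", []))
    if not names or cn_with_san:
        names.append(cert["cn"])
    return any(_name_matches(n, hostname) for n in names)

def legacy_accepts(cert, hostname):
    """Legacy client (the SGD client as described): exact CN match only,
    no SAN lookup and no wildcard expansion."""
    return cert["cn"].lower() == hostname.lower()

# Constructed certificates following the two plans discussed in the post.
SERVER1 = {"cn": "server1.example.com", "san": ["arrayname.example.com"]}
SERVER2 = {"cn": "server2.example.com", "san": ["arrayname.example.com"]}
WILDCARD = {"cn": "*.sgd.example.com", "san": []}

def evaluate(cert, hostnames):
    """Map each hostname to (browser_accepts, legacy_accepts) for the cert."""
    return {h: (browser_accepts(cert, h), legacy_accepts(cert, h)) for h in hostnames}

if __name__ == "__main__":
    hosts = ["arrayname.example.com", "server1.example.com", "server1.sgd.example.com"]
    for label, cert in (("SERVER1", SERVER1), ("WILDCARD", WILDCARD)):
        for host, (browser, legacy) in evaluate(cert, hosts).items():
            print(f"{label:8} {host:26} browser={browser!s:5} sgd_client={legacy}")
```

Running it shows the post's conclusion directly: the round-robin name is accepted by the browser check but never by the CN-only check, which is harmless only because that client always connects to server1 or server2 by their real names.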
_______________________________________________
SGD-Users mailing list
http://www.filibeto.org/mailman/listinfo/sgd-users