nap wrote:
>
> Puppet has an interesting approach to this problem: to be able to
> communicate with the server, each client must have a signed
> certificate. Upon first launch, the client will generate a
> request, send it to the server and upon approval (which is
> manually done by the server admin), get the final client cert
> signed by the server (which here acts as a CA).
>
> Details are scarce, but some information here:
> http://docs.puppetlabs.com/guides/security.html
>
> It's a very interesting way indeed. If I remember someone already talked
> about such a way of working. It can be a good enhancement :)

(We have a Puppet infrastructure deployed)
What is important here is to be able to reuse other certificates already available. We have a Kerberos deployment, and a Puppet deployment, and hopefully a Shinken deployment later, and I do not want to have a certificate per machine per daemon :)

What is interesting in using a CA mechanism is that this is quite standard and could be easily extended to be plugged on other CA infra (like a PKI) already available on site. If I remember correctly, someone developed a patch for puppet to be able to use the same certificates for their Puppet infra and their Func infra. It could be nice to be able to do the same thing for Shinken.

Aurélien

_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel
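
The enrollment flow described in the quoted message (client generates a request, the admin approves it, the server signs as CA), sketched with the generic `openssl` CLI. This is an added example, not Puppet's or Shinken's code; the CA name, host name, lifetimes and file layout are assumptions.

```shell
#!/bin/sh
# Constructed demo: CA name, host name and lifetimes are made up for illustration.
set -eu
WORK=$(mktemp -d)
HOST=poller01.example.org

# Site CA. With an existing PKI this step is skipped and its CA is used instead.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client, first launch: create a key pair and a signing request.
# Only the .csr is sent to the server; the private key stays on the host.
client_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Server: the identity the admin reviews before approving the request.
pending_subject() {
    openssl req -in "$WORK/$1.csr" -noout -subject
}

# Server: manual approval means the CA signs the reviewed request.
approve_request() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# Any daemon that trusts ca.crt can check a peer certificate the same way,
# which is what lets one certificate per machine serve several services.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
client_request "$HOST"
pending_subject "$HOST"
approve_request "$HOST"
verify_cert "$WORK/$HOST.crt" && echo "accepted: $HOST"

# A certificate that was never approved by the CA (self-signed) is rejected.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
verify_cert "$WORK/rogue.crt" || echo "rejected: unsigned certificate for $HOST"
```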