Configuring SSL Certificates for OpenLMI

Managing systems with OpenLMI requires security at two levels: first, all communication between managed systems and client systems must travel over a secure connection; second, valid account credentials must be presented to the managed system before any operation is performed through OpenLMI.

OpenLMI uses the OpenPegasus CIMOM to talk to client applications and tools.

The protocol used by OpenLMI is called WBEM (Web-Based Enterprise Management) and runs over an HTTP transport layer. This connection is authenticated with standard HTTP "Basic" authentication, which means the username and password are transmitted alongside every request, base64-encoded but not encrypted. Because of the high level of access that OpenLMI is granted on the managed system, it is very important to ensure that these credentials are not exposed. To achieve this, we configure the OpenPegasus CIMOM to use HTTPS, wrapping the requests in an encrypted channel and preserving the secrecy of the username and password. This approach requires provisioning an SSL certificate on the managed system to establish the trusted tunnel.

Instructions for doing this have been published at http://www.openlmi.org/PegasusSSL. The guide covers both self-signed certificates and certificates signed by a Certificate Authority. Wherever possible we recommend managing certificates with a domain controller such as FreeIPA.
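The following script is an added example, not part of the original post or of the OpenLMI guide it links to. It audits a cimserver configuration in the key=value form OpenPegasus uses for its planned/current config files and reports the settings that leave Basic-auth credentials exposed (plain HTTP listener on, HTTPS listener off, HTTPS on but no certificate or key path). The property names enableHttpConnection, enableHttpsConnection, sslCertificateFilePath and sslKeyFilePath are the standard cimconfig properties; the two sample configs, the certificate paths in them, and the assumed defaults when a key is absent are constructed for this example.

```python
"""Audit an OpenPegasus cimserver config for the HTTPS-only posture the post
describes. Added example; sample configs and paths are constructed."""
from typing import Dict, List

# Constructed sample: plain HTTP listener enabled, HTTPS listener disabled.
WEAK_CONFIG = """\
# cimserver_planned.conf (constructed sample)
enableHttpConnection=true
enableHttpsConnection=false
httpPort=5988
httpsPort=5989
"""

# Constructed sample: HTTPS only, certificate and key provisioned.
HARDENED_CONFIG = """\
enableHttpConnection=false
enableHttpsConnection=true
httpsPort=5989
sslCertificateFilePath=/etc/Pegasus/server.pem
sslKeyFilePath=/etc/Pegasus/file.pem
"""

# Assumed defaults applied when a key is missing from the file.
ASSUMED_DEFAULTS = {"enableHttpConnection": "true", "enableHttpsConnection": "false"}


def parse_cimserver_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    A later occurrence of a key overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _is_true(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, ASSUMED_DEFAULTS.get(key, "false")).lower() == "true"


def audit_tls_posture(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means HTTPS-only with a cert."""
    findings: List[str] = []
    if _is_true(settings, "enableHttpConnection"):
        findings.append("plain HTTP listener enabled: Basic-auth credentials "
                        "cross the wire base64-encoded, not encrypted")
    if not _is_true(settings, "enableHttpsConnection"):
        findings.append("HTTPS listener disabled: no encrypted channel for WBEM requests")
    else:
        for key in ("sslCertificateFilePath", "sslKeyFilePath"):
            if not settings.get(key):
                findings.append(f"HTTPS enabled but {key} is unset: "
                                "the listener cannot present a certificate")
    return findings


def harden(settings: Dict[str, str], cert_path: str, key_path: str) -> Dict[str, str]:
    """Return a copy of the settings with HTTP off, HTTPS on and the cert/key set."""
    fixed = dict(settings)
    fixed.update({
        "enableHttpConnection": "false",
        "enableHttpsConnection": "true",
        "sslCertificateFilePath": cert_path,
        "sslKeyFilePath": key_path,
    })
    return fixed


def cimconfig_commands(settings: Dict[str, str]) -> List[str]:
    """Render 'cimconfig -s name=value -p' lines that would apply the settings
    to the planned configuration (takes effect on the next cimserver restart)."""
    return [f"cimconfig -s {k}={v} -p" for k, v in sorted(settings.items())]


if __name__ == "__main__":
    weak = parse_cimserver_conf(WEAK_CONFIG)
    for finding in audit_tls_posture(weak):
        print("FINDING:", finding)
    fixed = harden(weak, "/etc/Pegasus/server.pem", "/etc/Pegasus/file.pem")
    print("Remaining findings after hardening:", audit_tls_posture(fixed))
    print("\n".join(cimconfig_commands(fixed)))
```

Run it against a copy of the real planned config to see which of the three conditions apply before touching the server; the rendered cimconfig lines only change the planned configuration, so the running listener is unaffected until cimserver is restarted.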

Management level access to a system has to be carefully controlled, so make sure your SSL/TLS certificates are properly configured and managed!

About Russell Doty

A technology strategist and product manager at Red Hat, working on the next generation of open source systems.
This entry was posted in System Management.
