[CDO] Cert management for SSL connections to CDO server [message #974177] Tue, 06 November 2012 22:57
Warwick Burrows:
Hi,

We're trying to determine what the certification management requirements will be for SSL connections between the CDO server and its clients. For authentication to the server with the client cert, does the client cert have to be stored in the server's keystore, or does the server trust the client's CA and trust chain without requiring the actual cert? We need this to determine whether or not every client we bring up has to be registered in the CDO server's keystore.

Thanks,
Warwick
Re: [CDO] Cert management for SSL connections to CDO server [message #974422 is a reply to message #974177] Wed, 07 November 2012 03:48
Eike Stepper:
Hi Warwick,

I really hope that someone from the company that developed and contributed the SSL connector can comment on this. I've
cc'ed them.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


On 06.11.2012 23:57, Warwick Burrows wrote:
> Hi,
>
> We're trying to determine what the certification management requirements will be for SSL connections between the CDO
> server and its clients. For authentication to the server with the client cert, does the client cert have to be stored
> in the server's keystore, or does the server trust the client's CA and trust chain without requiring the actual cert? We
> need this to determine whether or not every client we bring up has to be registered in the CDO server's keystore.
>
> Thanks,
> Warwick
>
Re: [CDO] Cert management for SSL connections to CDO server [message #976946 is a reply to message #974422] Fri, 09 November 2012 00:13
Warwick Burrows:
A followup to this for those who might be interested. It seems that the cert usage is to establish the SSL connection only, and the client simply needs to trust the server. So if you deploy a cert on the server in a Java keystore and just add the cert issuer to your truststore on the client, it will theoretically be ok. Then as long as you keep your server cert valid, the clients should not need to be changed. This is coming from discussions with our deployment team, but we have yet to prove that. However, we do have a self-signed cert in dev that seems to work this way.

It may also be possible to tie an identity with the client cert and do client auth but we aren't doing that right now.
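As an added example (not CDO's own code and not part of this thread), the Java check below exercises the arrangement described above: a client truststore that holds only the issuing CA is enough to validate the server's certificate chain, so the server's leaf cert never has to be copied to the client. The file names, the truststore password and the CA-only truststore are assumptions. Note that checkServerTrusted validates the chain only; hostname verification is a separate step that an SSLEngine-based connector has to perform itself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example, not CDO code. Assumed inputs (constructed for this example):
 *   args[0] = client-truststore.jks, a JKS truststore that holds ONLY the issuing CA
 *   args[1] = server-chain.pem, the chain the server presents (leaf first, then intermediates)
 */
public final class ServerChainCheck {

    /** The PKIX X509TrustManager backed by the CA-only truststore. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    /**
     * True if the server chain builds a path to a CA in the truststore. The server's
     * leaf does not need to be in the truststore for this to succeed, so renewing the
     * leaf under the same CA leaves the clients untouched.
     */
    static boolean serverChainTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        try {
            trustManagerFor(trustStore).checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("server chain rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, "changeit".toCharArray()); // placeholder password
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[1])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        System.out.println(serverChainTrusted(trustStore, chain) ? "trusted" : "not trusted");
    }
}
```

Running it with a truststore that contains only the CA and a chain issued by that CA prints "trusted"; running it with a chain from a different issuer prints "not trusted" together with the validator's reason.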

Re: [CDO] Cert management for SSL connections to CDO server [message #977135 is a reply to message #976946] Fri, 09 November 2012 04:00
Eike Stepper:
On 09.11.2012 01:13, Warwick Burrows wrote:
> A followup to this for those who might be interested. It seems that the cert usage is to establish the SSL connection
> only, and the client simply needs to trust the server. So if you deploy a cert on the server in a Java keystore and
> just add the cert issuer to your truststore on the client, it will theoretically be ok. Then as long as you keep your
> server cert valid, the clients should not need to be changed. This is coming from discussions with our deployment team,
> but we have yet to prove that. However, we do have a self-signed cert in dev that seems to work this way.
>
> It may also be possible to tie an identity with the client cert and do client auth but we aren't doing that right now.
Warwick, thanks for the info! I must admit that I'm totally inexperienced with the SSLEngine. When you're sure about
these things, it would be cool if you could write up/contribute a small setup description, perhaps in the form of Javadoc
for SSLUtil?

Cheers
/Eike

Re: [CDO] Cert management for SSL connections to CDO server [message #977145 is a reply to message #977135] Fri, 09 November 2012 04:12
Warwick Burrows:
Sure, in the next few months we are going to be integrating fine-grained access control with the server, at which point we may need identities for our application clients, so by that time I should have a better understanding of what CDO has out-of-the-box. Also a big thanks to the guys from the company who developed the SSL connector, as it was a big help when promoting CDO to our development team.
Re: [CDO] Cert management for SSL connections to CDO server [message #977165 is a reply to message #977145] Fri, 09 November 2012 04:30
Eike Stepper:
On 09.11.2012 05:12, Warwick Burrows wrote:
> Sure, in the next few months we are going to be integrating fine-grained access control with the server
Are you planning to make use of the new security model and the SecurityManager?

Cheers
/Eike



> at which point we may need identities for our application clients, so by that time I should have a better understanding
> of what CDO has out-of-the-box. Also a big thanks to the guys from the company who developed the SSL connector, as it
> was a big help when promoting CDO to our development team.
Re: [CDO] Cert management for SSL connections to CDO server [message #977209 is a reply to message #977165] Fri, 09 November 2012 05:19
Warwick Burrows:
Yes we are. We're using what I believe is the final release candidate for the CDO 4.1 release this year. At the time we picked it up, you had said that it would become the 4.1 release. I believe it has the security manager implementation included, but I haven't looked at the source for it in great detail as yet; we do plan to use it if it's suited to what we need. We've not yet integrated 4.1 SR-1 into our source base but would appreciate any suggestions as to how to best do that.
Re: [CDO] Cert management for SSL connections to CDO server [message #977215 is a reply to message #977209] Fri, 09 November 2012 05:22
Eike Stepper:
On 09.11.2012 06:19, Warwick Burrows wrote:
> Yes we are. We're using what I believe is the final release candidate for the CDO 4.1 release this year. At the time
> we picked it up, you had said that it would become the 4.1 release. I believe it has the security manager
> implementation included, but I haven't looked at the source for it in great detail as yet; we do plan to use it if
> it's suited to what we need. We've not yet integrated 4.1 SR-1 into our source base but would appreciate any
> suggestions as to how to best do that.
I vaguely remember that I applied some fixes to the security manager. Probably just in 4.2. Would have to investigate
whether they could be ported back...

Cheers
/Eike
