
Hyperic HQ

SSL - When the server imports an agent cert, it should use a unique alias each time. (Was: all keystores should have a different "CN")

Details

  • Case Links:
    none
  • Regression:
    No
  • Story Points:
    3

Description

The "CN" is used as the alias when a client imports a host's certificate. However, certificates with the same alias are not allowed.
All the HQ servers have the same CN.
The agents now have the IP in their CN, but that is still not safe. There should be a mechanism to generate a unique CN for each instance (it could be a UUID).

Activity

Annie Chen added a comment - edited

If you're trying to import an agent cert into the server keystore with an existing alias name, this is the error message you'll get:
...
What IP should HQ use to contact the agent [default=10.16.17.38]: localhost
What port should HQ use to contact the agent [default=2144]:

  • Received temporary auth token from agent
  • Registering agent with HQ
    The server to agent communication channel is using a self-signed certificate and could not be verified
    Are you sure you want to continue connecting? [default=no]: yes
  • Unable to register agent: Failed to connect to agent: Error sending argument: Unable to connect to localhost:2144: Broken pipe, retried 5 times, cmd=agent:ping

It basically doesn't tell you why the connection failed. We use java.security.KeyStore.store(OutputStream stream, char[] password) to import the cert. However, it doesn't throw any exception, nor does it import the cert, when an existing truststore entry has the same alias name.

We reduce this risk by adding a UUID to the alias.

Annie Chen added a comment -

We should keep the CN as it is and add a UUID to the alias at the moment the certs are imported.

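The import described in the two comments above, as an added example that is not Hyperic's own code: a small program that imports a peer's PEM certificate into a JKS truststore under an alias made of the lower-cased CN plus a random UUID, checks the alias against the store before using it, and skips the import if the identical certificate is already trusted. The class name, argument order and the "peer" fallback alias are assumptions for the example. The reason the alias check matters is that java.security.KeyStore.setCertificateEntry silently replaces an existing trusted-certificate entry that has the same alias, so importing two agents whose certs share a CN under a CN-only alias keeps only the last one.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.UUID;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example, not Hyperic's code: import a peer certificate into a JKS
 * truststore under an alias that cannot collide with an earlier import
 * from a peer that happens to have the same CN.
 *
 * Usage (assumed): java UniqueAliasImport <truststore.jks> <storepass> <peer-cert.pem>
 */
public final class UniqueAliasImport {

    /** Extract the CN from the subject DN, or "peer" (assumed fallback) if there is none. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: fall through to the generic alias
        }
        return "peer";
    }

    /**
     * Keep the CN readable for operators, but append a UUID so two peers with
     * the same CN get distinct entries. JKS aliases are case-insensitive, so
     * the base is lower-cased before the store is consulted.
     */
    static String uniqueAlias(KeyStore ks, X509Certificate cert) throws GeneralSecurityException {
        String base = commonName(cert).toLowerCase().replaceAll("[^a-z0-9.-]", "_");
        String alias;
        do {
            alias = base + "-" + UUID.randomUUID();
        } while (ks.containsAlias(alias)); // defensive: retry on the (improbable) UUID collision
        return alias;
    }

    /**
     * Import the certificate as a trusted entry and return the alias used.
     * If this exact certificate is already present, its existing alias is
     * returned and nothing is written, so re-running setup is harmless.
     */
    static String importTrustedCert(KeyStore ks, X509Certificate cert) throws GeneralSecurityException {
        String existing = ks.getCertificateAlias(cert);
        if (existing != null) {
            return existing;
        }
        String alias = uniqueAlias(ks, cert);
        ks.setCertificateEntry(alias, cert); // would overwrite silently on an alias clash; alias is unique here
        return alias;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: UniqueAliasImport <truststore.jks> <storepass> <peer-cert.pem>");
            System.exit(2);
        }
        Path storePath = Paths.get(args[0]);
        char[] pass = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(storePath)) {
            try (InputStream in = Files.newInputStream(storePath)) {
                ks.load(in, pass);
            }
        } else {
            ks.load(null, pass); // start a fresh, empty truststore
        }

        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[2]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        String alias = importTrustedCert(ks, cert);
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ks.store(out, pass);
        }
        System.out.println("imported CN=" + commonName(cert) + " as alias " + alias);
    }
}
```

After running it for two agents whose certs both carry CN=hq-agent, `keytool -list -keystore <truststore.jks>` shows two trusted entries named hq-agent-<uuid> rather than one, which is the behaviour the ticket asks for; the `getCertificateAlias` check on top of that keeps a repeated import of the same certificate from piling up duplicate entries.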
Ilayaperumal Gopinathan added a comment -

Verified that both server and agent certs have the UUID in the keystore alias when they are imported on the agent/server side.

Verified in build: 4.6.0.BUILD-20110714.105306-239.

Thanks.

