Idea ID 2815958
Make a centralized PKI, so that there would be no self-signed certificate, and there would be no need for the command "omnicc -secure_comm -configure_peer <host> [-accept_host]". This command is an overhead, especially when there are many clients involved in the functioning of a cell.
The idea is to have something like below:
(1) Empower KMS to distribute CA certificate(s), including the trust anchor, to the clients getting imported (directly via GUI or "omnicc -import_host <host>"). No thumb-print look-up. This will take care of the short/long host-name, FQDN, etc., as there would be no need for ssconfig entries.
(2) The same set of certificates can now be extended to the app-server, and everything can be fully automated. All of this could be made part of the "omnicc -import_host <host>".
(3) You will not need a user to be created to access the Cell Manager from a GUI client. This can be completely authenticated by the certificates.
(4) This could open up N-number of possibilities in a HIGHLY SIMPLIFIED manner. One such is that KMS can take up the role of checking the certificates' validity daily, at the stroke of midnight, and trigger a notification if they are about to expire. The time at which you would start getting the notifications can be made configurable, say within 30 days of expiry, or 5 days of expiry.
NOTE: Please add more benefits, if you can find any. I'm sure I did not cover all the nuances that can get simplified due to this. And yes, I don't see any downsides of this.
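A sketch of the daily validity check with configurable notification windows described in point (4), as an added example that is not part of the original post and is not Data Protector or KMS code. The host names, the inventory of notAfter strings, and the rule of alerting only when a host enters a tighter window are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

DAY = 86400  # seconds

def days_left(not_after, now):
    """Whole days until notAfter, given in OpenSSL text form ('Jun 21 00:00:00 2025 GMT')."""
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // DAY)

def classify(days, windows=(30, 5)):
    """Return 'expired', the tightest window reached (e.g. 5), or None if outside all windows."""
    if days < 0:
        return "expired"
    reached = [w for w in windows if days <= w]
    return min(reached) if reached else None

def daily_check(inventory, now, windows=(30, 5), last_sent=None):
    """Run one check. Returns (alerts, state); pass state back in on the next run.

    A host is reported only when its level changes, so a certificate inside the
    30-day window produces one alert, then another on entering the 5-day window.
    """
    state = dict(last_sent or {})
    alerts = []
    for host, not_after in sorted(inventory.items()):
        try:
            level = classify(days_left(not_after, now), windows)
        except ValueError:
            level = "unparseable"  # report bad inventory data instead of skipping it
        if level is None:
            state.pop(host, None)  # renewed or far from expiry: reset
            continue
        if state.get(host) != level:
            alerts.append((host, level))
        state[host] = level
    return alerts, state

# Constructed inventory: host -> certificate notAfter (hypothetical values).
INVENTORY = {
    "client-a.example.test": "Jun 21 00:00:00 2025 GMT",
    "client-b.example.test": "Jun 04 00:00:00 2025 GMT",
    "client-c.example.test": "May 30 00:00:00 2025 GMT",
    "client-d.example.test": "Jan 15 00:00:00 2026 GMT",
    "client-e.example.test": "not a date",
}

if __name__ == "__main__":
    midnight = datetime(2025, 6, 1, tzinfo=timezone.utc)
    alerts, _ = daily_check(INVENTORY, midnight)
    for host, level in alerts:
        print(f"{host}: {level}")
```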