AWG-STN

TLS two-way authentication between clients and CM?

Hi everybody,

I am currently specifying the Data Protector integration for my client's IT system and have one question. I looked into the Data Protector documentation and could not find the answer, and although we have already bought licenses, we are not able to install the product for the moment.

Is the TLS "two-way" authentication feature implemented in DP? Meaning, is it possible for the DP CM to validate clients' certificates at TLS communication initialization? I found in the Administrator's guide some "verify-client" attribute in the keystore "standalone.xml" configuration file, but no information about its role and possible values.

Thanks in advance for your help!

vincent


Re: TLS two-way authentication between clients and CM?

Hi @AWG-STN,

The client-server communication is not handled by the AppServer, so standalone.xml is not related at all. In Secure Communication (SSC) each client (including the Cell Manager) creates a local self-signed certificate. To allow communication, a certificate-based trust must be established from CM to client and from client to CM. If one of the ends fails to validate the other, there will be no communication at all. I guess this is what you mean by two-way authentication.

This is implemented in Data Protector INET, the component that exists on all Data Protector clients.

Regards,
Sebastian Koehler

AWG-STN

Re: TLS two-way authentication between clients and CM?

Hi @Sebastian.Koehler ,

Thanks for your reply. To explain the context a little more: our goal is to use our own TLS certificates, which will be generated by a dedicated CA, not self-signed certificates. I have read here that it should be possible.

From what I read regarding Host trusts, I understand this feature is based on hostnames only and is not directly related to TLS certificate authentication. TLS two-way authentication requires both parties of the TLS communication, client and server, to validate the other's certificate (issued by a trusted CA, not expired, not revoked, etc.). Usually only the client authenticates the server (typically on websites using the HTTPS protocol). In our specific case, our customer would like the server to also authenticate the client.

Regards,

vincent

Gamut

Re: TLS two-way authentication between clients and CM?

Hi @AWG-STN ,

In Data Protector 9, a dedicated CA was not supported. Source: https://community.microfocus.com/t5/Data-Protector-User-Discussions/OED-ECC-can-the-Cell-Manager-operate-with-an-intermediate-CA/m-p/229864

I managed to get it to work, but it was an awful exercise. DP9 was clearly not meant to be a sub-CA of an internal CA.

I don't have any experience with DP10, so YMMV with DP10.


Re: TLS two-way authentication between clients and CM?

Hi @AWG-STN,

The certificate-based security implementation in Data Protector 10.x is completely different from the one used in 9.x. As of today, in version A.10.30, you can rely on the self-signed certificates that are generated when the client is installed, OR generate certificates with your CA and place them on each client accordingly.

Linux/UNIX
/etc/opt/omni/client/sscertificates/localhost_cert.pem
/etc/opt/omni/client/sscertificates/localhost_key.pem
Windows
C:\ProgramData\OmniBack\Config\client\sscertificates\localhost_cert.pem
C:\ProgramData\OmniBack\Config\client\sscertificates\localhost_key.pem

From there on the trust is established by running omnicc -secure_comm -configure_peer CMHostname from the client and omnicc -secure_comm -configure_peer ClientHostname from the CM.

I talked to @Shishir Misra about this situation at the Micro Focus Universe recently and a more comprehensive solution is coming soon. Maybe he can comment on the plans and answer your questions.

Regards,
Sebastian Koehler
