Re: Making CA certificate available over http, __default__ rewrites

+++ Jan Pazdziora [11/07/13 15:49 +0200]:
On Thu, Jul 11, 2013 at 09:19:40AM -0400, Brenton Leanhardt wrote:

Am I misunderstanding your suggestion?  Are you wanting to serve the
CA only for your installation of OpenShift or are you suggesting this
become the standard for Origin?

Ideally there should be a way for users to get the CA certificate
from their OpenShift Origin deployment to their client machines. Yes,
the IT department of the organization can put it to a well known
place or even to some CA bundle they distribute in their organization
but in some situations, getting it from that OpenShift Origin website
is enough. Test automation is one such case.

But my question went beyond the particular "fetch the CA certificate"
use case. Even if the RewriteRule to allow for the file to be fetched
from the broker is not there by default, admins should still have
a reasonably easy way to amend the broker configuration, to add this CA
config there, or to for example co-host nagios or FreeIPA or other
software, on the broker. And the problem that I hit in the all-on-one
installation is that if you also have node on the machine, you have to
do that configuration twice -- not just in broker's conf file but in
node's as well, and it then also applies to the gears which is not
what we want. It would be nice if node's config only dealt with gears
but not with the hostname which is not a gear -- the broker.

Granted, all-on-one co-hosted with some other product is not something
that we'd be recommending for production use but for POCs, demos, and
general hacking, having it on one box makes some things much easier.

The change that worries me is that some may think that is secure and
clients will be written that first fetch the server certificate from
the server and then use it for a 'trusted' connection.

By no means do I propose that fetching the CA certificate should
happen automatically, in the rhc client. It certainly should be
a manual step.

The challenge we have today is that there are many different OpenShift
clients, not just rhc.  Anything we expose on the Broker becomes part
of the API.  Given what we've seen already the potential for misusing
the API seems fairly high to me.  I'd rather not do it for anything
security related.

That said, I hear you loud and clear that we need to ensure that
OpenShift httpd configurations play nicely with others and we'll
improve that.  Hopefully when we do that you'll be able to add the CA
support that you want for your environment.

This will also go a long way to improving the all-in-one scenarios you
describe.  I know there are several different efforts underway to make
demos easier.

I want to make the former work, but I'm cautious about the latter.

FWIW, http://curl.haxx.se/docs/sslcerts.html mentions how you can use
'openssl s_client'.  It's definitely not as convenient as fetching a
file though.


Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
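
Added example, not part of the original message and not code from OpenShift or rhc: one way a script can make the manual step discussed above explicit, by accepting a CA certificate downloaded from the broker only when its SHA-256 fingerprint matches a value obtained out of band. The function names, the sample bytes and the pinned value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_blocks(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]


def sha256_hex(der):
    return hashlib.sha256(der).hexdigest()


def accept_ca(pem_text, pinned_fp):
    """True only if the download holds exactly one certificate whose SHA-256
    fingerprint equals the value obtained out of band."""
    blocks = der_blocks(pem_text)
    if len(blocks) != 1:  # error page, empty reply, or extra certs
        return False
    want = re.sub(r"[:\s]", "", pinned_fp).lower()  # allow AB:CD:.. form
    if not re.fullmatch(r"[0-9a-f]{64}", want):  # truncated or not SHA-256
        return False
    return hmac.compare_digest(sha256_hex(blocks[0]), want)


def to_pem(der):
    """Wrap bytes in PEM armor (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bytes standing in for DER certificates (not real certs).
GENUINE = to_pem(b"constructed stand-in: deployment CA")
SWAPPED = to_pem(b"constructed stand-in: substituted CA")
# Stand-in for the fingerprint the admin hands over out of band.
_h = sha256_hex(der_blocks(GENUINE)[0]).upper()
PINNED = ":".join(_h[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    for name, pem in (("genuine", GENUINE), ("swapped", SWAPPED)):
        print(name, "->", "install" if accept_ca(pem, PINNED) else "reject")
```

The pinned value has to reach the client by a path other than the connection being bootstrapped; a fingerprint read from the same unverified download authenticates nothing.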