...

  • The client presents an X.509 certificate to OMS Server.
  • An OMS_ACCESS entry must exist whose host value matches the hostname or IP address reported by the client.
  • The access value in the matching OMS_ACCESS entry must be allow.
    • If the access value is deny, the connection request is rejected with no further evaluation.
  • The certrule value in the matching OMS_ACCESS entry must be cert (see OMS_ACCESS for background on why this interaction exists).
    • If the certrule value is nocert, OMS Server will proceed to the next OMS_ACCESS entry.

...

  • OMS Server will look for a CERT_MAP entry that matches information in the client's certificate.
  • OMS Server will use that CERT_MAP entry's certid value to locate a matching OMS_CERT_ACCESS entry.
    • If OMS Server does not find a match, it will permit the connection.
    • If a match is found, OMS Server will permit or reject the connection based on the entry's access value (i.e., allow or deny).
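The evaluation order above (the pre-UACL certificate checks, then OMS_ACCESS, CERT_MAP and OMS_CERT_ACCESS), as an added illustrative model; this is not Universal Agent code, and it assumes that a CERT_MAP entry matches on the certificate's subject CN and that a client matching no OMS_ACCESS entry at all is rejected, neither of which this page states. The configuration entries, certid and certificate names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed model of the OMS Server evaluation order described above; it is
# not Universal Agent code. Assumptions: CERT_MAP matches on the certificate's
# subject CN, and a client that matches no OMS_ACCESS entry at all is rejected.

@dataclass
class ClientCert:
    subject_cn: str
    ca_valid: bool   # issuer chain validated successfully
    names: tuple     # hostnames/IPs carried in the certificate


def evaluate(cfg: dict, client_host: str, cert: ClientCert) -> str:
    """Return 'allow' or 'reject: <reason>' for one client connection."""
    # Checks performed before any UACL rule is consulted.
    if not cert.ca_valid:
        return "reject: CA validation failed"
    if cfg["AUTHENTICATE_PEER"] == "yes" and client_host not in cert.names:
        return "reject: AUTHENTICATE_PEER hostname/IP mismatch"
    for rule in cfg["OMS_ACCESS"]:
        if rule["host"] != client_host:
            continue
        if rule["access"] == "deny":
            return "reject: OMS_ACCESS deny"  # no further evaluation
        if rule["certrule"] == "nocert":
            continue                          # try the next OMS_ACCESS entry
        # certrule=cert: map the certificate to a certid, then consult OMS_CERT_ACCESS.
        certid = next((m["certid"] for m in cfg["CERT_MAP"]
                       if m["subject_cn"] == cert.subject_cn), None)
        for ca in cfg["OMS_CERT_ACCESS"]:
            if ca["certid"] == certid:
                return "allow" if ca["access"] == "allow" else "reject: OMS_CERT_ACCESS deny"
        return "allow"                        # no OMS_CERT_ACCESS match: permitted
    return "reject: no matching OMS_ACCESS entry"  # assumption, see header comment


# Constructed entries for the 10.20.30.40 scenario; certid and CN are placeholders.
CONFIG = {
    "AUTHENTICATE_PEER": "yes",
    "OMS_ACCESS": [{"host": "10.20.30.40", "access": "allow", "certrule": "cert"}],
    "CERT_MAP": [{"certid": "uag-prod", "subject_cn": "uag-prod.example.com"}],
    "OMS_CERT_ACCESS": [{"certid": "uag-prod", "access": "allow"}],
}
UAG_CERT = ClientCert("uag-prod.example.com", True, ("10.20.30.40",))
DENIED = dict(CONFIG, OMS_CERT_ACCESS=[{"certid": "uag-prod", "access": "deny"}])

if __name__ == "__main__":
    print(evaluate(CONFIG, "10.20.30.40", UAG_CERT))  # allow  (like scenario 2a)
    print(evaluate(DENIED, "10.20.30.40", UAG_CERT))  # reject (like scenario 2b)
```

Note that, per the page, a certificate whose certid matches no OMS_CERT_ACCESS entry is permitted, so a missing deny entry is a silent allow rather than a failure.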

...

Info: UAG Server Client Certificates

You must set UAG Server's SSL_CLIENT_AUTH option to send any configured certificate/private key from UAG Server to OMS Server.

...

Info: Additional Certificate Authentication

Prior to UACL rule evaluation, OMS Server may also reject the connection in one of two ways:

  • If OMS Server cannot authenticate the client certificate's issuer (i.e., CA validation fails), OMS will refuse the connection.
  • If the OMS Server configuration option AUTHENTICATE_PEER is set to yes and the client certificate does not contain a hostname or IP address that matches the client system's DNS Name or IP Address, OMS will refuse the connection.
    • When AUTHENTICATE_PEER is no, OMS Server relies solely on the OMS_CERT_ACCESS rules to accept or reject connections based on client certificate information.

...

Info: CERT_MAP Requirement

If you intend to author OMS_CERT_ACCESS rules into your configuration, you must also have one or more CERT_MAP entries defined. The Universal Agent does not support a configuration where OMS_CERT_ACCESS rules exist without CERT_MAP entries.

...

The following example conditionally grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40 that presents an X.509 certificate. Before accepting the connection, OMS Server will look for a matching CERT_MAP entry and use its certid value to evaluate the OMS_CERT_ACCESS rules.

...

Scenario 2a

Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will accept the above connection.

...

Scenario 2b

Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will reject the above connection.

...