OpenPegasus WBEM Services for Linux
26f581517e
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org> |
||
---|---|---|
.gitignore | ||
access.conf | ||
cimprovagt-wrapper.sh | ||
cmpiOSBase_OperatingSystemProvider-cimprovagt.example | ||
generate-certs | ||
pegasus_arch_alternatives | ||
pegasus_rpm_build_env.sh | ||
pegasus-2.5.1-pam-wbem.patch | ||
pegasus-2.5.1-warnings.patch | ||
pegasus-2.7.0-PIE.patch | ||
pegasus-2.7.0-snmp-tests.patch | ||
pegasus-2.9.0-cmpi-provider-lib.patch | ||
pegasus-2.9.0-local-or-remote-auth.patch | ||
pegasus-2.9.0-no-rpath.patch | ||
pegasus-2.9.0-redhat-config.patch | ||
pegasus-2.9.0-sparc.patch | ||
pegasus-2.9.1-getpagesize.patch | ||
pegasus-2.10.0-dont-strip.patch | ||
pegasus-2.10.0-sparc-posix-lock.patch | ||
pegasus-2.12.0-cimmofl-allow-experimental.patch | ||
pegasus-2.12.0-empty_arrays.patch | ||
pegasus-2.12.0-null_value.patch | ||
pegasus-2.12.0-schema-version-and-includes.patch | ||
pegasus-2.13.0-enable-subscriptions-for-nonprivileged-users.patch | ||
pegasus-2.13.0-gcc5-build.patch | ||
pegasus-2.14.1-build-fixes.patch | ||
pegasus-2.14.1-cimconfig-man-page-fixes.patch | ||
pegasus-2.14.1-fix-setup-sdk-ppc64le.patch | ||
pegasus-2.14.1-fix-setup-sdk.patch | ||
pegasus-2.14.1-openssl-1.1-fix.patch | ||
pegasus-2.14.1-snmpv3-trap.patch | ||
pegasus-2.14.1-ssl-cert-path.patch | ||
pegasus-2.14.1-ssl-include.patch | ||
pegasus-2.14.1-tesid.patch | ||
README.RedHat.Security | ||
README.RedHat.SSL | ||
repupgrade.1.gz | ||
rpm_build_env | ||
snmptrapd.conf | ||
sources | ||
tog-pegasus.service | ||
tog-pegasus.spec | ||
tog-pegasus.tmpfiles |
Red Hat SSL configuration for tog-pegasus ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Red Hat tog-pegasus package is built with support for SSL (the Secure Socket Layer). Note: the upstream documentation for SSL is located here: /usr/share/doc/tog-pegasus/PegasusSSLGuidelines.htm However, because the upstream documentation for SSL is not up-to-date (it was last updated in March, 2006, around the time of the OpenPegasus-2.5.1 release), nor accurate, we are providing this short description of how to configure SSL, as well as how it should be used. Hard-Coded Build-Time Constants: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Here is the list of constants which are hard-coded during build time: PEGASUS_CONFIG_DIR = /etc/Pegasus PEGASUS_PEM_DIR = /etc/pki/Pegasus PEGASUS_SSL_KEY_FILE = file.pem PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE) (= /etc/pki/Pegasus/file.pem) o Contains the private key for the CIM Server SSL Certificate. PEGASUS_SSL_CERT_FILE = server.pem PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE) (= /etc/pki/Pegasus/server.pem) o Contains the CIM Server SSL Certificate. PEGASUS_SSL_TRUSTSTORE = client.pem PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE) (= /etc/pki/Pegasus/client.pem) PEGASUS_SSL_SERVER_TRUSTSTORE = $(PEGASUS_PEM_DIR)/cimserver_trust (= /etc/pki/Pegasus/cimserver_trust) o Specifies the location of the OpenSSL truststore. Consistent with the OpenSSL implementation, a truststore can be either a file or directory. If the truststore is a directory, then all certificates within the directory are considered trusted. PEGASUS_SSL_SERVER_CRL = $(PEGASUS_PEM_DIR)/crl (= /etc/pki/Pegasus/crl) o This is where the CRL (Certificate Revocation List) store resides. Tips Following Package Installation: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o CIM Server default SSL certificates are generated when you run the tog-pegasus daemon (for example, by issuing the command "systemctl start tog-pegasus") for the first time, which includes the following files, which are created in /etc/pki/Pegasus: ca.crt, ca.srl, client.pem, file.pem, server.pem and in /etc/Pegasus: ssl-ca.cnf, ssl-service.cnf. Important: simply running the "cimserver" binary (/usr/sbin/cimserver) does NOT create the certificates or abovementioned files. Note: if you want to use your own certificates, simply overwrite the ones in /etc/pki/Pegasus. o to enable/disable HTTPS port 5989 (the official WBEM secure port), use cimconfig. o the wbemcli command (from the sblim-wbemcli package) uses /etc/pki/Pegasus/client.pem by default (see man wbemcli).