OpenPegasus WBEM Services for Linux
| .cvsignore | ||
| access.conf | ||
| genOpenPegasusSSLCerts | ||
| genSSLcerts | ||
| Makefile | ||
| pegasus_arch_alternatives | ||
| pegasus_rpm_build_env.sh | ||
| pegasus-2.5.1-pam-wbem.patch | ||
| pegasus-2.5.1-warnings.patch | ||
| pegasus-2.6.0-cimuser.patch | ||
| pegasus-2.7.0-no_snmp_tests.patch | ||
| pegasus-2.7.0-PIE.patch | ||
| pegasus-2.7.2-baseelif.patch | ||
| pegasus-2.9.0-cmpi-provider-lib.patch | ||
| pegasus-2.9.0-fix_tests.patch | ||
| pegasus-2.9.0-initscript.patch | ||
| pegasus-2.9.0-local-or-remote-auth.patch | ||
| pegasus-2.9.0-no_privilege_separation.patch | ||
| pegasus-2.9.0-no-rpath.patch | ||
| pegasus-2.9.0-redhat-config.patch | ||
| pegasus-2.9.0-sparc.patch | ||
| README.RedHat.Security | ||
| README.RedHat.SSL | ||
| RedHat.OpenPegasus.Makefile | ||
| rpm_build_env | ||
| sources | ||
| tog-pegasus.spec | ||
Red Hat SSL configuration for tog-pegasus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Red Hat tog-pegasus package is built with support for SSL
(the Secure Socket Layer).
Note: the upstream documentation for SSL is located here:
/usr/share/doc/tog-pegasus-%{version}/PegasusSSLGuidelines.htm
However, because the upstream documentation for SSL is not up-to-date
(it was last updated in March, 2006, around the time of the
OpenPegasus-2.5.1 release), nor accurate, we are providing this short
description of how to configure SSL, as well as how it should be used.
Hard-Coded Build-Time Constants:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the list of constants which are hard-coded during build time:
PEGASUS_CONFIG_DIR = /etc/Pegasus
PEGASUS_PEM_DIR = $(PEGASUS_CONFIG_DIR)
(= /etc/Pegasus)
PEGASUS_SSL_KEY_FILE = file.pem
PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
(= /etc/Pegasus/file.pem)
o Contains the private key for the CIM Server SSL Certificate.
PEGASUS_SSL_CERT_FILE = server.pem
PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
(= /etc/Pegasus/server.pem)
o Contains the CIM Server SSL Certificate.
PEGASUS_SSL_TRUSTSTORE = client.pem
PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
(= /etc/Pegasus/client.pem)
PEGASUS_SSL_SERVER_TRUSTSTORE = $(PEGASUS_PEM_DIR)/cimserver_trust
(= /etc/Pegasus/cimserver_trust)
o Specifies the location of the OpenSSL truststore. Consistent with the
OpenSSL implementation, a truststore can be either a file or directory.
If the truststore is a directory, then all certificates within the
directory are considered trusted.
PEGASUS_SSL_SERVER_CRL = $(PEGASUS_PEM_DIR)/crl
(= /etc/Pegasus/crl)
o This is where the CRL (Certificate Revocation List) store resides.
Tips Following Package Installation:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o CIM Server default SSL certificates are generated when you run the
tog-pegasus daemon (for example, by issuing the command
"service tog-pegasus start") for the first time, which includes the
following files, which are created in /etc/Pegasus: client.pem, file.pem,
server.pem and ssl.cnf.
Important: simply running the "cimserver" binary (/usr/sbin/cimserver)
does NOT create the certificates or abovementioned files.
Note: if you want to use your own certificates, simply overwrite the ones
in /etc/Pegasus.
o to enable/disable HTTPS port 5989 (the official WBEM secure port),
use cimconfig.
o the wbemcli command (from the sblim-wbemcli package)
uses /etc/Pegasus/client.pem by default (see man wbemcli).