1 Reply Latest reply on Jan 4, 2011 4:52 AM by R V

    client authentication with certificate fails

    R V

      hi all,

       

      I am on BL8.0 SP6, the environment is Linux 32-bit, and I am trying to set up authentication between the appserver and the agent using a certificate.

       

      I did all three steps mentioned in the administration guide (generating the certificate, adding the passphrase to the appserver's securecert file and adding the SHA1 fingerprint to the agent's certs/bladmin file). To allow the root user to connect from the appserver to the agent I added "root   rw,map=root" to the users.local file of the agent.

       

      When I now try to invoke some command like "nexec -i -l blrscd80 /bin/bash" I get

       

      - in the agent's rscd.log:

      01/04/11 08:13:40.655 WARN     rscd -  192.168.187.121 5843 0/0 (root): nexec: Certificate check failed

       

      - on the appserver's command line:

      Not authorized to run this command

       

      Added info: when I invoke "agentinfo blrscd80" I get:

      blrscd80:

        Agent Release   : 8.0.6.622

        Hostname        : blrscd80

        Operating System: Linux 2.6.18-164.el5

        User Permissions: 0/0 (root/root)

        Security        : Protocol=5, Encryption=TLS1 with X.509 Certificates

        Host ID         : A8C0CBBB

        # of Processors : 1

        License Status  : Licensed for NSH/CM - Expires Tue May 17 23:06:36 2011

       

      This seems to be ok.

       

      Does anyone have an idea what caused this error?

       

      Regards,

      Reinhard

       

      Message edited by Reinhard Vielhaber - added "agentinfo" output

        • 1. client authentication with certificate fails
          R V

          The solution was very simple. The documentation describes the way to allow client-connections for the "bladmin"-user. But I invoked the "nexec"-command as "root"...

           

          After creating a certificate for "root" and changing "bladmin" to "root" in the secadmin- and putcert-commands, I was able to connect in a secure manner.
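
An added troubleshooting example, not part of the original posts and not BMC tooling: it parses rscd.log lines in the format quoted in the question, picks out "Certificate check failed" entries, and reports which connecting users have no fingerprint file named after them in the agent's certs directory (the root vs. bladmin mismatch found above). Reading the fields after the client IP as PID and uid/gid, the one-file-per-user layout of certs/, and the second sample log line are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Layout inferred from the log line quoted in the thread:
#   date time LEVEL rscd - client_ip pid uid/gid (user): command: message
# Treating the two fields after the IP as pid and uid/gid is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>\w+)\s+rscd\s+-\s+"
    r"(?P<client>\S+)\s+(?P<pid>\d+)\s+(?P<ids>\d+/\d+)\s+\((?P<user>[^)]+)\):\s+"
    r"(?P<command>[^:]+):\s+(?P<message>.*)$"
)

def cert_failures(log_lines):
    """Yield (timestamp, client, user, command) for each certificate failure."""
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m and "Certificate check failed" in m["message"]:
            yield m["ts"], m["client"], m["user"], m["command"]

def users_missing_fingerprint(log_lines, certs_dir):
    """Users that failed the check and have no certs/<user> file on the agent."""
    certs_dir = Path(certs_dir)
    missing = set()
    for _ts, _client, user, _command in cert_failures(log_lines):
        # The user name comes from a log file: never let it act as a path.
        if Path(user).name != user or not (certs_dir / user).is_file():
            missing.add(user)
    return sorted(missing)

# Constructed sample: the first line is the one from the post,
# the second is a made-up non-failure line for contrast.
SAMPLE_LOG = [
    "01/04/11 08:13:40.655 WARN     rscd -  192.168.187.121 5843 0/0 (root): nexec: Certificate check failed",
    "01/04/11 08:14:02.101 INFO     rscd -  192.168.187.121 5850 0/0 (bladmin): agentinfo: constructed sample line",
]

def demo():
    # Temporary stand-in for the agent's certs directory, holding only the
    # bladmin file that the documented procedure creates.
    with tempfile.TemporaryDirectory() as certs:
        (Path(certs) / "bladmin").write_text("constructed-placeholder-fingerprint\n")
        return users_missing_fingerprint(SAMPLE_LOG, certs)

if __name__ == "__main__":
    print(demo())
```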