Conversation

@svetterIO
Contributor

Loading of signer certificates had the following issues:

  • loading of local runtime certificates is not possible (e.g. Ansible cannot reach the local AAC runtime certificate for checking)
  • Ansible is required to be able to load the certificate for comparison (firewall restrictions can prevent this from working properly)

fix: additional parameter "check_remote" introduced.
description: the parameter "check_remote" controls whether to load the remote certificate into Ansible for comparison or simply to check the kdb for the existence of the label. For backward compatibility and default behaviour (LMI) reasons, the "check_remote" parameter is set to False by default.

The previous commit (c3b3522) broke customer implementations where a firewall blocked the load of the remote certificates from the Ansible server.

Loading of signer certificates had the following issues:
- loading of local runtime certificates is not possible (e.g. Ansible cannot reach the local AAC runtime certificate for checking)
- Ansible is required to be able to load the certificate for comparison (firewall restrictions can prevent this from working properly)

fix: additional parameter "check_remote" introduced.
description: the parameter "check_remote" controls whether to load the remote certificate into Ansible for comparison or simply to check the kdb for the existence of the label. For backward compatibility and default behaviour (LMI) reasons, the "check_remote" parameter is set to False by default.

The previous commit (IBM-Security@c3b3522) broke customer implementations where a firewall blocked the load of the remote certificates from the Ansible server.
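The two comparison modes the description above distinguishes (label-only lookup in the kdb versus fetching the remote certificate from the Ansible controller and comparing it), written out as an added example. This is illustrative code, not the ibmsecurity module's own implementation: the names `check_signer_cert`, `SignerCertCheck`, `kdb_certs`, `fetch_remote_cert_der` and the sample kdb contents are assumptions, and the "DER" blobs are constructed stand-ins rather than real certificates. The failure mode the PR is about (a firewall between the controller and the certificate host) is modelled explicitly: in remote mode a connection error is reported rather than silently treated as "no change needed".

```python
"""Added example, not the project's code: signer-certificate comparison
selected by a check_remote flag. All names and sample data are assumptions."""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SignerCertCheck:
    label: str
    present: bool                # the label exists in the kdb
    matches: Optional[bool]      # None when not compared (check_remote=False or fetch failed)
    error: Optional[str] = None  # set when the remote fetch failed (firewall, timeout, ...)

    def needs_update(self) -> bool:
        """Decide whether the kdb must change (what a module would report as changed=True)."""
        if self.error is not None:
            raise RuntimeError(self.error)  # cannot decide; never silently skip the update
        if self.matches is None:
            return not self.present          # label-only mode (check_remote=False)
        return not self.matches              # remote mode: label missing or certificate differs


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; equal fingerprints mean the same certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_remote_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate (DER) via a TLS handshake from the controller.
    Verification is disabled on purpose: the goal is to read the cert, not to trust the peer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_signer_cert(kdb_certs: Dict[str, bytes], label: str, host: str, port: int,
                      check_remote: bool = False,
                      fetcher: Callable[[str, int], bytes] = fetch_remote_cert_der) -> SignerCertCheck:
    """check_remote=False (default): only ask whether the label is already in the kdb.
    check_remote=True: also fetch the remote certificate and compare fingerprints."""
    present = label in kdb_certs
    if not check_remote:
        return SignerCertCheck(label, present, None)
    try:
        remote_der = fetcher(host, port)
    except OSError as exc:  # connection refused, timeout, DNS failure: typical firewall symptoms
        return SignerCertCheck(label, present, None, f"could not fetch {host}:{port}: {exc}")
    if not present:
        return SignerCertCheck(label, False, False)
    return SignerCertCheck(label, True, fingerprint(kdb_certs[label]) == fingerprint(remote_der))


# Constructed sample kdb: label -> DER blob. The blobs are placeholders, not real certificates.
SAMPLE_KDB = {
    "ldap_signer": b"\x30\x82\x01\x00-constructed-ldap-cert",
    "aac_runtime": b"\x30\x82\x01\x00-constructed-runtime-cert",
}


def offline_fetcher(der: bytes) -> Callable[[str, int], bytes]:
    """Build a fetcher returning a fixed blob so the example runs without network access."""
    return lambda host, port: der


def blocked_fetcher(host: str, port: int) -> bytes:
    """Simulate a firewall dropping the controller's connection to the certificate host."""
    raise socket.timeout(f"timed out connecting to {host}:{port}")


if __name__ == "__main__":
    print(check_signer_cert(SAMPLE_KDB, "ldap_signer", "ldap.example", 636))
    print(check_signer_cert(SAMPLE_KDB, "ldap_signer", "ldap.example", 636, check_remote=True,
                            fetcher=offline_fetcher(b"\x30\x82\x01\x00-rotated-cert")))
    print(check_signer_cert(SAMPLE_KDB, "ldap_signer", "ldap.example", 636, check_remote=True,
                            fetcher=blocked_fetcher))
```

With the default `check_remote=False` the controller never opens a connection to the certificate host, which is what restores the behaviour for deployments where that path is firewalled; with `check_remote=True` a rotated certificate under an existing label is detected, at the cost of needing that connectivity.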
@svetterIO svetterIO changed the title from "BigFix: load of signer certificates not possible(network or firewall restrictions)" to "BugFix: load of signer certificates not possible(network or firewall restrictions)" on Aug 15, 2019
@svetterIO svetterIO mentioned this pull request Aug 15, 2019
@ram-ibm
Collaborator

ram-ibm commented Oct 1, 2019

I believe we can determine if "server" is local or not and avoid the need to pass another parameter for it. Will work on setting that logic up.

@svetterIO
Contributor Author

The functionality itself is handy and shouldn't be restricted to requests on the same machine. Maybe some customers want to check the signer certificates from the remote Ansible server and will therefore grant special permissions to allow such access (firewall rules). I think we should let the user decide which way of loading signer certificates is preferred.

1) URL encoding was mistakenly deleted; added pack.
2) Added some logging output for check_remote and the certificate comparison.
@djorgen-ibm djorgen-ibm merged commit 23ce11f into IBM-Security:master May 8, 2020