author Sol Jerome <solj@ices.utexas.edu> 2010-01-11 19:20:16 +0000
committer Sol Jerome <solj@ices.utexas.edu> 2010-01-11 19:20:16 +0000
commit 9afe5e46407af2613ae55b89ae9abafd7d7de6e1
tree 11970c3f288ed84a5b6bdd03ee8a0851e377d557 /doc
parent e0df4d0993fe524b0d3b7a9b5f203aaa3ab1d7b3
doc: Add note about certificate creation when using SSL
Signed-off-by: Sol Jerome <solj@ices.utexas.edu>
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5670 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'doc')
-rw-r--r-- doc/authentication.txt 19
1 files changed, 17 insertions, 2 deletions
diff --git a/doc/authentication.txt b/doc/authentication.txt
index 2a72917a3..56cb7ce3e 100644
--- a/doc/authentication.txt
+++ b/doc/authentication.txt
@@ -77,8 +77,8 @@ per-client passwords set will not be able to connect.
SSL Cert-based client authentication
====================================
-As of 1.0pre3, SSL-based client authentication is supported. This
-requires several things:
+SSL-based client authentication is supported. This requires several
+things:
#. Certificate Authority (to sign all keys)
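Review bot: removing "As of 1.0pre3," from the opening sentence drops the only statement of which release first supports SSL cert-based client authentication, and the commit message ("Add note about certificate creation when using SSL") does not mention this change. If the version still matters to readers running older releases, keep it, for example as a `.. versionadded:: 1.0pre3` directive under the heading; otherwise mention the removal in the commit message.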
@@ -98,6 +98,21 @@ using the following set of steps:
http://www.flatmtn.com/article/setting-ssl-certificates-apache
+ .. note::
+ The client CN must be the FQDN of the client (as returned by a
+ reverse DNS lookup of the ip address. Otherwise, you will end up
+ with an error message on the client that looks like::
+
+ Server failure: Protocol Error: 401 Unauthorized
+ Failed to download probes from bcfg2
+ Server Failure
+
+ on the client. You will also see an error message on the server
+ that looks something like::
+
+ cmssrv01 bcfg2-server[9785]: Got request for cmssrv115 from incorrect address 131.225.206.122
+ cmssrv01 bcfg2-server[9785]: Resolved to cmssrv115.fnal.gov
+
#. Distribute the keys and certs to the appropriate locations
#. Copy the ca cert to clients, so that the server can be authenticated
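Review bot: in the added note, the parenthesis opened at "(as returned by a reverse DNS lookup of the ip address." is never closed, and "on the client" appears twice around the first literal block ("error message on the client that looks like::" and then "on the client. You will also see"). Close the parenthesis after "IP address", drop the second "on the client.", and start a new sentence at "You will also see". The server log sample carries what look like real hostnames and an address (cmssrv115.fnal.gov, 131.225.206.122); consider substituting example values such as client.example.com and an address from 192.0.2.0/24. A sentence pointing out the mismatch the sample shows (request for "cmssrv115", resolved to "cmssrv115.fnal.gov") would tell readers what to compare when they hit the 401.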