We require all connections between different RA compenents (NAC, NES, agents, repo, DB) to
be encrypted with SSL. Furthermore we have to use official company certificates (in this case
keystores). All those certificates are issued from a commercial certificate issuer software.
All those certificates come with a number of SSL extentions. Here is how these look like:
#6: ObjectId: 188.8.131.52 Criticality=false
#7: ObjectId: 184.108.40.206 Criticality=true
When using such certificates, the HTTPS and MQ connection works corrctly, however
the agent cannot connect via NiMi with such certificates.
I have been working a long time with support to reach this point. This is what support
With extension in place it is only allowing authentication over Active MQ, that is able to
communicate between NAC-NES but over NimiProtocol that is between NES and Agent
it doesn’t recognizes it.
This idea is about making the NiMi protocol aware and accepting SSL extensions.
Support and engineering's opinion is that this works as designed thus they will
not file it as a bug, thus they suggest to open a Request for Enhancement based
on this idea, hence this idea :-)