Make NiMi SSL connection aware of SSL extensions

Idea created by xhystos on Feb 3, 2016
    New | Score: 18

    We require all connections between different RA components (NAC, NES, agents, repo, DB) to
    be encrypted with SSL. Furthermore we have to use official company certificates (in this case
    keystores). All those certificates are issued from a commercial certificate issuer software.
    All those certificates come with a number of SSL extensions. Here is what these look like:

     

    Extensions:

    (...)
    #6: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #7: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]
    (...)


    When using such certificates, the HTTPS and MQ connections work correctly; however,
    the agent cannot connect via NiMi with such certificates.

     

    I have been working a long time with support to reach this point. This is what support
    eventually said:

    "With extension in place it is only allowing authentication over Active MQ, that is able to
    communicate between NAC-NES but over NimiProtocol that is between NES and Agent
    it doesn't recognize it."

     

    This idea is about making the NiMi protocol aware of and accepting SSL extensions.
    Support's and engineering's opinion is that this works as designed, so they will
    not file it as a bug; instead they suggest opening a Request for Enhancement based
    on this idea, hence this idea :-)
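As an added illustration (not part of the original idea, and not code from the RA product or its NiMi protocol), the following Python decodes a DER-encoded X.509 Extensions block like the one quoted above and applies the RFC 5280 rule that a peer which does not understand a critical extension must reject the certificate; since KeyUsage (2.5.29.15) is marked critical in these certificates, a peer that is not extension-aware cannot accept them. The sample bytes are constructed to mirror the two extensions shown; the function and constant names are mine.

```python
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0  # first byte packs the first two arcs
    for b in body[1:]:  # remaining arcs are base-128, high bit = continuation
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_tlvs(buf):
    """Yield (tag, body) for each DER element in buf; handles short- and long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def parse_extensions(der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    (_, seq), = parse_tlvs(der)  # outer SEQUENCE OF Extension
    result = []
    for _, ext in parse_tlvs(seq):
        fields = list(parse_tlvs(ext))  # only 2 fields when 'critical' is omitted (DEFAULT FALSE)
        oid, value = decode_oid(fields[0][1]), fields[-1][1]
        entry = {"oid": oid, "critical": len(fields) == 3 and fields[1][1] == b"\xff"}
        if oid == "2.5.29.15":  # KeyUsage BIT STRING; bs[0] = number of unused trailing bits
            (_, bs), = parse_tlvs(value)
            entry["keyUsage"] = [n for i, n in enumerate(KEY_USAGE_BITS)
                                 if i < 8 * (len(bs) - 1) - bs[0] and bs[1 + i // 8] >> (7 - i % 8) & 1]
        elif oid == "2.5.29.37":  # ExtendedKeyUsage: SEQUENCE OF KeyPurposeId OID
            (_, ekus), = parse_tlvs(value)
            entry["extendedKeyUsage"] = [EKU_NAMES.get(decode_oid(b), decode_oid(b)) for _, b in parse_tlvs(ekus)]
        result.append(entry)
    return result

def unrecognized_critical(exts, known):
    """RFC 5280 4.2: a peer MUST reject a certificate carrying a critical extension it cannot process."""
    return [e["oid"] for e in exts if e["critical"] and e["oid"] not in known]

# Constructed sample: DER for the two extensions quoted in the idea (not a real certificate).
SAMPLE_EXTENSIONS = bytes.fromhex(
    "302f 301d 0603 551d25"                                  # SEQUENCE OF Extension (47 bytes); Extension 2.5.29.37, no 'critical'
    "0416 3014 0608 2b06010505070301 0608 2b06010505070302"  # OCTET STRING { SEQUENCE { serverAuth, clientAuth } }
    "300e 0603 551d0f 0101ff 0404 0302 05a0")                # Extension 2.5.29.15 critical=TRUE; BIT STRING 5 unused bits, 0xA0
```

Running `unrecognized_critical(parse_extensions(SAMPLE_EXTENSIONS), {"2.5.29.37"})` returns `["2.5.29.15"]`, i.e. a peer that only understands ExtendedKeyUsage must refuse this certificate, while a peer that also recognizes KeyUsage gets an empty list and may proceed.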