-rw-r--r-- doc/authentication.txt 19
1 files changed, 17 insertions, 2 deletions
diff --git a/doc/authentication.txt b/doc/authentication.txt
index 2a72917a3..56cb7ce3e 100644
--- a/doc/authentication.txt
+++ b/doc/authentication.txt
@@ -77,8 +77,8 @@ per-client passwords set will not be able to connect.
SSL Cert-based client authentication
====================================
-As of 1.0pre3, SSL-based client authentication is supported. This
-requires several things:
+SSL-based client authentication is supported. This requires several
+things:
#. Certificate Authority (to sign all keys)
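Review bot: dropping "As of 1.0pre3" from the opening sentence removes the only statement of which release introduced certificate-based client authentication. If the intent is only to tidy the wording, consider keeping the version in a `.. versionadded:: 1.0pre3` directive under the heading, so that administrators on older servers can still tell why the option is unavailable to them.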
@@ -98,6 +98,21 @@ using the following set of steps:
http://www.flatmtn.com/article/setting-ssl-certificates-apache
+ .. note::
+ The client CN must be the FQDN of the client (as returned by a
+ reverse DNS lookup of the ip address. Otherwise, you will end up
+ with an error message on the client that looks like::
+
+ Server failure: Protocol Error: 401 Unauthorized
+ Failed to download probes from bcfg2
+ Server Failure
+
+ on the client. You will also see an error message on the server
+ that looks something like::
+
+ cmssrv01 bcfg2-server[9785]: Got request for cmssrv115 from incorrect address 131.225.206.122
+ cmssrv01 bcfg2-server[9785]: Resolved to cmssrv115.fnal.gov
+
#. Distribute the keys and certs to the appropriate locations
#. Copy the ca cert to clients, so that the server can be authenticated
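Review bot: the new note has an unclosed parenthesis in "(as returned by a reverse DNS lookup of the ip address." and repeats "on the client" (once before the literal block and again in the continuation line after it). Suggest "The client CN must be the FQDN of the client (as returned by a reverse DNS lookup of the IP address)." and dropping the trailing "on the client." Two further points on the same hunk. The server log sample shows a request for the short name cmssrv115 resolving to cmssrv115.fnal.gov, so it would help to say explicitly that a short hostname in the CN is what triggers the 401. The sample also publishes real internal hostnames and a routable address; replacing them with example.com names and a documentation-range address keeps the illustration without exposing site details.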