Client authentication with third-party certificates in multi-ePO environment?

  • Our production environment uses multiple ePO servers, each of which has its own DXL fabric. We have created bridges between brokers on these fabrics to create one larger "multi-ePO" fabric.

    If I have an OpenDXL Python Client with a cert created and imported into ePO (using the "Provisioning" steps in the OpenDXL Python SDK Documentation), will I be able to connect my client to any of the bridged fabrics in our environment? Or just the individual fabric managed by the ePO with the client cert in question?

  • For a client with a third-party certificate (such as one generated by the steps you referred to in the OpenDXL Python Client Documentation) to be able to connect to a broker in any DXL fabric, that certificate/authority must be imported into ePO and distributed to the DXL brokers on that fabric.

    In a Multi-ePO environment, an ePO server and the brokers on its DXL fabric will not export third party certs to the other ePOs/fabrics. The administrator must perform this action manually in the ePO Server Settings for "DXL Certificates (Third Party)" for any other fabric in the Multi-ePO environment to which the client is expected to be able to connect.