question regarding client configuration

  • Please help me to get clarification on the below question.


    We have the following scenario: Multiple clients and one dxl-broker.


Question) Is it OK to generate one client configuration (client.key, client.crt, ca-broker.crt, dxlclient.config) and then copy the same to all client machines? Will this scheme work?


Basically we would like to add the clients dynamically, and our requirement is to install the client on a host and start using the OpenDXL fabric without going through the config generation step. This is because the number of clients can be quite high and also we don't want to expose the OpenDXL broker console to the client operator for config generation. If there is any option/idea to achieve that, please guide us on that.




    ---

    Thanks and Regards,

    raid

  • Hi Raidu,


    This violates SSL best practice as it shares the unique key among all of the endpoints. You could automate the provisioning process.


    python -m dxlclient provisionconfig config myserver client1 -u myuser -p mypass


    Cheers,


    -Jesse

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758

I would expect the scheme of using the same client certificate and private key for each of the client machines would work. The OpenDXL broker should still allow each of the clients to connect concurrently to the DXL fabric even if they all use the same client certificate.


    If you are using an ePO-managed broker and the ability to manage topic authorization per client in ePO, however, the approach of using a single certificate for all clients could limit the ability to provide granular authorization for subsets of clients. Also, if the client certificate needed to be rotated out at some point, it could be a bit more difficult to have to roll the new certificate and private key out to a large number of clients rather than just the smaller subset that needed to be rotated.


Other than doing something like setting up your own application, separate from the OpenDXL broker, which does the certificate generation on behalf of the clients (maybe something like what is documented in the Certificate Files Creation (PKI) section in the OpenDXL Python Client SDK), though, I'm not sure that there are really any other better options at present for what you want to do.
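The following is an added example, not code from this thread or from the OpenDXL project, of the "separate application that generates certificates on behalf of the clients" approach mentioned above. It keeps one CA and issues a unique key pair and CA-signed certificate per client, so no private key is ever copied to more than one host, and it writes a dxlclient.config alongside the files. It assumes the openssl CLI is installed, that the broker has been set up to trust this CA (as the PKI section of the SDK docs describes, where the same CA signs the broker certificate, which is why ca.crt is copied out as ca-broker.crt), and that the broker host, port and ID values are placeholders you replace. The [Certs]/[Brokers] layout written here follows the Python client's dxlclient.config format; check it against your SDK version.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenDXL project): per-client
# provisioning helper. One CA, one fresh key/cert per client host.
set -eu

# Assumed values: where the CA lives and which broker the clients connect to.
PKI_DIR="${PKI_DIR:-./dxl-pki}"
BROKER_ID="${BROKER_ID:-broker1}"
BROKER_HOST="${BROKER_HOST:-broker.example.internal}"
BROKER_PORT="${BROKER_PORT:-8883}"
CERT_DAYS="${CERT_DAYS:-365}"

# create_ca: build the CA once. ca.key stays on the provisioning host only;
# clients receive ca.crt, never ca.key.
create_ca() {
    mkdir -p "$PKI_DIR"
    if [ -f "$PKI_DIR/ca.key" ]; then return 0; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days "$CERT_DAYS" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" \
        -subj "/CN=Example DXL CA" >/dev/null 2>&1
    chmod 600 "$PKI_DIR/ca.key"
}

# provision_client NAME OUTDIR: issue a unique key and a CA-signed certificate
# whose CN is NAME, then write a dxlclient.config pointing at those files.
# The CN is what the broker (or ePO topic authorization) sees per client.
provision_client() {
    name="$1"; out="$2"
    mkdir -p "$out"
    openssl req -newkey rsa:2048 -nodes -keyout "$out/client.key" \
        -out "$out/client.csr" -subj "/CN=$name" >/dev/null 2>&1
    openssl x509 -req -in "$out/client.csr" -CA "$PKI_DIR/ca.crt" \
        -CAkey "$PKI_DIR/ca.key" -CAcreateserial -days "$CERT_DAYS" \
        -out "$out/client.crt" >/dev/null 2>&1
    rm -f "$out/client.csr"
    chmod 600 "$out/client.key"
    cp "$PKI_DIR/ca.crt" "$out/ca-broker.crt"
    cat > "$out/dxlclient.config" <<EOF
[Certs]
BrokerCertChain=ca-broker.crt
CertFile=client.crt
PrivateKey=client.key

[Brokers]
$BROKER_ID=$BROKER_ID;$BROKER_PORT;$BROKER_HOST;$BROKER_HOST
EOF
}

# client_cn OUTDIR: print the CN from the client certificate in OUTDIR.
client_cn() {
    openssl x509 -in "$1/client.crt" -noout -subject | sed 's/.*CN *= *//'
}

# verify_client OUTDIR: succeed only if the client cert chains to the CA.
verify_client() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$1/client.crt" >/dev/null 2>&1
}
```

Usage on the provisioning host: `create_ca` once, then `provision_client host1 ./clients/host1` for each new machine and copy only that directory to the host. Because every client gets its own certificate, a single compromised host can be revoked or re-issued without touching the others, and the CN can be used for per-client authorization where the broker supports it.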