The SSL implementation on the N1 Service Provisioning System 4.1 has the following limitations:
Only self-signed certificates are supported. The trust key store contains self-signed certificates only. You cannot use CA-signed certificates.
Both the trust and the private key stores must be configured with the same password. Also, within the private key store, the key password for each key in the store must be the same as the store password. The crkeys script used to create keys enforces this limitation.
Passwords echo to the terminal. To overcome this limitation on POSIX platforms, you may have the startup script disable terminal echo and then prompt the user for a password.
Although enabling client authentication for CLI Client applications is possible, this setup is not supported due to security limitations. The CLI Client applications do not prompt the user for key store passwords. If the key stores have been created, the key stores must be provided in the CLI Client properties file.
The N1 Service Provisioning System 4.1 uses a single trust key store for both incoming and outgoing connections. Hence, if a Master Server connects to a Remote Agent and trusts its public key, and that Remote Agent becomes compromised, that Remote Agent's keys could be used to authenticate the CLI Client to the Master Server if the CLI Client were to use client authentication.
Client authentication is not supported for the CLI Client; therefore, the CLI Client has only a trust store. The benefit of supplying a password is that you can verify that the trust store has not been tampered with. You can specify the password in the properties file, but prompting the user for the password each time the CLI Client is run is more secure.
For SSH connections, the remote application, the Local Distributor or Remote Agent, is automatically started. The system does not prompt you for the key store passwords to start these applications. If the applications are initialized with key stores, the passwords to their key stores must be specified in their properties file.
When you configure the CLI Client to connect to the Master Server using SSH, the CLI Client connects to the Master Server using an SshProxy application that connects to the Master Server through sockets. The SshProxy can connect to the Master Server through SSL, but this configuration is not supported.
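The terminal-echo workaround mentioned above for POSIX platforms can be sketched as follows. This is an added example, not code from the product or its startup scripts: the function names `read_secret` and `prompt_store_password` are hypothetical, and how the password is then handed to the application is left to your startup script.

```shell
#!/bin/sh
# Added example: prompt for the key store password without echoing it.
# Function names are hypothetical; they are not part of the product.

read_secret() {
    # $1 = prompt text. The prompt goes to stderr so that stdout
    # carries only the secret and can be captured with $(...).
    saved_tty=""
    if [ -t 0 ]; then
        # Save the exact terminal settings so they can be restored.
        saved_tty=$(stty -g)
        # Restore echo even if the user interrupts the prompt.
        trap 'stty "$saved_tty"; trap - INT TERM HUP; exit 130' INT TERM HUP
        stty -echo
    fi
    printf '%s' "$1" >&2
    # IFS= and -r keep leading spaces and backslashes intact.
    IFS= read -r secret || :
    if [ -n "$saved_tty" ]; then
        stty "$saved_tty"
        trap - INT TERM HUP
        printf '\n' >&2   # the user's newline was not echoed
    fi
    printf '%s' "$secret"
}

prompt_store_password() {
    # One prompt is enough: the trust store, the private key store and
    # every key in it share the same password. Empty input is rejected,
    # with at most three attempts.
    tries=0
    while [ "$tries" -lt 3 ]; do
        pw=$(read_secret "Key store password: ")
        if [ -n "$pw" ]; then
            printf '%s' "$pw"
            return 0
        fi
        echo "Empty password rejected." >&2
        tries=$((tries + 1))
    done
    return 1
}

# Usage inside a startup script (assumption: the script decides how the
# value reaches the application; avoid command-line arguments, which
# are visible in process listings):
#   STORE_PW=$(prompt_store_password) || exit 1
```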