The SSL implementation on the Sun N1 Service Provisioning System 6.0 has the following limitations:
Both the trust and the private keystores must be configured with the same password. Also, within the private keystore, the key password for each key in the store must be the same as the store password. The crkeys script used to create keys enforces this limitation.
Although enabling client authentication for CLI Client applications is possible, this setup is not supported due to security limitations. The CLI Client applications do not prompt the user for keystore passwords. If the keystores have been created, the encoded password must be provided in the CLI Client properties file.
The Sun N1 Service Provisioning System 6.0 uses single trust keystore for both incoming and outgoing connections. Therefore, if a Master Server connects to a Remote Agent and trusts its public key and if that Remote Agent becomes compromised, that Remote Agent's keys could be used to authenticate the CLI Client to the Master Server, if the CLI Client were to use client authentication. Similarly, if a Local Distributor connects to a Remote Agent and the Remote Agent becomes compromised, the Local Distributor can be used to issue commands to the Master Server.
To secure the Master Server and the Local Distributor against such issues, configure the applications to accept connections only from servers that are expected to connect to them. Permit a Local Distributor to accept connections only from its parent node. Permit the Master Server to accept connections only from the designated CLI hosts. For instructions, see Chapter 10, Configuring the Java Virtual Machine Security Policy.
For SSH connections, the remote application, the Local Distributor or Remote Agent, is automatically started. The server does not prompt you for the keystore passwords to start these applications. If the applications are initialized with keystores, the encoded passwords to their keystores must be specified in their properties file.
When you configure the CLI Client to connect to the Master Server using SSH, the CLI Client connects to the Master Server using an SshProxy application that connects to the Master Server through sockets. The SshProxy can connect to the Master Server through SSL, but this configuration is not supported.
For windows applications, the encoded keystore password must be supplied in the properties file.
You cannot run the provisioning system CLI client with an SSL type 1 connection on the IBM AIX platform. The default implementation of the IBM JSSE Provider does not allow anonymous ciphers. This limitation prevents users from using anonymous ciphers for CLI or local distributor applications running on AIX.