Posted to dev@cloudstack.apache.org by Andrija Panic <an...@gmail.com> on 2018/03/01 13:49:58 UTC

Re: Question: Domain field on the SSL upload form

anyone ?

On 27 February 2018 at 14:32, Andrija Panic <an...@gmail.com> wrote:

> Hi all,
>
> I got confused about the domain fields/API parameter that is used when
> uploading new SSL, to be used on CPVM and SSVM copy process (this is
> domain_suffix in cloud.keystore table)
>
> Due to some automation, I came across the following scenarios, which WORKS
> FINE, but I'm confused as how and why it works.
>
> New SSL that was issued for " *.domain1.com " was uploaded via API (CA,
> intermediate, server cert, and the key in pkcs8) - but domain specified
> during this SSL upload process was " domain2.com " (so NOT matching
> domain of the certificate)
>
> This causes the cloud.keystore table/rows to have this domain2.com in the
> last column next to CA/intermediate/server/key... (this is domain_suffix
> column)
>
> But in global config we define " *.domain1.com " as the CERT to be used
> for CPVM and for securing/encrypting secondary storage copy process between
> zones
> Same SSL is also used to i.e. download templates etc...
>
> So it all works fine, but...how ?, when "domain1.com" (instead of
> "*.domain2.com") was defined in uploadCertificate GUI/API - i.e. what is the
> use of this domain_suffix field at all ?
>
> Thx,
>
> --
>
> Andrija Panić
>



-- 

Andrija Panić

Re: Question: Domain field on the SSL upload form

Posted by Andrija Panic <an...@gmail.com>.
Thanks Rafael, that seems reasonable. Excellent !

Thx a lot.

On 1 March 2018 at 14:58, Rafael Weingärtner <ra...@gmail.com>
wrote:

> Looking at the code, I see that the "domainSuffix" is not validated against
> the certificate common name. That is why everything works for you. The
> "domainSuffix" is only used for logical stuff inside ACS.
>
> The global parameter is only used to generate the URL to access the
> SSVM/console proxy, which is protected via SSL and uses the certificate you
> configured. So, as long as the common name of the certificate matches the
> global parameter you are good to go.
>
> On Thu, Mar 1, 2018 at 10:49 AM, Andrija Panic <an...@gmail.com>
> wrote:
>
> > anyone ?
> >
> > On 27 February 2018 at 14:32, Andrija Panic <an...@gmail.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > I got confused about the domain fields/API parameter that is used when
> > > uploading new SSL, to be used on CPVM and SSVM copy process (this is
> > > domain_suffix in cloud.keystore table)
> > >
> > > Due to some automation, I came across the following scenarios, which
> > > WORKS FINE, but I'm confused as how and why it works.
> > >
> > > New SSL that was issued for " *.domain1.com " was uploaded via API
> > > (CA, intermediate, server cert, and the key in pkcs8) - but domain
> > > specified during this SSL upload process was " domain2.com " (so NOT
> > > matching domain of the certificate)
> > >
> > > This causes the cloud.keystore table/rows to have this domain2.com in
> > > the last column next to CA/intermediate/server/key... (this is
> > > domain_suffix column)
> > >
> > > But in global config we define " *.domain1.com " as the CERT to be
> > > used for CPVM and for securing/encrypting secondary storage copy
> > > process between zones
> > > Same SSL is also used to i.e. download templates etc...
> > >
> > > So it all works fine, but...how ?, when "domain1.com" (instead of
> > > "*.domain2.com") was defined in uploadCertificate GUI/API - i.e. what
> > > is the use of this domain_suffix field at all ?
> > >
> > > Thx,
> > >
> > > --
> > >
> > > Andrija Panić
> > >
> >
> >
> >
> > --
> >
> > Andrija Panić
> >
>
>
>
> --
> Rafael Weingärtner
>



-- 

Andrija Panić

Re: Question: Domain field on the SSL upload form

Posted by Rafael Weingärtner <ra...@gmail.com>.
Looking at the code, I see that the "domainSuffix" is not validated against
the certificate common name. That is why everything works for you. The
"domainSuffix" is only used for logical stuff inside ACS.

The global parameter is only used to generate the URL to access the
SSVM/console proxy, which is protected via SSL and uses the certificate you
configured. So, as long as the common name of the certificate matches the
global parameter you are good to go.

On Thu, Mar 1, 2018 at 10:49 AM, Andrija Panic <an...@gmail.com>
wrote:

> anyone ?
>
> On 27 February 2018 at 14:32, Andrija Panic <an...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > I got confused about the domain fields/API parameter that is used when
> > uploading new SSL, to be used on CPVM and SSVM copy process (this is
> > domain_suffix in cloud.keystore table)
> >
> > Due to some automation, I came across the following scenarios, which
> > WORKS FINE, but I'm confused as how and why it works.
> >
> > New SSL that was issued for " *.domain1.com " was uploaded via API (CA,
> > intermediate, server cert, and the key in pkcs8) - but domain specified
> > during this SSL upload process was " domain2.com " (so NOT matching
> > domain of the certificate)
> >
> > This causes the cloud.keystore table/rows to have this domain2.com in
> > the last column next to CA/intermediate/server/key... (this is
> > domain_suffix column)
> >
> > But in global config we define " *.domain1.com " as the CERT to be used
> > for CPVM and for securing/encrypting secondary storage copy process
> > between zones
> > Same SSL is also used to i.e. download templates etc...
> >
> > So it all works fine, but...how ?, when "domain1.com" (instead of
> > "*.domain2.com") was defined in uploadCertificate GUI/API - i.e. what is
> > the use of this domain_suffix field at all ?
> >
> > Thx,
> >
> > --
> >
> > Andrija Panić
> >
>
>
>
> --
>
> Andrija Panić
>



-- 
Rafael Weingärtner
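
Added example, not part of the original thread and not CloudStack code: since the reply above says the domain suffix given at upload is not checked against the certificate, an automation script can run that check itself before calling the upload API. The function names, the result keys and the sample host label "10-0-0-5" are assumptions made for this sketch; certificate names are passed in as plain strings.

```python
# Added example (hypothetical helper names, not CloudStack code).
# cert_names: the CN / SAN dNSName values of the server certificate, as strings.

def name_covers(cert_name, host):
    """True if one certificate name covers `host`.

    A '*' is honoured only as the entire leftmost label, stands for exactly
    one label, and needs at least two fixed labels after it.
    """
    c = cert_name.strip().lower().rstrip(".").split(".")
    h = host.strip().lower().rstrip(".").split(".")
    if len(c) != len(h) or "" in c or "" in h:
        return False
    if c[0] == "*":
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def host_under(domain, label="10-0-0-5"):
    """Build a sample host name for a configured domain value.

    Assumption: a value such as "*.domain1.com" stands for hosts one label
    below domain1.com; `label` is a constructed placeholder for that label.
    """
    d = domain.strip().lower()
    return f"{label}.{d[2:]}" if d.startswith("*.") else d


def audit_upload(cert_names, domain_suffix, url_domain):
    """Compare the certificate names with both configured values.

    domain_suffix: the value typed into the upload form / API parameter.
    url_domain:    the global setting used to generate the proxy URL.
    """
    suffix = domain_suffix.strip().lower()
    if not suffix.startswith("*."):
        suffix = "*." + suffix  # treat a bare suffix as "hosts below it"

    def covered(host):
        return any(name_covers(n, host) for n in cert_names)

    return {
        "url_domain_covered": covered(host_under(url_domain)),
        "domain_suffix_covered": covered(host_under(suffix)),
    }


# Constructed input mirroring the scenario described in the thread.
if __name__ == "__main__":
    print(audit_upload(["*.domain1.com"], "domain2.com", "*.domain1.com"))
```

With the thread's values the URL domain is covered and the domain suffix is not, which is the mismatch the upload accepted without complaint.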
