NVIDIA UFM Enterprise User Manual

Appendix – Client Authentication

Overview

The client authentication feature lets a client present a certificate over a secured (HTTPS) connection when using the UFM REST API, and associates a specific SAN (Subject Alternative Name) of that client certificate with a UFM user.

Configuration

  1. Configure HTTPS access with UFM web client authentication using the command ufm web-client mode https-client-authentication

  2. Associate client certificate SAN with a UFM user using the command ufm web-client associate-user

  3. Set a server certificate hostname used to access the UFM web client using the command ufm web-client server-cert hostname

  4. Configure certificates automatic refresh settings using the commands:

       • ufm web-client client-authentication cert-refresh self-client-cert fetch for supplying a bootstrap certificate file

       • ufm web-client client-authentication cert-refresh ca-cert for setting a download URL for root/intermediate certificate

       • ufm web-client client-authentication cert-refresh server-cert for setting a download URL for server and bootstrap certificates

       • ufm web-client client-authentication cert-refresh enable for enabling UFM web client certificates auto-refresh

Notes:

  • You may refresh the server and root/intermediate certificates manually using the CLI command ufm web-client client-authentication cert-refresh run-now

  • Instead of using the automatic refresh, you may supply the server and root/intermediate certificates using the commands ufm web-client server-cert fetch and ufm web-client client-authentication ca-cert fetch

  • In the Server section in the gv.cfg file, there is a configuration option for controlling the maximum request size when using client certificates:

      max_ssl_request_size = 1572864

    The maximum request size, specified in bytes, is set to a default value of 1,572,864 (1536 KB / 1.5 MB). If not explicitly defined, the system will default to Apache's value of 131,072 bytes (128 KB).

To review the settings, run the show ufm web-client command.
Example

ufmapl [ mgmt-ha-active ] (config) # show ufm web-client 
  Mode: HTTPS
  Client authentication: Yes

  Bootstrap certificate file: Present
  CA certificate file: Present
  Server certificate file: Present

  Server certificate hostname: ufm.mellanoxhpc.net

  User Associations:
    SAN:  ufm.mellanoxhpc.net
    User: ufmsysadmin

  Certificate Auto-refresh:
    Enabled: Yes
    CA certificate URL: https://mellanox.com/cacerts
    Server certificate URL: https://mellanox.com/servercerts
    Server certificate thumbprint: 6007A082F1342511021E75576E57A5F72AEF31EF
    Last checked: 2019-10-17 09:15:20
    Last update: 2019-10-17 09:15:20


Once all configurations are set, start the UFM service using the command ufm start.
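A pre-start check over the show ufm web-client output shown above, as an added example that is not NVIDIA's code: it parses the output and reports any setting that differs from the values in the Example. The names parse and audit, the https:// policy for refresh URLs, and the assumption that each SAN line begins a new SAN/User pair are this example's own.

```python
# Output from this page's Example (blank lines, hostname, thumbprint, timestamps omitted).
PAGE_EXAMPLE = """\
ufmapl [ mgmt-ha-active ] (config) # show ufm web-client
  Mode: HTTPS
  Client authentication: Yes
  Bootstrap certificate file: Present
  CA certificate file: Present
  Server certificate file: Present
  User Associations:
    SAN:  ufm.mellanoxhpc.net
    User: ufmsysadmin
  Certificate Auto-refresh:
    Enabled: Yes
    CA certificate URL: https://mellanox.com/cacerts
    Server certificate URL: https://mellanox.com/servercerts
"""

def parse(text):
    """Parse the output into (settings dict, list of (SAN, user) pairs)."""
    settings, pairs, section = {}, [], None
    for line in text.splitlines():
        if not line.startswith(" ") or ":" not in line:
            continue  # CLI prompt or blank line
        key, _, value = (p.strip() for p in line.partition(":"))
        if len(line) - len(line.lstrip()) <= 2:  # top-level line or section header
            settings[key], section = value, (None if value else key)
        elif section == "User Associations" and key == "SAN":
            pairs.append((value, None))  # assumption: each SAN line starts a pair
        elif section == "User Associations" and key == "User" and pairs:
            pairs[-1] = (pairs[-1][0], value)
        elif section:
            settings[section + "/" + key] = value  # e.g. "Certificate Auto-refresh/Enabled"
    return settings, pairs

def audit(text):
    """Return a list of findings; the expected values are this example's policy."""
    s, pairs = parse(text)
    want = {"Mode": "HTTPS", "Client authentication": "Yes",
            "Bootstrap certificate file": "Present",
            "CA certificate file": "Present", "Server certificate file": "Present"}
    found = [f"{k}: expected {v!r}, got {s.get(k)!r}" for k, v in want.items() if s.get(k) != v]
    if not any(san and user for san, user in pairs):
        found.append("no SAN is associated with a UFM user")
    if s.get("Certificate Auto-refresh/Enabled") == "Yes":
        for k in ("CA certificate URL", "Server certificate URL"):
            if not s.get("Certificate Auto-refresh/" + k, "").startswith("https://"):
                found.append(k + " is not an https:// URL")
    return found

print(audit(PAGE_EXAMPLE) or "no findings")  # demo run on the page's own output
```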

