Enhancement Req: Get Trusted Root into Keystore for us
Most LDAP'y style tools these days, when they see an SSL/TLS request,
and the cert is not trusted, ask if you want to trust the Root Cert.
What they do in the back end is basically read out the Trusted Root from
the server offering it, and dump it into the needed Keystore (Java based
or Windows Cert store).
Why not have Analyzer just do this? There is literally no need for the
complexity (even if it is straightforward when you know how) of getting
the Trusted Root in binary format (DER), opening a DOS box, or terminal,
running keytool like:
"C:\Program Files\Java\jre6\bin\keytool" -import -alias newcert -file
V:\path\to\Cert\file\IDV-Lab.der -keystore v:\path\to\keystore\\MyKeystore
and then know that the password should be set as "default"
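As an added example (not code from the original post, and not how Analyzer or Omnibond implement it), the following POSIX shell script does by hand what the post asks the tool to do automatically: it fetches the chain the server presents during the TLS handshake, keeps the last certificate, checks whether that certificate is actually self-signed (servers often send only intermediates, in which case the real root must be obtained from the CA), prints its SHA-256 fingerprint so it can be compared against a value published out of band before anyone trusts it, converts it to DER and imports it with keytool. The host, port, keystore path, alias and the KEYSTORE_PASS variable are assumptions supplied by the caller; the fallback password "default" is the one the post says Analyzer uses.

```shell
#!/bin/sh
# Added example: fetch a TLS server's certificate chain, pick the last
# certificate, verify it is a self-signed root, show its fingerprint for
# out-of-band checking, and import it into a Java keystore with keytool.
# HOST, PORT, KEYSTORE, ALIAS and KEYSTORE_PASS are caller-supplied assumptions.
set -eu

# Print the last PEM certificate block from a PEM bundle read on stdin.
# Uses only awk, so this part works without openssl installed.
last_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inside = 1 }
        inside { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ { inside = 0; last = block }
        END { printf "%s", last }
    '
}

# Dump the chain the server sends in the handshake (LDAPS on 636 by default).
# -servername sets SNI; for STARTTLS on 389 add "-starttls ldap".
fetch_chain() {   # usage: fetch_chain HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Exit status 0 if the PEM certificate on stdin is self-signed (subject equals
# issuer), i.e. a candidate root; 1 if it is an intermediate.
is_self_signed() {
    cert=$(cat)
    subj=$(printf '%s' "$cert" | openssl x509 -noout -subject)
    iss=$(printf '%s' "$cert" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Fetch, check, fingerprint, convert to DER and import into the keystore.
import_root() {   # usage: import_root HOST PORT KEYSTORE ALIAS
    host=$1; port=$2; keystore=$3; alias=$4
    root=$(fetch_chain "$host" "$port" | last_pem_cert)
    if [ -z "$root" ]; then
        echo "no certificate received from $host:$port" >&2
        return 1
    fi
    if ! printf '%s\n' "$root" | is_self_signed; then
        echo "warning: last certificate in the chain is an intermediate, not a root;" \
             "obtain the root from the CA instead" >&2
        return 1
    fi
    # Compare this value with the fingerprint the server owner published
    # before relying on the imported certificate.
    printf '%s\n' "$root" | openssl x509 -noout -fingerprint -sha256
    printf '%s\n' "$root" | openssl x509 -outform DER -out "$alias.der"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$alias.der" -keystore "$keystore" \
        -storepass "${KEYSTORE_PASS:-default}"
}

# Example invocation (assumed values):
#   KEYSTORE_PASS=default import_root ldap.example.test 636 /path/to/MyKeystore idv-lab
```

The import refuses to proceed when the last certificate is not self-signed, because importing an intermediate as a trust anchor silently widens what the keystore trusts; the fingerprint line is printed so the person running it can confirm the root against a value obtained from the CA rather than from the connection itself.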
I mean seriously. Go try the Gowars LDAP browser: the first time you
hit an SSL/TLS LDAP site without a trusted root, it pops up a box and asks if
you want to trust it once, always or never. Done. Never have to think
about it again!
From a more Novell centered perspective, the Omnibond drivers (AS400,
Mainframe (RACF, TOPSECRET, ACF2), Linux/Unix, Scripting, usually both
Bi-Dir and Fanout), when you use their Remote Loader, ask you to
point at an LDAP server in the correct tree, and then do exactly the
same thing: they get the Trusted Root from the SSL/TLS connection and
write it to the keystore. DONE.
As an end user, it is pretty clear which approach is easier.
Why not just implement this? It is clearly trivial to do, as basically
everyone else who ever does this sort of thing has already implemented
it! There is an open Bugzilla (Mark W tells me) to add the Omnibond
simplicity approach to Remote Loader configuration over SSL to the rest
of the IDM drivers. The same should apply to Analyzer.