If you want to use client certificates, first prepare your certificate directory with the required files, then modify step 18 to include the --local-certs-dir flag.

Important: The --local-certs-dir flag can only be used during initial installation. If UFM is already installed, you must reinstall to use this feature.

The local certificates directory must contain the following files in PEM format:

server.crt - SSL certificate

server.key - SSL key

ca-intermediate.crt - CA intermediate certificate

sudo -u ufmadm podman run -it --rm --name=ufm_installer \
    -v /run/podman-ufm/podman-ufm.sock:/var/run/docker.sock \
    -v /opt/ufm/:/installation/ufm_files/ \
    -v /opt/ufm/systemd:/etc/systemd_files/ \
    mellanox/ufm-enterprise:latest \
    --install \
    --fabric-interface ib0 \
    --mgmt-interface enp1s0 \
    --rootless \
    --plugin-path /opt/ufm/ufm_plugins_data \
    --ufm-user ufmadm \
    --ufm-group ufmadm \
    --local-certs-dir /path/to/local/certs

Replace /path/to/local/certs with the actual path to your directory containing the certificate files on the host.
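
Because --local-certs-dir can only be used at initial installation, it is worth validating the directory before running the installer. The script below is an added example, not part of the UFM documentation or installer; the function name check_ufm_certs_dir and its checks are assumptions of this example, including that server.key is unencrypted and that the openssl CLI is available on the host.

```shell
#!/usr/bin/env bash
# Added example (not part of the UFM installer): validate the directory that
# will be passed to --local-certs-dir before running the install command.
# The function name and the individual checks are assumptions of this example.

check_ufm_certs_dir() {
    local dir="$1" f rc=0 cert_pub key_pub
    # 1. The three files the page lists must exist and look like PEM.
    for f in server.crt server.key ca-intermediate.crt; do
        if [ ! -r "$dir/$f" ]; then
            echo "MISSING:  $dir/$f" >&2; rc=1
        elif ! grep -q -- '-----BEGIN ' "$dir/$f"; then
            echo "NOT PEM:  $dir/$f" >&2; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. Both certificates must parse and must not already be expired.
    for f in server.crt ca-intermediate.crt; do
        if ! openssl x509 -in "$dir/$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "INVALID OR EXPIRED: $dir/$f" >&2; rc=1
        fi
    done

    # 3. server.key must be the private key for server.crt: compare the
    #    public key derived from each. An empty passphrase is supplied so an
    #    encrypted key fails here instead of prompting.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "KEY PROBLEM: server.key is unreadable or does not match server.crt" >&2; rc=1
    fi

    # 4. Warn (do not fail) if the private key is readable by group or others.
    if [ -n "$(find "$dir/server.key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "WARNING: server.key is group/world readable" >&2
    fi
    return "$rc"
}

# Run directly: ./check_certs.sh /path/to/local/certs
if [ "$#" -gt 0 ]; then check_ufm_certs_dir "$1"; fi
```

A zero exit status means all three files are present, parse as PEM, are unexpired, and the key pairs with server.crt.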

Once the UFM service is running, enter the container:

sudo -u ufmadm podman exec -it ufm /bin/bash

/opt/ufm/scripts/manage_client_authentication.sh enable-client-cert-authen

/opt/ufm/scripts/manage_client_authentication.sh set-subject-identifier --identifier CN

Note: Use CN or SAN.

/opt/ufm/scripts/manage_client_authentication.sh associate-user --cn <CN> --username <UFM_USER>

Replace:

<CN> : The Common Name from your client certificate

<UFM_USER> : The UFM username to associate with the certificate

/opt/ufm/scripts/manage_client_authentication.sh set-ssl-cert-hostname --hostname <hostname>

Note: Replace <hostname> with your server's hostname.

/opt/ufm/scripts/manage_client_authentication.sh restart_ufm_websrv

Client Certificate Authentication Notes