diff options
author | Erlang/OTP <[email protected]> | 2009-11-20 14:54:40 +0000 |
---|---|---|
committer | Erlang/OTP <[email protected]> | 2009-11-20 14:54:40 +0000 |
commit | 84adefa331c4159d432d22840663c38f155cd4c1 (patch) | |
tree | bff9a9c66adda4df2106dfd0e5c053ab182a12bd /lib/orber/doc/src/ch_security.xml | |
download | otp-84adefa331c4159d432d22840663c38f155cd4c1.tar.gz otp-84adefa331c4159d432d22840663c38f155cd4c1.tar.bz2 otp-84adefa331c4159d432d22840663c38f155cd4c1.zip |
The R13B03 release.OTP_R13B03
Diffstat (limited to 'lib/orber/doc/src/ch_security.xml')
-rw-r--r-- | lib/orber/doc/src/ch_security.xml | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/lib/orber/doc/src/ch_security.xml b/lib/orber/doc/src/ch_security.xml new file mode 100644 index 0000000000..938025a629 --- /dev/null +++ b/lib/orber/doc/src/ch_security.xml @@ -0,0 +1,148 @@ +<?xml version="1.0" encoding="latin1" ?> +<!DOCTYPE chapter SYSTEM "chapter.dtd"> + +<chapter> + <header> + <copyright> + <year>1999</year><year>2009</year> + <holder>Ericsson AB. All Rights Reserved.</holder> + </copyright> + <legalnotice> + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + </legalnotice> + + <title>How to use security in Orber</title> + <prepared></prepared> + <docno></docno> + <date>1999-09-01</date> + <rev></rev> + <file>ch_security.xml</file> + </header> + + <section> + <title>Security in Orber</title> + + <section> + <title>Introduction</title> + <p>Orber SSL provides authentication, privacy and integrity for your + Erlang applications. Based on the Secure Sockets Layer protocol, the + Orber SSL ensures that your Orber clients and servers can + communicate securely over any network. + This is done by tunneling IIOP through an SSL connection. To get + the node secure you will also need to have a firewall which + only lets through connections to certain ports.</p> + </section> + + <section> + <title>Enable Usage of Secure Connections</title> + <p>To enable a secure Orber domain you have to set the configuration variable + <em>secure</em> which currently only can have one of two values; + <em>no</em> if no security for IIOP should be used and <em>ssl</em> if + secure connections is needed (<em>ssl</em> is currently the only supported + security mechanism).</p> + <p>The default is no security.</p> + </section> + + <section> + <title>Configurations when Orber is Used on the Server Side</title> + <p>The following three configuration variables can be used to configure Orber's SSL + behavior on the server side.</p> + <list type="bulleted"> + <item><em>ssl_server_certfile</em> - which is a path to a file containing a + chain of PEM encoded certificates for the Orber domain as server.</item> + <item><em>ssl_server_cacertfile</em> - which is a path to a file containing + a chain of PEM encoded certificates for the Orber domain as server.</item> + <item><em>ssl_server_verify</em> - which specifies type of verification: + 0 = do not verify peer; 1 = verify peer, verify client once, + 2 = verify peer, verify client once, fail if no peer certificate. + The default value is 0.</item> + <item><em>ssl_server_depth</em> - which specifies verification depth, i.e. + how far in a chain of certificates the verification process shall + proceed before the verification is considered successful. The default + value is 1. </item> + <item><em>ssl_server_keyfile</em> - which is a path to a file containing a + PEM encoded key for the Orber domain as server.</item> + <item><em>ssl_server_password</em> - only used if the private keyfile is + password protected.</item> + <item><em>ssl_server_ciphers</em> - which is string of ciphers as a colon + separated list of ciphers.</item> + <item><em>ssl_server_cachetimeout</em> - which is the session cache timeout + in seconds.</item> + </list> + <p>There also exist a number of API functions for accessing the values of these variables:</p> + <list type="bulleted"> + <item>orber:ssl_server_certfile/0</item> + <item>orber:ssl_server_cacertfile/0</item> + <item>orber:ssl_server_verify/0</item> + <item>orber:ssl_server_depth/0</item> + <item>orber:ssl_server_keyfile/0</item> + <item>orber:ssl_server_password/0</item> + <item>orber:ssl_server_ciphers/0</item> + <item>orber:ssl_server_cachetimeout/0</item> + </list> + </section> + + <section> + <title>Configurations when Orber is Used on the Client Side</title> + <p>When the Orber enabled application is the client side in the secure connection the + different configurations can be set per client process instead and not for the whole domain + as for incoming calls.</p> + <p>One can use configuration variables to set default values for the domain but they can be changed + per client process. Below is the list of client configuration variables.</p> + <list type="bulleted"> + <item><em>ssl_client_certfile</em> - which is a path to a file containing a + chain of PEM encoded certificates used in outgoing calls in the current + process.</item> + <item><em>ssl_client_cacertfile</em> - which is a path to a file containing a + chain of PEM encoded CA certificates used in outgoing calls in the + current process.</item> + <item><em>ssl_client_verify</em> - which specifies type of verification: + 0 = do not verify peer; 1 = verify peer, verify client once, + 2 = verify peer, verify client once, fail if no peer certificate. + The default value is 0.</item> + <item><em>ssl_client_depth</em> - which specifies verification depth, i.e. + how far in a chain of certificates the verification process shall proceed + before the verification is considered successful. The default value is 1. </item> + <item><em>ssl_client_keyfile</em> - which is a path to a file containing a + PEM encoded key when Orber act as client side ORB.</item> + <item><em>ssl_client_password</em> - only used if the private keyfile is + password protected.</item> + <item><em>ssl_client_ciphers</em> - which is string of ciphers as a colon + separated list of ciphers.</item> + <item><em>ssl_client_cachetimeout</em> - which is the session cache timeout + in seconds.</item> + </list> + <p>There also exist a number of API functions for accessing and changing the values of this + variables in the client processes.</p> + <p>Access functions:</p> + <list type="bulleted"> + <item>orber:ssl_client_certfile/0</item> + <item>orber:ssl_client_cacertfile/0</item> + <item>orber:ssl_client_verify/0</item> + <item>orber:ssl_client_depth/0</item> + <item>orber:ssl_client_keyfile/0</item> + <item>orber:ssl_client_password/0</item> + <item>orber:ssl_client_ciphers/0</item> + <item>orber:ssl_client_cachetimeout/0</item> + </list> + <p>Modify functions:</p> + <list type="bulleted"> + <item>orber:set_ssl_client_certfile/1</item> + <item>orber:set_ssl_client_cacertfile/1</item> + <item>orber:set_ssl_client_verify/1</item> + <item>orber:set_ssl_client_depth/1</item> + </list> + </section> + </section> +</chapter> + |