1 files changed, 148 insertions, 0 deletions

diff --git a/lib/orber/doc/src/ch_security.xml b/lib/orber/doc/src/ch_security.xml
new file mode 100644
index 0000000000..938025a629
--- /dev/null
+++ b/lib/orber/doc/src/ch_security.xml
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+  <header>
+    <copyright>
+      <year>1999</year><year>2009</year>
+      <holder>Ericsson AB. All Rights Reserved.</holder>
+    </copyright>
+    <legalnotice>
+      The contents of this file are subject to the Erlang Public License,
+      Version 1.1, (the "License"); you may not use this file except in
+      compliance with the License. You should have received a copy of the
+      Erlang Public License along with this software. If not, it can be
+      retrieved online at http://www.erlang.org/.
+    
+      Software distributed under the License is distributed on an "AS IS"
+      basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+      the License for the specific language governing rights and limitations
+      under the License.
+    
+    </legalnotice>
+
+    <title>How to use security in Orber</title>
+    <prepared></prepared>
+    <docno></docno>
+    <date>1999-09-01</date>
+    <rev></rev>
+    <file>ch_security.xml</file>
+  </header>
+
+  <section>
+    <title>Security in Orber</title>
+
+    <section>
+      <title>Introduction</title>
+      <p>Orber SSL provides authentication, privacy and integrity for your
+        Erlang applications. Based on the Secure Sockets Layer protocol, the
+        Orber SSL ensures that your Orber clients and servers can
+        communicate securely over any network. 
+        This is done by tunneling IIOP through an SSL connection. To get
+        the node secure you will also need to have a firewall which
+        only lets through connections to certain ports.</p>
+    </section>
+
+    <section>
+      <title>Enable Usage of Secure Connections</title>
+      <p>To enable a secure Orber domain you have to set the configuration variable 
+        <em>secure</em> which currently only can have one of two values;
+        <em>no</em> if no security for IIOP should be used and <em>ssl</em> if 
+        secure connections is needed (<em>ssl</em> is currently the only supported 
+        security mechanism).</p>
+      <p>The default is no security.</p>
+    </section>
+
+    <section>
+      <title>Configurations when Orber is Used on the Server Side</title>
+      <p>The following three configuration variables can be used to configure Orber's SSL
+        behavior on the server side.</p>
+      <list type="bulleted">
+        <item><em>ssl_server_certfile</em> - which is a path to a file containing a
+         chain of PEM encoded certificates for the Orber domain as server.</item>
+        <item><em>ssl_server_cacertfile</em> - which is a path to a file containing 
+         a chain of PEM encoded certificates for the Orber domain as server.</item>
+        <item><em>ssl_server_verify</em> - which specifies type of verification: 
+         0 = do not verify peer; 1 = verify peer, verify client once,
+         2 = verify peer, verify client once, fail if no peer certificate. 
+         The default value is 0.</item>
+        <item><em>ssl_server_depth</em> - which specifies verification depth, i.e. 
+         how far in a chain of certificates the verification process shall
+         proceed before the verification is considered successful. The default
+         value is 1. </item>
+        <item><em>ssl_server_keyfile</em> - which is a path to a file containing a
+         PEM encoded key for the Orber domain as server.</item>
+        <item><em>ssl_server_password</em> - only used if the private keyfile is
+         password protected.</item>
+        <item><em>ssl_server_ciphers</em> - which is string of ciphers as a colon
+         separated list of ciphers.</item>
+        <item><em>ssl_server_cachetimeout</em> - which is the session cache timeout
+         in seconds.</item>
+      </list>
+      <p>There also exist a number of API functions for accessing the values of these variables:</p>
+      <list type="bulleted">
+        <item>orber:ssl_server_certfile/0</item>
+        <item>orber:ssl_server_cacertfile/0</item>
+        <item>orber:ssl_server_verify/0</item>
+        <item>orber:ssl_server_depth/0</item>
+        <item>orber:ssl_server_keyfile/0</item>
+        <item>orber:ssl_server_password/0</item>
+        <item>orber:ssl_server_ciphers/0</item>
+        <item>orber:ssl_server_cachetimeout/0</item>
+      </list>
+    </section>
+
+    <section>
+      <title>Configurations when Orber is Used on the Client Side</title>
+      <p>When the Orber enabled application is the client side in the secure connection the 
+        different configurations can be set per client process instead and not for the whole domain
+        as for incoming calls.</p>
+      <p>One can use configuration variables to set default values for the domain but they can be changed 
+        per client process. Below is the list of client configuration variables.</p>
+      <list type="bulleted">
+        <item><em>ssl_client_certfile</em> - which is a path to a file containing a
+         chain of PEM encoded certificates used in outgoing calls in the current
+         process.</item>
+        <item><em>ssl_client_cacertfile</em> - which is a path to a file containing a
+         chain of PEM encoded CA certificates used in outgoing calls in the
+         current process.</item>
+        <item><em>ssl_client_verify</em> - which specifies type of verification: 
+         0 = do not verify peer; 1 = verify peer, verify client once, 
+         2 = verify peer, verify client once, fail if no peer certificate. 
+         The default value is 0.</item>
+        <item><em>ssl_client_depth</em> - which specifies verification depth, i.e. 
+         how far in a chain of certificates the verification process shall proceed
+         before the verification is considered successful. The default value is 1. </item>
+        <item><em>ssl_client_keyfile</em> - which is a path to a file containing a
+         PEM encoded key when Orber act as client side ORB.</item>
+        <item><em>ssl_client_password</em> - only used if the private keyfile is
+         password protected.</item>
+        <item><em>ssl_client_ciphers</em> - which is string of ciphers as a colon
+         separated list of ciphers.</item>
+        <item><em>ssl_client_cachetimeout</em> - which is the session cache timeout
+         in seconds.</item>
+      </list>
+      <p>There also exist a number of API functions for accessing and changing the values of this 
+        variables in the client processes.</p>
+      <p>Access functions:</p>
+      <list type="bulleted">
+        <item>orber:ssl_client_certfile/0</item>
+        <item>orber:ssl_client_cacertfile/0</item>
+        <item>orber:ssl_client_verify/0</item>
+        <item>orber:ssl_client_depth/0</item>
+        <item>orber:ssl_client_keyfile/0</item>
+        <item>orber:ssl_client_password/0</item>
+        <item>orber:ssl_client_ciphers/0</item>
+        <item>orber:ssl_client_cachetimeout/0</item>
+      </list>
+      <p>Modify functions:</p>
+      <list type="bulleted">
+        <item>orber:set_ssl_client_certfile/1</item>
+        <item>orber:set_ssl_client_cacertfile/1</item>
+        <item>orber:set_ssl_client_verify/1</item>
+        <item>orber:set_ssl_client_depth/1</item>
+      </list>
+    </section>
+  </section>
+</chapter>
+