aboutsummaryrefslogtreecommitdiffstats
path: root/lib/orber/doc/src/ch_security.xml
diff options
context:
space:
mode:
Diffstat (limited to 'lib/orber/doc/src/ch_security.xml')
-rw-r--r--lib/orber/doc/src/ch_security.xml148
1 files changed, 148 insertions, 0 deletions
diff --git a/lib/orber/doc/src/ch_security.xml b/lib/orber/doc/src/ch_security.xml
new file mode 100644
index 0000000000..938025a629
--- /dev/null
+++ b/lib/orber/doc/src/ch_security.xml
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>1999</year><year>2009</year>
+ <holder>Ericsson AB. All Rights Reserved.</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ </legalnotice>
+
+ <title>How to use security in Orber</title>
+ <prepared></prepared>
+ <docno></docno>
+ <date>1999-09-01</date>
+ <rev></rev>
+ <file>ch_security.xml</file>
+ </header>
+
+ <section>
+ <title>Security in Orber</title>
+
+ <section>
+ <title>Introduction</title>
+ <p>Orber SSL provides authentication, privacy and integrity for your
+ Erlang applications. Based on the Secure Sockets Layer protocol, the
+ Orber SSL ensures that your Orber clients and servers can
+ communicate securely over any network.
+ This is done by tunneling IIOP through an SSL connection. To get
+ the node secure you will also need to have a firewall which
+ only lets through connections to certain ports.</p>
+ </section>
+
+ <section>
+ <title>Enable Usage of Secure Connections</title>
+ <p>To enable a secure Orber domain you have to set the configuration variable
+ <em>secure</em> which currently only can have one of two values;
+ <em>no</em> if no security for IIOP should be used and <em>ssl</em> if
+ secure connections is needed (<em>ssl</em> is currently the only supported
+ security mechanism).</p>
+ <p>The default is no security.</p>
+ </section>
+
+ <section>
+ <title>Configurations when Orber is Used on the Server Side</title>
+ <p>The following three configuration variables can be used to configure Orber's SSL
+ behavior on the server side.</p>
+ <list type="bulleted">
+ <item><em>ssl_server_certfile</em> - which is a path to a file containing a
+ chain of PEM encoded certificates for the Orber domain as server.</item>
+ <item><em>ssl_server_cacertfile</em> - which is a path to a file containing
+ a chain of PEM encoded certificates for the Orber domain as server.</item>
+ <item><em>ssl_server_verify</em> - which specifies type of verification:
+ 0 = do not verify peer; 1 = verify peer, verify client once,
+ 2 = verify peer, verify client once, fail if no peer certificate.
+ The default value is 0.</item>
+ <item><em>ssl_server_depth</em> - which specifies verification depth, i.e.
+ how far in a chain of certificates the verification process shall
+ proceed before the verification is considered successful. The default
+ value is 1. </item>
+ <item><em>ssl_server_keyfile</em> - which is a path to a file containing a
+ PEM encoded key for the Orber domain as server.</item>
+ <item><em>ssl_server_password</em> - only used if the private keyfile is
+ password protected.</item>
+ <item><em>ssl_server_ciphers</em> - which is string of ciphers as a colon
+ separated list of ciphers.</item>
+ <item><em>ssl_server_cachetimeout</em> - which is the session cache timeout
+ in seconds.</item>
+ </list>
+ <p>There also exist a number of API functions for accessing the values of these variables:</p>
+ <list type="bulleted">
+ <item>orber:ssl_server_certfile/0</item>
+ <item>orber:ssl_server_cacertfile/0</item>
+ <item>orber:ssl_server_verify/0</item>
+ <item>orber:ssl_server_depth/0</item>
+ <item>orber:ssl_server_keyfile/0</item>
+ <item>orber:ssl_server_password/0</item>
+ <item>orber:ssl_server_ciphers/0</item>
+ <item>orber:ssl_server_cachetimeout/0</item>
+ </list>
+ </section>
+
+ <section>
+ <title>Configurations when Orber is Used on the Client Side</title>
+ <p>When the Orber enabled application is the client side in the secure connection the
+ different configurations can be set per client process instead and not for the whole domain
+ as for incoming calls.</p>
+ <p>One can use configuration variables to set default values for the domain but they can be changed
+ per client process. Below is the list of client configuration variables.</p>
+ <list type="bulleted">
+ <item><em>ssl_client_certfile</em> - which is a path to a file containing a
+ chain of PEM encoded certificates used in outgoing calls in the current
+ process.</item>
+ <item><em>ssl_client_cacertfile</em> - which is a path to a file containing a
+ chain of PEM encoded CA certificates used in outgoing calls in the
+ current process.</item>
+ <item><em>ssl_client_verify</em> - which specifies type of verification:
+ 0 = do not verify peer; 1 = verify peer, verify client once,
+ 2 = verify peer, verify client once, fail if no peer certificate.
+ The default value is 0.</item>
+ <item><em>ssl_client_depth</em> - which specifies verification depth, i.e.
+ how far in a chain of certificates the verification process shall proceed
+ before the verification is considered successful. The default value is 1. </item>
+ <item><em>ssl_client_keyfile</em> - which is a path to a file containing a
+ PEM encoded key when Orber act as client side ORB.</item>
+ <item><em>ssl_client_password</em> - only used if the private keyfile is
+ password protected.</item>
+ <item><em>ssl_client_ciphers</em> - which is string of ciphers as a colon
+ separated list of ciphers.</item>
+ <item><em>ssl_client_cachetimeout</em> - which is the session cache timeout
+ in seconds.</item>
+ </list>
+ <p>There also exist a number of API functions for accessing and changing the values of this
+ variables in the client processes.</p>
+ <p>Access functions:</p>
+ <list type="bulleted">
+ <item>orber:ssl_client_certfile/0</item>
+ <item>orber:ssl_client_cacertfile/0</item>
+ <item>orber:ssl_client_verify/0</item>
+ <item>orber:ssl_client_depth/0</item>
+ <item>orber:ssl_client_keyfile/0</item>
+ <item>orber:ssl_client_password/0</item>
+ <item>orber:ssl_client_ciphers/0</item>
+ <item>orber:ssl_client_cachetimeout/0</item>
+ </list>
+ <p>Modify functions:</p>
+ <list type="bulleted">
+ <item>orber:set_ssl_client_certfile/1</item>
+ <item>orber:set_ssl_client_cacertfile/1</item>
+ <item>orber:set_ssl_client_verify/1</item>
+ <item>orber:set_ssl_client_depth/1</item>
+ </list>
+ </section>
+ </section>
+</chapter>
+