lib/orber/doc/src/ch_security.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

<?xml version="1.0" encoding="latin1" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">

<chapter>
  <header>
    <copyright>
      <year>1999</year><year>2009</year>
      <holder>Ericsson AB. All Rights Reserved.</holder>
    </copyright>
    <legalnotice>
      The contents of this file are subject to the Erlang Public License,
      Version 1.1, (the "License"); you may not use this file except in
      compliance with the License. You should have received a copy of the
      Erlang Public License along with this software. If not, it can be
      retrieved online at http://www.erlang.org/.
    
      Software distributed under the License is distributed on an "AS IS"
      basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
      the License for the specific language governing rights and limitations
      under the License.
    
    </legalnotice>

    <title>How to use security in Orber</title>
    <prepared></prepared>
    <docno></docno>
    <date>1999-09-01</date>
    <rev></rev>
    <file>ch_security.xml</file>
  </header>

  <section>
    <title>Security in Orber</title>

    <section>
      <title>Introduction</title>
      <p>Orber SSL provides authentication, privacy and integrity for your
        Erlang applications. Based on the Secure Sockets Layer protocol, the
        Orber SSL ensures that your Orber clients and servers can
        communicate securely over any network. 
        This is done by tunneling IIOP through an SSL connection. To get
        the node secure you will also need to have a firewall which
        only lets through connections to certain ports.</p>
    </section>

    <section>
      <title>Enable Usage of Secure Connections</title>
      <p>To enable a secure Orber domain you have to set the configuration variable 
        <em>secure</em> which currently only can have one of two values;
        <em>no</em> if no security for IIOP should be used and <em>ssl</em> if 
        secure connections is needed (<em>ssl</em> is currently the only supported 
        security mechanism).</p>
      <p>The default is no security.</p>
    </section>

    <section>
      <title>Configurations when Orber is Used on the Server Side</title>
      <p>The following three configuration variables can be used to configure Orber's SSL
        behavior on the server side.</p>
      <list type="bulleted">
        <item><em>ssl_server_certfile</em> - which is a path to a file containing a
         chain of PEM encoded certificates for the Orber domain as server.</item>
        <item><em>ssl_server_cacertfile</em> - which is a path to a file containing 
         a chain of PEM encoded certificates for the Orber domain as server.</item>
        <item><em>ssl_server_verify</em> - which specifies type of verification: 
         0 = do not verify peer; 1 = verify peer, verify client once,
         2 = verify peer, verify client once, fail if no peer certificate. 
         The default value is 0.</item>
        <item><em>ssl_server_depth</em> - which specifies verification depth, i.e. 
         how far in a chain of certificates the verification process shall
         proceed before the verification is considered successful. The default
         value is 1. </item>
        <item><em>ssl_server_keyfile</em> - which is a path to a file containing a
         PEM encoded key for the Orber domain as server.</item>
        <item><em>ssl_server_password</em> - only used if the private keyfile is
         password protected.</item>
        <item><em>ssl_server_ciphers</em> - which is string of ciphers as a colon
         separated list of ciphers.</item>
        <item><em>ssl_server_cachetimeout</em> - which is the session cache timeout
         in seconds.</item>
      </list>
      <p>There also exist a number of API functions for accessing the values of these variables:</p>
      <list type="bulleted">
        <item>orber:ssl_server_certfile/0</item>
        <item>orber:ssl_server_cacertfile/0</item>
        <item>orber:ssl_server_verify/0</item>
        <item>orber:ssl_server_depth/0</item>
        <item>orber:ssl_server_keyfile/0</item>
        <item>orber:ssl_server_password/0</item>
        <item>orber:ssl_server_ciphers/0</item>
        <item>orber:ssl_server_cachetimeout/0</item>
      </list>
    </section>

    <section>
      <title>Configurations when Orber is Used on the Client Side</title>
      <p>When the Orber enabled application is the client side in the secure connection the 
        different configurations can be set per client process instead and not for the whole domain
        as for incoming calls.</p>
      <p>One can use configuration variables to set default values for the domain but they can be changed 
        per client process. Below is the list of client configuration variables.</p>
      <list type="bulleted">
        <item><em>ssl_client_certfile</em> - which is a path to a file containing a
         chain of PEM encoded certificates used in outgoing calls in the current
         process.</item>
        <item><em>ssl_client_cacertfile</em> - which is a path to a file containing a
         chain of PEM encoded CA certificates used in outgoing calls in the
         current process.</item>
        <item><em>ssl_client_verify</em> - which specifies type of verification: 
         0 = do not verify peer; 1 = verify peer, verify client once, 
         2 = verify peer, verify client once, fail if no peer certificate. 
         The default value is 0.</item>
        <item><em>ssl_client_depth</em> - which specifies verification depth, i.e. 
         how far in a chain of certificates the verification process shall proceed
         before the verification is considered successful. The default value is 1. </item>
        <item><em>ssl_client_keyfile</em> - which is a path to a file containing a
         PEM encoded key when Orber act as client side ORB.</item>
        <item><em>ssl_client_password</em> - only used if the private keyfile is
         password protected.</item>
        <item><em>ssl_client_ciphers</em> - which is string of ciphers as a colon
         separated list of ciphers.</item>
        <item><em>ssl_client_cachetimeout</em> - which is the session cache timeout
         in seconds.</item>
      </list>
      <p>There also exist a number of API functions for accessing and changing the values of this 
        variables in the client processes.</p>
      <p>Access functions:</p>
      <list type="bulleted">
        <item>orber:ssl_client_certfile/0</item>
        <item>orber:ssl_client_cacertfile/0</item>
        <item>orber:ssl_client_verify/0</item>
        <item>orber:ssl_client_depth/0</item>
        <item>orber:ssl_client_keyfile/0</item>
        <item>orber:ssl_client_password/0</item>
        <item>orber:ssl_client_ciphers/0</item>
        <item>orber:ssl_client_cachetimeout/0</item>
      </list>
      <p>Modify functions:</p>
      <list type="bulleted">
        <item>orber:set_ssl_client_certfile/1</item>
        <item>orber:set_ssl_client_cacertfile/1</item>
        <item>orber:set_ssl_client_verify/1</item>
        <item>orber:set_ssl_client_depth/1</item>
      </list>
    </section>
  </section>
</chapter>