1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
<?xml version="1.0" encoding="latin1" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">
<chapter>
<header>
<copyright>
<year>1999</year><year>2009</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
The contents of this file are subject to the Erlang Public License,
Version 1.1, (the "License"); you may not use this file except in
compliance with the License. You should have received a copy of the
Erlang Public License along with this software. If not, it can be
retrieved online at http://www.erlang.org/.
Software distributed under the License is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
the License for the specific language governing rights and limitations
under the License.
</legalnotice>
<title>How to use security in Orber</title>
<prepared></prepared>
<docno></docno>
<date>1999-09-01</date>
<rev></rev>
<file>ch_security.xml</file>
</header>
<section>
<title>Security in Orber</title>
<section>
<title>Introduction</title>
<p>Orber SSL provides authentication, privacy and integrity for your
Erlang applications. Based on the Secure Sockets Layer protocol, the
Orber SSL ensures that your Orber clients and servers can
communicate securely over any network.
This is done by tunneling IIOP through an SSL connection. To get
the node secure you will also need to have a firewall which
only lets through connections to certain ports.</p>
</section>
<section>
<title>Enable Usage of Secure Connections</title>
<p>To enable a secure Orber domain you have to set the configuration variable
<em>secure</em> which currently only can have one of two values;
<em>no</em> if no security for IIOP should be used and <em>ssl</em> if
secure connections is needed (<em>ssl</em> is currently the only supported
security mechanism).</p>
<p>The default is no security.</p>
</section>
<section>
<title>Configurations when Orber is Used on the Server Side</title>
<p>The following three configuration variables can be used to configure Orber's SSL
behavior on the server side.</p>
<list type="bulleted">
<item><em>ssl_server_certfile</em> - which is a path to a file containing a
chain of PEM encoded certificates for the Orber domain as server.</item>
<item><em>ssl_server_cacertfile</em> - which is a path to a file containing
a chain of PEM encoded certificates for the Orber domain as server.</item>
<item><em>ssl_server_verify</em> - which specifies type of verification:
0 = do not verify peer; 1 = verify peer, verify client once,
2 = verify peer, verify client once, fail if no peer certificate.
The default value is 0.</item>
<item><em>ssl_server_depth</em> - which specifies verification depth, i.e.
how far in a chain of certificates the verification process shall
proceed before the verification is considered successful. The default
value is 1. </item>
<item><em>ssl_server_keyfile</em> - which is a path to a file containing a
PEM encoded key for the Orber domain as server.</item>
<item><em>ssl_server_password</em> - only used if the private keyfile is
password protected.</item>
<item><em>ssl_server_ciphers</em> - which is string of ciphers as a colon
separated list of ciphers.</item>
<item><em>ssl_server_cachetimeout</em> - which is the session cache timeout
in seconds.</item>
</list>
<p>There also exist a number of API functions for accessing the values of these variables:</p>
<list type="bulleted">
<item>orber:ssl_server_certfile/0</item>
<item>orber:ssl_server_cacertfile/0</item>
<item>orber:ssl_server_verify/0</item>
<item>orber:ssl_server_depth/0</item>
<item>orber:ssl_server_keyfile/0</item>
<item>orber:ssl_server_password/0</item>
<item>orber:ssl_server_ciphers/0</item>
<item>orber:ssl_server_cachetimeout/0</item>
</list>
</section>
<section>
<title>Configurations when Orber is Used on the Client Side</title>
<p>When the Orber enabled application is the client side in the secure connection the
different configurations can be set per client process instead and not for the whole domain
as for incoming calls.</p>
<p>One can use configuration variables to set default values for the domain but they can be changed
per client process. Below is the list of client configuration variables.</p>
<list type="bulleted">
<item><em>ssl_client_certfile</em> - which is a path to a file containing a
chain of PEM encoded certificates used in outgoing calls in the current
process.</item>
<item><em>ssl_client_cacertfile</em> - which is a path to a file containing a
chain of PEM encoded CA certificates used in outgoing calls in the
current process.</item>
<item><em>ssl_client_verify</em> - which specifies type of verification:
0 = do not verify peer; 1 = verify peer, verify client once,
2 = verify peer, verify client once, fail if no peer certificate.
The default value is 0.</item>
<item><em>ssl_client_depth</em> - which specifies verification depth, i.e.
how far in a chain of certificates the verification process shall proceed
before the verification is considered successful. The default value is 1. </item>
<item><em>ssl_client_keyfile</em> - which is a path to a file containing a
PEM encoded key when Orber act as client side ORB.</item>
<item><em>ssl_client_password</em> - only used if the private keyfile is
password protected.</item>
<item><em>ssl_client_ciphers</em> - which is string of ciphers as a colon
separated list of ciphers.</item>
<item><em>ssl_client_cachetimeout</em> - which is the session cache timeout
in seconds.</item>
</list>
<p>There also exist a number of API functions for accessing and changing the values of this
variables in the client processes.</p>
<p>Access functions:</p>
<list type="bulleted">
<item>orber:ssl_client_certfile/0</item>
<item>orber:ssl_client_cacertfile/0</item>
<item>orber:ssl_client_verify/0</item>
<item>orber:ssl_client_depth/0</item>
<item>orber:ssl_client_keyfile/0</item>
<item>orber:ssl_client_password/0</item>
<item>orber:ssl_client_ciphers/0</item>
<item>orber:ssl_client_cachetimeout/0</item>
</list>
<p>Modify functions:</p>
<list type="bulleted">
<item>orber:set_ssl_client_certfile/1</item>
<item>orber:set_ssl_client_cacertfile/1</item>
<item>orber:set_ssl_client_verify/1</item>
<item>orber:set_ssl_client_depth/1</item>
</list>
</section>
</section>
</chapter>
|