Diffstat (limited to 'TAO/orbsvcs/DevGuideExamples/Security/SecurityUnawareApp/README')
-rw-r--r-- | TAO/orbsvcs/DevGuideExamples/Security/SecurityUnawareApp/README | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/TAO/orbsvcs/DevGuideExamples/Security/SecurityUnawareApp/README b/TAO/orbsvcs/DevGuideExamples/Security/SecurityUnawareApp/README new file mode 100644 index 00000000000..7eebb03ebfb --- /dev/null +++ b/TAO/orbsvcs/DevGuideExamples/Security/SecurityUnawareApp/README 
@@ -0,0 +1,172 @@ +TAO Security + +DevGuideExamples/Security/SecurityUnawareApp/README + +This directory contains an illustration of a security unaware +application. The examples vary the client's configuration to +demonstrate different features. For each of these examples, +however, the client and server process code remains the same. + +For readability, long text lines from the example's service +configuration files are split into multiple lines. A backslash +indicates the end of partial line except for the final fragment. +The backslashes should be removed and the fragments joined for +use with the example programs. + +For simplicity, the pass phrases have been stripped from the +private keys included with these examples in the 1.2a release. +This *should not* be construed as a recommended practice. Instead, +OCI strongly recommends that the security requirements of each +real-world application be evaluated carefully and that appropriate +procedures and practice be established accordingly. Private keys +without pass phrase protection are easily compromised and may +allow an unauthorized party to masquerade as an authorized system +user. + +Prior to running the server in these examples, the SSL_CERT_FILE +environment variable must be set, e.g., + # /bin/bash + export SSL_CERT_FILE=cacert.pem +or + rem Windows + set SSL_CERT_FILE=cacert.pem + +For examples 1 and 2, the client's environment should also +define SSL_CERT_FILE appropriately. The final example +demonstrates how to establish a connection between a client +and server such that the client does not authenticate the +server and therefore does not need a value for SSL_CERT_FILE. + + + +Example 1: Secured server and unsecured client +---------------------------------------------- +The server is configured to accept requests only via secured +connections. No specific configurationi is provided for the +client so it has the default configuration. 
+ +The server's configuration is: + +# +# server.conf +# +dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ + "-SSLAuthenticate SERVER_AND_CLIENT \ + -SSLPrivateKey PEM:serverkey.pem \ + -SSLCertificate PEM:servercert.pem" + +static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" +# +# end of server.conf +# + +To run the server: + ./MessengerServer -ORBSvcConf server.conf + +To run the client: + ./MessengerClient + + + +Example 2: Secured server and unsecured client +---------------------------------------------- +Both server and client are configured to issue and accept +requests via secured connections. + +The server's configuration is: + +# +# server.conf +# +dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ + "-SSLAuthenticate SERVER_AND_CLIENT \ + -SSLPrivateKey PEM:serverkey.pem \ + -SSLCertificate PEM:servercert.pem" + +static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" +# +# end of server.conf +# + +The client's configuration is: + +# +# client.conf +# +dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ + "-SSLAuthenticate SERVER_AND_CLIENT \ + -SSLPrivateKey PEM:serverkey.pem \ + -SSLCertificate PEM:servercert.pem" + +static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" +# +# end of client.conf +# + +To run the server: + ./MessengerServer -ORBSvcConf server.conf + +To run the client: + ./MessengerClient -ORBSvcConf client.conf + + + +Example 3: client doesn't authenticate server +--------------------------------------------- +The client is configured such that it doesn't authenticate +the server. It still employs an encrypted connection but, +since it doesn't need a CA certificate, no value for +SSL_CERT_FILE is required. 
+ +The server's configuration is: + +# +# server.conf +# +dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ + "-SSLAuthenticate SERVER_AND_CLIENT \ + -SSLPrivateKey PEM:serverkey.pem \ + -SSLCertificate PEM:servercert.pem" + +static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" +# +# end of server.conf +# + +The client's configuration is: + +# +# client.conf +# +dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ + "-SSLAuthenticate NONE \ + -SSLPrivateKey PEM:serverkey.pem \ + -SSLCertificate PEM:servercert.pem" + +static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" +# +# end of client.conf +# + +To run the server: + ./MessengerServer -ORBSvcConf server.conf + +To run the client: + ./MessengerClient -ORBSvcConf client.conf + +If a value for SSL_CERT_FILE has already been placed in the +client's environment, the client may be executed as follows (on +Unix platforms): + SSL_CERT_FILE= ./MessengerClient -ORBSvcConf client.conf + + + +-------------------------------------------------- +Files: DevGuideExamples/Security/SecurityUnawareApp/ + +Messenger.idl - Messenger interface definition. +Messenger_i.h - Messenger servant class definition. +Messenger_i.cpp - Messenger servant implementation. +MessengerServer.cpp - MessengerServer process main. +MessengerClient.cpp - MessengerClient process main. + |
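Review bot: the heading for Example 2 reads "Secured server and unsecured client", identical to Example 1's heading, while its body says both server and client are configured for secured connections; suggest "Example 2: Secured server and secured client". In the same hunk, both client.conf fragments point the client at the server's credentials (`-SSLPrivateKey PEM:serverkey.pem` and `-SSLCertificate PEM:servercert.pem`), so a server running with `-SSLAuthenticate SERVER_AND_CLIENT` is accepting its own identity as the client; shipping a separate client key and certificate, or adding a sentence stating that the reuse is deliberate for the demo, would avoid teaching that pattern alongside the pass-phrase warning. Minor: "configurationi" in Example 1 should be "configuration", and Example 1 never says what the reader should observe when the unsecured client is run against the secured server.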