TAO Security DevGuideExamples/Security/SecurityUnawareApp/README This directory contains an illustration of a security unaware application. The examples vary the client's configuration to demonstrate different features. For each of these examples, however, the client and server process code remains the same. For readability, long text lines from the example's service configuration files are split into multiple lines. A backslash indicates the end of partial line except for the final fragment. The backslashes should be removed and the fragments joined for use with the example programs. For simplicity, the pass phrases have been stripped from the private keys included with these examples in the 1.2a release. This *should not* be construed as a recommended practice. Instead, OCI strongly recommends that the security requirements of each real-world application be evaluated carefully and that appropriate procedures and practice be established accordingly. Private keys without pass phrase protection are easily compromised and may allow an unauthorized party to masquerade as an authorized system user. Prior to running the server in these examples, the SSL_CERT_FILE environment variable must be set, e.g., # /bin/bash export SSL_CERT_FILE=cacert.pem or rem Windows set SSL_CERT_FILE=cacert.pem For examples 1 and 2, the client's environment should also define SSL_CERT_FILE appropriately. The final example demonstrates how to establish a connection between a client and server such that the client does not authenticate the server and therefore does not need a value for SSL_CERT_FILE. Example 1: Secured server and unsecured client ---------------------------------------------- The server is configured to accept requests only via secured connections. No specific configuration is provided for the client so it has the default configuration. The server's configuration is: # # server.conf # dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ "-SSLAuthenticate SERVER_AND_CLIENT \ -SSLPrivateKey PEM:server_key.pem \ -SSLCertificate PEM:server_cert.pem" static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" # # end of server.conf # To run the server: ./MessengerServer -ORBSvcConf server.conf To run the client: ./MessengerClient Example 2: Secured server and unsecured client ---------------------------------------------- Both server and client are configured to issue and accept requests via secured connections. The server's configuration is: # # server.conf # dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ "-SSLAuthenticate SERVER_AND_CLIENT \ -SSLPrivateKey PEM:server_key.pem \ -SSLCertificate PEM:server_cert.pem" static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" # # end of server.conf # The client's configuration is: # # client.conf # dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ "-SSLAuthenticate SERVER_AND_CLIENT \ -SSLPrivateKey PEM:server_key.pem \ -SSLCertificate PEM:server_cert.pem" static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" # # end of client.conf # To run the server: ./MessengerServer -ORBSvcConf server.conf To run the client: ./MessengerClient -ORBSvcConf client.conf Example 3: client doesn't authenticate server --------------------------------------------- The client is configured such that it doesn't authenticate the server. It still employs an encrypted connection but, since it doesn't need a CA certificate, no value for SSL_CERT_FILE is required. The server's configuration is: # # server.conf # dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ "-SSLAuthenticate SERVER_AND_CLIENT \ -SSLPrivateKey PEM:server_key.pem \ -SSLCertificate PEM:server_cert.pem" static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" # # end of server.conf # The client's configuration is: # # client.conf # dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \ "-SSLAuthenticate NONE \ -SSLPrivateKey PEM:server_key.pem \ -SSLCertificate PEM:server_cert.pem" static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory" # # end of client.conf # To run the server: ./MessengerServer -ORBSvcConf server.conf To run the client: ./MessengerClient -ORBSvcConf client.conf If a value for SSL_CERT_FILE has already been placed in the client's environment, the client may be executed as follows (on Unix platforms): SSL_CERT_FILE= ./MessengerClient -ORBSvcConf client.conf -------------------------------------------------- Files: DevGuideExamples/Security/SecurityUnawareApp/ Messenger.idl - Messenger interface definition. Messenger_i.h - Messenger servant class definition. Messenger_i.cpp - Messenger servant implementation. MessengerServer.cpp - MessengerServer process main. MessengerClient.cpp - MessengerClient process main.