1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
TAO Security
DevGuideExamples/Security/SecurityUnawareApp/README
This directory contains an illustration of a security unaware
application. The examples vary the client's configuration to
demonstrate different features. For each of these examples,
however, the client and server process code remains the same.
For readability, long text lines from the example's service
configuration files are split into multiple lines. A backslash
indicates the end of partial line except for the final fragment.
The backslashes should be removed and the fragments joined for
use with the example programs.
For simplicity, the pass phrases have been stripped from the
private keys included with these examples in the 1.2a release.
This *should not* be construed as a recommended practice. Instead,
OCI strongly recommends that the security requirements of each
real-world application be evaluated carefully and that appropriate
procedures and practice be established accordingly. Private keys
without pass phrase protection are easily compromised and may
allow an unauthorized party to masquerade as an authorized system
user.
Prior to running the server in these examples, the SSL_CERT_FILE
environment variable must be set, e.g.,
# /bin/bash
export SSL_CERT_FILE=cacert.pem
or
rem Windows
set SSL_CERT_FILE=cacert.pem
For examples 1 and 2, the client's environment should also
define SSL_CERT_FILE appropriately. The final example
demonstrates how to establish a connection between a client
and server such that the client does not authenticate the
server and therefore does not need a value for SSL_CERT_FILE.
Example 1: Secured server and unsecured client
----------------------------------------------
The server is configured to accept requests only via secured
connections. No specific configuration is provided for the
client so it has the default configuration.
The server's configuration is:
#
# server.conf
#
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
"-SSLAuthenticate SERVER_AND_CLIENT \
-SSLPrivateKey PEM:server_key.pem \
-SSLCertificate PEM:server_cert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
#
# end of server.conf
#
To run the server:
./MessengerServer -ORBSvcConf server.conf
To run the client:
./MessengerClient
Example 2: Secured server and unsecured client
----------------------------------------------
Both server and client are configured to issue and accept
requests via secured connections.
The server's configuration is:
#
# server.conf
#
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
"-SSLAuthenticate SERVER_AND_CLIENT \
-SSLPrivateKey PEM:server_key.pem \
-SSLCertificate PEM:server_cert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
#
# end of server.conf
#
The client's configuration is:
#
# client.conf
#
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
"-SSLAuthenticate SERVER_AND_CLIENT \
-SSLPrivateKey PEM:server_key.pem \
-SSLCertificate PEM:server_cert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
#
# end of client.conf
#
To run the server:
./MessengerServer -ORBSvcConf server.conf
To run the client:
./MessengerClient -ORBSvcConf client.conf
Example 3: client doesn't authenticate server
---------------------------------------------
The client is configured such that it doesn't authenticate
the server. It still employs an encrypted connection but,
since it doesn't need a CA certificate, no value for
SSL_CERT_FILE is required.
The server's configuration is:
#
# server.conf
#
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
"-SSLAuthenticate SERVER_AND_CLIENT \
-SSLPrivateKey PEM:server_key.pem \
-SSLCertificate PEM:server_cert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
#
# end of server.conf
#
The client's configuration is:
#
# client.conf
#
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
"-SSLAuthenticate NONE \
-SSLPrivateKey PEM:server_key.pem \
-SSLCertificate PEM:server_cert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
#
# end of client.conf
#
To run the server:
./MessengerServer -ORBSvcConf server.conf
To run the client:
./MessengerClient -ORBSvcConf client.conf
If a value for SSL_CERT_FILE has already been placed in the
client's environment, the client may be executed as follows (on
Unix platforms):
SSL_CERT_FILE= ./MessengerClient -ORBSvcConf client.conf
--------------------------------------------------
Files: DevGuideExamples/Security/SecurityUnawareApp/
Messenger.idl - Messenger interface definition.
Messenger_i.h - Messenger servant class definition.
Messenger_i.cpp - Messenger servant implementation.
MessengerServer.cpp - MessengerServer process main.
MessengerClient.cpp - MessengerClient process main.
|