| blob | 24297ac067c8473721f2bb673bb8aa772412c008 |
2 <html>
3 <!-- -->
4 <!-- #BeginTemplate "/Templates/TAO_Security.dwt" -->
5 <head>
6 <!-- #BeginEditable "doctitle" -->
8 <!-- #EndEditable -->
11 <!--
16 }
23 }
36 } }
43 }
55 } }
56 }
57 //-->
58 </script>
59 </head>
60 <body bgcolor="#FFFFFF" onLoad="MM_preloadImages('fireworks/nav_bar_r02_c2_f3.gif','fireworks/nav_bar_r02_c2_f2.gif','fireworks/nav_bar_r04_c2_f3.gif','fireworks/nav_bar_r04_c2_f2.gif','fireworks/nav_bar_r04_c2_f4.gif','fireworks/nav_bar_r06_c2_f3.gif','fireworks/nav_bar_r06_c2_f2.gif','fireworks/nav_bar_r06_c2_f4.gif','fireworks/nav_bar_r08_c2_f3.gif','fireworks/nav_bar_r08_c2_f2.gif','fireworks/nav_bar_r08_c2_f4.gif','fireworks/nav_bar_r10_c2_f3.gif','fireworks/nav_bar_r10_c2_f2.gif','fireworks/nav_bar_r10_c2_f4.gif','fireworks/nav_bar_r12_c2_f3.gif','fireworks/nav_bar_r12_c2_f2.gif','fireworks/nav_bar_r12_c2_f4.gif','fireworks/nav_bar_r02_c2_f4.gif')">
61 <div id="Layer2" style="position:absolute; left:89px; top:32px; width:792px; height:125px; z-index:2">
62 <h1 align="center"><img src="images/CORBA_Security.jpg" width="500" height="131" align="middle"></h1>
63 </div>
64 <div id="Layer3" style="position:absolute; left:257px; top:199px; width:625px; height:1px; z-index:3"><!-- #BeginEditable "Body" -->
66 <hr>
67 <ul>
70 </ul>
71 <hr>
73 <p>TAO implements SSL as a pluggable protocol. As such, it must be dynamically
74 loaded into the ORB. You must use a service configurator file to do this.
75 The service configurator options for the ORB are described in detail in <a href="../docs/components.html?rev=HEAD&content-type=text/html">
77 file that includes: </p>
78 <pre>
79 dynamic SSLIOP_Factory Service_Object *
84 and then use that protocol in the ORB. The SSLIOP protocol has a number of
85 configuration options that we describe below. </p>
87 <p>Once the SSLIOP protocol is loaded you may want to setup the private key
88 and certificate files, the authentication level and similar features. This
89 is done by setting more options in the service configurator file, for example:
90 </p>
91 <pre>dynamic SSLIOP_Factory Service_Object *
92 TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()"<font color="#009900">-SSLAuthenticate SERVER</font>"</pre>
93 <p>will enforce validation of the server certificate on each SSL connection.
95 line. The complete list of options is: </p>
96 <p>
98 <tr>
101 </tr>
102 <tr>
104 <td>
105 <p>On the client side, this option forces request invocations to use the
106 standard insecure IIOP protocol.</p>
107 <p>On the server side, use of this option allows invocations on the server
108 to be made through the standard insecure IIOP protocol. Request invocations
109 through SSL may still be made.</p>
111 interface as defined in the CORBA Security Service is implemented.</p>
112 </td>
113 </tr>
114 <tr>
116 <td> Set the name of the file that contains the certificate for this process.
119 by a Certificate Authority recognized by the client. </td>
120 </tr>
121 <tr>
123 <td> Set the name of the file that contains the private key for this process.
124 The private key and certificate files must match. It is extremely important
126 utilities will generate pass phrase protected private key files. The password
127 is prompted when you run the CORBA application. </td>
128 </tr>
129 <tr>
134 the server is authenticated too. </td>
135 </tr>
136 <tr>
138 <td>Set the maximum amount of time to allow for establishing a
141 seconds.
143 href="http://bugzilla.dre.vanderbilt.edu/show_bug.cgi?id=1348">Bug 1348</a> in our <a href="http://bugzilla.dre.vanderbilt.edu/index.cgi">bug
145 </tr>
146 <tr>
148 <td>Set the filename containing the Diffie-Hellman parameters to
149 be used when using DSS-based certificates. The specified
150 file may be a file containing only Diffie-Hellman
151 parameters created by "<code>openssl dhparam</code>", or
152 it can be a certificate containing a PEM encoded set of
153 Diffie-Hellman parameters.</td>
154 </tr>
155 <tr>
157 <td>Sets the list of available ciphers. The cipher specification string
159 </tr>
160 <tr>
162 <td>When choosing a cipher, use the server's preferences instead of
163 the client preferences. When not set, the SSL server will always
164 follow the clients preferences.</td>
165 </tr>
166 <tr>
168 <td>Provide a file containing a trusted certificate, overriding the file named by SSL_CERT_FILE environment variable.</td>
169 </tr>
170 <tr>
172 <td>Provide a directory from which all files are read for trusted certificates overriding the directory named by SSL_CERT_DIR environment variable.<</td>
173 </tr>
174 <tr>
176 <td>Provide additional entropy from the named sources. Works in conjuction with any value supplied via SSL_RAND_FILE environment variable.</td>
177 </tr>
178 <tr>
180 <td>Unlike the cipher list option, this takes a list of SSL versions to support. List is a comma separated string containing SSLv23. If <code>-SSLVersionList</code> is not supplied, SSL will support all of these versions. </td>
181 </tr>
182 <tr>
184 <td>if the supplied <code>-SSLPrivateKey</code> is password protected, this option enables overriding the default password entry. The supplied specifier can be <code>prompt:</code><em>message</em> to prompt a user for entry, <code>file:</code><em>filename</em> reads a plain text file, <code>env:</code><em>envvarname</em>, or simply <em>thepassword</em>. Clearly using any option apart from prompt: weakens the protection. </td>
185 </tr>
186 <tr>
188 <td>Adds a verification of the peer address to the connection completion process. This feature requires OpenSSL 1.0.2 or newer and performs a reverse DNS lookup to find the originating hostname. If the version of ssl used does not support <code>X509_check_host()</code>, the peer address does not map to a cannonical host name, or the peer did not provide an X.509 certificate, the connection will fail. </td>
189 </tr>
190 <tr>
192 <td>Provide the name of the Elliptic Curve to use for ECDH cipher. To see a list of the available curve names use the command <em>openssl ecparam -list_curves</em> </td>
193 </tr>
195 </table>
197 <p>The SSLIOP protocol uses the following environment variables to control its
198 behavior. </p>
199 <p>
201 <tr>
204 </tr>
205 <tr>
207 <td> The name of the file that contains all the trusted certificate authority
208 self-signed certificates. By default it is set to the value of the <code>ACE_DEFAULT_SSL_CERT_FILE</code>
209 macro. </td>
210 </tr>
211 <tr>
213 <td> The name of the directory that contains all the trusted certificate
214 authority self-signed certificates. By default it is set to the value
216 be indexed using the OpenSSL format, i.e. each certificate is aliased
217 with the following link:
218 <pre>
219 $ ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
220 </pre>
221 Consult the documentation of your SSL implementation for more details.
222 </td>
223 <tr>
225 <td>The name of the UNIX domain socket that the <a href="http://www.lothar.com/tech/crypto/">Entropy
227 <tr>
229 <td>The file that contains previously saved state from OpenSSL's pseudo-random
230 number generator.</td>
231 </table>
232 <hr>
234 <p></p>
235 <p>TAO's SSLIOP pluggable protocol allows an application to gain access to the
236 SSL session state for the current request. For example, it allows an application
237 to obtain the SSL peer certificate chain associated with the current request
238 so that the application can decide whether or not to reject the request. This
242 <p><code><font color="#0000FF"># pragma prefix</font> "<font color="#009900">omg.org</font>"</code></p>
243 <blockquote>
247 The chain<br>
248 /// is actually a sequence. The sender's certificate is<br>
249 /// first, followed by any Certificate Authority<br>
250 /// certificates proceeding sequentially upward.</font><br>
252 </blockquote>
254 extensions.</font><br>
255 <font color="#0000FF"># pragma prefix</font> "<font color="#009900">ssliop.tao</font>"</code></p>
256 <blockquote>
258 methods to<br>
259 /// gain access to the SSL session state for the current<br>
260 /// execution context.</font><br>
262 <blockquote>
264 /// operation was invoked outside of an SSL<br>
265 /// session.</font><br>
266 exception NoContext {};</code></p>
268 with<br>
269 /// the current execution context. If no SSL<br>
270 /// session is being used for the request or<br>
271 /// upcall, then the NoContext exception is<br>
272 /// raised.</font><br>
273 SSL_Cert get_peer_certificate_chain ()<br>
274 raises
276 </blockquote>
278 </blockquote>
279 <p><code> <font color="#0000FF"># pragma prefix</font> "<font color="#009900">omg.org</font>"</code></p>
285 Here is an example:</p>
286 <blockquote>
289 CORBA::ORB_init (argc, "", "<font color="#009900">my_orb</font>");</code></p>
291 orb->resolve_initial_references ("<font color="#009900">SSLIOPCurrent</font>");</code></p>
294 </blockquote>
295 <h4>Examining the Peer Certificate for the Current Request Using <a href="http://www.openssl.org/">OpenSSL</a></h4>
297 the peer certificate for the current request may be obtained by invoking the
299 <blockquote>
301 // exception if it is not invoked during a request being<br>
302 // performed over SSL.</font><br>
305 </blockquote>
307 DER is the on-the-wire format used to transmit certificates between peers.
308 </p>
309 <p> OpenSSL can be used to examine the certificate. For example, to extract
310 and display the certificate issuer from the DER encoded X.509 certificate,
311 the following can be done:</p>
312 <blockquote>
313 <p><code><font color="#0000FF">#include</font> <<font color="#009900">openssl/x509.h</font>><br>
314 <font color="#0000FF">#include</font> <<font color="#009900">iostream</font>></code><code><br>
316 .<br>
317 .</font> <br>
319 // SSLIOP::ASN_1_Cert.</font><br>
321 <br>
322 char buf[BUFSIZ];<br>
323 <br>
325 // OpenSSL's internal format.</font><br>
327 <br>
332 <br>
335 <br>
337 </blockquote>
339 <address></address>
341 <tr>
342 <td>
343 <p><font face="Georgia, Times New Roman, Times, serif"><font face="Arial, Helvetica, sans-serif"><a href="mailto:ossama@dre.vanderbilt.edu">Ossama
344 Othman<br>
345 </a></font></font><font face="Georgia, Times New Roman, Times, serif"><a href="mailto:coryan@uci.edu"><font face="Arial, Helvetica, sans-serif">Carlos
347 </td>
348 <td><a href="http://www.openssl.org/"><img src="images/openssl_button.gif" width="102" height="47" align="right" border="0"></a></td>
349 </tr>
350 </table>
353 <div id="Layer1" style="position:absolute; left:87px; top:162px; width:153px; height:373px; z-index:4"><!-- Image with table -->
355 <!-- fwtable fwsrc="Untitled" fwbase="nav_bar.gif" -->
361 </tr>
363 <td colspan="3"><img name="nav_bar_r01_c1" src="fireworks/nav_bar_r01_c1.gif" width="158" height="35" border="0"></td>
365 </tr>
367 <td rowspan="12"><img name="nav_bar_r02_c1" src="fireworks/nav_bar_r02_c1.gif" width="9" height="342" border="0"></td>
368 <td><a href="index.html" onMouseOut="MM_nbGroup('out');" onMouseOver="MM_nbGroup('over','Home','fireworks/nav_bar_r02_c2_f2.gif','fireworks/nav_bar_r02_c2_f4.gif',1)" onClick="MM_nbGroup('down','navbar1','Home','fireworks/nav_bar_r02_c2_f3.gif',1)" ><img name="Home" src="fireworks/nav_bar_r02_c2.gif" border="0" onLoad=""></a></td>
369 <td rowspan="12"><img name="nav_bar_r02_c3" src="fireworks/nav_bar_r02_c3.gif" width="8" height="342" border="0"></td>
371 </tr>
373 <td><img name="nav_bar_r03_c2" src="fireworks/nav_bar_r03_c2.gif" width="141" height="5" border="0"></td>
375 </tr>
377 <td><a href="Download.html" onMouseOut="MM_nbGroup('out');" onMouseOver="MM_nbGroup('over','Download','fireworks/nav_bar_r04_c2_f2.gif','fireworks/nav_bar_r04_c2_f4.gif',1)" onClick="MM_nbGroup('down','navbar1','Download','fireworks/nav_bar_r04_c2_f3.gif',1)" ><img name="Download" src="fireworks/nav_bar_r04_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
379 </tr>
381 <td><img name="nav_bar_r05_c2" src="fireworks/nav_bar_r05_c2.gif" width="141" height="5" border="0"></td>
383 </tr>
385 <td><a href="http://www.dre.vanderbilt.edu/~schmidt/TAO.html" onMouseOut="MM_nbGroup('out');" onMouseOver="MM_nbGroup('over','TAO','fireworks/nav_bar_r06_c2_f2.gif','fireworks/nav_bar_r06_c2_f4.gif',1)" onClick="MM_nbGroup('down','navbar1','TAO','fireworks/nav_bar_r06_c2_f3.gif',1)" ><img name="TAO" src="fireworks/nav_bar_r06_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
387 </tr>
389 <td><img name="nav_bar_r07_c2" src="fireworks/nav_bar_r07_c2.gif" width="141" height="5" border="0"></td>
391 </tr>
393 <td><a href="SSLIOP.html" onMouseOut="MM_nbGroup('out');" onMouseOver="MM_nbGroup('over','SSLIOP','fireworks/nav_bar_r08_c2_f2.gif','fireworks/nav_bar_r08_c2_f4.gif',1)" onClick="MM_nbGroup('down','navbar1','SSLIOP','fireworks/nav_bar_r08_c2_f3.gif',1)" ><img name="SSLIOP" src="fireworks/nav_bar_r08_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
395 </tr>
397 <td><img name="nav_bar_r09_c2" src="fireworks/nav_bar_r09_c2.gif" width="141" height="5" border="0"></td>
399 </tr>
401 <td><a href="Security_Service.html" onMouseOut="MM_nbGroup('out');" onMouseOver="MM_nbGroup('over','Security_Service','fireworks/nav_bar_r10_c2_f2.gif','fireworks/nav_bar_r10_c2_f4.gif',1)" onClick="MM_nbGroup('down','navbar1','Security_Service','fireworks/nav_bar_r10_c2_f3.gif',1)" ><img name="Security_Service" src="fireworks/nav_bar_r10_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
403 </tr>
405 <td><img name="nav_bar_r11_c2" src="fireworks/nav_bar_r11_c2.gif" width="141" height="5" border="0"></td>
407 </tr>
409 <td><a href="FAQ.html" onMouseOut="MM_nbGroup('out');" onMouseOver="MM_nbGroup('over','FAQ','fireworks/nav_bar_r12_c2_f2.gif','fireworks/nav_bar_r12_c2_f4.gif',1)" onClick="MM_nbGroup('down','navbar1','FAQ','fireworks/nav_bar_r12_c2_f3.gif',1)" ><img name="FAQ" src="fireworks/nav_bar_r12_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
411 </tr>
413 <td><img name="nav_bar_r13_c2" src="fireworks/nav_bar_r13_c2.gif" width="141" height="101" border="0"></td>
415 </tr>
416 <!-- This table was automatically created with Macromedia Fireworks 3.0 -->
417 <!-- http://www.macromedia.com -->
418 </table>
419 </div>
421 <tr>
423 </tr>
424 </table>
425 </body>
426 <!-- #EndTemplate -->
427 </html>