TAO Security

DevGuideExamples/Security/SecurityUnawareApp/README

This directory contains an illustration of a security unaware
application.  The examples vary the client's configuration to
demonstrate different features.  For each of these examples,
however, the client and server process code remains the same.

For readability, long text lines from the example's service
configuration files are split into multiple lines.  A backslash
marks the end of each partial line except the final fragment.
The backslashes should be removed and the fragments joined for
use with the example programs.

For simplicity, the pass phrases have been stripped from the
private keys included with these examples in the 1.2a release.
This *should not* be construed as a recommended practice.  Instead,
OCI strongly recommends that the security requirements of each
real-world application be evaluated carefully and that appropriate
procedures and practice be established accordingly.  Private keys
without pass phrase protection are easily compromised and may
allow an unauthorized party to masquerade as an authorized system
user.

Prior to running the server in these examples, the SSL_CERT_FILE
environment variable must be set, e.g.,
        # /bin/bash
        export SSL_CERT_FILE=cacert.pem

        rem Windows
        set SSL_CERT_FILE=cacert.pem

For examples 1 and 2, the client's environment should also
define SSL_CERT_FILE appropriately.  The final example
demonstrates how to establish a connection between a client
and server such that the client does not authenticate the
server and therefore does not need a value for SSL_CERT_FILE.


Example 1: Secured server and unsecured client
----------------------------------------------
The server is configured to accept requests only via secured
connections.  No specific configuration is provided for the
client so it has the default configuration.

The server's configuration is:

# server.conf

dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
        "-SSLAuthenticate SERVER_AND_CLIENT     \
         -SSLPrivateKey PEM:server_key.pem      \
         -SSLCertificate PEM:server_cert.pem"

static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

# end of server.conf

To run the server:
        ./MessengerServer -ORBSvcConf server.conf

To run the client:
        ./MessengerClient


Example 2: Secured server and secured client
--------------------------------------------
Both server and client are configured to issue and accept
requests via secured connections.

The server's configuration is:

# server.conf

dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
        "-SSLAuthenticate SERVER_AND_CLIENT     \
         -SSLPrivateKey PEM:server_key.pem      \
         -SSLCertificate PEM:server_cert.pem"

static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

# end of server.conf

The client's configuration is:

# client.conf

dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
        "-SSLAuthenticate SERVER_AND_CLIENT     \
         -SSLPrivateKey PEM:server_key.pem      \
         -SSLCertificate PEM:server_cert.pem"

static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

# end of client.conf

To run the server:
        ./MessengerServer -ORBSvcConf server.conf

To run the client:
        ./MessengerClient -ORBSvcConf client.conf


Example 3: client doesn't authenticate server
---------------------------------------------
The client is configured such that it doesn't authenticate
the server.  It still employs an encrypted connection but,
since it doesn't need a CA certificate, no value for
SSL_CERT_FILE is required.

The server's configuration is:

# server.conf

dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
        "-SSLAuthenticate SERVER_AND_CLIENT     \
         -SSLPrivateKey PEM:server_key.pem      \
         -SSLCertificate PEM:server_cert.pem"

static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

# end of server.conf

The client's configuration is:

# client.conf

dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
        "-SSLAuthenticate NONE                  \
         -SSLPrivateKey PEM:server_key.pem      \
         -SSLCertificate PEM:server_cert.pem"

static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

# end of client.conf

To run the server:
        ./MessengerServer -ORBSvcConf server.conf

To run the client:
        ./MessengerClient -ORBSvcConf client.conf

If a value for SSL_CERT_FILE has already been placed in the
client's environment, the client may be executed as follows (on
Unix platforms):
        SSL_CERT_FILE= ./MessengerClient -ORBSvcConf client.conf
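
Added example (not part of the TAO distribution or of OCI's code): a small
pre-deployment check that joins the backslash-split fragments as the note at
the top of this README describes, then reports the two weaknesses the README
points out, a key file without a pass phrase and -SSLAuthenticate NONE.  The
function names and the read_file callback are assumptions made for this
sketch; the sample configuration is constructed from Example 3.

```python
import re

# Constructed sample: Example 3's client.conf as printed in this README,
# with the display-only backslash continuations still present.
SAMPLE_CONF = r'''# client.conf
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
        "-SSLAuthenticate NONE                  \
         -SSLPrivateKey PEM:server_key.pem      \
         -SSLCertificate PEM:server_cert.pem"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
'''

def join_fragments(text):
    """Drop each trailing backslash and join the fragment with the next line."""
    return re.sub(r"[ \t]*\\[ \t]*\r?\n[ \t]*", " ", text)

def ssliop_options(conf_text):
    """Return the SSLIOP_Factory options as a dict, e.g. {'-SSLAuthenticate': 'NONE'}."""
    for line in join_fragments(conf_text).splitlines():
        if line.split()[:2] == ["dynamic", "SSLIOP_Factory"]:
            m = re.search(r'"([^"]*)"', line)
            words = m.group(1).split() if m else []
            return dict(zip(words[0::2], words[1::2]))
    return {}

def key_is_encrypted(pem_text):
    """True if a PEM private key is pass-phrase protected (PKCS#8 or legacy OpenSSL form)."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def audit(conf_text, read_file):
    """Return a list of findings; read_file(path) -> str supplies key file contents."""
    opts = ssliop_options(conf_text)
    findings = []
    if not opts:
        findings.append("no SSLIOP_Factory directive found")
    if opts.get("-SSLAuthenticate") == "NONE":
        findings.append("-SSLAuthenticate NONE: this endpoint does not authenticate its peer")
    key = opts.get("-SSLPrivateKey", "")
    if key.startswith("PEM:") and not key_is_encrypted(read_file(key[4:])):
        findings.append(f"{key[4:]}: private key has no pass phrase")
    return findings

if __name__ == "__main__":
    # Constructed stand-in for a key file whose pass phrase was stripped.
    bare_key = "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
    print("\n".join(audit(SAMPLE_CONF, lambda path: bare_key)))
```

In real use, pass a read_file that opens the path relative to the directory
the process is started from.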

--------------------------------------------------
Files: DevGuideExamples/Security/SecurityUnawareApp/

Messenger.idl           - Messenger interface definition.
Messenger_i.h           - Messenger servant class definition.
Messenger_i.cpp         - Messenger servant implementation.
MessengerServer.cpp     - MessengerServer process main.
MessengerClient.cpp     - MessengerClient process main.