search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #1551 from DOCGroup/plm_jira_333
[ACE_TAO.git] / TAO / orbsvcs / DevGuideExamples / Security / SecurityUnawareApp / README
blob8c5ac26490323d0121c96a0a1ae51ff5ac5c90d2
1
2
3 TAO Security
4
5 DevGuideExamples/Security/SecurityUnawareApp/README
6
7 This directory contains an illustration of a security unaware
8 application.  The examples vary the client's configuration to
9 demonstrate different features. For each of these examples,
10 however, the client and server process code remains the same.
11
12 For readability, long text lines from the example's service
13 configuration files are split into multiple lines.  A backslash
14 indicates the end of partial line except for the final fragment.
15 The backslashes should be removed and the fragments joined for
16 use with the example programs.
17
18 For simplicity, the pass phrases have been stripped from the
19 private keys included with these examples in the 1.2a release.
20 This *should not* be construed as a recommended practice.  Instead,
21 OCI strongly recommends that the security requirements of each
22 real-world application be evaluated carefully and that appropriate
23 procedures and practice be established accordingly.  Private keys
24 without pass phrase protection are easily compromised and may
25 allow an unauthorized party to masquerade as an authorized system
26 user.
27
28 Prior to running the server in these examples, the SSL_CERT_FILE
29 environment variable must be set, e.g.,
30         # /bin/bash
31         export SSL_CERT_FILE=cacert.pem
32 or
33         rem Windows
34         set SSL_CERT_FILE=cacert.pem
35
36 For examples 1 and 2, the client's environment should also
37 define SSL_CERT_FILE appropriately.  The final example
38 demonstrates how to establish a connection between a client
39 and server such that the client does not authenticate the
40 server and therefore does not need a value for SSL_CERT_FILE.
41
42
43
44 Example 1: Secured server and unsecured client
45 ----------------------------------------------
46 The server is configured to accept requests only via secured
47 connections.  No specific configurationi is provided for the
48 client so it has the default configuration.
49
50 The server's configuration is:
51
52 #
53 # server.conf
54 #
55 dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
56         "-SSLAuthenticate SERVER_AND_CLIENT     \
57          -SSLPrivateKey PEM:server_key.pem      \
58          -SSLCertificate PEM:server_cert.pem"
59
60 static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
61 #
62 # end of server.conf
63 #
64
65 To run the server:
66         ./MessengerServer -ORBSvcConf server.conf
67
68 To run the client:
69         ./MessengerClient
70
71
72
73 Example 2: Secured server and unsecured client
74 ----------------------------------------------
75 Both server and client are configured to issue and accept
76 requests via secured connections.
77
78 The server's configuration is:
79
80 #
81 # server.conf
82 #
83 dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
84         "-SSLAuthenticate SERVER_AND_CLIENT     \
85          -SSLPrivateKey PEM:server_key.pem      \
86          -SSLCertificate PEM:server_cert.pem"
87
88 static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
89 #
90 # end of server.conf
91 #
92
93 The client's configuration is:
94
95 #
96 # client.conf
97 #
98 dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
99         "-SSLAuthenticate SERVER_AND_CLIENT     \
100          -SSLPrivateKey PEM:server_key.pem      \
101          -SSLCertificate PEM:server_cert.pem"
102
103 static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
104 #
105 # end of client.conf
106 #
107
108 To run the server:
109         ./MessengerServer -ORBSvcConf server.conf
110
111 To run the client:
112         ./MessengerClient -ORBSvcConf client.conf
113
114
115
116 Example 3: client doesn't authenticate server
117 ---------------------------------------------
118 The client is configured such that it doesn't authenticate
119 the server.  It still employs an encrypted connection but,
120 since it doesn't need a CA certificate, no value for
121 SSL_CERT_FILE is required.
122
123 The server's configuration is:
124
125 #
126 # server.conf
127 #
128 dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
129         "-SSLAuthenticate SERVER_AND_CLIENT     \
130          -SSLPrivateKey PEM:server_key.pem      \
131          -SSLCertificate PEM:server_cert.pem"
132
133 static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
134 #
135 # end of server.conf
136 #
137
138 The client's configuration is:
139
140 #
141 # client.conf
142 #
143 dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() \
144         "-SSLAuthenticate NONE                  \
145          -SSLPrivateKey PEM:server_key.pem      \
146          -SSLCertificate PEM:server_cert.pem"
147
148 static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
149 #
150 # end of client.conf
151 #
152
153 To run the server:
154         ./MessengerServer -ORBSvcConf server.conf
155
156 To run the client:
157         ./MessengerClient -ORBSvcConf client.conf
158
159 If a value for SSL_CERT_FILE has already been placed in the
160 client's environment, the client may be executed as follows (on
161 Unix platforms):
162         SSL_CERT_FILE= ./MessengerClient -ORBSvcConf client.conf
163
164
165
166 --------------------------------------------------
167 Files: DevGuideExamples/Security/SecurityUnawareApp/
168
169 Messenger.idl           - Messenger interface definition.
170 Messenger_i.h           - Messenger servant class definition.
171 Messenger_i.cpp         - Messenger servant implementation.
172 MessengerServer.cpp     - MessengerServer process main.
173 MessengerClient.cpp     - MessengerClient process main.
174