...
Hence we can decide at run time.
...
Use ECF_SSL environment variable to enable encrypted communication
...
Additionally, ecFlow_ui has been changed so that the Add Server dialog now prompts the user to indicate whether the server is SSL enabled.
To use SSL choose between:
- export ECF_SSL=1 # search for server.crt otherwise <host>.<port>.crt
- export ECF_SSL=<host>.<port> # Use server specific certificates <host>.<port>.***
- use --ssl # argument to ecflow_client/ecflow_server, same as option 1. Typically an SSL server is started with ecflow_start.sh
...
...
```bash
ecflow_server --ssl
ecflow_client --ssl --stats
```
...
- Client.enable_ssl() # for python client
ecFlow expects the certificates to be in directory $HOME/.ecflowrc/ssl
The certificates can be shared if you have multiple servers running on the same machine. In this case use ECF_SSL=1; ecflow_server then expects the following files in $HOME/.ecflowrc/ssl:
- dh1024.pem
- server.crt
- server.key
- server.passwd (optional): if this file exists it must contain the pass phrase used to create server.key
ecflow_client expects the following file in $HOME/.ecflowrc/ssl:
- server.crt (this must be the same certificate the server uses)
Alternatively you can have different settings for each server with ECF_SSL=<host>.<port>; the server then expects files of the form:
- <host>.<port>.pem
- <host>.<port>.crt
- <host>.<port>.key
- <host>.<port>.passwd (optional)
and the client expects a file of the form:
- <host>.<port>.crt # as before, this must be the same certificate the server uses
When ECF_SSL=1, the server and client automatically check for the existence of both variants, but give preference to the NON <host>.<port>.*** variants (server.crt, server.key, ...) when both are present.
The following steps show you how to create the certificate files.
They may need to be adapted if you want to use the <host>.<port>.*** naming.
Generate a password-protected private key. This will request a pass phrase. The key is a 1024-bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text. Note that 1024-bit RSA is below current recommendations (2048 bits or more); generate a larger key unless you need to match an existing deployment.
```bash
openssl genrsa -des3 -out server.key 1024 # Password protected private key
```
Additional security. If you want additional security, create a file called 'server.passwd' containing the pass phrase, and set the file permissions so that only the user running the server process can read it. Alternatively you can remove the password requirement from the key; in that case the server.passwd file is not needed, but the unencrypted server.key must then be protected just as carefully.
```bash
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key # remove password requirement
```
Sign the certificate with the private key (self-signed certificate). First generate a Certificate Signing Request (CSR). This will prompt with a number of questions; make sure the 'common name' matches the host where your server is going to run.
```bash
openssl req -new -key server.key -out server.csr # Generate Certificate Signing Request (CSR)
```
Generate a self-signed certificate (CRT) from the CSR and the private key:
```bash
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
```
Generate the dhparam file. ecFlow expects 1024-bit Diffie-Hellman parameters (1024-bit DH is below current recommendations, but this is the size ecFlow expects):
```bash
openssl dhparam -out dh1024.pem 1024
```
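The steps above carried out end to end, as an added example that is not ecFlow's own tooling: a POSIX shell script that builds either the shared server.* file set (ECF_SSL=1) or a per-server <host>.<port>.* set, non-interactively, under the file names the page describes, then checks that the certificate really belongs to the key, that its common name is the intended host, and that the key and pass phrase file are readable only by their owner. The function names make_ecflow_ssl, remove_key_passphrase, check_ecflow_ssl and resolve_ecflow_crt, the use of -subj and -passout/-passin to avoid prompts, and the 2048-bit default RSA size are this example's own assumptions; resolve_ecflow_crt is a reconstruction of the lookup preference stated above, not ecFlow's code.

```shell
#!/bin/sh
# Added example, not part of ecFlow: generate and check the $HOME/.ecflowrc/ssl
# file set described on this page. Function names and defaults are assumptions.
set -eu

# make_ecflow_ssl DIR PREFIX CN PASSPHRASE [RSA_BITS]
#   PREFIX is "server" for the shared ECF_SSL=1 layout, or "<host>.<port>" for
#   the per-server layout; CN must be the host the server will run on.
make_ecflow_ssl() {
  dir=$1; prefix=$2; cn=$3; pass=$4; bits=${5:-2048}
  key="$dir/$prefix.key"; csr="$dir/$prefix.csr"; crt="$dir/$prefix.crt"
  # the DH parameter file is dh1024.pem in the shared layout, <host>.<port>.pem otherwise
  if [ "$prefix" = server ]; then dh="$dir/dh1024.pem"; else dh="$dir/$prefix.pem"; fi
  mkdir -p "$dir" && chmod 700 "$dir"
  # 1. pass-phrase protected private key (the page's steps use -des3 and 1024 bits)
  openssl genrsa -des3 -passout "pass:$pass" -out "$key" "$bits" 2>/dev/null
  # 2. record the pass phrase for the server; key and pass phrase owner-readable only
  printf '%s\n' "$pass" > "$dir/$prefix.passwd"
  chmod 600 "$key" "$dir/$prefix.passwd"
  # 3. CSR whose common name is the server host (no interactive questions)
  openssl req -new -key "$key" -passin "pass:$pass" -subj "/CN=$cn" -out "$csr" 2>/dev/null
  # 4. self-signed certificate, valid for ten years as on the page
  openssl x509 -req -days 3650 -in "$csr" -signkey "$key" -passin "pass:$pass" -out "$crt" 2>/dev/null
  chmod 644 "$crt"   # the client needs a copy of this file, nothing else
  rm -f "$csr"
  # 5. Diffie-Hellman parameters; the page states ecFlow expects 1024 bits
  openssl dhparam -out "$dh" 1024 2>/dev/null
}

# remove_key_passphrase DIR PREFIX: the page's "remove password requirement" variant.
remove_key_passphrase() {
  dir=$1; prefix=$2; key="$dir/$prefix.key"
  pass=$(cat "$dir/$prefix.passwd")
  cp "$key" "$key.secure"
  openssl rsa -in "$key.secure" -passin "pass:$pass" -out "$key" 2>/dev/null
  chmod 600 "$key" "$key.secure"       # the unencrypted key is now the secret
  rm -f "$dir/$prefix.passwd"          # no longer needed
}

# check_ecflow_ssl DIR PREFIX CN: 0 when the set is consistent and protected.
check_ecflow_ssl() {
  dir=$1; prefix=$2; cn=$3
  key="$dir/$prefix.key"; crt="$dir/$prefix.crt"; pw="$dir/$prefix.passwd"
  pass=$(cat "$pw" 2>/dev/null || true)   # empty when the key is unencrypted
  subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subject" = "CN=$cn" ] || { echo "certificate subject is '$subject', expected CN=$cn" >&2; return 1; }
  # the certificate's public key must be the one derived from the private key
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl rsa -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)" ] \
    || { echo "$crt does not belong to $key" >&2; return 1; }
  for f in "$key" "$pw"; do
    [ -f "$f" ] || continue
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = 600 ] || { echo "$f is mode $mode, expected 600" >&2; return 1; }
  done
}

# resolve_ecflow_crt DIR ECF_SSL HOST PORT: prints the certificate the page's rules
# select. ECF_SSL=1 prefers server.crt and falls back to <host>.<port>.crt; any other
# value is taken literally as the <host>.<port> prefix.
resolve_ecflow_crt() {
  rdir=$1; ecf_ssl=$2; rhost=$3; rport=$4
  if [ "$ecf_ssl" = 1 ]; then
    for cand in "$rdir/server.crt" "$rdir/$rhost.$rport.crt"; do
      if [ -f "$cand" ]; then echo "$cand"; return 0; fi
    done
    echo "no server.crt or $rhost.$rport.crt in $rdir" >&2; return 1
  fi
  if [ -f "$rdir/$ecf_ssl.crt" ]; then echo "$rdir/$ecf_ssl.crt"; return 0; fi
  echo "no $ecf_ssl.crt in $rdir" >&2; return 1
}

# Demo: ./ecflow_ssl.sh demo  (writes to a scratch directory, not ~/.ecflowrc/ssl)
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_ecflow_ssl "$d" server "$(hostname)" 'change-me'
  check_ecflow_ssl "$d" server "$(hostname)" && echo "consistent file set in $d"
fi
```

Copy only the .crt to client machines; the .key, .passwd and .key.secure files stay on the server host. To install the generated set for real, pass $HOME/.ecflowrc/ssl as DIR and the real server host as CN.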