OpenSSL enables encrypted communication between client and server. For ecflow this can be used for user commands.
To enable this, build ecflow with '-DENABLE_SSL'. OpenSSL must be installed on your system. To check that your build has OpenSSL enabled, run:
    ecflow_client --version   # look for the string openssl
    ecflow_server --version   # look for the string openssl
In order to use OpenSSL, we need to set up some certificates. These will be self-signed certificates.
The ecflow client and server will look for the certificates in the $HOME/.ecflowrc/ssl directory.
The ecflow server expects the following files in $HOME/.ecflowrc/ssl:
- dh1024.pem
- server.crt
- server.key
- server.passwd (optional): if this file exists it must contain the pass phrase used to create server.key. Anyone who can read it together with server.key can decrypt the key, so restrict it to the server's user (chmod 600).
The ecflow client expects the following file in $HOME/.ecflowrc/ssl:
- server.crt (this must be the same file as the server's server.crt)
The following steps show you how to create these files.
First, generate a password-protected private key. This will prompt for a pass phrase.
This key is a 1024-bit RSA key, encrypted with Triple-DES and stored in PEM format so that it is readable as ASCII text. Note that 1024-bit RSA is below current recommendations (2048 bits is the usual minimum); the same openssl command accepts a larger size.
Password protected private key
    openssl genrsa -des3 -out server.key 1024
If you keep the pass phrase, the server needs it to read the key at start-up: put it in a file called 'server.passwd' (see above) and keep that file readable only by the server's user.
Alternatively, you can remove the password requirement. In this case the server.passwd file is not needed.
Remove password requirement
    cp server.key server.key.secure
    openssl rsa -in server.key.secure -out server.key
Next, create the self-signed certificate. Start by generating a Certificate Signing Request (CSR) from the private key.
This will prompt with a number of questions. Make sure the 'Common Name' matches the host where your server is going to run.
Generate Certificate Signing Request (CSR)
    openssl req -new -key server.key -out server.csr
Then generate the certificate (CRT) by signing the CSR with the private key. server.crt must be accessible by both client and server.
    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Finally, generate the dhparam file. ecflow expects 1024-bit parameters.
    openssl dhparam -out dh1024.pem 1024
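The steps above, collected into one non-interactive script, together with the consistency checks worth running before pointing ecflow at the directory. This is an added example and not part of ecflow or its documentation; it assumes the openssl command-line tool is on PATH, uses -subj in place of the interactive questions, and the function names make_ecflow_ssl_certs and verify_ecflow_ssl_dir are this example's own.

```shell
#!/bin/sh
# Added example, not ecflow's own tooling: create the files this page describes
# without prompting, then check that they belong together.
# Assumptions: openssl CLI on PATH; the target directory is normally
# $HOME/.ecflowrc/ssl; function names here are the example's own.
set -eu

# make_ecflow_ssl_certs DIR CN [PASSPHRASE]
#   DIR        where server.key, server.crt and dh1024.pem are written
#   CN         Common Name: the host the ecflow server runs on
#   PASSPHRASE optional; if given, server.key is Triple-DES encrypted with it
#              and the pass phrase is written to server.passwd (mode 0600)
make_ecflow_ssl_certs() {
    dir=$1; cn=$2; pass=${3:-}
    mkdir -p "$dir"
    chmod 700 "$dir"                       # the private key lives here: owner-only
    # 1. 1024-bit RSA key, unencrypted for now (the "remove password" variant)
    openssl genrsa -out "$dir/server.key" 1024 2>/dev/null
    chmod 600 "$dir/server.key"
    # 2. CSR; -subj replaces the interactive questions and pins the Common Name
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
    # 3. self-signed certificate, valid 10 years as on the page
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    rm -f "$dir/server.csr"
    # 4. optionally encrypt the key and record the pass phrase for the server
    if [ -n "$pass" ]; then
        openssl rsa -des3 -in "$dir/server.key" -passout "pass:$pass" \
            -out "$dir/server.key.tmp" 2>/dev/null
        mv "$dir/server.key.tmp" "$dir/server.key"
        chmod 600 "$dir/server.key"
        (umask 077; printf '%s\n' "$pass" > "$dir/server.passwd")
    fi
    # 5. Diffie-Hellman parameters; ecflow looks for dh1024.pem
    openssl dhparam -out "$dir/dh1024.pem" 1024 2>/dev/null
}

# verify_ecflow_ssl_dir DIR CN
# Returns 0 when every file is present, server.crt's Common Name equals CN,
# server.crt was issued for server.key (decrypted with server.passwd when that
# file exists) and dh1024.pem holds valid DH parameters; otherwise prints the
# reason and returns 1.
verify_ecflow_ssl_dir() {
    dir=$1; cn=$2
    for f in server.key server.crt dh1024.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # the page requires CN to match the server host; extract it in RFC2253 form
    actual_cn=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$actual_cn" = "$cn" ] \
        || { echo "Common Name is '$actual_cn', expected '$cn'" >&2; return 1; }
    # a certificate that was not issued for this key is useless: compare public keys
    if [ -f "$dir/server.passwd" ]; then
        keypub=$(openssl pkey -in "$dir/server.key" -passin "file:$dir/server.passwd" -pubout)
    else
        keypub=$(openssl pkey -in "$dir/server.key" -pubout)
    fi
    certpub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    [ "$keypub" = "$certpub" ] \
        || { echo "server.crt does not match server.key" >&2; return 1; }
    openssl dhparam -in "$dir/dh1024.pem" -check -noout >/dev/null 2>&1 \
        || { echo "dh1024.pem is not a valid DH parameter file" >&2; return 1; }
    return 0
}
```

Typical use on the server host is `make_ecflow_ssl_certs "$HOME/.ecflowrc/ssl" "$(hostname)" "$passphrase"` followed by `verify_ecflow_ssl_dir "$HOME/.ecflowrc/ssl" "$(hostname)"`; then copy only server.crt to each client's $HOME/.ecflowrc/ssl. Omit the third argument to get the unencrypted-key variant, in which case no server.passwd is written.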