SSL support for CORBA

Reiner Hauser requested to merge rhauser/ipc:ssl into master

This makes minimal changes to ipc core to enable CORBA communication via SSL.

By default everything should work as before (no SSL). To enable it one has to create the necessary X509 certificates. Scripts for those can be seen in https://gitlab.cern.ch/rhauser/ssltest

Once the modified omni and ipc packages are locally compiled/installed, any server can use SSL; below is ipc_server as an example. Only server-side certificates are checked, the clients don't need one.

Clients will automatically select either SSL if the server requires it or fall back to TCP according to their client transport rules.

This is a draft to be discussed if it's interesting; a final version would probably have a TDAQ-specific algorithm to find certificates and keys.

Also pinging @avolio

The idea came from wanting to protect selected servers which currently receive authorization tokens in clear text (pmgserver, run controller, rdb_writer).

##################################
# To run the ipc_server with SSL
##################################

# private domain
export TDAQ_IPC_INIT_REF=file:$(pwd)/ipc.ref

# needed by client and server
export ORBsslCAFile=$(pwd)/CA/cacert.pem

# needed by server only
env ORBsslKeyFile=$(pwd)/server.pem ORBsslKeyPassword="" ORBsslVerifyMode=peer ORBendPoint="giop:ssl::" ipc_server &

omni_catior $(cat ipc.ref)
# Check that there is a SSL profile and port number

env ORBtraceLevel=20 ipc_ls -l
# Check that a giop:ssl:* connection was used
Edited by Serguei Kolos
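The last two steps above verify, by eye, that the published reference carries an SSL profile with a port number. As an added example (not part of this merge request or of the ipc/omniORB code), the script below does that check programmatically: it decodes a stringified `IOR:` reference following the CDR layout of an IOR, its IIOP profile and the `TAG_SSL_SEC_TRANS` component, and returns the SSL endpoints it advertises. The sample references are constructed here with the same encoder; the type id, host, object key and port numbers are made-up values, not output captured from `ipc_server`.

```python
import struct

TAG_INTERNET_IOP = 0     # IIOP profile tag (IOP::TAG_INTERNET_IOP)
TAG_SSL_SEC_TRANS = 20   # SSL component tag (IOP::TAG_SSL_SEC_TRANS)


class CdrOut:
    """Minimal big-endian CDR encoder for one encapsulation; alignment is relative to its start."""
    def __init__(self):
        self.buf = bytearray([0])           # byte-order flag: 0 = big-endian
    def align(self, n):
        while len(self.buf) % n:
            self.buf.append(0)
    def octet(self, v):
        self.buf.append(v)
    def ushort(self, v):
        self.align(2); self.buf += struct.pack(">H", v)
    def ulong(self, v):
        self.align(4); self.buf += struct.pack(">I", v)
    def octets(self, data):
        self.ulong(len(data)); self.buf += data
    def string(self, s):
        self.octets(s.encode("ascii") + b"\0")   # CDR strings carry a trailing NUL
    def bytes(self):
        return bytes(self.buf)


class CdrIn:
    """Minimal CDR decoder for one encapsulation; honours the leading byte-order flag."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.fmt = "<" if data[0] == 1 else ">"
    def align(self, n):
        self.pos += (-self.pos) % n
    def octet(self):
        v = self.data[self.pos]; self.pos += 1; return v
    def ushort(self):
        self.align(2); v = struct.unpack_from(self.fmt + "H", self.data, self.pos)[0]; self.pos += 2; return v
    def ulong(self):
        self.align(4); v = struct.unpack_from(self.fmt + "I", self.data, self.pos)[0]; self.pos += 4; return v
    def octets(self):
        n = self.ulong(); v = bytes(self.data[self.pos:self.pos + n]); self.pos += n; return v
    def string(self):
        return self.octets().rstrip(b"\0").decode("ascii")


def parse_iiop_profile(data):
    """Decode an IIOP profile body: version, host, plain port, object key, SSL component if any."""
    p = CdrIn(data)
    major, minor = p.octet(), p.octet()
    prof = {"version": (major, minor), "host": p.string(), "port": p.ushort(),
            "object_key": p.octets(), "ssl": None}
    if (major, minor) >= (1, 1):                # tagged components exist from IIOP 1.1 on
        for _ in range(p.ulong()):
            tag, cdata = p.ulong(), p.octets()
            if tag == TAG_SSL_SEC_TRANS:        # SSLIOP::SSL {supports, requires, port}
                s = CdrIn(cdata)
                prof["ssl"] = {"target_supports": s.ushort(),
                               "target_requires": s.ushort(), "port": s.ushort()}
    return prof


def parse_ior(ior):
    """Decode a stringified IOR into its type id and IIOP profiles."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    cdr = CdrIn(bytes.fromhex(ior[4:]))
    type_id, profiles = cdr.string(), []
    for _ in range(cdr.ulong()):
        tag, body = cdr.ulong(), cdr.octets()
        if tag == TAG_INTERNET_IOP:
            profiles.append(parse_iiop_profile(body))
    return {"type_id": type_id, "profiles": profiles}


def ssl_endpoints(ior):
    """Return [(host, ssl_port, target_requires)] for each profile advertising SSL; empty means cleartext only."""
    return [(p["host"], p["ssl"]["port"], p["ssl"]["target_requires"])
            for p in parse_ior(ior)["profiles"] if p["ssl"]]


# --- constructed sample references (encoder side), not captured from a real server ---
def build_iiop_profile(host, port, object_key, ssl_port=None, assoc_flags=0x66):
    body = CdrOut()
    body.octet(1); body.octet(2)                # IIOP 1.2
    body.string(host); body.ushort(port); body.octets(object_key)
    comps = []
    if ssl_port is not None:
        ssl = CdrOut()
        ssl.ushort(assoc_flags); ssl.ushort(assoc_flags); ssl.ushort(ssl_port)
        comps.append((TAG_SSL_SEC_TRANS, ssl.bytes()))
    body.ulong(len(comps))
    for tag, data in comps:
        body.ulong(tag); body.octets(data)
    return body.bytes()

def build_ior(type_id, profiles):
    out = CdrOut()
    out.string(type_id); out.ulong(len(profiles))
    for tag, data in profiles:
        out.ulong(tag); out.octets(data)
    return "IOR:" + out.bytes().hex()

KEY = b"object-key-01"                          # constructed object key
SAMPLE_SSL_IOR = build_ior("IDL:example/Servant:1.0",
                           [(TAG_INTERNET_IOP, build_iiop_profile("host.example", 0, KEY, ssl_port=5001))])
SAMPLE_PLAIN_IOR = build_ior("IDL:example/Servant:1.0",
                             [(TAG_INTERNET_IOP, build_iiop_profile("host.example", 4000, KEY))])

if __name__ == "__main__":
    print(ssl_endpoints(SAMPLE_SSL_IOR))        # [('host.example', 5001, 102)]
    print(ssl_endpoints(SAMPLE_PLAIN_IOR))      # []
```

To check a real reference, pass the contents of `ipc.ref` to `ssl_endpoints()`; an empty list means the server only advertised a cleartext IIOP port.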
