In ecFlow 4.0 SSL support was a compile-time option: a given build either had it or did not.

This meant the GUI could not talk to SSL and non-SSL servers at the same time.

From ecFlow 5.1.0 the default build supports both, provided the OpenSSL libraries were found when ecFlow was built.

Hence whether to use SSL is decided at run time.

Additionally, ecFlow_ui has changed so that the add-server dialog now prompts the user to indicate whether the server is SSL enabled.

To use SSL from the command line choose one of:

  1. export ECF_SSL=1               # search for server.crt, otherwise <host>.<port>.crt
  2. export ECF_SSL=<host>.<port>   # use server-specific certificates <host>.<port>.***
  3. --ssl                          # argument to ecflow_client/ecflow_server, same as option 1. Typically an SSL server is started with ecflow_start.sh -s
  4. Client.enable_ssl()            # for the python client

ecFlow expects the certificates to be in the directory $HOME/.ecflowrc/ssl

The certificates can be shared if you have multiple servers running on the same machine. In this case use ECF_SSL=1; ecflow_server then expects the following files in $HOME/.ecflowrc/ssl

  • dh2048.pem (checked first) or dh1024.pem
  • server.crt
  • server.key
  • server.passwd (optional): if this exists it must contain the passphrase used to create server.key

...

  • <host>.<port>.crt # as before, this must be the same certificate the server uses

When ECF_SSL=1, the server and client automatically check for the existence of both variants, but give preference to the shared (non <host>.<port>.***) files when they are present.

...

The steps below generate the shared server.* files; adapt the file names if you want to use <host>.<port>.*** instead.

  • Generate a password-protected private key. This will prompt for a passphrase. The command below creates a 1024-bit RSA key, encrypts it with Triple-DES and stores it in PEM format so that it is readable as ASCII text. Note that 1024-bit RSA and Triple-DES are weak by current standards; unless an existing deployment requires them, generate a 2048-bit (or larger) key and encrypt it with AES by using -aes256 in place of -des3.

    openssl genrsa -des3 -out server.key 1024 # Password protected private key


  • Additional security. If you want the key to stay encrypted, create a file called 'server.passwd' and add the passphrase to it. Then set the file permissions so that it is readable only by the user the server process runs as: the passphrase is stored in clear text, so the file permissions are all that protects it. Alternatively, remove the password requirement from the key; in that case the server.passwd file is not needed, but the private key then sits unencrypted on disk and must itself be readable only by the server's user.

    cp server.key server.key.secure
    openssl rsa -in server.key.secure -out server.key # remove password requirement


  • Generate a Certificate Signing Request (CSR); it is self-signed with the private key in the next step. This will prompt with a number of questions; please ensure the 'common name' matches the host name on which your server is going to run, since that is what clients will compare against.

    openssl req -new -key server.key -out server.csr # Generate Certificate Signing Request(CSR)


  • Generate a self-signed certificate (CRT) from the CSR and the private key. The certificate below is valid for 3650 days.

    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt


  • Generate the dhparam file. ecFlow looks for 2048-bit parameters (dh2048.pem) first, but will accept dh1024.pem if dh2048.pem is not available. Generating 2048-bit parameters can take several minutes.

    openssl dhparam -out dh2048.pem 2048
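The whole procedure above, as an added shell example (this is not ecFlow's own script): it creates the shared certificate set in $HOME/.ecflowrc/ssl, checks that the key and certificate belong together and that the CN matches the host, and reports which .crt the ECF_SSL settings described on this page would select. The resolve_cert function only mirrors the lookup order documented here; it is not ecFlow's lookup code. The example deliberately departs from the walkthrough by using a 2048-bit RSA key written without a passphrase (so no server.passwd) and protected by file permissions instead; the port 3141 and the file name ecflow_ssl_setup.sh are placeholders.

```shell
#!/bin/sh
# Added example, not part of ecFlow. Assumes openssl is in PATH and that the
# ECF_SSL lookup order is the one documented on this page.
set -eu

# Create server.key and server.crt in $1 (default $HOME/.ecflowrc/ssl) with the
# CN set to $2 (default this host). 2048-bit RSA, no passphrase, mode 600.
gen_shared_certs() {
    dir=${1:-"$HOME/.ecflowrc/ssl"}
    host=${2:-"$(hostname)"}
    mkdir -p "$dir"
    chmod 700 "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # -subj answers the CSR questions non-interactively; CN must be the server host
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    rm -f "$dir/server.csr"
}

# Generate Diffie-Hellman parameters. ecFlow checks dh2048.pem first and falls
# back to dh1024.pem, so $2 should be 2048 (slow to generate) or 1024.
gen_dhparam() {
    dir=${1:-"$HOME/.ecflowrc/ssl"}
    bits=${2:-2048}
    openssl dhparam -out "$dir/dh$bits.pem" "$bits" 2>/dev/null
}

# Print the certificate the documented lookup selects for ECF_SSL=$2 in
# directory $1, given host $3 and port $4; fail if none exists.
#   ECF_SSL=1             -> server.crt preferred, then <host>.<port>.crt
#   ECF_SSL=<host>.<port> -> only <host>.<port>.crt, no fallback to server.crt
resolve_cert() {
    dir=$1; ecf_ssl=$2; host=$3; port=$4
    if [ "$ecf_ssl" = 1 ]; then
        for f in "$dir/server.crt" "$dir/$host.$port.crt"; do
            if [ -f "$f" ]; then echo "$f"; return 0; fi
        done
    elif [ -f "$dir/$ecf_ssl.crt" ]; then
        echo "$dir/$ecf_ssl.crt"
        return 0
    fi
    echo "no certificate for ECF_SSL=$ecf_ssl in $dir" >&2
    return 1
}

# Verify that key $1 and certificate $2 belong together, that the CN is host $3
# (what clients will compare against) and that the key is not world/group readable.
check_pair() {
    key=$1; crt=$2; host=$3
    key_mod=$(openssl rsa -noout -modulus -in "$key")
    crt_mod=$(openssl x509 -noout -modulus -in "$crt")
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "$crt was not issued for $key" >&2; return 1
    fi
    if ! openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$host"; then
        echo "CN in $crt does not match $host" >&2; return 1
    fi
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    if [ "$perm" != 600 ]; then
        echo "$key has mode $perm, expected 600" >&2; return 1
    fi
}

# Usage: sh ecflow_ssl_setup.sh setup [dir] [host]
if [ "${1:-}" = setup ]; then
    ssl_dir=${2:-"$HOME/.ecflowrc/ssl"}
    ssl_host=${3:-"$(hostname)"}
    gen_shared_certs "$ssl_dir" "$ssl_host"
    gen_dhparam "$ssl_dir" 2048
    check_pair "$ssl_dir/server.key" "$ssl_dir/server.crt" "$ssl_host"
    echo "ECF_SSL=1 selects $(resolve_cert "$ssl_dir" 1 "$ssl_host" 3141)"  # 3141 is a placeholder port
fi
```

Run it as `sh ecflow_ssl_setup.sh setup` to populate $HOME/.ecflowrc/ssl for the current host; the ECF_SSL=<host>.<port> form is intentionally strict, so a missing <host>.<port>.crt fails instead of silently picking up a shared certificate meant for a different server.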