In ecflow 4.0 we had an option for SSL support. However, this was a compile-time decision.
It meant that the GUI could not look at SSL and non-SSL servers at the same time.
In ecflow 5 the default is to allow both to be used, providing the open SSL libraries were found.
Hence we can decide at run time.
Additionally, ecFlow_ui is changed, so that the add server dialog, will now prompt the user to signify an SSL enabled server.
To use SSL at the command line choose between:
- export ECF_SSL=1 # search for server.crt otherwise <host>.<port>.crt
- export ECF_SSL=<host>.<port> # Use server specific certificates <host>.<port>.***
- use --ssl # argument on ecflow_client/ecflow_server, same as option 1. Typically ssl server can be started with ecflow_start.sh -s\n"
- Client.enable_ssl() # for python client
ecFlow expects the certificates to be in directory $HOME/.ecflowrc/ssl
The certificates can be shared if you have multiple servers running on the same machine. In this case use ECF_SSL=1, then ecflow_server expects the following files in $HOME/.ecflowrc/ssl
- dh2048.pem (checked first) or dh1024.pem
- server.crt
- server.key
- server.passwd (optional) if this exists it must contain the pass phrase used to create server.key
ecflow_client expects the following files in : $HOME/.ecflowrc/ssl
- server.crt (this must be the same as server)
Alternatively you can have different setting for each server ECF_SSL=<host>.<port>, then server expect files of the type:
- <host>.<port>.pem
- <host>.<port>.crt
- <host>.<port>.key
- <host>.<port>.passwd (optional)
and client expect files of the type:
- <host>.<port>.crt # as before this must be same as the server
When ECF_SSL=1, the server/client will automatically check existence of both variants but will give preference to NON <host>.<port>.*** variants first
The following steps, show you how to create the certificate files.
This may need to be adapted if you want to use <host>.<port>.***
Generate a password-protected private key. This will request a passphrase. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
openssl genrsa -des3 -out server.key 1024 # Password protected private key
Additional security. If you want additional security, create a file called 'server.passwd' and add the passphrase to the file. Then set the file permission so that the file is only readable by the server process. Or you can choose to remove the password requirement. In that case, we don't need server.passwd file. code.
cp server.key server.key.secure openssl rsa -in server.key.secure -out server.key # remove password requirement
Sign a certificate with a private key (self-signed certificate). Generate Certificate Signing Request(CSR). This will prompt a number of questions. However please ensure 'common name' matches the host where your server is going to run.
openssl req -new -key server.key -out server.csr # Generate Certificate Signing Request(CSR)
Generate a self-signed certificate CRT, by using the CSR and private key
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Generate dhparam file. ecFlow expects 2048 key, but will accept 1024 key if 2048 not available
openssl dhparam -out dh2048.pem 2048