Page tree
Skip to end of metadata
Go to start of metadata

In ecflow 4.0 we had an option for SSL support. However this was a compile time decision.

It meant that the GUI could not look at SSL and non-SSL servers at the same time.

In ecflow 5.1.0 the default is to allow both to be used, providing the open ssl libraries were found.

Hence we can decide at run time.

Additionally ecFlow_ui is changed , so that the add server dialog, will now prompt the user to signify a SSL enabled server.

To use SSL at the command line choose between:

  1. export ECF_SSL=1                            # search for server.crt otherwise <host>.<port>.crt
  2. export ECF_SSL=<host>.<port> # Use server specific certificates <host>.<port>.***
  3. use --ssl                                                 # argument on ecflow_client/ecflow_server, same as option 1. Typically ssl server can be started with ecflow_start.sh -s\n"
  4. Client.enable_ssl()                            # for python client

ecFlow expects the certificates to be in directory $HOME/.ecflowrc/ssl

The certificates can be shared if you have multiple servers running on the same machine. In this case use ECF_SSL=1, then ecflow_server expects the following files in $HOME/.ecflowrc/ssl

  • dh1024.pem
  • server.crt
  • server.key
  • server.passwd (optional) if this exists it must contain the pass phrase used to create server.key

ecflow_client expects the following files in : $HOME/.ecflowrc/ssl

  • server.crt (this must be the same as server)

Alternatively you can have different setting for each server ECF_SSL=<host>.<port>, then server expect files of the type:

  • <host>.<port>.pem
  • <host>.<port>.crt
  • <host>.<port>.key
  • <host>.<port>.passwd (optional)

and client expect files of the type:

  • <host>.<port>.crt # as before this must be same as the server

When ECF_SSL=1, the server/client will automatically check existence of both variants but will give preference to NON <host>.<port>.*** variants first


The following steps, show you how to create the certificate files.

This may need to be adapted if you want to use <host>.<port>.***

  •  Generate a password protected private key. This will request a pass phrase. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

    openssl genrsa -des3 -out server.key 1024 # Password protected private key
  • Additional security.  If you want additional security, create a file called 'server.passwd' and add the pass phrase to the file. Then set the file permission so that file is only readable by the server process. Or you can choose to remove password requirement. In that case we don't need server.passwd file. code.

    cp server.key server.key.secure
    openssl rsa -in server.key.secure -out server.key # remove password requirement
  • Sign certificate with private key (self signed certificate). Generate Certificate Signing Request(CSR). This will prompt with a number of questions. However please ensure 'common name' matches the host where your server is going to run.

    openssl req -new -key server.key -out server.csr # Generate Certificate Signing Request(CSR)
  • Generate a self signed certificate CRT, by using the CSR and private key

    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
  • Generate dhparam file. ecFlow expects 1024 key

     openssl dhparam -out dh1024.pem 1024
  • No labels