In ecflow 4.0 we had an option for SSL support. However this was a compile time decision.
It meant that the GUI could not look at SSL and non-SSL servers at the same time.
In ecflow 5.1.0 the default is to allow both to be used, providing the open ssl libraries were found.
Hence we can decide at run time.
Additionally ecFlow_ui is changed , so that the add server dialog, will now prompt the user to signify a SSL enabled server.
To use SSL at the command line choose between:
- export ECF_SSL=1 # search for server.crt otherwise <host>.<port>.crt
- export ECF_SSL=<host>.<port> # Use server specific certificates <host>.<port>.***
- use --ssl # argument on ecflow_client/ecflow_server, same as option 1. Typically ssl server can be started with ecflow_start.sh -s\n"
- Client.enable_ssl() # for python client
ecFlow expects the certificates to be in directory $HOME/.ecflowrc/ssl
The certificates can be shared if you have multiple servers running on the same machine. In this case use ECF_SSL=1, then ecflow_server expects the following files in $HOME/.ecflowrc/ssl
- server.passwd (optional) if this exists it must contain the pass phrase used to create server.key
ecflow_client expects the following files in : $HOME/.ecflowrc/ssl
- server.crt (this must be the same as server)
Alternatively you can have different setting for each server ECF_SSL=<host>.<port>, then server expect files of the type:
- <host>.<port>.passwd (optional)
and client expect files of the type:
- <host>.<port>.crt # as before this must be same as the server
When ECF_SSL=1, the server/client will automatically check existence of both variants but will give preference to NON <host>.<port>.*** variants first
The following steps, show you how to create the certificate files.
This may need to be adapted if you want to use <host>.<port>.***
Generate a password protected private key. This will request a pass phrase. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
Additional security. If you want additional security, create a file called 'server.passwd' and add the pass phrase to the file. Then set the file permission so that file is only readable by the server process. Or you can choose to remove password requirement. In that case we don't need server.passwd file. code.
Sign certificate with private key (self signed certificate). Generate Certificate Signing Request(CSR). This will prompt with a number of questions. However please ensure 'common name' matches the host where your server is going to run.
Generate a self signed certificate CRT, by using the CSR and private key
Generate dhparam file. ecFlow expects 1024 key