
OpenSSL enables encrypted communication between client and server. In ecflow this can be used for user commands.

To enable this, build ecflow with '-DENABLE_SSL' and make sure OpenSSL is installed on your system. To check that your build has OpenSSL enabled:

Check for openssl enabled

    ecflow_client --version # look for a string openssl
    ecflow_server --version # look for a string openssl

In order to use OpenSSL, we need to set up some certificates. (These will be self-signed certificates.)

The ecflow client and server will look for the certificates in the $HOME/.ecflowrc/ssl directory.

The ecflow server expects the following files in $HOME/.ecflowrc/ssl:

  • dh1024.pem
  • server.crt
  • server.key
  • server.passwd (optional) if this exists it must contain the pass phrase used to create server.key.

The ecflow client expects the following files in $HOME/.ecflowrc/ssl:

  • server.crt (this must be the same file as the server's)

The following steps show you how to create these files:

  • Generate a password-protected private key. This will request a pass phrase. The key is a 1024-bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.

    Password protected private key
    openssl genrsa -des3 -out server.key 1024
  • If you want additional security you can embed the pass phrase in a file called 'server.passwd'. Alternatively, you can choose to remove the password requirement with the commands below. In this case the server.passwd file is not needed.

    cp server.key server.key.secure
    openssl rsa -in server.key.secure -out server.key
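  • Sign the certificate with the private key (self-signed certificate). The command reads server.csr, so a certificate signing request generated from server.key must already exist. The resulting server.crt must be accessible by both the client and the server.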

    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
  • Generate the dhparam file. ecflow expects a 1024-bit key.

    openssl dhparam -out dh1024.pem 1024
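
A check for the layout described above, as an added example that is not part of the original page or of ecFlow: the function audits a directory against the server or client file list, flags an encrypted server.key that has no server.passwd, and compares a client's server.crt with the server's copy. The function name and the owner-only permission check on server.key and server.passwd are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ecFlow code): audit an ecflow ssl directory.
# usage: check_ecflow_ssl_dir server|client DIR [SERVERS_COPY_OF_server.crt]
# Prints one line per problem; the return status is the number of problems.
check_ecflow_ssl_dir() {
    role=$1; dir=$2; ref_crt=${3:-}; problems=0
    note() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Both roles need the certificate.
    [ -s "$dir/server.crt" ] || note "server.crt missing or empty"

    if [ "$role" = server ]; then
        for f in dh1024.pem server.key; do
            [ -s "$dir/$f" ] || note "$f missing or empty"
        done
        if [ -s "$dir/server.key" ]; then
            # A pass-phrase-protected PEM key carries the word ENCRYPTED,
            # either in a Proc-Type header or in the BEGIN line.
            if grep -q ENCRYPTED "$dir/server.key"; then
                [ -s "$dir/server.passwd" ] ||
                    note "server.key is encrypted but server.passwd is missing"
            elif [ -e "$dir/server.passwd" ]; then
                note "server.passwd is not needed: server.key has no pass phrase"
            fi
        fi
        # Assumption (not from the page): secrets should be owner-only.
        for f in server.key server.passwd; do
            [ -e "$dir/$f" ] || continue
            perms=$(ls -ld "$dir/$f" | cut -c5-10)   # group + other bits
            [ "$perms" = "------" ] || note "$f is accessible to group/other"
        done
    elif [ -n "$ref_crt" ] && [ -s "$dir/server.crt" ]; then
        # The client's server.crt must be the same file the server uses.
        cmp -s "$dir/server.crt" "$ref_crt" ||
            note "server.crt differs from the server's copy"
    fi
    return "$problems"
}

# Runs only when the script is given arguments: ROLE DIR [REFERENCE_CRT]
if [ "$#" -ge 2 ]; then check_ecflow_ssl_dir "$@"; fi
```
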

 
