8 How to use security in Orber
8.1 Security in Orber
Introduction
Orber SSL provides authentication, privacy and integrity for your Erlang applications. Based on the Secure Sockets Layer protocol, the Orber SSL ensures that your Orber clients and servers can communicate securely over any network. This is done by tunneling IIOP through an SSL connection. To get the node secure you will also need to have a firewall which only lets through connections to certain ports.
Enable Usage of Secure Connections
To enable a secure Orber domain you have to set the configuration variable secure which currently only can have one of two values; no if no security for IIOP should be used and ssl if secure connections is needed (ssl is currently the only supported security mechanism).
The default is no security.
Configurations when Orber is Used on the Server Side
The following three configuration variables can be used to configure Orber's SSL behavior on the server side.
- ssl_server_certfile - which is a path to a file containing a chain of PEM encoded certificates for the Orber domain as server.
- ssl_server_cacertfile - which is a path to a file containing a chain of PEM encoded certificates for the Orber domain as server.
- ssl_server_verify - which specifies type of verification: 0 = do not verify peer; 1 = verify peer, verify client once, 2 = verify peer, verify client once, fail if no peer certificate. The default value is 0.
- ssl_server_depth - which specifies verification depth, i.e. how far in a chain of certificates the verification process shall proceed before the verification is considered successful. The default value is 1.
- ssl_server_keyfile - which is a path to a file containing a PEM encoded key for the Orber domain as server.
- ssl_server_password - only used if the private keyfile is password protected.
- ssl_server_ciphers - which is string of ciphers as a colon separated list of ciphers.
- ssl_server_cachetimeout - which is the session cache timeout in seconds.
There also exist a number of API functions for accessing the values of these variables:
- orber:ssl_server_certfile/0
- orber:ssl_server_cacertfile/0
- orber:ssl_server_verify/0
- orber:ssl_server_depth/0
- orber:ssl_server_keyfile/0
- orber:ssl_server_password/0
- orber:ssl_server_ciphers/0
- orber:ssl_server_cachetimeout/0
Configurations when Orber is Used on the Client Side
When the Orber enabled application is the client side in the secure connection the different configurations can be set per client process instead and not for the whole domain as for incoming calls.
One can use configuration variables to set default values for the domain but they can be changed per client process. Below is the list of client configuration variables.
- ssl_client_certfile - which is a path to a file containing a chain of PEM encoded certificates used in outgoing calls in the current process.
- ssl_client_cacertfile - which is a path to a file containing a chain of PEM encoded CA certificates used in outgoing calls in the current process.
- ssl_client_verify - which specifies type of verification: 0 = do not verify peer; 1 = verify peer, verify client once, 2 = verify peer, verify client once, fail if no peer certificate. The default value is 0.
- ssl_client_depth - which specifies verification depth, i.e. how far in a chain of certificates the verification process shall proceed before the verification is considered successful. The default value is 1.
- ssl_client_keyfile - which is a path to a file containing a PEM encoded key when Orber act as client side ORB.
- ssl_client_password - only used if the private keyfile is password protected.
- ssl_client_ciphers - which is string of ciphers as a colon separated list of ciphers.
- ssl_client_cachetimeout - which is the session cache timeout in seconds.
There also exist a number of API functions for accessing and changing the values of this variables in the client processes.
Access functions:
- orber:ssl_client_certfile/0
- orber:ssl_client_cacertfile/0
- orber:ssl_client_verify/0
- orber:ssl_client_depth/0
- orber:ssl_client_keyfile/0
- orber:ssl_client_password/0
- orber:ssl_client_ciphers/0
- orber:ssl_client_cachetimeout/0
Modify functions:
- orber:set_ssl_client_certfile/1
- orber:set_ssl_client_cacertfile/1
- orber:set_ssl_client_verify/1
- orber:set_ssl_client_depth/1