
Compatibility matrix:

| Server \ Client | JacORB+SSL! | JacORB+SSL? | JacORB | TAO+SSL! | TAO+SSL? | TAO | Mico+SSL! | Mico+SSL? | Mico (1) | IIOP.NET+SSL! | IIOP.NET+SSL? | IIOP.NET | OiL+SSL! | OiL+SSL? | OiL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| JacORB+SSL! | OK | OK | TRANSIENT | OK | Unsupported | TRANSIENT | Unsupported | OK | COMM_FAILURE (1) | OK | OK | TRANSIENT | OK | OK | TRANSIENT |
| JacORB+SSL? | OK | OK | OK | NO_PERMISSION | Unsupported | OK | Unsupported | OK | OK (1) | OK | OK | OK | OK | OK | OK |
| JacORB | NO_PERMISSION | OK | OK | INV_POLICY | Unsupported | OK | Unsupported | OK | OK | NO_PERMISSION | OK | OK | NO_PERMISSION | OK | OK |
| TAO+SSL! | OK | OK | NO_PERMISSION | OK | Unsupported | NO_PERMISSION | Unsupported | OK | AssertFail | OK | OK | NO_PERMISSION | OK | OK | NO_PERMISSION |
| TAO+SSL? | OK | OK | OK | OK | Unsupported | OK | Unsupported | OK | AssertFail | OK | OK | OK | OK | OK | OK |
| TAO | NO_PERMISSION | OK | OK | INV_POLICY | Unsupported | OK | Unsupported | OK | OK | NO_PERMISSION | OK | OK | NO_PERMISSION | OK | OK |
| Mico+SSL! | COMM_FAILURE (server: AssertFail) | COMM_FAILURE (server: AssertFail) | COMM_FAILURE | COMM_FAILURE (server: AssertFail) | Unsupported | COMM_FAILURE | Unsupported | OK (server: AssertFail) | AssertFail | (2) | (2) | (2) | COMM_FAILURE (server: AssertFail) | COMM_FAILURE (server: AssertFail) | COMM_FAILURE |
| Mico+SSL? | Unsupported | Unsupported | Unsupported | Unsupported | Unsupported | Unsupported | Unsupported | Unsupported | Unsupported | (2) | (2) | (2) | Unsupported | Unsupported | Unsupported |
| Mico | NO_PERMISSION | OK | OK | INV_POLICY | Unsupported | OK | Unsupported | OK | OK | (2) | (2) | (2) | NO_PERMISSION | OK | OK |
| IIOP.NET+SSL! | OK | OK | NO_PERMISSION | OK | Unsupported | NO_PERMISSION | (2) | (2) | (2) | OK | OK | NO_PERMISSION | OK | OK | NO_PERMISSION |
| IIOP.NET+SSL? | OK | OK | OK | OK | Unsupported | OK | (2) | (2) | (2) | OK | OK | OK | OK | OK | OK |
| IIOP.NET | NO_PERMISSION | OK | OK | INV_POLICY | Unsupported | OK | (2) | (2) | (2) | NO_PERMISSION | OK | OK | NO_PERMISSION | OK | OK |
| OiL+SSL! | OK | OK | NO_PERMISSION | OK | Unsupported | NO_PERMISSION | Unsupported | OK | NO_PERMISSION (1) | OK | OK | NO_PERMISSION | OK | OK | NO_PERMISSION |
| OiL+SSL? | OK | OK | OK | OK | Unsupported | OK | Unsupported | OK | OK (1) | OK | OK | OK | OK | OK | OK |
| OiL | NO_PERMISSION | OK | OK | INV_POLICY | Unsupported | OK | Unsupported | OK | OK | NO_PERMISSION | OK | OK | NO_PERMISSION | OK | OK |

 

Legend:

  • <ORB>+SSL! - SSL use is mandatory
  • <ORB>+SSL? - SSL use is optional (SSL support is advertised)
  • <ORB> - No SSL configuration at all

  • Ran successfully, with the expected and correct result.
  • Ran successfully, but with an unexpected result.
  • Failed to run.

Notes:

  1. The Mico build used without SSL is a version of the ORB compiled without SSL (OpenSSL) support.
  2. We did not run all tests with the Mico ORB, because its support has been discontinued since version 2.0.2.0 of the OpenBus C++ SDK.

Configuration required to enable SSL

JacORB

Add the argument '-Dcustom.props=<property file>' to the JVM that will run the process, where '<property file>' is a file containing the properties described below.

+SSL! or +SSL?

jacorb.security.support_ssl=on
jacorb.ssl.socket_factory=org.jacorb.security.ssl.sun_jsse.SSLSocketFactory
jacorb.ssl.server_socket_factory=org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory

Server+SSL!

jacorb.security.ssl.server.supported_options=60
jacorb.security.ssl.server.required_options=60
jacorb.security.keystore=server.jks
# password for the file 'server.jks' (kept on its own line: in a Java properties file a trailing '#' is not a comment but part of the value)
jacorb.security.keystore_password=123456
jacorb.security.jsse.trustees_from_ks=on

Client+SSL!

jacorb.security.ssl.client.supported_options=60
jacorb.security.ssl.client.required_options=60
jacorb.security.keystore=client.jks
# password for the file 'client.jks' (on its own line: a trailing '#' would become part of the value)
jacorb.security.keystore_password=123456
jacorb.security.jsse.trustees_from_ks=on

Server+SSL?

jacorb.security.ssl.server.supported_options=61
jacorb.security.ssl.server.required_options=1
jacorb.security.keystore=server.jks
# password for the file 'server.jks' (on its own line: a trailing '#' would become part of the value)
jacorb.security.keystore_password=123456
jacorb.security.jsse.trustees_from_ks=on

Client+SSL?

jacorb.security.ssl.client.supported_options=61
jacorb.security.ssl.client.required_options=1
jacorb.security.keystore=client.jks
# password for the file 'client.jks' (on its own line: a trailing '#' would become part of the value)
jacorb.security.keystore_password=123456
jacorb.security.jsse.trustees_from_ks=on
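As an added example (not part of the original page), the following Python decodes the supported_options/required_options values used in the JacORB properties above (60, 61, 1) into the standard CORBA Security::AssociationOptions flags and models the outcome of each server/client profile pairing. It assumes that SSL is chosen whenever both sides support it and that an ORB with no SSL configuration advertises NoProtection only.

```python
# Security::AssociationOptions flag values (CORBA Security Service).
FLAGS = {
    "NoProtection": 1,
    "Integrity": 2,
    "Confidentiality": 4,
    "DetectReplay": 8,
    "DetectMisordering": 16,
    "EstablishTrustInTarget": 32,
    "EstablishTrustInClient": 64,
}
NO_PROTECTION = FLAGS["NoProtection"]
PROTECTED = FLAGS["Integrity"] | FLAGS["Confidentiality"]

# (supported_options, required_options) per profile, taken from the JacORB
# properties above. "none" is an assumption: an ORB with no SSL configuration
# advertises NoProtection only.
PROFILES = {
    "SSL!": (60, 60),
    "SSL?": (61, 1),
    "none": (NO_PROTECTION, NO_PROTECTION),
}

def decode(mask):
    """Names of the flags set in an association-options bitmask."""
    return [name for name, bit in FLAGS.items() if mask & bit]

def can_protect(profile):
    """Does this side support an encrypted/integrity-protected transport?"""
    return bool(PROFILES[profile][0] & PROTECTED)

def insists(profile):
    """Does this side require protection and refuse NoProtection?"""
    required = PROFILES[profile][1]
    return bool(required & PROTECTED) and not required & NO_PROTECTION

def negotiate(server, client):
    """Outcome of a call: 'ssl', 'plaintext' or 'refused' (assumes SSL is
    chosen whenever both sides support it; 'SSL?' on either side still lets
    a plain IIOP peer through unencrypted)."""
    if insists(server) and not can_protect(client):
        return "refused"
    if insists(client) and not can_protect(server):
        return "refused"
    if can_protect(server) and can_protect(client):
        return "ssl"
    return "plaintext"

def matrix():
    """Outcome for every server/client profile pairing."""
    return {(s, c): negotiate(s, c) for s in PROFILES for c in PROFILES}
```

The 'refused' outcomes correspond to the NO_PERMISSION/TRANSIENT cells of the matrix; the OK cells of a +SSL? server against a plain client are necessarily plaintext connections, since that client cannot do SSL.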

OiL

Initialize the ORB with the following calls:

Server+SSL!

orb = oil.init{
  flavor = "cooperative;corba;corba.ssl;kernel.ssl",
  options = {
    server = {
      security = "required",
      ssl = {
        key = "server.key",
        certificate = "server.crt",
        cafile = "myca.crt",
      },
    },
  },
}

Client+SSL!

orb = oil.init{
  flavor = "cooperative;corba;corba.ssl;kernel.ssl",
  options = {
    client = {
      security = "required",
      ssl = {
        key = "client.key",
        certificate = "client.crt",
        cafile = "myca.crt",
      },
    },
  },
}

Server+SSL?

orb = oil.init{
  flavor = "cooperative;corba;corba.ssl;kernel.ssl",
  options = {
    server = {
      ssl = {
        key = "server.key",
        certificate = "server.crt",
        cafile = "myca.crt",
      },
    },
  },
}

Client+SSL?

orb = oil.init{
  flavor = "cooperative;corba;corba.ssl;kernel.ssl",
  options = {
    client = {
      ssl = {
        key = "client.key",
        certificate = "client.crt",
        cafile = "myca.crt",
      },
    },
  },
}

Mico

Pass the following parameters through the 'argv' and 'argc' arguments of 'CORBA::ORB::init':

Server+SSL!

-ORBSSLcert server.crt \
-ORBSSLkey server.key \
-ORBSSLCAfile myca.crt \
-ORBSSLverify 100

Client+SSL?

-ORBSSLcert client.crt \
-ORBSSLkey client.key \
-ORBSSLCAfile myca.crt \
-ORBSSLverify 100

TAO

Server+SSL!

SSL_CERT_FILE=myca.crt

-ORBSvcConf server.conf

# server.conf
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey PEM:server.key -SSLCertificate PEM:server.crt"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

Client+SSL!

SSL_CERT_FILE=myca.crt

-ORBSvcConf client.conf

# client.conf
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey PEM:client.key -SSLCertificate PEM:client.crt"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"

Server+SSL?

SSL_CERT_FILE=myca.crt

-ORBSvcConf server.conf

# server.conf
dynamic SSLIOP_Factory Service_Object * TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() "-SSLAuthenticate SERVER_AND_CLIENT -SSLPrivateKey PEM:server.key -SSLCertificate PEM:server.crt -SSLNoProtection"
static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"


IIOP.NET

Build the channel properties as shown below. The snippets assume that 'using System.Collections;', 'using Ch.Elca.Iiop;' and 'using Ch.Elca.Iiop.Security.Ssl;' are in scope, and that the thumbprints identify certificates already installed in the Windows certificate store.

Server+SSL!

IDictionary sslProps = new Hashtable();
sslProps[IiopChannel.CHANNEL_NAME_KEY] = "SecuredServerIiopChannel";
sslProps[IiopChannel.TRANSPORT_FACTORY_KEY] =
    "Ch.Elca.Iiop.Security.Ssl.SslTransportFactory,SSLPlugin";
sslProps[Authentication.CheckCertificateRevocation] = false;
sslProps[IiopServerChannel.PORT_KEY] = "58000";
sslProps[SSLServer.SecurePort] = "58001";
sslProps[SSLServer.ServerEncryptionType] = Encryption.EncryptionType.Required;
sslProps[SSLServer.ClientAuthentication] = SSLServer.ClientAuthenticationType.Required;
sslProps[SSLServer.ServerAuthentication] = SSLServer.ServerAuthenticationType.Supported;
sslProps[SSLServer.ServerAuthenticationClass] = typeof(DefaultServerAuthenticationImpl);
// thumbprint of the server certificate in the Windows certificate store
sslProps[DefaultServerAuthenticationImpl.ServerCertificate] =
    "ff822f9d6792b54dae9fefd227e8a838c9c518fe";
sslProps[DefaultServerAuthenticationImpl.StoreLocation] = "CurrentUser";

Client+SSL!

IDictionary sslProps = new Hashtable();
sslProps[IiopChannel.CHANNEL_NAME_KEY] = "SecuredClientIiopChannel";
sslProps[IiopChannel.TRANSPORT_FACTORY_KEY] =
    "Ch.Elca.Iiop.Security.Ssl.SslTransportFactory,SSLPlugin";
sslProps[Authentication.CheckCertificateRevocation] = false;
sslProps[SSLClient.ClientEncryptionType] = Encryption.EncryptionType.Required;
sslProps[SSLClient.ClientAuthentication] = SSLClient.ClientAuthenticationType.Supported;
sslProps[SSLClient.ServerAuthentication] = SSLClient.ServerAuthenticationType.Required;
sslProps[SSLClient.ClientAuthenticationClass] = typeof(ClientAuthenticationSpecificFromStore);
sslProps[SSLClient.CheckServerName] = false;
// take certificates from the Windows certificate store of the current user
sslProps[ClientAuthenticationSpecificFromStore.StoreLocation] =
    "CurrentUser";
// thumbprint of the client certificate in the Windows certificate store
sslProps[ClientAuthenticationSpecificFromStore.ClientCertificate] =
    "f838ccf3cdfa001ed860f94248dc8d603d06935f";

Server+SSL?

IDictionary sslProps = new Hashtable();
sslProps[IiopChannel.CHANNEL_NAME_KEY] = "SecuredServerIiopChannel";
sslProps[IiopChannel.TRANSPORT_FACTORY_KEY] =
    "Ch.Elca.Iiop.Security.Ssl.SslTransportFactory,SSLPlugin";
sslProps[Authentication.CheckCertificateRevocation] = false;
sslProps[IiopServerChannel.PORT_KEY] = "58000";
sslProps[SSLServer.SecurePort] = "58001";
sslProps[SSLServer.ServerEncryptionType] = Encryption.EncryptionType.Supported;
sslProps[SSLServer.ClientAuthentication] = SSLServer.ClientAuthenticationType.NotRequired;
sslProps[SSLServer.ServerAuthentication] = SSLServer.ServerAuthenticationType.Supported;
sslProps[SSLServer.ServerAuthenticationClass] = typeof(DefaultServerAuthenticationImpl);
sslProps[DefaultServerAuthenticationImpl.ServerCertificate] =
    "ff822f9d6792b54dae9fefd227e8a838c9c518fe"; // thumbprint of the certificate in the Windows certificate store
sslProps[DefaultServerAuthenticationImpl.StoreLocation] = "CurrentUser";

Client+SSL?

IDictionary sslProps = new Hashtable();
sslProps[IiopChannel.CHANNEL_NAME_KEY] = "SecuredClientIiopChannel";
sslProps[IiopChannel.TRANSPORT_FACTORY_KEY] =
    "Ch.Elca.Iiop.Security.Ssl.SslTransportFactory,SSLPlugin";
sslProps[Authentication.CheckCertificateRevocation] = false;
sslProps[SSLClient.ClientEncryptionType] = Encryption.EncryptionType.Supported;
sslProps[SSLClient.ClientAuthentication] = SSLClient.ClientAuthenticationType.Supported;
sslProps[SSLClient.ServerAuthentication] = SSLClient.ServerAuthenticationType.NotRequired;
sslProps[SSLClient.ClientAuthenticationClass] = typeof(ClientAuthenticationSpecificFromStore);
sslProps[SSLClient.CheckServerName] = false;
// take certificates from the Windows certificate store of the current user
sslProps[ClientAuthenticationSpecificFromStore.StoreLocation] =
    "CurrentUser";
sslProps[ClientAuthenticationSpecificFromStore.ClientCertificate] =
    "f838ccf3cdfa001ed860f94248dc8d603d06935f"; // thumbprint of the certificate in the Windows certificate store
