jeroenh edited this page Nov 9, 2012 · 7 revisions

First off, you need to generate a certificate and key. This can be done with the usual tools for creating self-signed certificates. (TODO!)

Once you have the certificates, you need to edit the settings in your opennsa.conf and/or ~/.opennsa-cli config files:

tls=yes
key=<path/to/ssl-key.key|pem>
certificate=<path/to/ssl-cert.crt|pem>
certdir=<path/to/cert-dir/>
verify=no

These settings are the same for the server and the client, but the resulting behavior is different. Below we discuss them separately.

Server

The tls setting makes the server run with TLS, so it must be reached over the https protocol. It also listens on a different port; the default is 9443. The key and certificate files are the server's own identity and are used to set up the TLS connections with clients. The certdir holds the trusted certificates that peers are verified against. The verify option forces the server to accept only trusted certificates, so it will reject requests presented with self-signed certificates unless those certificates have been specifically added to certdir.

Client

The tls setting applies to the connection the client hosts for receiving replies. If set to yes, the client uses the key and certificate to set up an https port, and also tells the server that it should use https to reach the client with replies. The verify option forces the client to accept only trusted server certificates, so it will not talk to servers with self-signed certificates unless those certificates have been specifically added to certdir.
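To make the client-side meaning of verify concrete, here is an added example (not OpenNSA code) that parses the five settings above and builds a standard-library ssl.SSLContext with the same semantics: verify=yes accepts only certificates chaining to a file in certdir, verify=no encrypts but does not authenticate the peer. The config values are constructed sample paths.

```python
"""Map OpenNSA-style TLS settings onto a Python ssl.SSLContext (added example)."""
import ssl
from pathlib import Path

# Constructed sample of the opennsa.conf / ~/.opennsa-cli keys discussed on this page.
SAMPLE_CONFIG = """\
tls=yes
key=/etc/opennsa/ssl-key.pem
certificate=/etc/opennsa/ssl-cert.pem
certdir=/etc/opennsa/certs/
verify=no
"""


def parse_tls_settings(text):
    """Parse key=value lines into a dict; tls and verify become booleans."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        settings[key] = value.lower() in ("yes", "true", "1") if key in ("tls", "verify") else value
    return settings


def build_client_context(settings):
    """Context a client uses to reach a TLS server, following the verify setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if settings.get("verify", False):
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        # Every .pem/.crt in certdir becomes a trust anchor. With no anchors
        # loaded, every server certificate is rejected rather than accepted.
        certdir = Path(settings.get("certdir", ""))
        if certdir.is_dir():
            for pem in sorted(certdir.iterdir()):
                if pem.suffix in (".pem", ".crt"):
                    ctx.load_verify_locations(cafile=str(pem))
    else:
        # verify=no: the channel is encrypted, but any certificate is accepted,
        # so nothing stops an impostor from answering as the server.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def peer_auth_summary(settings):
    """(verify_mode name, hostname check) the client will apply, for operators."""
    ctx = build_client_context(settings)
    return ctx.verify_mode.name, ctx.check_hostname
```

Run peer_auth_summary on your own config to see whether the resulting client would actually authenticate the server before sending requests.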

API

If you want to connect to a TLS server programmatically yourself, use the following code:

from opennsa import ctxfactory, setup

# Key, certificate and trusted-certificate directory, as in opennsa.conf.
# verify=False accepts any server certificate; verify=True only certificates in certdir.
ctx_factory = ctxfactory.ContextFactory("<path/to/ssl-key.key|pem>", "<path/to/ssl-cert.crt|pem>",
                                        "<path/to/cert-dir/>", verify=False)

# network, backend, topo, host, port and wsdl_dir are the usual createService arguments;
# ctx_factory is what lets the service make outgoing TLS connections.
factory = setup.createService(network, backend, topo, host, port, wsdl_dir,
                              tls=False, ctx_factory=ctx_factory)

Passing the ctx_factory allows the service to contact TLS services. Setting tls to False makes the local server (the one used for receiving replies) run on plain http.
