1、任何 Ice 程序如果要使用 SSL 安全连接，对应的应用就必须加载 IceSSL 插件
2、配置程序在启动过程中加载SSL插件:
# Load the IceSSL plug-in when the communicator starts (entry point IceSSL:createIceSSL).
Ice.Plugin.IceSSL=IceSSL:createIceSSL
# Directory the relative file names below are resolved against.
IceSSL.DefaultDir=/opt/certs
# This process's own certificate and private key (PEM files).
IceSSL.CertFile=pubkey.pem
IceSSL.KeyFile=privkey.pem
# Trusted CA certificate(s) used to validate the peer's chain.
IceSSL.CertAuthFile=ca.pem
# Passphrase protecting privkey.pem, written here in clear text. Section 6 of
# these notes shows the PasswordPrompt alternative that keeps it out of the
# property file.
IceSSL.Password=password
# Force proxies to use only secure (SSL) endpoints even if insecure ones are listed.
Ice.Override.Secure=1
3、程序中获取ssl插件对象:
// Look up the IceSSL plug-in that the Ice.Plugin.IceSSL property loaded.
Ice::PluginManagerPtr pluginMgr = communicator->getPluginManager();
Ice::PluginPtr plugin = pluginMgr->getPlugin("IceSSL");
// Downcast the generic plug-in handle to the IceSSL interface. dynamicCast
// yields a null handle if the plug-in is not an IceSSL::Plugin, so check
// sslPlugin before dereferencing it.
IceSSL::PluginPtr sslPlugin = IceSSL::PluginPtr::dynamicCast(plugin);
4、设置个性化的ssl校验机制:
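// Custom peer-certificate check installed via setCertificateVerifier().
// IceSSL calls verify() with the certificates the peer presented during the
// handshake; returning false rejects the connection.
//
// NOTE(review): this rule inspects only the *issuer* name of nativeCerts[0]
// and accepts any chain whose issuer DN contains "zeroc" anywhere. It does not
// itself check subject, validity period or serial number; it is presumably an
// additional restriction on top of the plug-in's own chain validation, not a
// replacement for it (confirm the IceSSL.VerifyPeer setting in the deployment).
// The page does not state the ordering of nativeCerts; the first element is
// presumably the peer's own certificate — verify against the IceSSL docs.
class Verifier : public IceSSL::CertificateVerifier
{
public:
    // Return true only when the peer presented at least one certificate and
    // its issuer DN, compared case-insensitively, contains "zeroc".
    virtual bool verify(const IceSSL::NativeConnectionInfo& info)
    {
        if (info.nativeCerts.empty())
        {
            // No peer certificate at all: nothing to check, so reject.
            return false;
        }

        // nativeCerts holds CertificatePtr handles (see NativeConnectionInfo
        // below), so the element is dereferenced with '->'; DistinguishedName
        // converts to std::string.
        string dn = info.nativeCerts[0]->getIssuerDN();
        transform(dn.begin(), dn.end(), dn.begin(), &Verifier::lowerChar);
        return dn.find("zeroc") != string::npos;
    }

private:
    // Case-fold one character. Going through unsigned char keeps ::tolower
    // well-defined for bytes above 0x7F, where plain char may be negative.
    static int lowerChar(int c)
    {
        return ::tolower(static_cast<unsigned char>(c));
    }
};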
// Install the custom verifier. The plug-in keeps the object through a
// reference-counted handle (presumably IceUtil::Shared, like the other IceSSL
// types on this page), so no explicit delete is needed.
sslPlugin->setCertificateVerifier(new Verifier);
5、在NativeConnectionInfo中包含了对应的SSL证书信息,其结构如下:
// Connection information handed to CertificateVerifier::verify(); extends the
// generic ConnectionInfo with the peer's certificate chain.
class NativeConnectionInfo : public ConnectionInfo
{
public:
    // Certificates presented by the peer during the handshake; empty when the
    // peer sent none. Ordering is not stated on this page — presumably the
    // peer's own certificate comes first; confirm against the IceSSL docs.
    std::vector<CertificatePtr> nativeCerts;
};
// Reference-counted wrapper around an OpenSSL X509 certificate (the
// constructor and getCert() expose the raw handle). Only the signatures are
// shown on this page; behaviour notes below are inferred from the names.
class Certificate : public IceUtil::Shared
{
public:
    // Wrap an existing X509*. NOTE(review): not 'explicit', so an X509*
    // converts implicitly to Certificate.
    Certificate(X509*);
    // Factories: read a certificate from a file path (load) or from an encoded
    // string (decode) — presumably the format that encode() produces; confirm.
    static CertificatePtr load(const string&);
    static CertificatePtr decode(const string&);
    bool operator==(const Certificate&) const;
    bool operator!=(const Certificate&) const;
    PublicKeyPtr getPublicKey() const;
    // Presumably checks this certificate's signature against the given key
    // (e.g. the issuer's); the validity period is covered by checkValidity().
    bool verify(const PublicKeyPtr&) const;
    string encode() const;
    // Validity-period checks: against the current time, or a supplied time.
    bool checkValidity() const;
    bool checkValidity(const IceUtil::Time&) const;
    IceUtil::Time getNotAfter() const;
    IceUtil::Time getNotBefore() const;
    string getSerialNumber() const;
    // Issuer / subject names; DistinguishedName converts to std::string, which
    // is how the Verifier example above assigns it to a string.
    DistinguishedName getIssuerDN() const;
    // Alternative names as (type, value) pairs; the int is presumably the
    // X.509 GeneralName type tag — confirm before relying on specific values.
    vector<pair<int, string> > getIssuerAlternativeNames();
    DistinguishedName getSubjectDN() const;
    vector<pair<int, string> > getSubjectAlternativeNames();
    int getVersion() const;
    string toString() const;
    // Raw OpenSSL handle; presumably still owned by this object, so callers
    // should not free it — confirm.
    X509* getCert() const;
};
6、动态设置密码（需先设置属性 Ice.InitPlugins=0，再由程序自行调用 initializePlugins()）
// Callback interface IceSSL uses to obtain the private-key passphrase at run
// time instead of reading IceSSL.Password from the property file. Subclass it
// and implement getPassword(); install via Plugin::setPasswordPrompt().
class PasswordPrompt : public IceUtil::Shared
{
public:
    // Return the passphrase; called by the plug-in when it initializes.
    virtual std::string getPassword() = 0;
};
// With Ice.InitPlugins=0 the communicator has loaded IceSSL but not yet
// initialized it, so the prompt can still be installed before the key is
// presumably opened during initialization.
Ice::PluginManagerPtr pluginMgr = communicator->getPluginManager();
Ice::PluginPtr plugin = pluginMgr->getPlugin("IceSSL");
IceSSL::PluginPtr sslPlugin = IceSSL::PluginPtr::dynamicCast(plugin);
// NOTE(review): 'Prompt' is not defined on this page; it must be a concrete
// subclass of PasswordPrompt that implements getPassword(). Using it means
// the passphrase never has to appear in the property file.
sslPlugin->setPasswordPrompt(new Prompt);
// Finish plug-in initialization now; IceSSL calls the prompt when it needs
// the passphrase.
pluginMgr->initializePlugins();
7、证书的申请创建(注意设置环境变量ICE_CA_HOME)
# All three commands operate on the CA stored under $ICE_CA_HOME, so set it first.
# Create a new CA (presumably key plus self-signed root certificate).
# --no-password leaves the CA key unencrypted; --overwrite replaces an existing CA.
python iceca init [--no-password] [--overwrite]
# Generate a key and certificate request for 'common-name', writing to 'file'.
python iceca request [--overwrite] [--no-password] file common-name [email]
# Sign a request with the CA; --ip/--dns presumably add subject alternative names.
python iceca sign [--overwrite] --in <req> --out <cert> [--ip <ip> --dns <dns>]
2、配置程序在启动过程中加载SSL插件:
# Load the IceSSL plug-in when the communicator starts (entry point IceSSL:createIceSSL).
Ice.Plugin.IceSSL=IceSSL:createIceSSL
# Directory the relative file names below are resolved against.
IceSSL.DefaultDir=/opt/certs
# This process's own certificate and private key (PEM files).
IceSSL.CertFile=pubkey.pem
IceSSL.KeyFile=privkey.pem
# Trusted CA certificate(s) used to validate the peer's chain.
IceSSL.CertAuthFile=ca.pem
# Passphrase protecting privkey.pem, written here in clear text. Section 6 of
# these notes shows the PasswordPrompt alternative that keeps it out of the
# property file.
IceSSL.Password=password
# Force proxies to use only secure (SSL) endpoints even if insecure ones are listed.
Ice.Override.Secure=1
3、程序中获取ssl插件对象:
// Look up the IceSSL plug-in that the Ice.Plugin.IceSSL property loaded.
Ice::PluginManagerPtr pluginMgr = communicator->getPluginManager();
Ice::PluginPtr plugin = pluginMgr->getPlugin("IceSSL");
// Downcast the generic plug-in handle to the IceSSL interface. dynamicCast
// yields a null handle if the plug-in is not an IceSSL::Plugin, so check
// sslPlugin before dereferencing it.
IceSSL::PluginPtr sslPlugin = IceSSL::PluginPtr::dynamicCast(plugin);
4、设置个性化的ssl校验机制:
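// Custom peer-certificate check installed via setCertificateVerifier().
// IceSSL calls verify() with the certificates the peer presented during the
// handshake; returning false rejects the connection.
//
// NOTE(review): this rule inspects only the *issuer* name of nativeCerts[0]
// and accepts any chain whose issuer DN contains "zeroc" anywhere. It does not
// itself check subject, validity period or serial number; it is presumably an
// additional restriction on top of the plug-in's own chain validation, not a
// replacement for it (confirm the IceSSL.VerifyPeer setting in the deployment).
// The page does not state the ordering of nativeCerts; the first element is
// presumably the peer's own certificate — verify against the IceSSL docs.
class Verifier : public IceSSL::CertificateVerifier
{
public:
    // Return true only when the peer presented at least one certificate and
    // its issuer DN, compared case-insensitively, contains "zeroc".
    virtual bool verify(const IceSSL::NativeConnectionInfo& info)
    {
        if (info.nativeCerts.empty())
        {
            // No peer certificate at all: nothing to check, so reject.
            return false;
        }

        // nativeCerts holds CertificatePtr handles (see NativeConnectionInfo
        // below), so the element is dereferenced with '->'; DistinguishedName
        // converts to std::string.
        string dn = info.nativeCerts[0]->getIssuerDN();
        transform(dn.begin(), dn.end(), dn.begin(), &Verifier::lowerChar);
        return dn.find("zeroc") != string::npos;
    }

private:
    // Case-fold one character. Going through unsigned char keeps ::tolower
    // well-defined for bytes above 0x7F, where plain char may be negative.
    static int lowerChar(int c)
    {
        return ::tolower(static_cast<unsigned char>(c));
    }
};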
// Install the custom verifier. The plug-in keeps the object through a
// reference-counted handle (presumably IceUtil::Shared, like the other IceSSL
// types on this page), so no explicit delete is needed.
sslPlugin->setCertificateVerifier(new Verifier);
5、在NativeConnectionInfo中包含了对应的SSL证书信息,其结构如下:
// Connection information handed to CertificateVerifier::verify(); extends the
// generic ConnectionInfo with the peer's certificate chain.
class NativeConnectionInfo : public ConnectionInfo
{
public:
    // Certificates presented by the peer during the handshake; empty when the
    // peer sent none. Ordering is not stated on this page — presumably the
    // peer's own certificate comes first; confirm against the IceSSL docs.
    std::vector<CertificatePtr> nativeCerts;
};
// Reference-counted wrapper around an OpenSSL X509 certificate (the
// constructor and getCert() expose the raw handle). Only the signatures are
// shown on this page; behaviour notes below are inferred from the names.
class Certificate : public IceUtil::Shared
{
public:
    // Wrap an existing X509*. NOTE(review): not 'explicit', so an X509*
    // converts implicitly to Certificate.
    Certificate(X509*);
    // Factories: read a certificate from a file path (load) or from an encoded
    // string (decode) — presumably the format that encode() produces; confirm.
    static CertificatePtr load(const string&);
    static CertificatePtr decode(const string&);
    bool operator==(const Certificate&) const;
    bool operator!=(const Certificate&) const;
    PublicKeyPtr getPublicKey() const;
    // Presumably checks this certificate's signature against the given key
    // (e.g. the issuer's); the validity period is covered by checkValidity().
    bool verify(const PublicKeyPtr&) const;
    string encode() const;
    // Validity-period checks: against the current time, or a supplied time.
    bool checkValidity() const;
    bool checkValidity(const IceUtil::Time&) const;
    IceUtil::Time getNotAfter() const;
    IceUtil::Time getNotBefore() const;
    string getSerialNumber() const;
    // Issuer / subject names; DistinguishedName converts to std::string, which
    // is how the Verifier example above assigns it to a string.
    DistinguishedName getIssuerDN() const;
    // Alternative names as (type, value) pairs; the int is presumably the
    // X.509 GeneralName type tag — confirm before relying on specific values.
    vector<pair<int, string> > getIssuerAlternativeNames();
    DistinguishedName getSubjectDN() const;
    vector<pair<int, string> > getSubjectAlternativeNames();
    int getVersion() const;
    string toString() const;
    // Raw OpenSSL handle; presumably still owned by this object, so callers
    // should not free it — confirm.
    X509* getCert() const;
};
6、动态设置密码（需先设置属性 Ice.InitPlugins=0，再由程序自行调用 initializePlugins()）
// Callback interface IceSSL uses to obtain the private-key passphrase at run
// time instead of reading IceSSL.Password from the property file. Subclass it
// and implement getPassword(); install via Plugin::setPasswordPrompt().
class PasswordPrompt : public IceUtil::Shared
{
public:
    // Return the passphrase; called by the plug-in when it initializes.
    virtual std::string getPassword() = 0;
};
// With Ice.InitPlugins=0 the communicator has loaded IceSSL but not yet
// initialized it, so the prompt can still be installed before the key is
// presumably opened during initialization.
Ice::PluginManagerPtr pluginMgr = communicator->getPluginManager();
Ice::PluginPtr plugin = pluginMgr->getPlugin("IceSSL");
IceSSL::PluginPtr sslPlugin = IceSSL::PluginPtr::dynamicCast(plugin);
// NOTE(review): 'Prompt' is not defined on this page; it must be a concrete
// subclass of PasswordPrompt that implements getPassword(). Using it means
// the passphrase never has to appear in the property file.
sslPlugin->setPasswordPrompt(new Prompt);
// Finish plug-in initialization now; IceSSL calls the prompt when it needs
// the passphrase.
pluginMgr->initializePlugins();
7、证书的申请创建(注意设置环境变量ICE_CA_HOME)
# All three commands operate on the CA stored under $ICE_CA_HOME, so set it first.
# Create a new CA (presumably key plus self-signed root certificate).
# --no-password leaves the CA key unencrypted; --overwrite replaces an existing CA.
python iceca init [--no-password] [--overwrite]
# Generate a key and certificate request for 'common-name', writing to 'file'.
python iceca request [--overwrite] [--no-password] file common-name [email]
# Sign a request with the CA; --ip/--dns presumably add subject alternative names.
python iceca sign [--overwrite] --in <req> --out <cert> [--ip <ip> --dns <dns>]