Re: [opendds-devel] Use SSL in OpenDDS

[Don B. <bu...@oc...>]

Mario,

Thanks for your interest in OpenDDS.

What you're doing below wouldn't enable SSL in OpenDDS; it would only 
use SSL in the CORBA communication that happens behind the scenes in 
OpenDDS.  OpenDDS readers and writers communicate with the DSPSInfoRepo 
process via CORBA to make associations with each other.  So you could in 
theory enable SSL for that communication, but you'd also have to run the 
DCPSInfoRepo with SSL enabled and with certificates set up appropriately.

However, for performance reasons, OpenDDS samples are published directly 
from a DataWriter to a DataReader on a standard socket; CORBA is not 
involved in that communication.  So SSL would not come into play on a 
DDS write(), at least as OpenDDS is today.

The way you'd implement SSL in OpenDDS would be to create a new 
transport as a sibling of the SimpleTcp, udp, and multicast transports.  
OpenDDS's extensible transport framework is located in 
$DDS_ROOT/dds/DCPS/transports, and there you would see the general 
framework as well as the SimpleTcp, udp, and multicast transports.  It's 
a non-trivial thing to do.

If this is really important to you to the point that your company would 
want to pay for its development, we can provide an estimate to do the 
work on a time-and-materials basis. Or if you decide to do this 
yourself, we'd strongly encourage you to contribute the new transport 
back to the OpenDDS code base.

Again, thanks for your interest.

Best Regards,

    Don Busch

Mario Danelli wrote:
> Hello,
>
> in our software laboratory we are evaluationg OpenDDS.
>
> Especially we would know if it's possible to use cryptography (SSLIOP).
>
> I found the follow links to install, configure and use SSL in OpenDDS:
>
>     * to build and install ACE_SSL -
>       http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/ACE/ACE-INSTALL.html#sslinstall
>     * install SSLIOP in TAO - 
>       https://svn.dre.vanderbilt.edu/viewvc/Middleware/trunk/TAO/docs/Security/SSLIOP-INSTALL.html?view=co
>     * using SSLIOP -
>       http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/TAO/docs/Security/SSLIOP-USAGE.html
>
> I followed the steps specified in the links and started the DCPS 
> repository with a 'tcp.conf' file modified with the new lines to use SSLIOP:
>
> dynamic SSLIOP_Factory Service_Object *
>        TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() ""
>      static Resource_Factory "-ORBProtocolFactory SSLIOP_Factory"
>
> After starting a publisher without specifing the new lines also in the 
> publisher's configurations file it's throwed a "CORBA::NO_PERMISSION" 
> exception.
> So i specified new lines also in the publisher's configurations but in 
> this case it's throwed a "CORBA::INV_POLICY" exception.
>
> In this link (http://www.theaceorb.com/faq/index.html#141) is specified 
> that to correct the problem, protected invocations via the Naming 
> Service's object reference must be disabled.
> I suppose i have to do this task in all the OpenDDS project files and 
> re-build the complete project. Am i wrong?
>
> Finally i would like to konw, from anyone that used OpenDDS with SSL 
> before (or studied this case),  if there is a way to enable SSL in OpenDDS?
> Is the way followed until know correct or is there a simpler way (e.g. 
> set a flag or other from a configuration file/command parameter)?
>
> Thanks in advance.
>
> Regards
> Mario Danelli
>
>   


-- 
----------------------------------------------------------------
  Don Busch, Principal Software Engineer and Partner
  Object Computing, Inc. (OCI)          314-590-0250
  http://www.ociweb.com
  http://www.theaceorb.com
  http://jacorb.ociweb.com

   "Never let what you can't do get in the way of what 
    you can do."
        - John Wooden
----------------------------------------------------------------