
This forum has been archived. Please start a new discussion on GitHub.

Setting up a CA for Glacier2

Hello!

I am trying to set up a CA for use with Glacier2 and SSL. Based on the config files of the chat demo, I am trying to figure out how to set the following properties:

Ice.Plugin.IceSSL=IceSSL:createIceSSL
#IceSSL.DefaultDir=../../../certs
#IceSSL.DefaultDir=./
IceSSL.CertAuthFile=root-ca.crt
IceSSL.CertFile=root-ca-pub.key
IceSSL.KeyFile=root-ca-priv.key

I have generated the root-ca.crt, root-ca-pub.key and root-ca-priv.key with openssl. I see that the output is in base64 (pem) format. My server and client are in C#.

I see from the documentation that .NET requires another format. Besides a conversion to another format (I will do that later), I wonder what the three last settings are used for.

Do I have to

a) pass the root-keys and the root-certificate to both the client and glacier2, or
b) sign specific certificates for the client and glacier2 respectively (that is new key pairs for each of the two entities) and maybe pass the root certificate as well in IceSSL.CertAuthFile?

When I try to start glacier2 with the configuration mentioned above I get this "missing certificate chain" error:

C:\catalin\chatServer\exe>glacier2router --Ice.Config=config.glacier2
!! 12/09/12 15:53:20.726 glacier2router: error: service caught unhandled exception:
Instance.cpp:520: Ice::PluginInitializationException:
plug-in initialization failed: IceSSL: unable to load certificate chain from file root-ca-pub.key:
error # = 151441516
message = error:0906D06C:PEM routines:PEM_read_bio:no start line
location = .\crypto\pem\pem_lib.c, 648
data = Expecting: TRUSTED CERTIFICATE

error # = 336445449
message = error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
location = .\ssl\ssl_rsa.c, 729

Thanks,
Catalin

Comments

  • Hello again!

    Goal: getting a .NET client to communicate with Glacier2 by means of SSL, on Win 7 64 bits, Enterprise.

    After my previous posting I did some more reading and I have now set up a CA by using the iceca script. I added the CA-certificate to the trust store of Windows (MMC.exe) to both the local machine (trusted CAs) and the personal user stores.

    I also generated a private key and a certificate request for both Glacier2 and the client. Then I signed the requests and converted the certificates to pfx format, all of this using iceca. I also added the Glacier2.pfx certificate to the Windows trust store. I don't know if this is necessary, but I wanted to inspect the certificate. I can see the Glacier2 certificate and it links to the CA certificate added earlier.

    I am now trying to start up Glacier2 with SSL using this command:

    glacier2router --Ice.Config=config.glacier2

    In the config file I have

    Ice.Plugin.IceSSL=C:\<cut>\IceSSL.dll:IceSSL.PluginFactory

    // of course "C:\<cut>" stands for a full path directory (no spaces) containing IceSSL.dll

    I get this error:

    !! 12/11/12 08:47:16.767 glacier2router: error: service caught unhandled exception:
    PluginManagerI.cpp:357: Ice::PluginInitializationException:
    plug-in initialization failed: unable to load entry point `C:\<cut>\IceSSL.dll:IceSSL.PluginFactory': The specified module was not found.

    // I know other IceSSL properties must be defined, but they make no difference so far, since the module is not found. Commenting them in or out makes no difference.

    Any ideas what is going on here?

    Thanks,
    Catalin
  • benoit (Rennes, France)
    Hi,

    I was about to suggest checking the iceca script :). For a description of the IceSSL properties, you can also check out the Ice manual if you have not already done so: IceSSL Properties

    The value of the Ice.Plugin.IceSSL property is different depending on the language mapping. Glacier2 is a C++ service, so the property should be defined as follows:
    Ice.Plugin.IceSSL=IceSSL:createIceSSL

    See Using IceSSL - Ice 3.4 - ZeroC

    Cheers,
    Benoit.
  • Thanks, good point about Glacier2 being implemented in C++. I think I got it working now... thanks again.