Comment: Migration of unmigrated content due to installation of a new plugin

IceGrid's registry and node services expose multiple network endpoints that a malicious client could use to gain access to IceGrid functionality and interfere with deployed applications. This presents a significant security risk in network environments that are exposed to untrusted clients. For example, a malicious client could connect to a node and use IceGrid's internal interfaces to deploy and run its own server executable.

This page describes the steps you can take to secure your IceGrid application.

IceGrid Security Overview

...

The Ice distribution includes a C++ example in the demo/IceGrid/secure subdirectory that demonstrates how to configure a secure IceGrid deployment. This example includes a script to generate certificates for a registry, a node, a Glacier2 router, and a server. For more information, see the README file provided with the example.

Understanding the Registry Endpoints

The IceGrid registry has three mandatory endpoints representing the client, server, and internal endpoints. The registry also has two optional endpoints (the session manager and administrative session manager endpoints) that are only useful when accessing IceGrid via Glacier2.

Client Endpoint

The registry client endpoint is used by Ice applications that create client sessions in order to use the resource allocation facility. It is also used by administrative clients that create sessions for managing the registry. Finally, the client endpoint is used by Ice applications that use the IceGrid::Query interface or resolve indirect proxies via the IceGrid locator.

...

It is not necessary to restrict SSL access to the client endpoints (using the property IceSSL.TrustOnly.Server.IceGrid.Registry.Client) as long as you use client and administrative permission verifiers for authentication. This property is only useful for restricting access to client and administrative sessions when using null permission verifiers. Note, however, that if both client and administrative sessions are enabled, you will only be able to restrict access to one set of clients, since you cannot distinguish clients that create client sessions from clients that create administrative sessions.

Server Endpoint

Ice servers use the registry's server endpoint to register their object adapter endpoints and send information to administrative clients connected via the registry.

...

{zcode}
IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server"
{zcode}

Internal Endpoint

IceGrid nodes and registry replicas use the internal endpoint to communicate with the registry. For example, nodes connect to the internal endpoint of each active registry, and registry slaves establish a session with their master via this endpoint.

...

{zcode}
IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="IceGrid Node";CN="IceGrid Registry"
{zcode}

Session Manager Endpoint

The session manager endpoint is used by Glacier2 to create IceGrid client sessions. The functionality exposed by this endpoint is unrestricted, so you must either secure it or disable it (this endpoint is disabled by default). The property shown below demonstrates how to configure IceSSL so that only Glacier2 routers are accepted by this endpoint:

...

In this example, Glacier2 Router Client is the common name of the Glacier2 router used by clients to create IceGrid client sessions.

Administrative Session Manager Endpoint

...

{zcode}
IceSSL.TrustOnly.Server.IceGrid.Registry.SessionManager=CN="Glacier2 Router Client"
IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2 Router Client"
{zcode}

Outgoing Connections

The registry establishes outgoing connections to other registries and nodes. You should configure the IceSSL.TrustOnly.Client property to restrict connections to these trusted peers:

...

The registry can also connect to Glacier2 routers and permission verifier objects. To allow connections to these services, you must include in this property the common names of Glacier2 routers that create client or administrative sessions, as well as the common names of servers that host the permission verifier objects.
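
One way to check a registry configuration against the restrictions described above, as an added example that is not part of the original page or the Ice distribution. It looks only at the per-adapter IceSSL.TrustOnly.Server properties shown on this page and at IceSSL.TrustOnly.Client; the function names, the sample configuration, and its ports are constructed for illustration.

```python
# Added example: audits registry properties for the restrictions on this page.
# Adapters that need an IceSSL.TrustOnly.Server rule. The client adapter is
# left out: the page says permission verifiers are sufficient there.
RESTRICTED = ["Server", "Internal", "SessionManager", "AdminSessionManager"]

def parse_properties(text):
    """Parse key=value lines; '#' starts a comment (escapes are not handled)."""
    props = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_registry(text):
    """Return findings for registry adapters that are enabled but unrestricted."""
    props = parse_properties(text)
    findings = []
    for name in RESTRICTED:
        adapter = "IceGrid.Registry." + name
        endpoints = props.get(adapter + ".Endpoints", "")
        if not endpoints:
            continue  # adapter not configured, so nothing is exposed
        # Endpoints are colon-separated; the first word names the transport.
        # Assumption: no quoted IPv6 literals, which also contain colons.
        transports = {ep.split()[0] for ep in endpoints.split(":") if ep.strip()}
        if transports - {"ssl", "wss"}:
            findings.append(adapter + ": non-SSL endpoint is not covered by IceSSL.TrustOnly")
        if not props.get("IceSSL.TrustOnly.Server." + adapter):
            findings.append(adapter + ": no IceSSL.TrustOnly.Server rule")
    if not props.get("IceSSL.TrustOnly.Client"):
        findings.append("IceSSL.TrustOnly.Client: outgoing peers are not restricted")
    return findings

# Constructed sample configuration; ports and the TrustOnly.Client value are made up.
SAMPLE = """
IceGrid.Registry.Client.Endpoints=ssl -p 4062
IceGrid.Registry.Server.Endpoints=ssl
IceGrid.Registry.Internal.Endpoints=tcp -p 4063   # plain TCP
IceGrid.Registry.SessionManager.Endpoints=ssl -p 4064
IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server"
IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="IceGrid Node";CN="IceGrid Registry"
IceSSL.TrustOnly.Client=CN="IceGrid Node";CN="IceGrid Registry"
"""

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE):
        print(finding)
```

On the sample, the audit reports the plain TCP internal endpoint and the session manager endpoint that is enabled without a TrustOnly rule.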

Understanding the Node Endpoints

...

{zcode}
IceSSL.TrustOnly.Client=CN="Server";CN="IceGrid Registry"
{zcode}

Understanding the Administrative Endpoints with IceGrid

...

If your server invokes on other servers, you will need to modify this setting to allow secure connections to them.
