
MultiXTpm Application Server

Secured Socket Layer (SSL) Support

MultiXTpm Application Server provides SSL support using OpenSSL. This support is transparent to the developer: no API is changed or added to support SSL, and existing modules, even binary ones, need not be recompiled. All SSL support is enabled through configuration only. SSL support is integrated into the lower level of the MultiX API, specifically in the CMultiXLink and CMultiXL2Link classes. Implementing SSL at this level (far from the TCP/IP socket) makes it possible to use SSL on top of other kinds of connections if required. Currently the MultiX API supports only TCP/IP sockets, but if support for other transports is developed (UDP or X.25, for example), SSL integration follows automatically and transparently.

Building and using MultiX DLL with SSL Support

For MultiXTpm Application Server to support SSL, only the MultiX API DLL (MultiX project) needs to be compiled with SSL support.
For a successful build of the SSL support, the following steps must be taken:
  • Install the latest version of OpenSSL on the development machine.
  • Make sure that the OpenSSL include directory is on the include path of the compiler.
  • Make sure that the OpenSSL lib directory is on the lib path of the compiler.
  • Make sure that there is a define macro of OPENSSL_SUPPORT on the command line that invokes the compiler for every file in the MultiX project (the supplied project and make files INCLUDE this define by default).

MultiX DLL links dynamically to the OpenSSL DLLs. When an application that uses a MultiX DLL built with SSL support starts, the MultiX DLL tries to locate the OpenSSL DLLs. If it finds them, SSL support is provided; if not, the MultiX DLL writes an event log record and continues to work, but without SSL support. It is therefore always better to compile the MultiX project with OPENSSL_SUPPORT and not worry about the runtime environment: if OpenSSL is present, the MultiX DLL uses it, and if not, it simply ignores the missing OpenSSL DLLs.

To make use of SSL support at runtime, the runtime machine must have the OpenSSL runtime installed, and the OpenSSL DLLs must be accessible through the standard PATH environment variable, or through LD_LIBRARY_PATH on a Linux platform.

Configuring SSL Support

Application level support for SSL is enabled through configuration of the MultiXTpm Application Server environment. This configuration is done by modifying the TpmConfig.xml file used by MultiXTpm Application Server to start and control the entire environment.

SSL support is provided to CMultiXLink derived classes. This means that for each Link defined in the configuration file, different SSL parameters can be specified, if SSL is required at all for that Link. SSL support for a specific Link is configured through an additional element in the Link attributes called "SSLParams". The following list describes all the attributes used by the MultiX API to support SSL:

Attribute: API
Description: Specifies which SSL library should be used. Currently the only allowed value is OpenSSL. Any other value implies that no SSL support is required for the specific Link.
Default value: empty (no SSL support)

Attribute: ClientAuthenticationRequired
Description: Specifies whether client authentication is required when specifying a Server Link. A parameter value of 1 enforces client authentication. With any other value, or when not specified, no client authentication takes place.
Default value: false

Attribute: ServerAuthenticationRequired
Description: Specifies whether server authentication is required when specifying a Client Link. A parameter value of 1 enforces server authentication. With any other value, or when not specified, no server authentication takes place.
Default value: false

Attribute: ServerNameVerificationRequired
Description: When requiring server authentication in a Client Link, this parameter specifies whether the certificate name is verified. A parameter value of 1 enforces a match between the host name specified for the link and the certificate name; otherwise, no check is done.
Default value: false

Attribute: TrustStoreFile
Description: Specifies the full path of the Trust Store file where all trusted certificates are located. This file is passed as the second parameter when MultiXLink calls the SSL_CTX_load_verify_locations() function of the OpenSSL API.
Default value: cacerts.pem

Attribute: TrustStoreDirectory
Description: Specifies the path of the Trust Store directory where all trusted certificates are located. This directory is passed as the third parameter when MultiXLink calls the SSL_CTX_load_verify_locations() function of the OpenSSL API.
Default value: none

Attribute: CertificateFile
Description: Specifies the full path of the Certificate file used by SSL to identify the application to the remote peer. For SERVER Links this file MUST be specified, otherwise CMultiXLink::Listen will fail. This file is passed as the second parameter when MultiXLink calls the SSL_CTX_use_certificate_file() function of the OpenSSL API. For Client Links, this file is used when the server requires client authentication.
Default value: LocalMultiXTpmServer.pem

Attribute: PrivateKeyFile
Description: Specifies the full path of the Private Key file used by SSL. This is used by Server Links.
Default value: LocalMultiXTpmServer.pem

Attribute: PrivateKeyPassword
Description: Specifies the password to use when accessing the Private Key. It is used when the Private Key is password protected.
Default value: password

Attribute: PrivateKeyPasswordFile
Description: Specifies the password file to use when accessing the Private Key. It is used when the Private Key is password protected and you do not want to store the password in the configuration file.
Default value: none

Attribute: RSAPrivateKeyFile
Description: Specifies the full path of the RSA Private Key file used by SSL. This is used by Server Links and is optional.
Default value: none

Attribute: DHFile
Description: Specifies the full path of the DH parameters file used by SSL. This is used by Server Links and is optional.
Default value: none

For a complete description of the OpenSSL related parameters, please refer to OpenSSL documentation.
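The following TpmConfig.xml fragment is added here as an illustration; it is not taken from the MultiXTpm distribution. It places a Client Link that relies on the documented defaults beside a hardened one, and shows a Server Link that keeps the key password out of the configuration file. The SSLParams attribute names are those from the list above; the nesting of SSLParams as a child element of Link, the Link attributes and the file paths are assumptions.

```xml
<!-- Constructed example. SSLParams attribute names come from the documentation;
     the nesting inside Link, the Link attributes and all paths are assumed. -->

<!-- Client Link, WEAK: relies on the defaults. With ServerAuthenticationRequired
     unset, no server authentication takes place, so the identity of the remote
     peer is never checked before application data is exchanged. -->
<Link Name="BackEndClient_Weak">
  <SSLParams API="OpenSSL" />
</Link>

<!-- Client Link, HARDENED: verify the server chain against the trust store and
     require the certificate name to match the host configured for the link. -->
<Link Name="BackEndClient">
  <SSLParams API="OpenSSL"
             ServerAuthenticationRequired="1"
             ServerNameVerificationRequired="1"
             TrustStoreFile="/etc/multixtpm/tls/cacerts.pem" />
</Link>

<!-- Server Link (Front End Process). CertificateFile is mandatory, otherwise
     Listen fails. The key password is supplied via PrivateKeyPasswordFile rather
     than the PrivateKeyPassword attribute, whose default is the literal string
     "password". ClientAuthenticationRequired="1" makes connecting peers present
     a certificate that chains to TrustStoreDirectory. DHFile is optional. -->
<Link Name="FrontEndListener">
  <SSLParams API="OpenSSL"
             CertificateFile="/etc/multixtpm/tls/frontend-cert.pem"
             PrivateKeyFile="/etc/multixtpm/tls/frontend-key.pem"
             PrivateKeyPasswordFile="/etc/multixtpm/tls/frontend-key.pass"
             ClientAuthenticationRequired="1"
             TrustStoreDirectory="/etc/multixtpm/tls/trusted-clients"
             DHFile="/etc/multixtpm/tls/dhparams.pem" />
</Link>
```

The password file and private key should be readable only by the account running the Front End Process, since a readable key gives the same access as the certificate itself.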

Summary

As mentioned, SSL support is added at the lower level of the MultiX API, specifically in the CMultiXLink and CMultiXL2Link classes. This architecture implies that in a typical MultiXTpm Application Server environment, SSL handling is done in the "Front End Processes", that is, in different processes than those that handle the business logic.
From a performance perspective, when implementing a system on a single machine there is no advantage in performing the SSL processing in a different process than the business logic one. When implementing an SSL based system on more than one machine, however, MultiXTpm Application Server has a big advantage. Because all "Front End Processes" can be located on machine(s) of their own and all "Business Logic Processes" on different machines, the "Business Logic Processes" machine(s) can devote all their resources to the business logic. Since SSL processing is resource intensive, using MultiXTpm Application Server in SSL based systems makes these systems more scalable and more manageable, because it is always known where the resources go. In systems where SSL processing is linked into the application itself, it is not easy to figure out which part is taking most of the resources, and complicated profiling is required to find out. In a MultiXTpm Application Server environment it is always evident which processes and which machines carry the load, so one always knows which machine needs an upgrade, or what kind of machine should be added, when the system becomes overloaded.


Download information

MultiXTpm Application Server is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

MultiXTpm Application Server is distributed in source code format and it supports: Windows OS, Linux, Solaris and HP Nonstop Server OSS.

The source code is packed in a ZIP file and can be downloaded from SourceForge.net.

To access the download page at SourceForge.net, navigate to http://sourceforge.net/projects/multixtpm

Contact information

For more information, bug reports, feature requests, and support requests, please use one of the following:
  • SourceForge.net tracker
  • SourceForge.net Project Forums
  • MultiXTpm group at Yahoo Groups
  • or send an email to Moshe Shitrit