Services working together in a multi-server environment must be able to authenticate and trust one another.
- When using SSL to securely link servers, brokers, and proxies together, each link in the chain must trust the upstream link.
- It is best practice to use ticket-based authentication instead of password-based authentication. This means that each service user for each server in the chain must also have a valid login ticket for the upstream link in the chain. Ticket-based authentication is mandatory at Server security levels 4 (and higher).
Managing trust between services
The user that owns the server, broker, or proxy process is typically a service user (see p4 user in Helix Core Command-Line (P4) Reference). As the administrator, you must create a P4TRUST file for the service user by using the trust command. By default, a user's P4TRUST file resides in that user's home directory, with .p4trust as the file name.
Managing tickets between services
When linking servers, brokers, and proxies together, each service user must be a valid service user at the upstream link, and it must be able to authenticate with a valid login ticket.
To set up service authentication:
- Use p4 passwd to assign the service user a strong password.
- On the downstream server, use p4 login to log in to the master server as the newly created service user, and to create a login ticket for the service user that exists on the downstream server.
- Ensure that the P4TICKETS configurable for the downstream server is set correctly. This enables the downstream server to read the ticket file and check whether the service user is logged in to the upstream service.
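The trust and ticket prerequisites from the two sections above, as an added shell example that is not Perforce's own code: it checks a downstream service user's P4TRUST and P4TICKETS files for the upstream entry and prints the commands to run when either is missing. The upstream host, service user, server id, fingerprint and file paths are constructed placeholders; the one-entry-per-line file formats (host:port=fingerprint for P4TRUST, host:port=user:ticket for P4TICKETS) are assumed from the files p4 writes; and the p4 trust -i and p4 configure set server#P4TICKETS invocations are printed for review rather than executed.

```shell
#!/bin/sh
# Preflight check for a downstream Helix service user: does its P4TRUST file
# pin the upstream server's fingerprint, and does its P4TICKETS file hold a
# login ticket for the upstream? Added example, not Perforce's own code.
# Assumed on-disk formats (one entry per line):
#   P4TRUST  : host:port=fingerprint
#   P4TICKETS: host:port=user:ticket
# Every host, user, path and fingerprint below is a constructed placeholder.

UPSTREAM_HOSTPORT="upstream.example.com:1666"   # key used inside both files
UPSTREAM_PORT="ssl:${UPSTREAM_HOSTPORT}"         # P4PORT the downstream uses
SVC_USER="svc_edge"                              # service user on the upstream
DOWNSTREAM_ID="edge1"                            # server id of the downstream
# Fingerprint as recorded from the upstream's p4d -Gf output (placeholder value).
EXPECTED_FP="AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01"

# Constructed sample files standing in for the service user's real
# $HOME/.p4trust and $HOME/.p4tickets.
P4TRUST_FILE=$(mktemp)
P4TICKETS_FILE=$(mktemp)
cat > "$P4TRUST_FILE" <<EOF
${UPSTREAM_HOSTPORT}=${EXPECTED_FP}
EOF
cat > "$P4TICKETS_FILE" <<EOF
${UPSTREAM_HOSTPORT}=${SVC_USER}:0123456789ABCDEF0123456789ABCDEF
EOF

# 0 if FILE pins exactly FINGERPRINT for HOSTPORT. Fixed-string, whole-line
# match, so a fingerprint that merely shares a prefix does not pass.
trust_has_fingerprint() {
  grep -qxF "$2=$3" "$1"
}

# 0 if FILE holds a ticket for USER at HOSTPORT (host:port must match exactly,
# and the value must start with "user:").
ticket_present() {
  awk -F'=' -v hp="$2" -v u="$3" '
    $1 == hp && index($2, u ":") == 1 { ok = 1 }
    END { exit ok ? 0 : 1 }' "$1"
}

# Run both checks and print, for whichever fails, the commands to run as the
# service user (so the entries land in its own files). Returns 0 only when
# both pass. Nothing here calls p4; the commands are printed for review.
preflight() {
  status=0
  if trust_has_fingerprint "$P4TRUST_FILE" "$UPSTREAM_HOSTPORT" "$EXPECTED_FP"; then
    echo "trust:  ok ($UPSTREAM_HOSTPORT pinned to $EXPECTED_FP)"
  else
    echo "trust:  MISSING or mismatched fingerprint; run as $SVC_USER:"
    echo "  P4TRUST=$P4TRUST_FILE p4 -p $UPSTREAM_PORT trust -y -i $EXPECTED_FP"
    status=1
  fi
  if ticket_present "$P4TICKETS_FILE" "$UPSTREAM_HOSTPORT" "$SVC_USER"; then
    echo "ticket: ok ($SVC_USER has a ticket for $UPSTREAM_HOSTPORT)"
  else
    echo "ticket: MISSING; run as $SVC_USER, then point the downstream at the file:"
    echo "  P4TICKETS=$P4TICKETS_FILE p4 -p $UPSTREAM_PORT -u $SVC_USER login"
    echo "  p4 configure set ${DOWNSTREAM_ID}#P4TICKETS=$P4TICKETS_FILE"
    status=1
  fi
  return $status
}

preflight
```

Run it with P4TRUST_FILE and P4TICKETS_FILE pointed at the service user's real files (or run it as that user) before starting the downstream process; a mismatched fingerprint is reported as a failure rather than silently accepted, which is the behaviour you want when an upstream certificate has been rotated.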
When configured to accept SSL connections, all server processes (p4d, p4p, and p4broker) require a valid certificate and key pair.
To create a key pair:
- set the directory and permissions (see P4SSLDIR in Helix Core Command-Line (P4) Reference)
- generate the private key and certificate.txt files, and make a record of the key's fingerprint:
  - on the server, use p4d -Gc to create the key/certificate pair and p4d -Gf to display its fingerprint.
  - on the broker, use p4broker -Gc to create the key/certificate pair and p4broker -Gf to display its fingerprint.
  - on the proxy, use p4p -Gc to create the key/certificate pair and p4p -Gf to display its fingerprint.
You can also supply your own private key and certificate. See Using SSL to encrypt connections to a Helix Server.
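An added example for the key-pair steps above (not Perforce's own code): it prepares a P4SSLDIR, prints the -Gc and -Gf invocations for the chosen role, and checks that the directory and the generated files are locked down before the process is started. It assumes the permission rules stated in the P4SSLDIR reference (directory owned by the running account with mode 0700; privatekey.txt and certificate.txt mode 0600) and the privatekey.txt file name that -Gc produces; the temporary directory and its stand-in files are constructed for the demonstration, and the key-generation commands are printed rather than executed so the example runs without the binaries installed.

```shell
#!/bin/sh
# Prepare and verify a P4SSLDIR for a Helix server, broker or proxy, then show
# the -Gc/-Gf invocations for that role. Added example, not Perforce's own code.
# Assumed (from the P4SSLDIR reference, which this page only points to): the
# directory must be owned by the account that runs the process and be mode 0700,
# and the key and certificate files inside it must be mode 0600.

# 0 if DIR is owned by the current user and accessible only by that user.
ssldir_secure() {
  entry=$(ls -ld "$1") || return 1
  mode=$(printf '%s\n' "$entry" | cut -c1-10)
  owner=$(printf '%s\n' "$entry" | awk '{print $3}')
  [ "$mode" = "drwx------" ] && [ "$owner" = "$(id -un)" ]
}

# 0 if FILE exists and is readable/writable by its owner only.
keyfile_secure() {
  [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Create DIR with the required permissions (idempotent).
prepare_ssldir() {
  mkdir -p "$1" && chmod 700 "$1"
}

# Print the key-generation commands for ROLE (p4d, p4p or p4broker) against DIR:
# -Gc writes the key/certificate pair into P4SSLDIR, -Gf prints the fingerprint
# that every downstream trust file must record.
keygen_commands() {
  role=$1; dir=$2
  case "$role" in
    p4d|p4p|p4broker) ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  printf 'P4SSLDIR=%s %s -Gc\n' "$dir" "$role"
  printf 'P4SSLDIR=%s %s -Gf\n' "$dir" "$role"
}

# Full check of DIR once -Gc has run: directory and both files locked down.
ssldir_ready() {
  ssldir_secure "$1" \
    && keyfile_secure "$1/privatekey.txt" \
    && keyfile_secure "$1/certificate.txt"
}

# Demonstration on a constructed temporary directory standing in for the real
# P4SSLDIR. The two files are empty stand-ins for what -Gc would write.
DEMO_SSLDIR=$(mktemp -d)/ssl
prepare_ssldir "$DEMO_SSLDIR"
touch "$DEMO_SSLDIR/privatekey.txt" "$DEMO_SSLDIR/certificate.txt"
chmod 600 "$DEMO_SSLDIR/privatekey.txt" "$DEMO_SSLDIR/certificate.txt"
keygen_commands p4d "$DEMO_SSLDIR"
if ssldir_ready "$DEMO_SSLDIR"; then
  echo "P4SSLDIR $DEMO_SSLDIR: ok"
else
  echo "P4SSLDIR $DEMO_SSLDIR: permissions or files not as required" >&2
fi
```

Run prepare_ssldir as the account that will own the process, then the printed -Gc and -Gf commands, and finally ssldir_ready; record the -Gf fingerprint, because that is the value each downstream service user's trust file has to carry.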