Connecting services
Services working together in a federated environment must be able to authenticate and trust one another.
- When using SSL to securely link servers, brokers, and proxies together, each link in the chain must trust the upstream link.
- It is best practice (and mandatory at security level 4) to use ticket-based authentication instead of password-based authentication. This means that each service user for each server in the chain must also have a valid login ticket for the upstream link in the chain.
Managing trust between services
The user that owns the server, broker, or proxy process is typically a service user. As the administrator, you must create a P4TRUST file on behalf of the service user by using the p4 trust command. By default, a user's P4TRUST file resides in that user's home directory with .p4trust as the file name.
See the "Communicating port information" topic in the Helix Core Server Administrator Guide: Fundamentals.
Managing tickets between services
When linking servers, brokers, and proxies together, each service user must be a valid service user at the upstream link, and it must be able to authenticate with a valid login ticket. Follow these steps to set up service authentication:
- On the upstream server, use p4 user to create a user of type service, and p4 group to assign it to a group that has a long or unlimited timeout. Use p4 passwd to assign the service user a strong password.
- On the downstream server, use p4 login to log in to the master server as the newly-created service user, and to create a login ticket for the service user that exists on the downstream server.
- Ensure that the P4TICKETS variable is correctly set when the user (often a script or other automation tool) invokes the downstream service. This enables the downstream service to correctly read the ticket file and authenticate itself as the service user to the upstream service.
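A pre-flight check that ties the trust and ticket sections together, added here as an example and not taken from the Helix Core documentation: before a downstream broker, proxy, or server is started, confirm that the service user's P4TRUST and P4TICKETS files actually carry entries for the upstream link, so a misconfigured P4TICKETS path or a forgotten p4 trust shows up as a clear message rather than an authentication failure at startup. The line formats it parses (host:port=fingerprint in the trust file, host:port=user:ticketvalue in the tickets file, keyed without the ssl: prefix) and the default file names are assumptions to verify against your own installation; the fingerprint and ticket values in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the Helix Core documentation): pre-flight check run
# as the service user before starting a downstream broker, proxy or server.
#
# Assumptions, not stated on the page: both files hold one entry per line and
# are keyed by host:port without the ssl: prefix; a trust line is
# "host:port=fingerprint" and a ticket line is "host:port=user:ticketvalue".

# Reduce a P4PORT such as ssl:upstream.example.com:1666 to its host:port key.
port_key() {
    printf '%s\n' "$1" | sed 's/^ssl://'
}

# Return 0 if trust file $1 has a fingerprint recorded for upstream port $2.
has_trust_entry() {
    [ -r "$1" ] || return 1
    awk -F= -v key="$(port_key "$2")" \
        '$1 == key { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if tickets file $1 has a ticket for service user $3 at upstream port $2.
has_ticket_for() {
    [ -r "$1" ] || return 1
    awk -v prefix="$(port_key "$2")=$3:" \
        'index($0, prefix) == 1 { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# preflight UPSTREAM_P4PORT SERVICE_USER [TRUST_FILE] [TICKETS_FILE]
# Files default to P4TRUST / P4TICKETS, then to the home-directory defaults.
# Returns 0 when every required entry is present, 1 otherwise, naming what is missing.
preflight() {
    upstream=$1
    svc_user=$2
    trust_file=${3:-${P4TRUST:-$HOME/.p4trust}}
    tickets_file=${4:-${P4TICKETS:-$HOME/.p4tickets}}
    status=0

    # A trust entry is only required when the upstream link is an SSL port.
    case $upstream in
        ssl:*)
            if ! has_trust_entry "$trust_file" "$upstream"; then
                echo "missing: no fingerprint for $upstream in $trust_file (run p4 trust as $svc_user)"
                status=1
            fi ;;
    esac

    if ! has_ticket_for "$tickets_file" "$upstream" "$svc_user"; then
        echo "missing: no ticket for $svc_user at $upstream in $tickets_file (run p4 login as $svc_user)"
        status=1
    fi
    return $status
}

# Demo with constructed files; the fingerprint and ticket values are made up.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'upstream.example.com:1666=AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01' > "$dir/trust"
    printf '%s\n' 'upstream.example.com:1666=svc_broker:0123456789ABCDEF0123456789ABCDEF' > "$dir/tickets"
    preflight ssl:upstream.example.com:1666 svc_broker "$dir/trust" "$dir/tickets" && echo "ok: svc_broker is ready"
    preflight ssl:upstream.example.com:1666 svc_proxy "$dir/trust" "$dir/tickets" || echo "svc_proxy is not ready"
    rm -rf "$dir"
}

demo
```

In a startup wrapper, call preflight with the downstream service's P4TICKETS exported exactly as the service itself will see it, so the check exercises the same environment the page's third step depends on.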
Managing SSL key pairs
When configured to accept SSL connections, all server processes (p4d, p4p, p4broker) require a valid certificate and key pair on startup.
The process for creating a key pair is the same as it is for any other server: set P4SSLDIR to a valid directory with valid permissions, and use the following commands to generate pairs of privatekey.txt and certificate.txt files, and make a record of the key's fingerprint.
- Server: use p4d -Gc to create the key/certificate pair and p4d -Gf to display its fingerprint.
- Broker: use p4broker -Gc to create the key/certificate pair and p4broker -Gf to display its fingerprint.
- Proxy: use p4p -Gc to create the key/certificate pair and p4p -Gf to display its fingerprint.
You can also supply your own private key and certificate. See "Using SSL to encrypt connections to a Helix Server" in Helix Core Server Administrator Guide: Fundamentals.
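The key-pair procedure above as one script, added here as an example and not taken from the Helix Core documentation: it prepares P4SSLDIR, refuses to reuse a directory whose permissions would expose privatekey.txt to other users, and then runs the -Gc and -Gf commands for whichever of the three binaries is named. The page says only "valid permissions"; treating that as owner-only access (mode 0700) is this example's assumption, as is the choice to fail rather than silently tighten an existing directory.

```shell
#!/bin/sh
# Added example (not from the Helix Core documentation): prepare P4SSLDIR and
# generate the certificate/key pair for one service binary, printing the
# fingerprint so it can be recorded and handed to downstream administrators.
#
# Assumption: the SSL directory should be private to the service user
# (mode 0700); the page itself says only "valid permissions".

# prepare_p4ssldir DIR: create DIR with owner-only access, or refuse an existing
# directory whose mode grants any access to group or others.
prepare_p4ssldir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    # First ten characters of ls -ld are the type and permission bits.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        drwx------) return 0 ;;
        *) echo "refusing $dir: permissions are $mode, expected drwx------" >&2
           return 1 ;;
    esac
}

# generate_pair KIND DIR: KIND is p4d, p4broker or p4p. Runs KIND -Gc to create
# privatekey.txt and certificate.txt in DIR, then KIND -Gf to print the fingerprint.
# Exit codes: 1 directory or generation problem, 2 unknown KIND, 3 KIND not on PATH.
generate_pair() {
    kind=$1
    dir=$2
    case $kind in
        p4d|p4broker|p4p) ;;
        *) echo "unknown service kind: $kind (expected p4d, p4broker or p4p)" >&2
           return 2 ;;
    esac
    prepare_p4ssldir "$dir" || return 1
    command -v "$kind" >/dev/null 2>&1 || { echo "$kind not on PATH" >&2; return 3; }
    P4SSLDIR=$dir "$kind" -Gc || return 1
    P4SSLDIR=$dir "$kind" -Gf
}

# Usage: sh generate_pair.sh p4broker /path/to/ssldir > broker-fingerprint.txt
if [ $# -eq 2 ]; then
    generate_pair "$1" "$2"
fi
```

Run it as the service user that will own the process, since the resulting directory and key are readable only by that owner; the captured fingerprint is what downstream administrators compare against when they run p4 trust.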