Access Secure Programs Using HTTPS
It is possible to connect to a secure server instance by simply using an HTTPS address
when calling feval().
The resulting connection will be encrypted, but not secure. Neither party performs any authentication. Neither can determine if it is communicating with a valid actor or a malignant actor.
To establish a secure connection you must:
install valid certificate authorities for server instance authentication
configure your client application code to use the installed certificate authorities to authenticate the server instance
To ensure an added level of security, you can also verify the server instance host name against the certificate common name.
These steps allow your client to ensure that it is communicating with a valid MATLAB® Production Server™ instance.
In environments where server instances require client authentication, you need to:
Configure the client's environment for SSL.
Make a secure request.
Make a secure request using client authentication.
Configure the Client’s Environment for SSL
At a minimum the client requires the server's root CA (Certificate Authority) in one of the application's certificate stores.
To connect to a server that requires client-side authentication, the client needs a signed certificate in one of the application's certificate stores.
To manage the certificate authorities and certificates on the client machine, use OpenSSL.
Make a Secure Request
To configure your client to authenticate server instances you need to add the following to the client runtime configuration:
server root CA
private key
If the private key is encrypted, you also need to provide the private key password. After adding the necessary information to the client runtime configuration, verify that the client authenticates the server instance.
In addition to the minimum requirements you can also specify:
certificate revocation list to check against
if the client needs to verify the server instance hostname against the certificates common name
You do this using setters on the mpsClientRuntime
structure:
setClientCertFile(mpsClientConfig* sslCfg, const char* cert_file)specifies the client certificatesetPrivateKeyFile(mpsClientConfig* sslCfg, const char* pkFile)specifies the private keysetPrivateKeyPasswd(mpsClientConfig* sslCfg, const char* passwd)specifies the private key passwordsetCAFile(mpsClientConfig* sslCfg, const char* caFile)specifies the certificate authoritysetRevocationListFile(mpsClientConfig* sslCfg, const char* crlFile)specifies the certificate revocation listsetVerifyHost(mpsClientConfig* sslCfg, mpsLogical verifyHost)specifies if the client verifies the server instance hostnamesetVerifyPeer(mpsClientConfig* sslCfg, mpsLogical verifyPeer)specifies if the client authenticates the server instance
The following code configures the client to fully authenticate the server instance. It also configures the client to verify that the server instance hostname matches the certificate common name.
mpsClientRuntime* mpsruntime = mpsInitializeEx(MPS_CLIENT_1_1);
mpsClientConfig* config;
mpsStatus status1 = mpsruntime->createConfig(&config);
const std::string caFile("CERT_AUTH_FILE");
mpsruntime->setCAFile(config, caFile.c_str());
const std::string crlFile("CERT_REVOCATION_LIST_FILE");
mpsruntime->setRevocationListFile(config, crlFile.c_str());
mpsruntime->setVerifyHost(config, static_cast<mpsLogical>(true));
mpsruntime->setVerifyPeer(config, static_cast<mpsLogical>(true));
mpsClientContext* context;
status = mpsruntime->createContext(&context, config);
...
status = mpsruntime->feval(context,
"https://localhost:9911/addmatrix/addmatrix",
numOut, outVal, numIn, (const mpsArray **)inVal);
When the client attempts to evaluate the function, it will exchange certificates with the server instance. The client will verify the server instance certificate against the configured CA. If the certificate is valid, the client will then verify that the server instance hostname matches the common name stored in the server instance certificate. If either check fails, the connection is rejected.
If the server instance is configured to perform client authentication, the connection will also be rejected since the client is not configured with a valid certificate to exchange with the server instance.
Make a Secure Request Using Client Authentication
In some environments, server instances require that clients provide a certificate for authentication. To enable the client to connect with a server instance requiring client authentication:
set the client cert file property using the
setClientCertFile()setter of thempsClientRuntimestructure.Set the private key properties to access the client certificate.
const std::string certFile("CERTFILE");
mpsruntime->setClientCertFile(config, certFile.c_str());
const std::string pkFile("PRIVATE_KEY_FILE");
mpsruntime->setPrivateKeyFile(config, pkFile.c_str());
const std::string pkPass("PRIVATE_KEY_PASSWORD");
mpsruntime->setPrivateKeyPasswd(config, pkPass.c_str());
External Websites
You can also select a web site from the following list
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)
Asia Pacific
- Australia (English)
- India (English)
- New Zealand (English)
- 中国
- 日本Japanese (日本語)
- 한국Korean (한국어)