Perforce Public Knowledge Base - Migrating to SSL Server
Migrating to SSL Server

Problem

How can you gracefully migrate users to an SSL-enabled Perforce server?
 

Solution

To connect to an SSL-enabled server, both the server and the client software must be at Perforce release 2012.1 or later. To manage this transition, you can deploy the new SSL-enabled server together with the Perforce broker: the broker allows older clients to connect to the new SSL server, and lets you manage the change notification to your users after all client upgrades are completed.

SSL Server Connection Example

  1. Start P4D with SSL support:

    [server]$ p4d -p ssl:1666 -r {P4ROOT} -d
    
  2. Define the appropriate target server and alternate servers in the broker configuration:

    target  = ssl:1666;
    listen  = 1668;
    [...]
    
  3. Define this catch-all handler for all commands in the broker configuration (sslonly.conf):

    command: *
    {
        action  = filter;
        execute = "perl /path/to/sslonly.pl";
    }

  4. Add the following filter program at the path given above, making appropriate changes for your system:

    sslonly.pl

    #!/usr/bin/perl
    # Use the appropriate path to Perl in the preceding line
    #
    use strict;
    use warnings;
    use Data::Dumper;  # Can comment out this line if debug=0 (disabled)

    # Debug goes to Output file
    my $debug = 1;  # debug=1 is ON
    my ($D, $L);
    if ($debug) {
        open($D, '>', 'debug.out') or do { warn "debug.out: $!\n"; $debug = 0 };
    }
    #
    # Log ssl connection status to Output file
    my $log = 1;  # log=1 is ON
    if ($log) {
        open($L, '>>', 'ssl.out') or do { warn "ssl.out: $!\n"; $log = 0 };
    }

    # Must first read in all command details from STDIN
    # (lines that are not in "key: value" form are skipped)
    my %cmd_info = map { /^(.*?)\s*:\s*(.*)$/ ? ($1, $2) : () } <STDIN>;
    print $D Dumper(\%cmd_info) if $debug;

    # Missing fields get a default so the comparisons below stay well defined
    my $user     = $cmd_info{user}           // 'unknown';
    my $ip       = $cmd_info{clientIp}       // 'unknown';
    my $prog     = $cmd_info{clientProg}     // 'unknown';
    my $protocol = $cmd_info{clientProtocol} // 0;

    # New dictionary-like response format
    # client 2012.1 or later will be redirected to the sslserver
    if ($protocol > 70) {
        print "action: PASS\n";
        print "altserver: sslserver\n";
        print "message: * * * $user update to P4PORT=ssl:hostname:20121 for connecting to the SSL-enabled server!\n";
        print $L "message: $user uses $prog\@$ip is connected to SSL-enabled server via non-SSL broker!\n" if $log;
    } else {
        print "action: PASS\n";
        print "message: * * * $user please upgrade $prog\@$ip to 2012.1 or later for connecting to SSL-enabled server!\n";
        print $L "message: $user please upgrade $prog\@$ip to 2012.1 or later for connecting to SSL-enabled server!\n" if $log;
    }

    close($D) if $debug;
    close($L) if $log;
    exit(0);
    
  5. Start P4Broker to accept non-SSL connections:

    [broker]$ p4broker -c sslonly.conf -d
    
  6. Establish trust between P4Broker and P4D:

    [broker]$ p4 -p ssl:serverip:1666 trust -y
    
  7. Test with different Perforce client versions:

    Using 2010.2 or older clients

    [client]$ p4 -V
    Perforce - The Fast Software Configuration Management System.
    Copyright 1995-2011 Perforce Software.  All rights reserved.
    Rev. P4/DARWIN90U/2010.2/295040 (2011/03/14).
    
    [client]$ p4 -p brokerip:1668 info
    * * * bruno please upgrade p4@hostname to 2012.1 or later for connecting to SSL-enabled server!
    User name: bruno
    Client name: bruno_ws
    [...]
    Server address: serverip:1666
    Server root: .
    Server date: 2012/03/15 10:33:18 +1100 EST
    Server uptime: 01:09:30
    Server version: P4D/DARWIN90X86_64/2012.1/411339 (2012/02/01)
    ServerID: master-20121
    Server license: none
    Case Handling: insensitive
    Broker address: brokerip:20128
    Broker version: P4BROKER/DARWIN90X86_64/2012.1/411339
    

    Using 2012.1 or later p4 clients

    [client]$ p4 -V
    Perforce - The Fast Software Configuration Management System.
    Copyright 1995-2012 Perforce Software.  All rights reserved.
    This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit (http://www.openssl.org/)
    
    Version of OpenSSL Libraries: OpenSSL 1.0.0e 6 Sep 2011
    Rev. P4/DARWIN90X86_64/2012.1/411339 (2012/02/01).
    
    [client]$ p4 -p hostname:20128 info
    * * * bruno update to P4PORT=ssl:hostname:20121 for connecting to the SSL-enabled server!
    User name: bruno
    Client name: bruno_ws
    [...]
    Server address: hostname:20121
    Server root: .
    Server date: 2012/03/15 10:36:01 +1100 EST
    Server uptime: 01:12:13
    Server version: P4D/DARWIN90X86_64/2012.1/411339 (2012/02/01)
    Server encryption: encrypted
    ServerID: master-20121
    Server license: none
    Case Handling: insensitive
    Broker address: hostname:20128
    Broker version: P4BROKER/DARWIN90X86_64/2012.1/411339
    
  • Clients at 2012.1 or later update their P4PORT to connect to the SSL-enabled server directly

    [client]$ p4 -p ssl:serverip:1666 trust -y
    
    [client]$ p4 -p ssl:serverip:20121 info
    User name: bruno
    Client name: bruno_ws
    [...]
    Server address: hostname:20121
    Server root: .
    Server date: 2012/03/15 10:40:44 +1100 EST
    Server uptime: 01:16:56
    Server version: P4D/DARWIN90X86_64/2012.1/411339 (2012/02/01)
    Server encryption: encrypted
    ServerID: master-20121
    Server license: none
    Case Handling: insensitive
    

Note: Refer to Enable SSL Support for Server/Broker/Proxy for more details on establishing the SSL trust relationships.

For more background information, refer to Advanced Perforce administration in Chapter 3 of the System Administrator's Guide.
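
The filter in step 4 appends a line to ssl.out for every command that still arrives through the non-SSL broker port, so that log shows which users have not yet moved to a direct ssl: connection. The script below is an added example, not part of the original article or of Perforce's tooling, that summarises a log in that format; the sample log lines, user names and addresses are constructed, and it assumes user and client program names contain no spaces.

```shell
#!/bin/sh
# Added example: summarise ssl.out as written by sslonly.pl (step 4).
# Assumes user and client program names contain no spaces.

# broker_stragglers FILE
# Prints "<action> <user> <prog@ip>" per distinct user/client pair:
#   upgrade = client older than 2012.1, cannot use ssl: yet
#   repoint = SSL-capable client still using the non-SSL broker port
# The most recent log line for a pair wins.
broker_stragglers() {
    [ -r "$1" ] || return 2
    awk '
        $1 == "message:" && $3 == "please" && $4 == "upgrade" {
            state[$2 " " $5] = "upgrade"; next
        }
        $1 == "message:" && $3 == "uses" {
            state[$2 " " $4] = "repoint"; next
        }
        END { for (k in state) print state[k], k }
    ' "$1" | sort
}

# broker_can_retire FILE
# 0 = nothing in the log, 1 = clients still use the broker,
# 2 = log unreadable (treated as "do not retire").
broker_can_retire() {
    [ -r "$1" ] || return 2
    [ -z "$(broker_stragglers "$1")" ]
}

# Constructed sample log (users and addresses are made up).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
message: bruno please upgrade p4@10.1.1.20 to 2012.1 or later for connecting to SSL-enabled server!
message: alice uses p4@10.1.1.31 is connected to SSL-enabled server via non-SSL broker!
message: bruno uses p4@10.1.1.20 is connected to SSL-enabled server via non-SSL broker!
message: carol please upgrade p4v@10.1.1.44 to 2012.1 or later for connecting to SSL-enabled server!
EOF

broker_stragglers "$LOG"
broker_can_retire "$LOG" || echo "non-SSL broker listener is still in use"
```

The log lines carry no timestamp, so rotate ssl.out and run this over the current file only. An empty result for a whole reporting period means no client used the non-SSL listener during that period.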
