Perforce Public Knowledge Base - Configuring an SSL-enabled Proxy on Windows
Configuring an SSL-enabled Proxy on Windows

Problem
What must I do to enable 'SSL' for my Proxy? 
I'm using Windows, and plan to run my Perforce Proxy as a Windows Service.
Solution
You need to set at least one more environment variable (P4SSLDIR), change the Proxy's P4PORT to include the protocol 'ssl', and ensure that you have a valid certificate and key-pair (files called "certificate.txt" and "privatekey.txt") before you start the proxy.
You can provide your own certificates or get the proxy to generate these files for you; in either case, they should be in the directory identified by the P4SSLDIR variable set in the proxy's environment. 

Users connecting to this proxy need to use the 'new' P4PORT value (now with 'ssl:' at the start of the string) and need to use 'p4 trust' to establish trust with this proxy. If the server is also ssl-enabled, you also need to ensure there is a trust relationship between your proxy and the server.

As an example, the following instructions create a brand-new Windows Service called "Perforce Proxy SSL", add environment variables for this ssl-enabled proxy, then start the proxy and check the connection. Run these in an administrative command prompt on your Windows machine.

Here are my requirements:
  • my proxy must be ssl-enabled, and it must listen on port '2468' on the current machine;
  • the proxy cache will be in E:\proxyssl\cache;
  • Other related files will be stored in folders below "E:\proxyssl";
  • My server is listening on ssl:myServer:1666.

Create a new Windows Service using 'svcinst'. 
> svcinst create -n "Perforce Proxy SSL" -e "C:\Program Files\Perforce\Proxy\p4ps.exe"

Set the P4PORT and P4TARGET ports for the proxy: 
> p4 set -S "Perforce Proxy SSL" P4PORT=ssl:2468
> p4 set -S "Perforce Proxy SSL" P4TARGET=ssl:myServer:1666

Set the cache location, P4LOG and the location of the SSL files, making directories where needed: 
> p4 set -S "Perforce Proxy SSL" P4PCACHE=E:\proxyssl\cache
> mkdir E:\proxyssl\cache

> p4 set -S "Perforce Proxy SSL" P4LOG=E:\proxyssl\log

> p4 set -S "Perforce Proxy SSL" P4SSLDIR=E:\proxyssl\P4SSLDIR
> mkdir E:\proxyssl\P4SSLDIR

Use 'p4p -Gc' to generate the certificates, first setting P4SSLDIR in the current environment to ensure the certificates are written to the required location. 
> set P4SSLDIR=E:\proxyssl\P4SSLDIR
> "C:\Program Files\Perforce\Proxy\p4p.exe" -Gc

Check the files have been generated: 
> dir /s /b %P4SSLDIR%
E:\proxyssl\P4SSLDIR\certificate.txt
E:\proxyssl\P4SSLDIR\privatekey.txt

Set the location of the proxy's trust file (P4TRUST): 
> p4 set -S "Perforce Proxy SSL" P4TRUST=E:\proxyssl\p4trust

Set P4TRUST in the current environment, and build the trust between proxy and server: 
> set P4TRUST=E:\proxyssl\p4trust

> p4 -p ssl:myServer:1666 trust
The fingerprint of the server of your P4PORT setting
'ssl:myServer:1666' (10.1.0.76:1666) is not known.
That fingerprint is C9:E4:C9:76:E0:.....
Are you sure you want to establish trust (yes/no)? yes
Added trust for P4PORT 'ssl:myServer:1666' (10.1.0.76:1666)

Check the content of the P4TRUST file: 
> type %P4TRUST%
10.1.3.132:1666=**++**:C9:E4:C9:76:E0:.....

Remove the P4SSLDIR and P4TRUST settings in the current environment (no longer required):
> set P4SSLDIR=
> set P4TRUST=

Start the Windows Service (there are alternatives to 'net start'): 
> net start "Perforce Proxy SSL"
The Perforce Proxy SSL service is starting.
The Perforce Proxy SSL service was started successfully.

Create a trust relationship between the user and the Proxy: 
> p4 -p ssl::2468 trust
The fingerprint of the server of your P4PORT setting
'ssl::2468' (127.0.0.1:2468) is not known.
That fingerprint is 53:1A:47:74:5F:......
Are you sure you want to establish trust (yes/no)? yes
Added trust for P4PORT 'ssl::2468' (127.0.0.1:2468)

Check the connection using 'p4 info' - relevant info shown below. 
> p4 -p ssl::2468 info
Server address: myServer:1666
Server encryption: encrypted
Server cert expires: Apr 28 12:17:48 2016 GMT
...
Proxy address: myWorkstation:2468
Proxy encryption: encrypted
Proxy cert expires: Nov  5 11:46:00 2017 GMT
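
A check that can be run over captured 'p4 info' output to confirm that both hops report encryption and that neither certificate is expired or close to expiry. This is an added example, not part of the original article or of Perforce's tooling. The function names and the 30-day warning threshold are assumptions, the sample input is constructed from the fields shown above, and a missing or different "encryption" value is treated as a finding.

```python
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample: the 'p4 info' fields shown in this article.
SAMPLE_INFO = """\
Server address: myServer:1666
Server encryption: encrypted
Server cert expires: Apr 28 12:17:48 2016 GMT
Proxy address: myWorkstation:2468
Proxy encryption: encrypted
Proxy cert expires: Nov  5 11:46:00 2017 GMT
"""

def parse_info(text):
    """Turn 'Key: value' lines from 'p4 info' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_expiry(value):
    """Parse 'Nov  5 11:46:00 2017 GMT' without relying on the locale."""
    mon, day, clock, year, _tz = value.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), h, m, s,
                    tzinfo=timezone.utc)

def check_tls(text, now, warn_days=30):
    """Return findings for the server hop and the proxy hop (empty = OK)."""
    fields = parse_info(text)
    findings = []
    for hop in ("Server", "Proxy"):
        # Assumption: anything other than 'encrypted' is worth flagging.
        if fields.get(hop + " encryption") != "encrypted":
            findings.append(hop + ": connection not reported as encrypted")
        expires = fields.get(hop + " cert expires")
        if expires is None:
            findings.append(hop + ": no certificate expiry reported")
            continue
        left = parse_expiry(expires) - now
        if left < timedelta(0):
            findings.append(hop + ": certificate expired")
        elif left < timedelta(days=warn_days):
            findings.append(hop + ": certificate expires in %d days" % left.days)
    return findings
```

Feed it the text captured from 'p4 -p ssl::2468 info' together with the current UTC time, and alert on any non-empty result.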

If you have a proxy already installed and running, you need only complete a subset of the above commands. P4PORT will need to be adjusted to include 'ssl' as previously mentioned, but P4LOG, P4TARGET, and P4PCACHE should all be in place already, even if using default values. Check what is already configured, compare with the list below and adjust as required, having first stopped the proxy. 
 
> p4 set -S "Perforce Proxy SSL"
P4LOG=E:\proxyssl\log (set -S)
P4PCACHE=E:\proxyssl\cache (set -S)
P4PORT=ssl:2468 (set -S)
P4SSLDIR=E:\proxyssl\P4SSLDIR (set -S)
P4TARGET=ssl:myServer:1666 (set -S)
P4TRUST=E:\proxyssl\p4trust (set -S)

For more information about SSL, check Encrypting Connections to a Perforce Server; this includes some requirements for the files and folders involved. More general documentation on configuring the proxy can be found in the 'Multi-site Deployment' guide: Perforce Proxy 
Related Links
Perforce Proxy chapter in "Helix Versioning Engine Administrator Guide: Multi-site Deployment"
Encrypting Connections to a Perforce Server (Helix Versioning Engine Administrator Guide: Fundamentals)
