Perforce Public Knowledge Base - Enabling SSL Support for the Server/Broker/Proxy



Enabling SSL Support for the Server/Broker/Proxy




This article provides a simple step-by-step guide to enabling secure SSL connections among different Perforce components, including the Perforce server (P4D), the Perforce Broker (P4Broker), the Perforce Proxy (P4P), and the Perforce command line client (P4).


In the example procedure below, we will show how to enable SSL connections between different Perforce components, starting with the Perforce Server (P4D).

Note: To support SSL connections, each Perforce component must be at release 2012.1 or higher.

Enable SSL support for P4D, P4Broker, and P4P

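  1. Create the sslkeys directory, ensuring the user running the Perforce Server has access to it, then generate the key and certificate (p4d -Gc), display the certificate fingerprint (p4d -Gf), and start the server on an SSL port.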

    • On Linux:

      mkdir {P4ROOT}/sslkeys
      chmod 700 {P4ROOT}/sslkeys
      export P4SSLDIR={P4ROOT}/sslkeys
      p4d -Gc
      p4d -Gf
      p4d -p ssl::1666 -r {P4ROOT} -d
    • On Windows:

      Open a Windows command prompt as Administrator: right-click the Windows Command Prompt icon, select "Run as", then select "Administrator".

      mkdir C:\SSLKEYS

      Ensure this directory is accessible by the user who runs the Perforce service, then set P4SSLDIR, generate the certificate, and restart the service on the SSL port:

      p4 set P4SSLDIR="C:\SSLKEYS"
      p4d -Gc
      p4 set -S Perforce P4SSLDIR="C:\SSLKEYS" 
      p4 set -S Perforce P4PORT=ssl::1666
      p4 -p 1666 admin stop 
      net start perforce
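  2. Establish direct trust between P4D and a client. The -y flag accepts the fingerprint the server presents without prompting, so compare it against the output of p4d -Gf on the server: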

    p4 -p ssl:serverip_or_name:1666 trust -y

    Test the SSL connection to P4D directly. Look for "encrypted" in the output:

    p4 -p ssl:serverip_or_name:1666 -ztag info
  3. Configure the Perforce Broker to accept SSL connections:

    mkdir sslkeys
    chmod 700 sslkeys
    export P4SSLDIR="$PWD/sslkeys"
    p4broker -Gc
    p4broker -Gf

    An example of a simple pass-through Perforce Broker configuration file, with SSL support enabled, looks similar to this:

    target		= ssl:localhost:1666;
    listen 		= ssl::1668;
    zeroconf	= false;
    server-name	= "A unique name for your Perforce server";
    server-desc	= "Some telling text to inform users.  See 'p4 help browse'.";
    directory 	= /Users/Perforce/broker;
    logfile 	= broker.log;
    debug-level 	= server=3;
    admin-name 	= "Perforce Admins";
    admin-phone 	= 999/911;
    admin-email 	=;

    Establish a trust relationship between the server and broker on the broker machine:

    p4 -p ssl:localhost:1666 trust -y

    Try the SSL connection from the broker machine:

    p4 -p ssl:localhost:1668 trust -y

    Establish a trust relationship between the broker and client on a client machine:

    p4 -p ssl:brokerip_or_name:1668 trust -y

    Try out the SSL-enabled broker and SSL-enabled server connections:

    p4 -p ssl:brokerip_or_name:1668 info
  4. Configure Perforce Proxy to accept SSL connections:

    • On Linux:

      mkdir sslkeys
      chmod 700 sslkeys
      export P4SSLDIR="$PWD/sslkeys"
      p4p -Gc
      p4p -Gf
      p4p -p ssl::1667 -t ssl:brokerip_or_master:1668 -r ./p4pcache -v 3 -L proxy.log

    • On Windows:

      mkdir C:\SSLKEYS
      p4 set P4SSLDIR=C:\SSLKEYS
      p4p.exe -Gc
      p4p.exe -Gf
      p4 set -S "Perforce Proxy" P4PORT=ssl::1667
      p4 set -S "Perforce Proxy" P4LOG=proxy.log
      p4 set -S "Perforce Proxy" P4TARGET=ssl:master:1666
      p4 set -S "Perforce Proxy" P4PCACHE="C:\Program Files\Perforce\Proxy"
      p4 set -S "Perforce Proxy" P4SSLDIR="C:\SSLKEYS"
      p4 set -S "Perforce Proxy"

      Next, find the Perforce Proxy service, right-click it, and select Properties. Click the "Log On" tab and log on with "This account" instead of "Local System account".

    Note that an SSL connection from the client (shown as ssl::1667) is optional. You can also have a non-SSL connection between your client and proxy. The p4pcache and proxy.log arguments can each be given as a full or relative path.

    For example, from a Windows command prompt, the clients connect unencrypted to the proxy, but the connection to the master is encrypted.

    p4p -p 1670 -t ssl:master:1666 -r .\p4pcache -v 3 -L proxy.log

    Establish trust between the Proxy or Broker and the master:

    p4 -p ssl:master:1666 trust -y

    With a Windows service, you must first set the service to log on to your account so you can establish trust. Find the "Perforce Proxy" or broker service under Services, then right-click it and select Properties. Select the Log On tab, and change "Local System Account" to "This account". Browse to your user name. Now you can open a "Run as administrator" command prompt and establish trust between the Proxy and the master machine. Then stop and restart the Perforce Proxy or Broker.

    Establish trust between the proxy and client machine:

    p4 -p ssl:broker_or_proxy:1668 trust -y

    Test the proxy's SSL-enabled connections on the client machine and look for "Proxy" and "encrypted" in the output:

    p4 -p ssl:proxyip_or_name:1667 -ztag info


  5. Clean up the trust relationships on the client machine that are no longer needed:

    p4 -p ssl:brokerip_or_name:1668 trust -d
    p4 -p ssl:serverip_or_name:1666 trust -d
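
The trust steps above use p4 trust -y, which stores whatever fingerprint the endpoint presents. The script below is an added example, not part of the original article: it checks that the fingerprint a client has stored for an endpoint equals the one that endpoint prints with -Gf. The "Fingerprint: ..." and "address:port fingerprint" line formats, the function names, and all sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a fingerprint accepted with "p4 trust -y"
# is the one the server itself reports with "p4d -Gf".

# Uppercase a fingerprint and drop everything except hex digits, so
# "ab:cd" and "AB CD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | tr -cd '0-9A-F'
}

# Pull the fingerprint out of -Gf output.
# Assumed line format: "Fingerprint: AA:BB:..."
server_fp() {
    printf '%s\n' "$1" | sed -n 's/^[Ff]ingerprint: *//p' | head -n 1
}

# Find the fingerprint stored for address:port in "p4 trust -l" output.
# Assumed line format: "address:port fingerprint", one entry per line.
trusted_fp() {
    printf '%s\n' "$1" | awk -v hp="$2" '$1 == hp { print $2; exit }'
}

# Succeed only when both fingerprints exist and are identical (fails closed).
fp_matches() {
    want=$(normalize_fp "$(server_fp "$1")")
    have=$(normalize_fp "$(trusted_fp "$2" "$3")")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed sample data, not output from a real server. In real use:
# GF_OUTPUT=$(p4d -Gf) on the server, TRUST_LIST=$(p4 trust -l) on the client.
GF_OUTPUT='Fingerprint: 3A:7F:10:C2:9B:44:E1:0D:5C:88:21:F6:B0:6E:93:4A:D7:15:C9:02'
TRUST_LIST='192.0.2.10:1666 3a:7f:10:c2:9b:44:e1:0d:5c:88:21:f6:b0:6e:93:4a:d7:15:c9:02
192.0.2.20:1668 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

for endpoint in 192.0.2.10:1666 192.0.2.20:1668; do
    if fp_matches "$GF_OUTPUT" "$TRUST_LIST" "$endpoint"; then
        echo "$endpoint: trusted fingerprint matches the server"
    else
        echo "$endpoint: mismatch or no entry, do not use this trust record"
    fi
done
```

If the check fails, remove the stored entry with p4 trust -d and install the verified value with p4 trust -i followed by the fingerprint.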


  • Deciding which connections should be encrypted is the responsibility of the Perforce Administrator.

  • If you are considering migrating to SSL Perforce connections, please consult the article "Migrating to SSL Server".


  • If you see

      Remove SSL protocol prefix from P4PORT

    but the log shows

      Client must add SSL protocol prefix to P4PORT.

    then make sure the firewall is not blocking UDP.
