Perforce Public Knowledge Base - Enabling SSL Support for the Server/Broker/Proxy
Problem

This article provides a simple step-by-step guide to enabling secure SSL connections among different Perforce components, including the Perforce server (P4D), the Perforce Broker (P4Broker), the Perforce Proxy (P4P), and the Perforce command line client (P4).

Solution

In the example procedure below, we will show how to enable SSL connections between different Perforce components, starting with the Perforce Server (P4D).

Note: To support SSL connections, each Perforce component must be at release 2012.1 or higher.

Enable SSL support for P4D, P4Broker, and P4P

  1. Create the sslkeys directory, ensuring the user running the Perforce Server has access to this directory.

    • On Linux:

      mkdir {P4ROOT}/sslkeys
      
      chmod 700 {P4ROOT}/sslkeys
      
      export P4SSLDIR={P4ROOT}/sslkeys
      
      p4d -Gc
      
      p4d -Gf
      
      p4d -p ssl::1666 -r {P4ROOT} -d
      
      
    • On Windows:

      Open a Windows command prompt as Administrator: right-click the Windows Command Prompt icon, select "Run as", then select "Administrator".

      mkdir C:\SSLKEYS
      
      

      Ensure this directory is accessible by the user who runs the Perforce service:

      p4 set P4SSLDIR="C:\SSLKEYS"
         
      p4d -Gc
      
      p4 set -S Perforce P4SSLDIR="C:\SSLKEYS" 
       
      p4 set -S Perforce P4PORT=ssl::1666
      
      p4 -p 1666 admin stop 
      
      net start perforce
      
  2. Establish the direct trust between the P4D and a client:

    p4 -p ssl:serverip_or_name:1666 trust -y
    
    

    Test the SSL connection to P4D directly. Look for "encrypted" in the output:

    p4 -p ssl:serverip_or_name:1666 -ztag info
    
    
  3. Configure the Perforce Broker to accept SSL connections:

    mkdir sslkeys
    
    chmod 700 sslkeys
    
    p4broker -Gc
    
    p4broker -Gf
    
    

    An example of a simple pass-through Perforce Broker configuration file, with SSL support enabled, looks similar to this:

    target		= ssl:localhost:1666;
    listen 		= ssl::1668;
    zeroconf	= false;
    server-name	= "A unique name for your Perforce server";
    server-desc	= "Some telling text to inform users.  See 'p4 help browse'.";
    directory 	= /Users/Perforce/broker;
    logfile 	= broker.log;
    debug-level 	= server=3;
    admin-name 	= "Perforce Admins";
    admin-phone 	= 999/911;
    admin-email 	= perforce-admins@example.com;
    
    

    Establish a trust relationship between the server and broker on the broker machine:

    p4 -p ssl:localhost:1666 trust -y
    
    

    Try the SSL connection from the broker machine:

    p4 -p ssl:localhost:1668 trust -y
    
    

    Establish a trust relationship between the broker and client in a client machine:

    p4 -p ssl:brokerip_or_name:1666 trust -y
    
    

    Try out the SSL enabled broker and SSL enabled server connections:

    p4 -p ssl:brokerip_or_name:1666 info
    
    
  4. Configure Perforce Proxy to accept SSL connections:

    mkdir sslkeys
    chmod 700 sslkeys
    p4p -Gc
    p4p -Gf
    
    

    Start P4P so it accepts SSL connections.

    p4p -p ssl::1667 -t ssl:brokerip_or_name:1668 -r p4pcache -v 3 -L proxy.log -d
    

    Note that an SSL connection from the client (shown as ssl::1667) is optional. You can also have a non-SSL connection between your client and proxy, as in the command below. The p4pcache and proxy.log names can each be given as a full or relative path.

    p4p -p proxyip_or_name:1667 -t ssl:brokerip_or_name:1668 -r p4pcache -v 3 -L proxy.log -d


    Establish trust between Proxy and Broker in the Proxy machine:

    p4 -p ssl:brokerip_or_name:1668 trust -y
    
    

    Establish trust between the proxy and client machine:

    p4 -p ssl:brokerip_or_name:1668 trust -y
    
    

    Test the proxy's SSL-enabled connections on the client machine and look for "Proxy" and "encrypted" in the output:

    p4 -p ssl:proxyip_or_name:1667 -ztag info
    
    
  5. Clean up the trust relationships on the client machine that are no longer needed:

    p4 -p ssl:brokerip_or_name:1668 trust -d
    
    p4 -p ssl:serverip_or_name:1668 trust -d
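
The trust commands in steps 2 to 4 use `trust -y`, which accepts whatever key the peer presents on first contact. As an added example (not part of the original article and not Perforce's code), the script below compares the fingerprint printed on the server by `p4d -Gf` with the one a client was shown, and prints a `p4 trust -i` command that pins it. The function names, the sample fingerprints and the assumed text layout around them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. All sample values are constructed.

# Pull the first colon-separated hex fingerprint out of free text and
# upper-case it. Assumption: at least 16 byte pairs (a SHA-1 digest has 20).
extract_fp() {
    printf '%s\n' "$1" |
        grep -Eo '([0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}' |
        head -n 1 | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both texts contain a fingerprint and the two are identical.
fp_matches() {
    fp_a=$(extract_fp "$1")
    fp_b=$(extract_fp "$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Print (do not run) the command that pins a server-side fingerprint on a
# client, so an operator can review it first. Returns 2 if the port lacks
# the ssl: prefix, 1 if no fingerprint could be parsed.
pin_command() {
    case "$1" in ssl:*) ;; *) return 2 ;; esac
    fp=$(extract_fp "$2")
    [ -n "$fp" ] || return 1
    printf 'p4 -p %s trust -i %s\n' "$1" "$fp"
}

# Constructed samples: text copied from `p4d -Gf` on the server, and the
# fingerprint a client was shown for the same port (layout is assumed).
SERVER_GF='Fingerprint: 7A:10:F6:00:95:87:5B:2E:1F:33:91:AC:0B:4D:C8:62:D4:E9:58:03'
CLIENT_SEEN='fingerprint shown: 7a:10:f6:00:95:87:5b:2e:1f:33:91:ac:0b:4d:c8:62:d4:e9:58:03'
CLIENT_BAD='fingerprint shown: 7a:10:f6:00:95:87:5b:2e:1f:33:91:ac:0b:4d:c8:62:d4:e9:58:04'

if fp_matches "$SERVER_GF" "$CLIENT_SEEN"; then
    pin_command ssl:serverip_or_name:1666 "$SERVER_GF"
else
    echo "fingerprint mismatch: do not trust this connection" >&2
fi
```

Obtain the server-side fingerprint over a channel other than the connection being trusted, for example from the administrator who ran `p4d -Gf`.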
    

Notes:

  • Deciding which connections should be encrypted is the responsibility of the Perforce Administrator.

  • If you are considering migrating to SSL Perforce connections, please consult the article "Migrating to SSL Server".

  • If you see

    WARNING P4PORT IDENTIFICATION HAS CHANGED!

    Remove SSL protocol prefix from P4PORT

    but the log shows

    Client must add SSL protocol prefix to P4PORT.

    then make sure the firewall is not blocking UDP.
