Perforce Public Knowledge Base - Setting up a Sidetrack server for SSL and non-SSL connections
 
Problem
How do I set up both a non-SSL connection for internal users and an SSL connection for external users?

How do I set up a connection using different server configurables?
Solution
You can use a "side-track" server, a second p4d process that uses the same Perforce database as the main server, so that the database is served on two ports. For example, you may have internal users connecting to a non-SSL port for improved performance, and external users connecting to an SSL port for security.

For example, say the main Perforce server runs on P4PORT "gabriel:1666". On the same machine, one can then start up a side-track server on P4PORT "gabriel:1777" with this command:
 
p4d -p gabriel:1777

Be sure all other Perforce server configuration variables, including P4PORT, are set the same as the main server settings, or include them on the p4d command line.

To clarify, the side-track server operates against the main Perforce database files. In other words, the side-track server shares the same Perforce server root (P4ROOT) and the same journal file. If the side-track server used a different P4ROOT location, it would be a different server entirely.

Similarly, if a separate journal location was specified for the side-track server, then two journal files would exist, each recording different transactions against the same server. However, only the journal file associated with the main server is ever truncated in a checkpoint operation of the main server. Although the resultant checkpoint will be complete, the associated journal file will not be (it will be missing whatever was recorded in the other journal). Whichever journal was not truncated will continue to grow. Therefore, do not attempt to specify a separate journal file location when configuring and starting a side-track server.  Using a separate log file for recording errors from the side-track server can be useful for diagnostic purposes.


The side-track server should pick up the P4ROOT and P4JOURNAL environment variable values from the main Perforce server. Log entries for it can be sent to either the main Perforce server log (P4LOG) or to a separate log file, by specifying it in the side-track server command invocation. For example:
 

 
p4d -p gabriel:1777 -L p4sidetrack.log

On the client side, one can redirect requests on-the-fly to the side-track server by using the global -p flag with p4 commands to change the Perforce port setting for that command. For example:

p4 -p gabriel:1777 diff -se
 

SSL / non-SSL Example

You can use a sidetrack server to run Perforce with SSL and non-SSL simultaneously. Internal users may connect through one port using the standard non-SSL connection.
 
1. Set up a sidetrack server on the Perforce master on port 2666
 
There is no need for downtime.
 
On the master server, start Perforce with ssl and the -f flag
 
A. Make an sslkeys directory
 
mkdir sslkeys

B. Change the sslkeys permissions so that only the account that runs p4d can access the directory
 
chmod 700 sslkeys

C. Create the P4SSLDIR variable
 
export P4SSLDIR=/home/bruno/20131/sslkeys

D. Generate a private key and certificate
 
./p4d -Gc

E. Display the fingerprint of the public key
 
./p4d -Gf

F.  Start a Perforce sidetrack server on port 2666 with the -f flag

This sidetrack server will use the same Perforce db files as the master p4d. Note that there is no requirement to use the p4d -f flag; the command below uses -d to run the server as a daemon.
 
./p4d -p ssl::2666 -r `pwd` -J journal -d

G. Check that users have connectivity to the sidetrack server

Note ssl in "-p ssl:perforce:2666"
 
[bruno@gabriel perl_proj]$ p4 -p ssl:perforce:2666 info
User name: bruno
Client name: my_workspace
Client host: gabriel
Client root: /home/bruno/my_workspace
Current directory: /home/bruno/my_workspace/main/release1/perl_proj
Peer address: 127.0.0.1:41255
Client address: 127.0.0.1
Server address: perforce:2666
Server root: /home/bruno/20131
Server date: 2013/10/03 13:15:22 -0700 PDT
Server uptime: 00:24:37
Server version: P4D/LINUX26X86_64/2013.1/710548 (2013/09/20)
Server encryption: encrypted
Server cert expires: Oct 3 19:21:42 2015 GMT
Server license: Perforce Software 10000 users (expires 2013/12/31)
Server license-ip: 10.20.0.123
Case Handling: sensitive

H. Check that users have connectivity through non-SSL
 
Internal users will not be using SSL.
Note there is no ssl in "-p perforce:1666"
 
[bruno@gabriel perl_proj]$ p4 -p perforce:1666 info
User name: bruno
Client name: my_workspace
Client host: gabriel
Client root: /home/bruno/my_workspace
Current directory: /home/bruno/my_workspace/main/release1/perl_proj
Peer address: 127.0.0.1:34326
Client address: 127.0.0.1
Server address: perforce:1666
Server root: /home/bruno/20131
Server date: 2013/10/03 13:16:11 -0700 PDT
Server uptime: 24:36:19
Server version: P4D/LINUX26X86_64/2013.1/710548 (2013/09/20)
Server license: Perforce Software 10000 users (expires 2013/12/31)
Server license-ip: 10.20.0.123
Case Handling: sensitive

I. Change your firewall so external users cannot connect to perforce:1666.
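
The checks from steps B, G and H can be scripted. The following is an added example, not Perforce's own code: it confirms that the P4SSLDIR directory and its key files are readable by their owner only, and classifies a port as encrypted or plaintext from its `p4 info` output. It assumes p4d -Gc wrote privatekey.txt and certificate.txt into P4SSLDIR and that the required modes are 700/500 for the directory and 600/400 for the files; the function names and sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not Perforce's code): checks to run after steps A-I.

# mode_of PATH: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ssldir_ok DIR: succeed only if DIR is owner-only (700 or 500) and the key
# material in it (assumed names: privatekey.txt, certificate.txt) is 600 or 400.
ssldir_ok() {
    case "$(mode_of "$1")" in 700|500) ;; *) return 1 ;; esac
    for f in "$1/privatekey.txt" "$1/certificate.txt"; do
        [ -f "$f" ] || return 1
        case "$(mode_of "$f")" in 600|400) ;; *) return 1 ;; esac
    done
}

# port_encryption: read `p4 info` output on stdin and print "encrypted" when
# the server reported "Server encryption: encrypted", otherwise "plaintext".
port_encryption() {
    if grep -q '^Server encryption: encrypted$'; then
        echo encrypted
    else
        echo plaintext
    fi
}

# live_port_encryption PORT: the same check against a running server,
# e.g. live_port_encryption ssl:perforce:2666
live_port_encryption() {
    p4 -p "$1" info | port_encryption
}

# Constructed samples, trimmed to the shape of the output in steps G and H.
SSL_INFO='Server address: perforce:2666
Server encryption: encrypted
Server cert expires: Oct 3 19:21:42 2015 GMT'
PLAIN_INFO='Server address: perforce:1666
Server license-ip: 10.20.0.123'

# Offline demonstration on the samples; use live_port_encryption on a real host.
echo "2666: $(printf '%s\n' "$SSL_INFO" | port_encryption)"
echo "1666: $(printf '%s\n' "$PLAIN_INFO" | port_encryption)"
```

Any port reachable from outside the firewall should report "encrypted"; the plaintext port should answer only from internal addresses once step I is in place.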

 
2. Optional: Set up a broker at the remote location on port 1668
 
You can have external users connect without SSL through an SSL-enabled P4Broker.
 
On the broker machine, set up ssl connectivity

A. Configure broker.conf

Note that the broker port is 1668.
 
target = ssl:perforce:2666;
listen = ssl::1668;
zeroconf = false;
server-name = "Broker";
server-desc = "Broker server for Perforce";
directory = /home/bruno/broker;
logfile = /home/bruno/broker/broker.log;
debug-level = server=3;
admin-name = "Perforce Admins";
admin-phone = 510-123-1666;
admin-email = bruno@perforce.com;

B. Set up ssl connectivity in P4Broker to the sidetrack server
 
cd P4BrokerRoot
mkdir sslkeys
cd sslkeys
export P4SSLDIR=/home/bruno/broker/sslkeys
./p4broker -Gc
./p4broker -Gf
p4 -p ssl:perforce:2666 trust -Y

C. Configure external users to connect through the broker port 1668
 
Note that the client is NOT using ssl in "-p gabriel:1668".

However, there is SSL connectivity between the broker and the
Perforce server. This is why the broker is at the end user's site.
 
[bruno@gabriel broker]$ p4 -p gabriel:1668 info
User name: bruno
Client name: broker
Client host: gabriel
Client root: /home/bruno/broker
Current directory: /home/bruno/broker
Peer address: 127.0.0.1:41218
Client address: 127.0.0.1
Server address: perforce:2666
Server root: /home/bruno/20131
Server date: 2013/10/03 12:56:32 -0700 PDT
Server uptime: 00:05:47
Server version: P4D/LINUX26X86_64/2013.1/710548 (2013/09/20)
Server encryption: encrypted
Server cert expires: Oct 3 19:21:42 2015 GMT
Server license: Perforce Software 10000 users (expires 2013/12/31)
Server license-ip: 10.20.0.123
Case Handling: sensitive
Broker address: gabriel:1668
Broker version: P4BROKER/LINUX26X86_64/2012.1/473528


Configurables Example

A sidetrack server can also be configured with different configurables (tunables) for testing or performance reasons. This is covered in material from the 2010 Perforce Users Conference: see Performance Conference Videos, click the 2010 Conference tab, and choose the White Paper in Perforce Tunables.