p4 trust
Establish trust of an SSL connection to a Perforce service.
If you have not yet established trust with your server, use the p4 trust -h
command to get help for the
server. You must do this
because the command is implemented on the client rather than the server.
When a command begins with p4 help, the client forwards it
to the server to construct the text of what is displayed on the client
machine.
In the case of the trust command, the client might not trust the
server to send any commands to it, so the help must begin with p4
trust
to get it serviced locally by the client rather than have
it forwarded to the server.
Syntax
p4 [g-opts] trust [-l -y -n -d -f -r] [-i fingerprint]
Description
Use p4 trust
to manage the P4TRUST
file. By default, the .p4trust
is in your home directory. This file establishes and manages
the trust of an SSL connection.
The trust file contains the fingerprints of the keys received for SSL
connections. When you first connect to a
Helix Core service, you are prompted with its fingerprint. If the fingerprint is
correct, you can use p4 trust
to add the service’s
fingerprint to your trust file. If the fingerprint changes or expires,
subsequent attempts to connect to that service result in warning or
error messages.
Your system administrator can help you confirm the accuracy of any fingerprint provided to you by a Helix Core service.
Only after you have added an SSL-enabled Helix Core service to your P4TRUST
file can
you connect to it by setting P4PORT
to ssl:
.hostname
:port
SSL connections that do not require P4TRUST
2021.2 and later: P4TRUST is no longer required for SSL connections where the server provides a certificate that can be verified using the client’s list of trusted certificate authorities. Servers, proxies, and brokers can send SSL certificate chains to the client. This happens automatically when multiple certificates are included in the certificate.txt
file. To learn the requirements of this file, see "Certificates from a Certificate Authority" under Key and certificate management in the Helix Core Server Administrator Guide.
Options
|
Delete an existing trusted fingerprint. |
|
Force the replacement of a mismatched fingerprint. |
|
Install the specified |
|
List all known fingerprints on this client workstation. |
|
Automatically refuse any prompts. |
|
List, install, or delete a replacement fingerprint. If a
replacement fingerprint exists for the connection, and the
primary fingerprint does not match (but the replacement
fingerprint does), the replacement fingerprint replaces the
primary. This option can be combined with the |
|
Automatically accept any prompts. |
|
See Global options. |
Usage notes
Can File Arguments Use Revision Specifier? | Can File Arguments Use Revision Range? | Minimal Access Level Required |
---|---|---|
N/A |
N/A |
none because every user can run |
Usage notes for SSL connections that do not require P4TRUST
-
Clients based on the 2021.2 C/C++ P4API, and the APIs derived from it, such as P4Python, P4Ruby, and P4Perl, verify the server's SSL certificate against the local system's CA certificate store and compare the certificate's subjects with the host portion of the P4PORT used by the client. To learn more, see Helix Core C/C++ Developer Guide.
-
If the certificate authority (CA) path is not present in the system's CA store, or if validation against a specific CA is required, the CA path can be specified with the ssl.client.ca.path client-side configurable.
-
To revert to the prior
P4TRUST
mechanism, set the ssl.client.cert.validate client-side configurable to0
. -
To skip the CA validation, and only ensure that the server certificate's subject matches the client's
P4PORT
, setssl.client.cert.validate
to2
. -
The
p4 trust
command can still be used regardless of the server certificate validation, creatingP4TRUST
records for the IP of the server and, if the server's certificate isn't self-signed, also the hostname. The hostname recording can be disabled by setting the ssl.client.trust.name client-side configurable to0
. -
Setting
ssl.client.trust.name
to2
preventsp4 trust
from recording the IP address of the server, butp4 trust
will still only record hostnames for servers without self-signed certificates. -
Both
ssl.client.trust.name
andssl.client.cert.validate
can be set for clients in P4CONFIG files, or passed into the client using-v
of Global options. -
Proxies and Brokers will accept the configurable as part of P4DEBUG or
-v
. -
p4 configure set
can be used to apply to all server-to-server SSL connections. This requires a complete stop and restart of the server for the change to take effect. -
Client-side configuration on servers does not apply to clients connecting to the server.