Connecting services
Services working together in a multi-site environment must be able to authenticate and trust one another.
- When using SSL to securely link servers, brokers, and proxies together, each link in the chain must trust the upstream link.
- It is best practice to use ticket-based authentication instead of password-based authentication. This means that each service user for each server in the chain must also have a valid login ticket for the upstream link in the chain. Ticket-based authentication is mandatory at Server Security Level 4 (and higher).
Managing trust between services
The user that owns the server, broker, or proxy process is typically a
service user (see User types). As the administrator, you must create a
P4TRUST
file on behalf of the service user by using the
command. By default, a user’s p4 trust
P4TRUST
file resides in that user's home
directory with .p4trust
as the file name.
See the "Communicating port information" topic in the Helix Core Server Administrator Guide: Fundamentals.
Managing tickets between services
When linking servers, brokers, and proxies together, each service user must be a valid service user at the upstream link, and it must be able to authenticate with a valid login ticket.
To set up service authentication:
-
On the upstream server, use
p4 user
to create a user of typeservice
, andp4 group
to assign it to a group that has a long orunlimited
timeout.Use
p4 passwd
to assign the service user a strong password. - On the downstream server, use
p4 login
to log in to the master server as the newly-created service user, and to create a login ticket for the service user that exists on the downstream server. - Ensure that the
P4TICKETS
variable is correctly set when the user (often a script or other automation tool) invokes the downstream service. This enables the downstream service to correctly read the ticket file and authenticate itself as the service user to the upstream service.
Managing SSL key pairs
When configured to accept SSL connections, all server processes
(p4d
, p4p
,
p4broker
), require a valid certificate and key pair
on startup.
To create a key pair,
- set the directory and
permissions - see
P4SSLDIR
in Helix Core P4 Command Reference) - generate pairs of
privatekey.txt
andcertificate.txt
files, and make a record of the key’s fingerprint:- on the server, use
p4d -Gc
to create the key/certificate pair andp4d -Gf
to display its fingerprint. - on the broker, use
p4broker -Gc
to create the key/certificate pair andp4broker -Gf
to display its fingerprint. - on the proxy, use
p4p -Gc
to create the key/certificate pair andp4p -Gf
to display its fingerprint.
- on the server, use
You can also supply your own private key and certificate. See "Using SSL to encrypt connections to a Helix Server" in Helix Core Server Administrator Guide: Fundamentals.
Your search for returned result(s).