It is possible to connect to a secure server instance by simply
using an HTTPS address when calling feval()
.
The resulting connection will be encrypted, but not secure. Neither party performs any authentication. Neither can determine if it communicating with a valid actor or a malignant actor.
To establish a secure connection you must:
install valid certificate authorities for server instance authentication
configure your client application code to use the installed certificate authorities to authenticate the server instance
To ensure an added level of security, you can also verify the server instance host name against the certificate common name.
These steps allow your client to ensure that it is communicating with a valid MATLAB® Production Server™ instance.
In some environments, server instances will also require client authentication. In these environments, you will need to
At a minimum the client requires the server's root CA (Certificate Authority) in one of the application's certificate stores.
To connect to a server that requires client-side authentication, the client needs a signed certificate in one of the application's certificate stores.
To manage the certificate authorities and certificates on the client machine, use OpenSSL.
To configure your client to authenticate server instances you need to add the following to the client runtime configuration:
server root CA
private key
If the private key is encrypted, you also need to provide the private key password.
that the client authenticates the server instance
In addition to the minimum requirements you can also specify:
certificate revocation list to check against
if the client needs to verify the server instance hostname against the certificates common name
You do this using setters on the mpsClientRuntime
structure:
specifies the client certificate
setPrivateKeyFile(mpsClientConfig* sslCfg,
const char* pkFile)
specifies the private key
setPrivateKeyPasswd(mpsClientConfig* sslCfg,
const char* passwd)
specifies the private key password
setCAFile(mpsClientConfig* sslCfg, const
char* caFile)
specifies the certificate authority
setRevocationListFile(mpsClientConfig* sslCfg,
const char* crlFile)
specifies the certificate revocation
list
setVerifyHost(mpsClientConfig* sslCfg, mpsLogical
verifyHost)
specifies if the client verifies the server
instance hostname
setVerifyPeer(mpsClientConfig* sslCfg, mpsLogical
verifyPeer)
specifies if the client authenticates the server
instance
The following code configures the client to fully authenticate the server instance. It also configures the client to verify that the server instance hostname matches the certificate common name.
mpsClientRuntime* mpsruntime = mpsInitializeEx(MPS_CLIENT_1_1); mpsClientConfig* config; mpsStatus status1 = mpsruntime->createConfig(&config); const std::string caFile("CERT_AUTH_FILE"); mpsruntime->setCAFile(config, caFile.c_str()); const std::string crlFile("CERT_REVOCATION_LIST_FILE"); mpsruntime->setRevocationListFile(config, crlFile.c_str()); mpsruntime->setVerifyHost(config, static_cast<mpsLogical>(true)); mpsruntime->setVerifyPeer(config, static_cast<mpsLogical>(true)); mpsClientContext* context; status = mpsruntime->createContext(&context, config); ... status = mpsruntime->feval(context, "https://localhost:9911/addmatrix/addmatrix", numOut, outVal, numIn, (const mpsArray **)inVal);
When the client attempts to evaluate the function, it will exchange certificates with the server instance. The client will verify the server instance certificate against the configured CA. If the certificate is valid, the client will then verify that the server instance hostname matches the common name stored in the server instance certificate. If either check fails, the connection is rejected.
If the server instance is configured to perform client authentication, the connection will also be rejected since the client is not configured with a valid certificate to exchange with the server instance.
In some environments, server instances require that clients provide a certificate for authentication. To enable the client to connect with a server instance requiring client authentication:
set the client cert file property using the setClientCertFile()
setter
of the mpsClientRuntime
structure.
Set the private key properties to access the client certificate.
const std::string certFile("CERTFILE"); mpsruntime->setClientCertFile(config, certFile.c_str()); const std::string pkFile("PRIVATE_KEY_FILE"); mpsruntime->setPrivateKeyFile(config, pkFile.c_str()); const std::string pkPass("PRIVATE_KEY_PASSWORD"); mpsruntime->setPrivateKeyPasswd(config, pkPass.c_str());