Secure PVA: Update to ongoing pvxs developments

kasemir · kasemir · commit 8320c9d47b8e · 2025-03-17T15:30:42.000-04:00
diff --git a/core/pva/README.md b/core/pva/README.md
@@ -92,6 +92,11 @@ To debug connection issues on Linux, it can be helpful to disable the firewall:
 
 To enable access to the first PVA server on a Linux host and list resulting settings:
 
+	# Depending on Linux release, similar to this..
+    sudo firewall-cmd --add-port=5075/tcp
+    sudo firewall-cmd --add-port=5076/udp
+    
+    # .. or this
     sudo firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m udp -p udp --dport 5076 -j ACCEPT
     sudo firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 5075 -j ACCEPT
     sudo firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
diff --git a/core/pva/TLS.md b/core/pva/TLS.md
@@ -1,12 +1,139 @@
 Secure Socket Support
 =====================
 
-By default, the server and client will use plain TCP sockets to communicate.
-By configuring a keystore for the server and a truststore for the client,
-the communication can be switched to secure (TLS) sockets.
-The sockets are encrypted, and clients will only communicate with trusted servers.
-The following describes a minimal setup for initial tests,
-followed by a more elaborate setup later in this document.
+By default, the PV Access server and client will use plain TCP sockets to communicate.
+Secure PV Access uses encrypted Transport Layer Security (TLD) sockets.
+Clients will only communicate with trusted servers, and servers can
+determine the identity of their clients in a trusted way.
+
+TLS relies on private and public encryption key pairs, where public keys are
+exchanged in the form of certificates.
+In a secure EPICS environment, the PV Access Certificate Management Service (pvacms)
+issues certificates for servers and clients and allows online checks of their
+validity.
+
+
+PV Access Certificate Management Service (pvacms)
+=================================================
+
+An EPICS administrator needs to deploy pvacms as a service and maintain
+certificates for servers (IOCs) and clients (users running CS-Studio).
+This is an example recipe for getting started.
+
+1) Build EPICS base and pvxs as described on
+   https://george-mcintyre.github.io/pvxs/spvaqstart.html
+
+2) Start `pvacms -v`. It will create several files, including
+
+ * `~/.config/pva/1.3/admin.p12`: Certificate for the `admin` user
+ 
+3) Request a server (IOC) certificate, note its "Certificate identifier":
+
+   ```
+   $ authnstd --name ioc --cert-usage hybrid
+   Keychain file created   : /home/user/.config/pva/1.3/server.p12
+   Certificate identifier  : e53ed409:15273288300286014953
+   ```
+
+   As `admin`, accept that certificate:
+
+   ```
+   $ EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/admin.p12  \
+     pvxcert --approve e53ed409:15273288300286014953
+   Approve ==> CERT:STATUS:e53ed409:15273288300286014953 ==> Completed Successfully
+   ```
+
+ * `~/.config/pva/1.3/server.p12`: Our server (IOC) certificate
+
+4) Request a client certificate, note its identifier:
+
+   ```
+   $ authnstd 
+   Keychain file created   : /home/user/.config/pva/1.3/client.p12
+   Certificate identifier  : e53ed409:11521018863975115478
+   ```
+
+   Accept that certificate: 
+
+   ```
+   $ EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/admin.p12  \
+     pvxcert --approve  e53ed409:11521018863975115478
+   Approve ==> CERT:STATUS:e53ed409:11521018863975115478 ==> Completed Successfully
+   ```
+
+ * `~/.config/pva/1.3/client.p12`: Our client (user) certificate
+
+
+You now have a server and client certificate.
+To check the status:
+
+```
+$ pvxcert -f ~/.config/pva/1.3/client.p12
+...
+Subject        : CN=fred, C=US, O=host.site.org
+...
+Cert Expires   : Wed Apr 16 18:08:58 2025 UTC
+...
+Certificate ID : e53ed409:11521018863975115478
+Status         : VALID
+...
+```
+
+To list certificate details:
+```
+keytool -list -v -keystore ~/.config/pva/1.3/client.p12 -storepass ""
+```
+
+
+For a test setup, all the above can be executed by a single user on one host.
+In a production setup, however, human user clients should only have a client.p12 file.
+Pseudo-users running IOCs would have a server.p12 file,
+and only an admin user on a designated host would have the remaining pvacms files.
+
+
+Secure IOC
+==========
+
+Example for running a secure IOC:
+
+```
+$ EPICS_PVAS_TLS_KEYCHAIN=~/.config/pva/1.3/server.p12  \
+  softIocPVX -m user=fred -d pvxs/test/testioc.db
+```
+
+The command `pvxsr 10` will list all connected clients
+with their connection credentials.
+
+
+Secure Java PVA Client
+======================
+
+Example for running Java PVA client command line tool:
+
+```
+$ export EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/client.p12
+$ pvaclient monitor -v 5 fred:aiExample
+```
+
+Example for running CS-Studio:
+
+```
+$ export EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/client.p12
+$ phoebus.sh
+```
+
+
+
+--------------------------------------------------------
+
+
+Manually creating certificates
+==============================
+
+In this section we describe an earlier approach to creating certificates.
+It is left for reference, the preferred method is now pvacms.
+
+We start with a minimal setup for initial tests.
 
 Step 1: Create a server KEYSTORE that contains a public and private key.
 -------
