[Opensim-dev] Using ssl in OpenSim

Justin Clark-Casey jjustincc at googlemail.com
Sat Dec 3 02:57:43 UTC 2011


Unfortunately, I can't provide much help since I haven't yet had reason to look into the area.  Ordinary server-viewer 
UDP traffic is not encrypted.

On 29/11/11 15:41, Fleep Tuque wrote:
> Following up on this thread, I'm looking into SSL for opensim to increase username and password security, but I'm pretty
> novice at server administration in general so I'm not sure I understand enough to even ask the right questions.
>
> Our Opensim 0.7.2 install is running in grid mode on Windows Server 2008/IIS.  I've found information about installing
> the security certificate and I think I generally understand what to do there, but I just want to make sure I understand
> the process and how it works before I go through the process of requesting a cert from our InfoSec department.
>
> Reading the information in the thread below, I have a couple of questions:
>
> 1)  Is it possible to have Diva's wifi account creation process done through https if I follow these steps?  It's the
> usernames and passwords I'm most concerned about.
>
> 2)  Is this only for remote admin applications or does this encrypt all traffic between the viewer and the server too?
>
> Sorry if these are stupid questions and many thanks in advance if anyone has more information or can explain Opensim SSL
> for Dummies style.  ;)
>
> Sincerely,
>
> - Chris/Fleep
>
> Chris M. Collins (SL/OS: Fleep Tuque)
> Center for Simulations & Virtual Environments Research (UCSIM)
> UCIT Instructional & Research Computing
> University of Cincinnati
> 406A Zimmer Hall
> 315 College Drive
> PO BOX 210088
> Cincinnati, OH 45221-0088
> chris.collins at uc.edu
> (513) 556-3018
>
> http://ucsim.uc.edu
>
>
>
>
> On Thu, May 5, 2011 at 10:07 PM, BlueWall <jamesh at bluewallgroup.com> wrote:
>
>     SSL support for "out of band" applications is added in OpenSim commit
>     8ca793875318efc8db3339b25bf7fa5ddeeac218 . I have tested the region
>     server with the remote-admin plugin and also completed the lsl function
>     - llRequestSecureURL(). In Robust, I tested using a custom service to
>     expose a service that gets user information over https. I will post the
>     code for that soon as an example.
>
>     *Certificates
>     To use it, you will need a certificate in the PFX/PKCS12 format. These
>     may be certs purchased from someone like VeriSign,  Thawte or others
>     providing CA services. You may also use a self signed cert for testing.
>     If you are using Mono, see http://www.mono-project.com/FAQ:_Security and
>     page down to "Can I make my own certificates ? ",  and Windows users,
>     here: http://blogs.technet.com/b/jhoward/archive/2005/02/02/365323.aspx
>     for instructions. If you have an existing cert that is not in the PFX
>     format, such as *.crt - you may use openssl to copy it into the proper
>     format. See
>     http://security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html for
>     some background information for using openssl to create certs or convert
>     between formats.
>
>     *Configuration
>     The region server may use ssl as an auxiliary port. The options are in
>     the OpenSimDefaults.ini. Copy them to your OpenSim.ini and adjust the
>     settings to your setup...
>
>     [Network]
>     http_listener_port = 9000
>
>     https_listener = True
>     https_port = 9080
>     cert_path = "/home/opensim/etc/os_server.p12"
>     cert_pass = "mypassword"
>
>     [RemoteAdmin]
>     enabled = true
>     port = 9080
>     access_password = "woohooo"
>
>     Then, set your remote-admin client to use the port and make the calls
>     using https. I used code from
>     http://xyzzyxyzzy.net/2008/01/23/using-pythons-xmlrpclib-with-opensim/
>     to test the remote-admin, modifying it to use my port and https.
>
>     For applications in Robust, you have a couple of options. First, you can
>     add an auxiliary port, as in the region server. But, in case you want to
>     split out your https application to a separate Robust server, you can
>     make the main listener talk on https. Same options as the region server
>     with one addition - the https_main option. Set that one to True to get
>     your Robust main listener on https. Or set it to False to add an
>     auxiliary https port to the main server. Then, in your application, set
>     the port in your ServiceConnectors line to tell your application to use
>     it...
>
>     [Startup]
>     ServiceConnectors = "8114/WxService.dll:WxServiceConnector"
>     ;                    ^^^^ <-- Here
>     [Network]
>         port = 8113
>         ;;     ^^^^ <-- Main listener
>         https_main = False
>         ;; Create http listener true / false
>         https_listener = True
>         ;; Set our listener to this port
>         https_port = 8114
>         ;;           ^^^^ <-- And Here
>         ;; Path to X.509 cert
>         cert_path = "/home/opensim/etc/os_server.p12"
>         ;; Password for cert
>         cert_pass = "mypassword"
>
>
>     Have fun!
>     BlueWall
>
>     _______________________________________________
>     Opensim-dev mailing list
>     Opensim-dev at lists.berlios.de
>     https://lists.berlios.de/mailman/listinfo/opensim-dev
>
>
>
>


-- 
Justin Clark-Casey (justincc)
http://justincc.org/blog
http://twitter.com/justincc
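
An added example, not part of the original thread or of OpenSim's code: a small Python audit of the [Network] and [RemoteAdmin] settings quoted above, flagging the case where HTTPS is enabled but RemoteAdmin is still bound to a different port. It assumes RemoteAdmin is served by whichever listener owns its port, as the quoted configuration implies; `parse_ini`, `audit` and the sample file are constructed for illustration.

```python
# Sample secrets shown in the quoted post; they should not survive into a real ini.
SAMPLE_SECRETS = {"mypassword", "woohooo"}

def parse_ini(text):
    """Minimal parser for OpenSim-style ini: [Section], key = value, ';' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip().strip('"')
    return conf

def audit(text):
    """Return findings about the HTTPS-related settings (assumed semantics)."""
    conf = parse_ini(text)
    net, admin = conf.get("network", {}), conf.get("remoteadmin", {})
    findings = []
    https_on = net.get("https_listener", "").lower() == "true"
    if not https_on:
        findings.append("https_listener is not enabled")
    elif not net.get("cert_path"):
        findings.append("https_listener is enabled but cert_path is empty")
    if admin.get("enabled", "").lower() == "true":
        # Assumption: a RemoteAdmin port other than https_port means plain HTTP.
        if not https_on or admin.get("port") != net.get("https_port"):
            findings.append("RemoteAdmin port %s is not https_port: access_password "
                            "would travel over plain HTTP" % admin.get("port"))
    for sec, key in (("network", "cert_pass"), ("remoteadmin", "access_password")):
        if conf.get(sec, {}).get(key) in SAMPLE_SECRETS:
            findings.append("%s.%s still holds a sample value" % (sec, key))
    return findings

# Constructed sample: HTTPS is on, but RemoteAdmin was left on the HTTP port.
SAMPLE = """[Network]
http_listener_port = 9000
https_listener = True
https_port = 9080
cert_path = "/home/opensim/etc/os_server.p12"
cert_pass = "mypassword"
[RemoteAdmin]
enabled = true
port = 9000
access_password = "constructed-example"
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```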


