Main Content

Access Secure Programs Using HTTPS

It is possible to connect to a secure server instance by simply using an HTTPS address when calling feval().

The resulting connection will be encrypted, but not secure. Neither party performs any authentication. Neither can determine if it is communicating with a valid actor or a malignant actor.

To establish a secure connection you must:

  • install valid certificate authorities for server instance authentication

  • configure your client application code to use the installed certificate authorities to authenticate the server instance

To ensure an added level of security, you can also verify the server instance host name against the certificate common name.

These steps allow your client to ensure that it is communicating with a valid MATLAB® Production Server™ instance.

In environments where server instances require client authentication, you need to:

  1. Configure the client's environment for SSL.

  2. Make a secure request.

  3. Make a secure request using client authentication.

Configure the Client’s Environment for SSL

At a minimum the client requires the server's root CA (Certificate Authority) in one of the application's certificate stores.

To connect to a server that requires client-side authentication, the client needs a signed certificate in one of the application's certificate stores.

To manage the certificate authorities and certificates on the client machine, use OpenSSL.

Make a Secure Request

To configure your client to authenticate server instances you need to add the following to the client runtime configuration:

  • server root CA

  • private key

If the private key is encrypted, you also need to provide the private key password. After adding the necessary information to the client runtime configuration, verify that the client authenticates the server instance.

In addition to the minimum requirements you can also specify:

  • certificate revocation list to check against

  • if the client needs to verify the server instance hostname against the certificates common name

You do this using setters on the mpsClientRuntime structure:

  • setClientCertFile(mpsClientConfig* sslCfg, const char* cert_file) specifies the client certificate

  • setPrivateKeyFile(mpsClientConfig* sslCfg, const char* pkFile) specifies the private key

  • setPrivateKeyPasswd(mpsClientConfig* sslCfg, const char* passwd) specifies the private key password

  • setCAFile(mpsClientConfig* sslCfg, const char* caFile) specifies the certificate authority

  • setRevocationListFile(mpsClientConfig* sslCfg, const char* crlFile) specifies the certificate revocation list

  • setVerifyHost(mpsClientConfig* sslCfg, mpsLogical verifyHost) specifies if the client verifies the server instance hostname

  • setVerifyPeer(mpsClientConfig* sslCfg, mpsLogical verifyPeer) specifies if the client authenticates the server instance

The following code configures the client to fully authenticate the server instance. It also configures the client to verify that the server instance hostname matches the certificate common name.

mpsClientRuntime* mpsruntime = mpsInitializeEx(MPS_CLIENT_1_1);

mpsClientConfig* config;
mpsStatus status1 = mpsruntime->createConfig(&config);

const std::string caFile("CERT_AUTH_FILE");
mpsruntime->setCAFile(config, caFile.c_str());

const std::string crlFile("CERT_REVOCATION_LIST_FILE");
mpsruntime->setRevocationListFile(config, crlFile.c_str());

mpsruntime->setVerifyHost(config, static_cast<mpsLogical>(true));
mpsruntime->setVerifyPeer(config, static_cast<mpsLogical>(true));

mpsClientContext* context;
status = mpsruntime->createContext(&context, config);

...
status = mpsruntime->feval(context,
               "https://localhost:9911/addmatrix/addmatrix",
               numOut, outVal, numIn, (const mpsArray **)inVal);

When the client attempts to evaluate the function, it will exchange certificates with the server instance. The client will verify the server instance certificate against the configured CA. If the certificate is valid, the client will then verify that the server instance hostname matches the common name stored in the server instance certificate. If either check fails, the connection is rejected.

If the server instance is configured to perform client authentication, the connection will also be rejected since the client is not configured with a valid certificate to exchange with the server instance.

Make a Secure Request Using Client Authentication

In some environments, server instances require that clients provide a certificate for authentication. To enable the client to connect with a server instance requiring client authentication:

  • set the client cert file property using the setClientCertFile() setter of the mpsClientRuntime structure.

  • Set the private key properties to access the client certificate.

const std::string certFile("CERTFILE");
mpsruntime->setClientCertFile(config, certFile.c_str());

const std::string pkFile("PRIVATE_KEY_FILE");
mpsruntime->setPrivateKeyFile(config, pkFile.c_str());

const std::string pkPass("PRIVATE_KEY_PASSWORD");
mpsruntime->setPrivateKeyPasswd(config, pkPass.c_str());

External Websites