-
Notifications
You must be signed in to change notification settings - Fork 51
Server Security Support
grpc-device
allows clients direct access to NI driver APIs. This allows the client to control connected hardware and, in some cases,
allows unsafe operations and access to the underlying system. Always ensure that your grpc-device
server is secure.
The gRPC server supports both server-side TLS and mutual TLS. Security configuration is accomplished by setting the server_cert
, server_key
and root_cert
values in the server's configuration file. The server expects the certificate files specified in the configuration file to exist in a certs
folder that is located in the same directory as the configuration file being used by the server.
In the default case the server expects the certs
folder to be located in the same folder as the server executable itself:
server_installation_folder/
├── certs/
│ ├── client_self_signed_crt.pem
│ ├── server_privatekey.pem
│ └── server_self_signed_crt.pem
├── ni_grpc_device_server
└── server_config.json
If a path to the configuration file is specified when starting the server then the certs
folder must be located in the same location as the specified configuration file:
server_installation_folder/
└── ni_grpc_device_server
config_file_folder/
├── certs/
│ ├── client_self_signed_crt.pem
│ ├── server_privatekey.pem
│ └── server_self_signed_crt.pem
└── mutual_tls.json
- When none of the security-related configuration values are set then the server defaults to an insecure (no SSL/TLS) configuration. Additionally, if one of the
server_cert
orserver_key
values is set but not the other then the server will also default to an insecure configuration. Specifying one of the two is considered an incomplete configuration. - To configure the server for server-side TLS then set both the
server_cert
andserver_key
values. In this configuration only the identity of the server is verified:
{
"port": 31763,
"security" : {
"server_cert": "server_self_signed_crt.pem",
"server_key": "server_privatekey.pem",
"root_cert": ""
}
}
- To configure the server for mutual TLS then set the
server_cert
,server_key
androot_cert
values. This configuration verifies the identity of the client in addition to the identity of the server. When theroot_cert
is specified the server always requests a client certificate:
{
"port": 31763,
"security" : {
"server_cert": "server_self_signed_crt.pem",
"server_key": "server_privatekey.pem",
"root_cert": "client_self_signed_crt.pem"
}
}
Note: The server's configuration (insecure, server-side TLS or mutual TLS) will always be printed to the terminal when the server starts.
A detailed explanation of security considerations is outside of the scope of this document. To read more about SSL/TLS in gRPC refer to this document.
There are many tools available to produce certificate files for SSL/TLS. One such tool is openssl
and below is a simple example that creates self-signed server and client certificates:
openssl genrsa -passout pass:1111 -des3 -out ca.key 2048
openssl req -passin pass:1111 -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=US/ST=Texas/L=Austin/O=NI/OU=R&D/CN=MachineName"
openssl genrsa -passout pass:1111 -des3 -out server_privatekey.pem 2048
openssl req -passin pass:1111 -new -key server_privatekey.pem -out server_csr.pem -subj "/C=US/ST=Texas/L=Austin/O=NI/OU=R&D/CN=MachineName"
openssl x509 -req -passin pass:1111 -days 3650 -in server_csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out server_self_signed_crt.pem
openssl rsa -passin pass:1111 -in server_privatekey.pem -out server_privatekey.pem
openssl genrsa -passout pass:1111 -des3 -out client_privatekey.pem 2048
openssl req -passin pass:1111 -new -key client_privatekey.pem -out client_csr.pem -subj "/C=US/ST=Texas/L=Austin/O=NI/OU=R&D/CN=MachineName"
openssl x509 -passin pass:1111 -req -days 3650 -in client_csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out client_self_signed_crt.pem
openssl rsa -passin pass:1111 -in client_privatekey.pem -out client_privatekey.pem
The examples in this section make use of the certificates generated in the Creating Certificates section. Your specific configuration (i.e. the certificate files you use) will be dependent on how you generate the certificate files.
- To establish a connection to an insecure server then call the
insecure_channel(..)
method:
channel = grpc.insecure_channel(serverAddress)
- To establish a connection to a server configured for server-side TLS then call the
secure_channel(..)
method and setroot_certificates
to point to the server's self-signed certificate:
root_cert = open('server_self_signed_crt.pem', 'rb').read()
creds = grpc.ssl_channel_credentials(root_certificates=root_cert)
channel = grpc.secure_channel(serverAddress, creds)
-
To establish a connection to a server configured for mutual TLS then call the
secure_channel(..)
method and set:-
root_certificates
to point to the server's self-signed certificate -
certificate_chain
to point to the client's self-signed certificate -
private_key
to point to the client's private key
-
root_cert = open('server_self_signed_crt.pem', 'rb').read()
client_cert = open('client_self_signed_crt.pem', 'rb').read()
client_key = open('client_privatekey.pem', 'rb').read()
creds = grpc.ssl_channel_credentials(root_certificates=root_cert , private_key=client_key, certificate_chain=client_cert)
channel = grpc.secure_channel(serverAddress, creds)
Note: When using the grpclib.client
API with supporting files generated using betterproto
the security configuration on the client side is different than the examples above. The grpclib.client
API uses SSLContext
from the Python ssl
module. Below is an example configured for mutual TLS:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
ctx.verify_mode = ssl.CERT_REQUIRED
ctx.load_cert_chain("client_self_signed_crt.pem", "client_privatekey.pem")
ctx.load_verify_locations("server_self_signed_crt.pem")
ctx.set_alpn_protocols(['h2'])
channel = Channel(host="localhost", port=31763, ssl=ctx)
- If the server can't find the certificate file at the expected location then the server will fail to start and an error message will be printed to the terminal. In this case verify that the certificate file exists at the correct location and that the user has read permissions for the file.
- If a client fails to connect to the server the cause can be one of many reasons. To determine if the failure is related to the security configuration review the server's terminal output. SSL/TLS error messages will be printed to the terminal where the server is running. Below is an example error message on the server side when the server expects a client certificate but does not receive it:
E0301 12:10:55.011000000 1136 ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.
- One common error state occurs when a client creates a channel for a configuration different from the server. For example, the server might be configured for mutual TLS and the client configures an insecure channel (no security) or server-side TLS (no client certificate specified). In this case the client will typically see an
UNAVAILABLE
error status on the first RPC call. The gRPC connection utilizes lazy intialization and therefore the connection isn't established until the first RPC called is made. Below is an example call stack from a Python client:
<class 'grpc._channel._InactiveRpcError'>
Traceback (most recent call last):
File "C:\Users\username\Desktop\Demo\client.py", line 22, in <module>
response = server.IsReservedByClient(serverTypes.IsReservedByClientRequest(reservation_id=reservation_id, client_id=client_id))
File "C:\Users\username\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\grpc\_channel.py", line 923, in __call__
return _end_unary_response_blocking(state, call, False, None)
File "C:\Users\username\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\grpc\_channel.py", line 826, in _end_unary_response_blocking
raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "failed to connect to all addresses"
debug_error_string = "{"created":"@1614621623.440000000","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":5391,"referenced_errors":[{"created":"@1614621623.440000000","description":"failed to connect to all addresses","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":398,"grpc_status":14}]}"
Creating and Setting Up a gRPC Server
Session Utilities API Reference
gRPC API Differences From C API
Sharing Driver Sessions Between Clients
C API Docs
NI-DAQmx
- gRPC API Differences From C API
- Task Configuration And Control
- Channel Configuration And Creation
- Timing
- Triggering
- Read Functions
- Write Functions
- Export Hardware Signals
- Scale Configuration
- Internal Buffer Configuration
- Advanced Functions
- System Configuration
- Error Handling
- Buffer Attributes
- Calibration Info Attributes
- Channel Attributes
- Device Attributes
- Export Signal Attributes
- Persisted Channel Attributes
- Persisted Scale Attributes
- Persisted Task Attributes
- Physical Channel Attributes
- Read Attributes
- Scale Attributes
- System Attributes
- Task Attributes
- Timing Attributes
- Trigger Attributes
- Watchdog Attributes
- Write Attributes
NI-DCPOWER
- Setup Functions
- Configure Functions
- Measurement Functions
- Control Functions
- Trigger And Event
- Attribute Functions
- Query Functions
- Calibration Functions
- Utility Functions
- Supported Device
- Source Attributes
- Transient Attributes
- Voltage Attributes
- Current Attributes
- Pulse Voltage Attributes
- Pulse Current Attributes
- Cutoff Attributes
- Measurement Attributes
- Trigger Attributes Functions
- Event Attributes
- Advanced Attributes
- Inherent Ivi Attributes
- Supported Device Attributes
NI-DIGITAL PATTERN DRIVER
- Init And Close Functions
- Session Locking Functions
- Utility Functions
- Error Handling Functions
- Calibration Functions
- Attributes Functions
- Pin Map Functions
- Low Level Functions
- Low Level Action Functions
- Pin Control Functions
- Static IO Functions
- Clock Generator Functions
- Levels And Timing Functions
- TDR Functions
- PPMU Configuration Functions
- DC Voltage Functions
- DC Current Functions
- PPMU Action Functions
- Pattern Configuration Functions
- Pattern Action Functions
- History Ram Functions
- Source Memory Functions
- Capture Memory Functions
- Triggers And Events Functions
- Conditional Jump Trigger Functions
- Sequencer Flag Functions
- Sequencer Register Functions
- Match Fail Combination Functions
- Pattern Results Functions
- Sort Results Functions
- Frequency Measurement Functions
- IVI Inherent Attributes
- Specific Driver Information Attributes, Read Only
- Driver Setup Information Attributes
- Device Attributes
- Pin Control Attributes
- Level Configuration Attributes
- Trigger Configuration Attributes
- PPMU Attributes
- Patterns Attributes
- Pattern Opcode Event Attributes
- Timing Offset Attributes
- Keep Alive Attributes
- Frequency Measurement Attributes
- Clock Generator Attributes
- History RAM
- Synchronization Attributes
- TDR Endpoint Termination Attributes
NI-FGEN
- Setup Functions
- Configuration Functions
- Standard Output Functions
- Arbitrary Waveform Output Functions
- Arbitrary Sequence Output Functions
- Incremental Waveform Write Functions
- Configure Clock Functions
- Trigger And Syncronizations Functions
- 5404 Routing Functions
- Script Output Functions
- Configure Onboard Signal Processing Functions
- Configure Peer To Peer Functions
- Attribute Functions
- Waveform Control Functions
- Error Functions
- Output Attributes
- Arbitrary Waveform Attributes
- Data Transfer Attributes
- Onboard Signal Processing Attributes
- Peer To Peer Attributes
- Standard Function Attributes
- Clock Attributes
- Event Attributes
- Triggering Attributes
- Instrument Specific Attributes
- Inherent IVI Attributes
- 5401 5411 5431
NI-RFmx Bluetooth
- gRPC API Differences From C API
- General Functions
- Configuration Functions
- Set And Get Attribute Functions
- Fetch Results Functions
- Utility Functions
- Build String Functions
- Advanced Functions
- General Attributes
- Trigger Attributes
- Packet Attributes
- Auto Detect Signal Attributes
- Modacc Attributes
- ACP Attributes
- Twenty dB Attributes
- Frequency Range Attributes
- TXP Attributes
- Advanced Attributes
NI-RFmx NR
- gRPC API Differences From C API
- General Functions
- Configuration Functions
- Set And Get Attributes Functions
- Fetch Results Functions
- Utility Functions
- Build String Functions
- Advanced Functions
- General Attributes
- Trigger Attributes
- Signal Detection Attributes
- Component Carrier Attributes
- List Attributes
- Modacc Attributes
- ACP Attributes
- CHP Attributes
- OBW Attributes
- SEM Attributes
- TXP Attributes
- Pvt Attributes
- Advanced Attributes
NI-RFmx LTE
- gRPC API Differences From C API
- General Functions
- Configuration Functions
- Ch Configuration Functions
- NB IoT Configuration Functions
- ModAcc Configuration Functions
- ACP Configuration Functions
- CHP Configuration Functions
- OBW Configuration Functions
- SEM Configuration Functions
- PVT Configuration Functions
- SlotPhase Configuration Functions
- SlotPower Configuration Functions
- Set And Get Attribute Functions
- ModAcc Fetch Functions
- ACP Fetch Functions
- CHP Fetch Functions
- OBW Fetch Functions
- SEM Fetch Functions
- PVT Fetch Functions
- SlotPhase Fetch Functions
- SlotPower Fetch Functions
- Utility Functions
- Build String Functions
- Advanced Functions
- General Attributes
- Trigger Attributes
- Component Carrier Attributes
- ModAcc Attributes
- ACP Attributes
- CHP Attributes
- OBW Attributes
- SEM Attributes
- PVT Attributes
- SlotPhase Attributes
- SlotPower Attributes
- Advanced Attributes
NI-RFmx SpecAn
- gRPC API Differences From C API
- General Functions
- Configuration Functions
- Set And Get Attribute Functions
- Read Functions
- Fetch Functions
- Utility Functions
- Marker Functions
- Build String Functions
- Advanced Functions
- General Attributes
- Trigger Attributes
- ACP Attributes
- Cdf Attributes
- CHP Attributes
- Fcnt Attributes
- Harm Attributes
- OBW Attributes
- SEM Attributes
- Spectrum Attributes
- Spur Attributes
- TXP Attributes
- AMPM Attributes
- Dpd Attributes
- IQ Attributes
- IM Attributes
- NF Attributes
- Phasenoise Attributes
- PAVT Attributes
- Advanced Attributes
NI-RFmx WLAN
- gRPC API Differences From C API
- General Functions
- Configuration Functions
- Set And Get Attribute Functions
- Fetch DSSS ModAcc Functions
- Fetch OFDM ModAcc Functions
- Fetch SEM Functions
- Fetch TXP Functions
- Fetch PowerRamp Functions
- Utility Functions
- Build String Functions
- Advanced Functions
- General Attributes
- Trigger Attributes
- OFDM Attributes
- Auto Detect Signal Attributes
- DSSS ModAcc Attributes
- OFDM ModAcc Attributes
- SEM Attributes
- TXP Attributes
- PowerRamp Attributes
- Advanced Attributes
NI-RFSA
- General Functions
- Configuration Functions
- Acquisition Functions
- Utility Functions
- Calibration Functions
- General Attributes
- Vertical Attributes
- Signal Path Attributes
- Acquisition Attributes
- Acquisition Attributes
- Triggers Attributes
- Events Attributes
- Device Characteristics Attributes
- Peer To Peer Streaming Attributes
- Configuration List Attributes
- Inherent IVI Properties Attributes
- De-embedding Attributes
- Self Calibration Attributes
- Factory Calibration Attributes
- External Alignment Attributes
- Device Specific Attributes
NI-RFSG
- General Functions
- Generation Configuration
- Utility Functions
- Calibration Functions
- Arb Attributes
- Clock Attributes
- Configuration List Attributes
- De-embedding Attributes
- Device Characteristics Attributes
- Device Specific Attributes
- Events Attributes
- External Calibration Attributes
- Inherent IVI Attributes Attributes
- IQ Impairment Attributes
- Load Configurations Attributes
- Modulation Attributes
- Obsolete Attributes
- Peer To Peer Attributes
- RF Attributes
- Self Calibration Attributes
- Triggers Attributes
NI-SCOPE
- Setup Functions
- Configure Functions
- Attribute Functions
- Acquisition Functions
- Measurement Functions
- Calibrate Functions
- Utility Funcitons
- Error Handling Functions
- IVI Compliance Or Obsolete Functions
- Vertical Attributes
- Horizontal Attributes
- Trigger Attributes
- Clocking Attributes
- Synchronization Attributes
- Acquisition Attributes
- Waveform Measurements Attributes
- Onboard Signal Processing Attributes
- Peer To Peer Streaming Attributes
- Device Attributes
- IVI Or Obsolete Attributes
- Instrument Capabilities Attributes
- If Digitizer Attributes
NI-XNET
- gRPC API differences from C APIs
- General Functions
- Cluster Properties
- Database Properties
- Device Properties
- ECU Properties
- Frame Properties
- Interface Properties
- LIN Schedule Entry Properties
- LIN Schedule Properties
- PDU Properties
- Session Ethernet Properties
- Session Frame Properties
- Session Interface Properties
- Session Properties
- Session SAE J1939 Properties
- Signal Properties
- Subframe Properties
- System Properties
- IP-Stack Functions
- Socket Options
- Socket Functions