Description
pvagw basically works:
```
[laci@dev-epicsgw ~]$ ps -ef | grep pgateway
laci 2168465 2168403 0 11:36 pts/3 00:00:00 /sdf/sw/epics/package/anaconda/2024.10/envs/p4p-build-env/bin/python /sdf/group/cds/sw/epics/users/TestStand/modules/p4p/R4.2.0/bin/rhel9-x86_64/pvagw --logging /sdf/group/cds/sw/epics/users/TestStand/pgateway/config/pgwDEVTLS-logconfig.json /sdf/group/cds/sw/epics/users/TestStand/pgateway/config/pgwDEVTLS.json
```
Checking on dev-pvxs as a client:
```
[jingchen@dev-pvxs config]$ printenv EPICS_PVA_ADDR_LIST
dev-epicsgw:5163
[jingchen@dev-pvxs config]$ pvxinfo -v condor_WBPM1_A | grep TLS
…
TLS x509:485432e6:13603525715378933403:WIN-TEST Common Root CA -> WIN-TEST Common Issuer 01 CA -> SLAC-EPICS-PVACMS Internal CA/pgateway/dev-epicsgw@134.79.217.70:38297
…
```
It works. However, there are two outstanding issues with pvagw:
- initial connection via pvxinfo or pvxget from the client to pgateway always times out, and it then works consistently.
```
[jingchen@dev-pvxs config]$ pvxget condor_WBPM1_A
Timeout with 1 outstanding
```
I have studied this and concluded that the network between dev-pvxs (client) and dev-epicsgw (pgateway) is not a factor:
• Both dev-pvxs and dev-epicsgw are on the same subnet; there is no routing path in between.
• I have had both client and pgateway running on the same node (dev-epicsgw) and still see the same problem.
• To cross check, softIOC (on dev-epicsgw) and client (on dev-pvxs) work perfectly.
• To completely exclude the network as a factor, I revoked the client's certificate, and the client on dev-pvxs then works with pgateway on dev-epicsgw perfectly, without a single timeout:
```
pvxcert -R 485432e6:05783978403501536589
Revoke ==> CERT:STATUS:485432e6:05783978403501536589 ==> Completed Successfully

[jingchen@dev-pvxs config]$ pvxget condor_WBPM1_A
2025-06-06T11:44:00.433767612 WARN pvxs.certs.mon Certificate not valid: REVOKED
condor_WBPM1_A
struct "epics:nt/NTScalar:1.0"
    value double = 7
```
It appears that this initial timeout is caused by TLS (e.g., certificate validation delay by pvacms?).
- We have tested the ACF extensions for TLS with new rules on softIOC, and it works fine. However, pgateway is not happy with the ACF extensions.
Here is our ACF file for pgateway:
```
[jingchen@dev-pvxs config]$ cat pgwDEVTLS.acf
# ====================================================================
# Authorization to connect via Secure EPICS (i.e. PVA+TLS)
# ====================================================================
AUTHORITY("WIN-TEST Common Root CA") {
    AUTHORITY("WIN-TEST Common Issuer 01 CA") {
        AUTHORITY(PVA_AUTH, "SLAC-EPICS-PVACMS Internal CA")
    }
}
# ====================================================================
HAG(GWSTATS)
{
    dev-epicsgw
}
# Hosts: dev-pvxs, s3dflclsdev-rocky9
HAG(PRIVATE) {"134.79.217.222",
    "172.24.5.19"
}
ASG(DEFAULT)
{
    RULE(1,READ)
}
ASG(PUBLIC)
{
    RULE(1,READ)
}
ASG(CANWRITE)
{
    RULE(1,READ)
    RULE(1,WRITE)
}
ASG(S3DF)
{
    RULE(1,READ)
    RULE(1,WRITE) {
        HAG(PRIVATE)
        AUTHORITY(PVA_AUTH)
        METHOD("x509")
        PROTOCOL(tls)
    }
}
ASG(GWSTATS)
{
    RULE(1,READ)
    RULE(1,WRITE) {HAG(GWSTATS)}
}
```
```
[laci@dev-epicsgw ~]$ /sdf/group/cds/sw/epics/users/TestStand/pgateway/script/st.pgwDEVTLS
2025-06-06 07:16:24,309 | p4p.gw: ERROR - In "pgwDEVTLS.acf" : Syntax error on line 4 at or before 'AUTHORITY'
```
It appears that P4P (or pgateway) doesn't recognize the syntax from the ACF extensions (i.e., the new rules) for TLS. After I commented out the extensions, pgateway works again.
Should pgateway use ioc.p12 or server.p12?