@kasemir kasemir commented Oct 31, 2025

Secure PVAccess with PVACMS issues certificates with a CERT:STATUS:... PV extension.
While the certificate may be valid by itself, PVACMS serves a CERT:STATUS:... PV for each certificate that it created.

This is most important for PVA servers. A certificate may be valid for a longer time (year?), but PVACMS allows administrators to revoke a certificate in PVACMS. The status PV will then right away tell the PVA server on an IOC that a client certificate has been revoked and the IOC can now consider the user 'anonymous' and appropriately restrict write access.

As the Java implementation of the PVA server can now be used with PVAiFY, this PR adds CERT:STATUS:... monitoring to the Java PVA server. For now there is no meaningful authorization implemented, but writable PVs become read-only unless the CERT:STATUS:... PV indicates a valid cert. Revoking a certificate will right away turn the client into a read-only state.

Checklist

  • Testing:
    • The feature has automated tests
    • Tests were run

Easy manual test:

First, install PVXS as described in https://george-mcintyre.github.io/pvxs/spvaqstart.html

Terminal 1: Start fresh PVACMS

rm -rf  ~/.config/pva  ~/.local/share/pva
pvacms -v

Terminal 2: Handle certificates

# Create server.p12, note its CERT ID
authnstd -v --name ioc --cert-usage ioc

# Approve that CERT ID
EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/admin.p12  \
     pvxcert --approve c77c3ac7:18124547852410498497

# Create client.p12, note its CERT ID
authnstd -v

# Approve that CERT ID
EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/admin.p12  \
     pvxcert --approve c77c3ac7:00185768032390924155

Terminal 3: Run server

export EPICS_PVAS_TLS_KEYCHAIN=~/.config/pva/1.3/server.p12
./serverdemo

Terminal 4: Run client

export EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/client.p12
./pvaclient monitor demo3 -v 5
# Or run CSS, create a display with TextEntry for "pva://demo3"

Now, back in Terminal 2, revoke the client certificate:

EPICS_PVA_TLS_KEYCHAIN=~/.config/pva/1.3/admin.p12  \
     pvxcert --revoke c77c3ac7:00185768032390924155 

Note how the PV becomes read-only in CSS, and the pvaclient shows
a corresponding Received 'demo3' CID 2 access rights read-only (0x00)

  • Documentation:
    • The feature is documented .. in the PVXS documentation of secure PVA
    • The documentation is up to date
    • Release notes:
      • Added an entry if the change is breaking or significant
      • Added an entry when adding a new feature
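
The fail-closed gating described in this PR (writable only while the CERT:STATUS:... PV reports a valid certificate), as an added Java example that is not code from the PR or from the PVA server. The class, enum and method names and the placeholder status PV name are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiConsumer;

/** Added illustration with hypothetical names, not the PR's classes:
 *  write access follows the last value received from a certificate status PV. */
public class CertStatusGate
{
    /** Simplified status values, assumed for this example */
    enum Status { UNKNOWN, VALID, REVOKED }

    /** Last status seen per status PV name */
    private final Map<String, Status> last = new ConcurrentHashMap<>();

    /** Invoked with (status PV name, may write) only when access rights change */
    private final BiConsumer<String, Boolean> onAccessChange;

    CertStatusGate(BiConsumer<String, Boolean> onAccessChange)
    {
        this.onAccessChange = onAccessChange;
    }

    /** Fail closed: no update received yet counts the same as not valid */
    boolean mayWrite(String statusPv)
    {
        return last.getOrDefault(statusPv, Status.UNKNOWN) == Status.VALID;
    }

    /** Monitor callback; a null status stands for a lost status PV connection */
    synchronized void onStatusUpdate(String statusPv, Status status)
    {
        boolean before = mayWrite(statusPv);
        last.put(statusPv, status == null ? Status.UNKNOWN : status);
        boolean after = mayWrite(statusPv);
        if (before != after)
            onAccessChange.accept(statusPv, after);
    }

    public static void main(String[] args)
    {
        String pv = "CERT:STATUS:<cert-id>"; // placeholder, not a real PV name
        CertStatusGate gate = new CertStatusGate((name, write) ->
            System.out.println(name + " -> " + (write ? "read-write" : "read-only")));
        System.out.println("may write before first update: " + gate.mayWrite(pv));
        gate.onStatusUpdate(pv, Status.VALID);   // becomes writable
        gate.onStatusUpdate(pv, Status.VALID);   // unchanged, listener not called
        gate.onStatusUpdate(pv, Status.REVOKED); // drops to read-only at once
        gate.onStatusUpdate(pv, null);           // disconnect keeps it read-only
    }
}
```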
