Summary
The "NoProtection" security policy
Minimal security policy
Environment
Orbix 6.3.x
All Supported Platforms
Question/Problem Description
How is the "NoProtection" security policy interpreted?
Clarifying Information
For information on the SSL security policies, please see our Orbix Security Guide and Configuration Reference.
Resolution
The "NoProtection" security policy indicates that an application supports, or requires, a minimum of no SSL protection. Because this is a minimum value, it does not preclude other SSL protection.
For example, consider the following client and server:
- The client requires "NoProtection"
- The client supports all security policies, including "NoProtection"
- The server requires "NoProtection"
- The server supports all security policies, including "NoProtection"
The relevant configuration settings would look as follows:
policies:iiop_tls:client_secure_invocation_policy:requires = ["NoProtection"];
policies:iiop_tls:client_secure_invocation_policy:supports = ["NoProtection", "EstablishTrustInClient", "Confidentiality", "EstablishTrustInTarget", "DetectMisordering", "DetectReplay", "Integrity"];
policies:iiop_tls:target_secure_invocation_policy:requires = ["NoProtection"];
policies:iiop_tls:target_secure_invocation_policy:supports = ["NoProtection", "EstablishTrustInClient", "Confidentiality", "EstablishTrustInTarget", "DetectMisordering", "DetectReplay", "Integrity"];
The "NoProtection" security policy is treated as a minimal requirement, rather than an absolute requirement. Additionally, clients and servers will use all mutually supported policies.
In the above example, the client and server will establish a connection using all security policies. They both require a minimum of NoProtection and they both support NoProtection, plus all other security policies. Therefore, in this example, all security policies will be used.
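The rule described above can be checked against a configuration with a short script. This is an added example, not Orbix code: it parses the four settings shown above (embedded as a constructed sample) and models the outcome as the set of mutually supported policies. The function names, and the compatibility check that each side's required minimum must be supported by its peer, are assumptions of this sketch.

```python
import re

# Constructed sample: the four settings shown in the article.
ALL = ('["NoProtection", "EstablishTrustInClient", "Confidentiality", '
       '"EstablishTrustInTarget", "DetectMisordering", "DetectReplay", "Integrity"]')
P = "policies:iiop_tls:"
ARTICLE_CFG = f'''
{P}client_secure_invocation_policy:requires = ["NoProtection"];
{P}client_secure_invocation_policy:supports = {ALL};
{P}target_secure_invocation_policy:requires = ["NoProtection"];
{P}target_secure_invocation_policy:supports = {ALL};
'''
# Constructed variant: same server, but a client that supports only NoProtection.
WEAK_CLIENT_CFG = ARTICLE_CFG.replace(
    f"client_secure_invocation_policy:supports = {ALL}",
    'client_secure_invocation_policy:supports = ["NoProtection"]')

SETTING_RE = re.compile(
    r'policies:iiop_tls:(client|target)_secure_invocation_policy:'
    r'(requires|supports)\s*=\s*\[(.*?)\]\s*;')

def parse_policies(text):
    """Return {(side, kind): set of option names} from configuration text."""
    return {(side, kind): set(re.findall(r'"([^"]+)"', body))
            for side, kind, body in SETTING_RE.findall(text)}

def evaluate(text):
    """Apply the article's rule to one client/target pair of settings."""
    p = parse_policies(text)
    c_req, c_sup = p[("client", "requires")], p[("client", "supports")]
    t_req, t_sup = p[("target", "requires")], p[("target", "supports")]
    # Assumption: each side's required minimum must be supported by its peer.
    compatible = c_req <= t_sup and t_req <= c_sup
    # Article's rule: all mutually supported policies are used.
    used = (c_sup & t_sup) if compatible else set()
    # Sides whose only requirement is NoProtection set no minimum at all.
    no_minimum = {side for side, req in (("client", c_req), ("target", t_req))
                  if req == {"NoProtection"}}
    return {"compatible": compatible, "used": used, "no_minimum": no_minimum}

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_CFG), ("weak client", WEAK_CLIENT_CFG)):
        print(name, evaluate(cfg))
```

With the settings above the result is all seven policies. With the constructed weak client, the same server settings yield only NoProtection, so a side that requires only "NoProtection" gets whatever protection its peer also supports.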