3.3 Installing a Crypto Library

3.3.1 Installing OpenSSL

If you have the license-managed (LM) version of Connext (with "lm" in the package file name): OpenSSL is installed automatically with the LM bundle. The following instructions are only for regular installations.

RTI provides: 

  • An OpenSSL host package, which enables OpenSSL for RTI's applications such as RTI Admin Console, RTI Routing Service, rtiddsspy, etc.
  • An OpenSSL target package, which provides OpenSSL libraries that can be used to secure your applications.

3.3.1.1 Linux and macOS Systems

  1. Make sure you've installed host and target Security Plugins packages as described in 3.2.1 Security Plugins for OpenSSL.
  2. Install an OpenSSL host package from RTI:

    openssl-<1.1.1t or 3.0.8>-7.1.0-host-<host platform>.rtipkg

    The <host platform> is x64Linux for Linux systems, or darwin for macOS systems. Use the same process that you used for the .rtipkg files in the previous step.

  3. Install an OpenSSL target package from RTI:

    openssl-<1.1.1t or 3.0.8>-7.1.0-target-<target architecture>.rtipkg

    Use the same process that you used for the .rtipkg files in the previous step.

  4. Include the resulting OpenSSL bin directory in your PATH. For example, assuming you want to use the "release" version of the OpenSSL 3.0.8 libraries (enter the command all on one line):

    export PATH=<NDDSHOME>/third_party/openssl-3.0.8/<architecture>/release/bin:${PATH}

  5. If you will be using the dynamic libraries, include the resulting OpenSSL lib directory in your LD_LIBRARY_PATH (on Linux systems) or DYLD_LIBRARY_PATH (on macOS systems). For example, assuming you want to use the release version of the OpenSSL 3.0.8 libraries (enter the command all on one line):

    export LD_LIBRARY_PATH=<NDDSHOME>/third_party/openssl-3.0.8/<architecture>/release/lib:$LD_LIBRARY_PATH

  6. To verify your installation, enter:

    openssl version

    You should see a response similar to:

    OpenSSL 3.0.8

    If you see a version that you didn't expect, a different version of OpenSSL may appear earlier in your PATH and take precedence. You may need to place the version you just installed first or earlier in your PATH.

    Note: When running the openssl version command, you may run into this OpenSSL warning:

    WARNING: can't open config file: [default openssl built-in path]/openssl.cnf

    To resolve this issue, set the environment variable OPENSSL_CONF to the path to the openssl.cnf file you are using. For example (enter this all on one line):

    export OPENSSL_CONF=<NDDSHOME>/third_party/openssl-3.0.8/<architecture>/release/ssl/openssl.cnf

3.3.1.2 Windows Systems

  1. Make sure you've installed host and target Security Plugins packages as described in 3.2.1 Security Plugins for OpenSSL.
  2. Install an OpenSSL host package from RTI:

    openssl-<1.1.1t or 3.0.8>-7.1.0-host-x64Win64.rtipkg

    Use the same process that you used for the .rtipkg files in the previous step.

  3. Install an OpenSSL target package from RTI:

    openssl-<1.1.1t or 3.0.8>-7.1.0-target-<target architecture>.rtipkg

  4. Add the resulting OpenSSL bin directory to your Path environment variable. For example (enter the command all on one line):

    set PATH=<NDDSHOME>\third_party\openssl-3.0.8\<architecture>\release\bin;%PATH%

  5. To verify your installation, enter:

    openssl version

    You should see the version that you just installed:

    OpenSSL <version>

    If you see a version that you didn't expect, a different version of OpenSSL may appear earlier in your PATH and take precedence. You may need to place the version you just installed first or earlier in your PATH.

    Note: When running the openssl version command, you may run into this OpenSSL warning:

    WARNING: can't open config file: [default openssl built-in path]/openssl.cnf

    To resolve this issue, set the environment variable OPENSSL_CONF to the path to the openssl.cnf file you are using. For example (enter this all on one line):

    set OPENSSL_CONF=<NDDSHOME>\third_party\openssl-3.0.8\<architecture>\release\ssl\openssl.cnf

3.3.2 Building wolfSSL

wolfSSL is only for use with specific architectures noted in the Compatibility section of the RTI Security Plugins Release Notes.

RTI does not distribute wolfSSL. You should get a commercial version of wolfSSL. See the RTI Security Plugins Release Notes for compatible versions.

In a location of your choice, build wolfSSL for your target architecture. Read the chapter on "Building" in the wolfSSL User Manual.

It is important that you build wolfSSL with the following flags:

  • --enable-smime
  • --enable-opensslall
  • --enable-opensslextra
  • --enable-crl
  • --enable-certgen
  • --enable-des3
  • --enable-reproducible-build
  • --enable-aesni
  • -DWOLFSSL_PSS_SALT_LEN_DISCOVER
  • --enable-harden
  • --enable-static

You will need the resulting installation directory when installing wolfSSL in the next section.

The "wolfSSL installation directory" is the folder created after building wolfSSL. This folder should contain bin/, include/, lib/, and share/ directories. You can configure it when building wolfSSL by adding the --prefix and --exec-prefix flags during the make install step.

3.3.3 Installing wolfSSL

After you've built wolfSSL for your target architecture:

  1. Make sure you've installed the host and target Security Plugins packages as described in 3.2 Installing a Regular (non-LM) Version.
  2. In your <NDDSHOME>/third_party directory, create wolfssl-5.5.1/<target architecture>/release/. Copy your wolfSSL installation directory under the release/ folder. (This assumes that you want to use the release version of the wolfSSL libraries. If you want to use the debug version of the libraries, use <NDDSHOME>/third_party/wolfssl-5.5.1/<target architecture>/debug/ instead.)

    You will end up with: 
    <NDDSHOME>/third_party/wolfssl-5.5.1/<target architecture>/[release|debug]/.

  3. (This step isn't necessary for a QNX target, because the tools and services are supported natively on QNX systems.) If your target architecture is on a Linux, macOS, or Windows system and you want to use RTI Tools and Infrastructure Services: you also need to build the wolfSSL library compiled for your host architecture. To do so, repeat the steps in 3.3 Installing a Crypto Library and create a new wolfSSL installation directory with the library compiled for your host architecture.

    Once you have wolfSSL compiled for your host architecture, copy the dynamic library files (*.so) to the <NDDSHOME>/resource/app/lib/<host architecture>/ directory. The dynamic library files are in the lib/ directory of your wolfSSL installation directory.

    <host architecture> is one of these: darwin, x64Linux, x64Win64.

    You must copy both the release and debug versions, including symbolic links.

  4. Include the wolfSSL bin/ directory in your PATH. For example, assuming you want to use the "release" version of the wolfSSL libraries (enter the command all on one line):

    export PATH=<NDDSHOME>/third_party/wolfssl-5.5.1/<architecture>/release/bin:${PATH}

    If you will be using the dynamic libraries, include the wolfSSL lib/ directory in your library search path (LD_LIBRARY_PATH on Linux systems, DYLD_LIBRARY_PATH on macOS systems, or Path on Windows systems). For example, assuming you want to use the release version of the wolfSSL libraries (enter the command all on one line):

    export LD_LIBRARY_PATH=<NDDSHOME>/third_party/wolfssl-5.5.1/<architecture>/release/lib:$LD_LIBRARY_PATH

  5. To verify your installation, enter:

    wolfssl-config --version

    You should see a response similar to:

    5.5.1

    If you get a version other than wolfSSL 5.5.1, a different version of wolfSSL may appear earlier in your PATH and take precedence. You may need to place version 5.5.1 first or earlier in your PATH.
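
The verification steps in 3.3.1.1 and 3.3.3 both warn that another copy earlier in PATH can take precedence over the crypto library you just installed. The following added example (not part of the RTI documentation or RTI's tooling) lists every copy of a tool on PATH in precedence order and reports whether the expected one wins. The function names, the stub demo tree, and the ARCH directory name are assumptions made for illustration; the same check works for wolfssl-config.

```shell
# Added example, not RTI code. find_on_path TOOL prints each PATH directory that
# holds an executable TOOL, highest precedence first.
find_on_path() {
    (
        IFS=:
        set -f                                   # no globbing while splitting PATH
        for dir in $PATH; do
            [ -n "$dir" ] || dir=.               # empty entry = current directory
            case $dir in ?*/) dir=${dir%/} ;; esac
            if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then printf '%s\n' "$dir"; fi
        done
    )
}

# check_crypto_tool TOOL EXPECTED_BIN_DIR: returns 0 if the expected copy is found
# first, 1 if another copy shadows it, 2 if the expected copy is not on PATH.
check_crypto_tool() {
    tool=$1; expected=${2%/}
    hits=$(find_on_path "$tool")
    first=$(printf '%s\n' "$hits" | head -n 1)
    if [ -n "$first" ] && [ "$first" = "$expected" ]; then
        echo "OK: $tool resolves to $expected/$tool"
        return 0
    fi
    if printf '%s\n' "$hits" | grep -Fqx -- "$expected"; then
        echo "SHADOWED: $first/$tool is found before $expected/$tool"
        return 1
    fi
    echo "MISSING: $expected/$tool is not reachable through PATH"
    return 2
}

# Constructed demo tree: stub "openssl" scripts stand in for a system copy and for
# the copy under <NDDSHOME>/third_party (ARCH is a placeholder architecture name).
make_demo_tree() {
    root=$(mktemp -d)
    for d in "$root/usr/bin" "$root/third_party/openssl-3.0.8/ARCH/release/bin"; do
        mkdir -p "$d"
        printf '#!/bin/sh\necho stub\n' > "$d/openssl"
        chmod +x "$d/openssl"
    done
    printf '%s\n' "$root"
}

demo_root=$(make_demo_tree)
rti_bin=$demo_root/third_party/openssl-3.0.8/ARCH/release/bin
( PATH="$demo_root/usr/bin:$rti_bin:$PATH"; check_crypto_tool openssl "$rti_bin" ) || true
( PATH="$rti_bin:$demo_root/usr/bin:$PATH"; check_crypto_tool openssl "$rti_bin" ) || true
rm -rf "$demo_root"
```

On a real installation, pass the bin directory you added to PATH in the steps above as the second argument.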