As secure EPICS remains a work in progress, so is this guide. Additional information will be added to it as additional functionality is implemented.


Work is currently underway to make EPICS 7 more secure. See here for more information on the effort:

https://conference.sns.gov/event/258/contributions/619/attachments/1002/9781/EPICS%20security%20implemenation%20plan%20George.pdf

Note that these changes will only be implemented for EPICS 7, so the following guide is only relevant for pvAccess. Channel Access is not included in the scope of this work and so will remain unchanged.


Starting from scratch

This part of the guide will be for a user attempting to install and test secure EPICS using their own machine, and thus will not assume any access to SLAC EPICS base or module installations.

This guide will also cover only the C++ (pvxs) and Python (p4p) implementations of secure EPICS. Since the Python installation requires the C++ installation to work, both will be necessary for anyone wishing to use the Python API. The installation instructions for the Java implementation are currently not included but can be added later.


Install EPICS Base

pvxs requires EPICS base in order to build, so we'll get that installed first. Feel free to install this wherever you'd like on your machine; for this guide we'll use $HOME/EPICS:


Install EPICS base
$ mkdir $HOME/EPICS
$ cd $HOME/EPICS
$ git clone --branch R7.0.3.1 https://github.com/epics-base/epics-base.git  # Note, any EPICS 7 release should work. R7.0.3.1 is chosen here simply because it's the default one at SLAC currently
$ make -C epics-base  # Will take a while to complete


Install pvxs

Next we will install the C++ module that provides an implementation of pvAccess:


If installing this on a Red Hat 7 or CentOS 7 machine, you may run into issues with the make commands below. If the first make command (make -C pvxs/bundle libevent) outputs

Could NOT find OpenSSL

or the second make command (make -C pvxs) outputs 

fatal error: openssl/opensslv.h: No such file or directory

you will need to install OpenSSL from source. The openssl-devel package does provide these headers, but the OpenSSL version that yum installs on these systems is too old to work with pvxs, which requires OpenSSL 3.0 or newer:

https://www.openssl.org/source/

A local copy to build against is fine, as replacing the system-wide OpenSSL version is a rather involved process.
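Before running the pvxs make steps, it is worth knowing whether the OpenSSL on your build path will satisfy the 3.0+ requirement, rather than discovering it from the errors quoted above. The script below is an added example, not part of this guide or of pvxs: it parses the output of `openssl version` and looks for the opensslv.h header that the second make step needs. The OPENSSL_PREFIX variable it reads is a hypothetical convention for pointing at a local source build; pvxs does not define it.

```shell
#!/bin/sh
# Added example (not from the guide or from pvxs): check that the OpenSSL that
# pvxs will build against is version 3.0 or newer and that its headers exist.
# OPENSSL_PREFIX is a hypothetical variable naming the prefix of a local build;
# it defaults to /usr (the system OpenSSL).

# Return 0 if a version string such as "OpenSSL 3.0.7 1 Nov 2022" is 3.0 or newer.
# LibreSSL strings deliberately do not match: pvxs needs OpenSSL itself.
openssl_version_ok() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 3 ]
}

# Return 0 if the prefix carries the header that "make -C pvxs" fails without.
has_openssl_headers() {
    [ -f "$1/include/openssl/opensslv.h" ]
}

# Check binary version and headers under one prefix; print a diagnostic either way.
check_openssl() {
    root="${1:-${OPENSSL_PREFIX:-/usr}}"
    bin="$root/bin/openssl"
    [ -x "$bin" ] || bin=openssl   # fall back to whatever is on PATH
    ver=$("$bin" version 2>/dev/null) || { echo "no openssl binary found under $root"; return 1; }
    if ! openssl_version_ok "$ver"; then
        echo "found '$ver' under $root; pvxs needs OpenSSL 3.0+. Build a local copy and set OPENSSL_PREFIX to it."
        return 1
    fi
    if ! has_openssl_headers "$root"; then
        echo "'$ver' is present but $root/include/openssl/opensslv.h is missing (install the -devel package or use a source build)"
        return 1
    fi
    echo "OK: '$ver' with headers under $root"
}

# Usage: sh check_openssl.sh            -> checks the system OpenSSL
#        sh check_openssl.sh /opt/ossl3 -> checks a local build installed there
if check_openssl "$@"; then :; else echo "fix the item above before running make -C pvxs"; fi
```

On a RHEL 7 / CentOS 7 host with only the yum packages installed, the version check is the one that fails; after building OpenSSL 3 from source into a prefix, pass that prefix as the argument and both checks should pass.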



Install pvxs
$ cd $HOME/EPICS  # Continue to use the same directory where you installed EPICS base above
$ git clone --recursive  --branch tls https://github.com/mdavidsaver/pvxs.git
$ echo "EPICS_BASE=\$(TOP)/../epics-base" > pvxs/configure/RELEASE.local  # Tells pvxs where to find EPICS base
$ make -C pvxs/bundle libevent
$ make -C pvxs
$ make -C pvxs runtests  # Both verifies the installation, and generates some test certificates for us to use in the next steps


This is sufficient to test out the TLS client, as well as to set up a server if needed. If a Python interface is preferred, the next code block can be skipped and the steps under Install p4p followed instead.


Using pvxs
$ export EPICS_PVA_TLS_KEYCHAIN="$HOME/EPICS/pvxs/test/O.linux-x86_64/ca.p12"  # Replace $HOME/EPICS as needed
$ export SSLKEYLOGFILE=/tmp/keylog.txt  # Optional, for debugging only: records TLS session secrets so a packet capture can be decrypted. Unset it when you are not debugging
$ cd $HOME/EPICS/pvxs
$ bin/linux-x86_64/pvxget MY:TEST:PV  # Attempts to communicate using TLS. Replace with a real PV you have access to



Install p4p (optional)

As seen above, pvxs is sufficient for both clients and servers that want to use secure EPICS. However, if a Python interface is preferred, we can install p4p and use it as follows:

Install p4p
$ cd $HOME/EPICS  # Like before wherever EPICS base was installed in the first step
$ git clone --branch master https://github.com/mdavidsaver/p4p.git
$ echo -e "PVXS=$HOME/EPICS/pvxs\nEPICS_BASE=$HOME/EPICS/epics-base" > p4p/configure/RELEASE.local  # Tell p4p where to find pvxs and EPICS base
$ mamba create -n p4p-build-env python=3.9 pip numpy Cython nose2 ply # Can be replaced however you like to create a python virtual environment, as long as it contains these packages
$ mamba activate p4p-build-env
$ make -C p4p


Now to use it:


Using p4p
$ export EPICS_PVA_TLS_KEYCHAIN="$HOME/EPICS/pvxs/test/O.linux-x86_64/ca.p12"  # Replace $HOME/EPICS as needed
$ cd $HOME/EPICS/p4p
$ PYTHONPATH=$PWD/python3.9/linux-x86_64 python -m p4p.client.cli get MY:TEST:PV  # Attempts to communicate using TLS. Replace with a real PV you have access to
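Both the pvxs and the p4p usage steps above depend on the same two environment variables, and both fail in unhelpful ways when the keychain is missing. The script below is an added example, not part of this guide, pvxs or p4p: it checks that EPICS_PVA_TLS_KEYCHAIN points at an existing file that only its owner can read (a PKCS#12 keychain normally bundles the private key with the certificate), and it reminds you when SSLKEYLOGFILE is still set, since that file holds the session secrets of every TLS connection the client makes. The default keychain path is the one used in this guide; everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the guide, pvxs or p4p): sanity-check the TLS
# environment before running pvxget or "python -m p4p.client.cli get".

# Return 0 if the file exists and has no group/other permission bits
# (mode 600, 400, 700, ...). Uses GNU stat first, then BSD stat as a fallback.
keychain_private() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Arguments: [keychain path] [keylog path]; both default to the environment
# variables the guide exports. Returns 0 only when the keychain is usable.
check_tls_env() {
    keychain="${1:-${EPICS_PVA_TLS_KEYCHAIN-}}"
    keylog="${2:-${SSLKEYLOGFILE-}}"
    status=0
    if [ -z "$keychain" ]; then
        echo "EPICS_PVA_TLS_KEYCHAIN is not set; export it as shown in the guide"
        status=1
    elif [ ! -f "$keychain" ]; then
        echo "keychain $keychain does not exist (has 'make -C pvxs runtests' been run?)"
        status=1
    elif ! keychain_private "$keychain"; then
        echo "keychain $keychain is readable by other users; it carries a private key, so chmod 600 it"
        status=1
    else
        echo "keychain $keychain present and owner-only"
    fi
    if [ -n "$keylog" ]; then
        echo "note: SSLKEYLOGFILE=$keylog is set; TLS session secrets will be written there. Unset it when not debugging"
    fi
    return $status
}

# Usage: sh check_tls_env.sh [keychain] [keylog]
if check_tls_env "$@"; then :; else echo "fix the item above before running the client"; fi
```

The permission check is deliberately strict: the test keychain written by `make -C pvxs runtests` is only for trying things out, but the same script applies unchanged to a production keychain, where a group- or world-readable private key is the more serious problem.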



