How to enable HTTPS and SSL between DevTest Components.
Section one is for using your own keystore.
Section two is for using the DevTest default keystore (webreckeys.ks)
Additional Information: Create a New Keystore with OpenSSL and Keystore Explorer
All supported DevTest releases.
N/A
Section one: Enable HTTPS and SSL between All DevTest Components Using Your Own Keystore
NOTE: DevTest does not accept the following special characters in keystore passwords: /, \, %
Do not use these characters when creating any keystore password for DevTest, regardless of component.
The keystore must have the same passwords for PRIVATEKEY and KEYSTORE. DevTest does not support Keystores that have different passwords for PRIVATEKEY and KEYSTORE.
Make sure the keystore is of type JKS. The Registry (port 1505) does not accept a keystore of type PKCS12 (P12).
The keystore must contain the entire certificate chain (root, intermediate and server certificates).
Put the keystore in the DEVTEST_HOME folder on each machine where a component runs.
Update the following properties files and restart the DevTest components:
iam.properties file where Identity Access Manager (IAM) is running (IAM is HTTPS-enabled by default):
iam.keystore=${IAM_HOME}certs/<your keystore jks here>
iam.keystore.password=<your keystore password; it is stored in the vault after IAM is started>
iam.truststore=${IAM_HOME}certs/iam-truststore.ks
iam.truststore.password=${VAULT::IAM::IAM_TRUSTSTORE_PASSWORD::1}
NOTE: If you configure LDAPS with IAM, the LDAP server certificate must be included in iam-truststore.ks.
dradis.properties file where your Enterprise Dashboard is running:
dradis.webserver.https.enabled=true
dradis.webserver.ssl.keystore.location=${DRADIS_HOME}yourkeystore.jks
dradis.webserver.ssl.keystore.password=(your keystore password)
dradis.webserver.ssl.keymanager.password=(your keymanager password, the same as the keystore password)
site.properties file where the Registry is running:
devtest.enterprisedashboard.https.enabled=true
phoenix.properties file where the Portal is running:
registry.host=(hostname of your Registry)
registry.https.enabled=true
phoenix.https.enabled=true
phoenix.ssl.keystore=${LISA_HOME}yourkeystore.jks
phoenix.ssl.keystore.password=(your keystore password)
phoenix.ssl.keymanager.password=(your keymanager password, the same as the keystore password)
reshub.hostname=(hostname of your Portal)
local.properties file where each DevTest component is installed, in a distributed installation (for example multiple Simulators and VSEs):
lisa.net.keyStore={{LISA_HOME}}yourkeystore.jks
lisa.net.keyStore.password=(your keystore password)
lisa.net.trustStore={{LISA_HOME}}yourkeystore.jks
lisa.net.trustStore.password=(your keystore password)
lisa.net.default.protocol=ssl
lisa.webserver.https.enabled=true
lisa.webserver.ssl.keystore.location={{LISA_HOME}}yourkeystore.jks
lisa.webserver.ssl.keystore.password=(your keystore password)
lisa.webserver.ssl.keymanager.password=(your keymanager password, the same as the keystore password)
lisa.portal.url.prefix=https://
Workstation: To connect to the Registry over SSL, configure the properties below in local.properties. The Workstation only needs a truststore holding the CA certificates (root and intermediate); do not distribute the server keystore, which contains the private key, to workstations.
lisa.net.trustStore={{LISA_HOME}}yourtruststore.jks
lisa.net.trustStore.password=yourpassword
VSCatalog
vscatalog.vmoptions (if running as a server) or vscatalogService.vmoptions (if running as a service) where the VS Catalog is running:
Add a truststore to vscatalog.vmoptions:
-Djavax.net.ssl.trustStore=c:/devtest/WVD009.ks
-Djavax.net.ssl.trustStorePassword=some_password
Alternatively, import the certificate into the cacerts file in vscatalog_install_folder/jre/lib/security.
Note: If you face SSL issues when starting the SSL-enabled Broker service, see the document linked below:
Limitations in using Your Own Keystore for DevTest Broker Service
To restrict the TLS version, add the following to local.properties:
https.protocols=TLSv1.2
Section two: Enable HTTPS and SSL between All DevTest Components Using the DevTest Default Keystore (webreckeys.ks)
The DevTest default keystore is webreckeys.ks. Because it ships with every DevTest installation, its key pair is not unique to your environment; use section one for anything beyond a lab setup.
Update the properties files below and restart all DevTest components.
IAM
By default, IAM is HTTPS-enabled and uses the keystore webreckeys.ks, so nothing needs to be done.
Enterprise Dashboard
In the dradis.properties file where your Enterprise Dashboard is running, only the property below needs to be uncommented and set to true:
dradis.webserver.https.enabled=true
Registry
In the site.properties file where the Registry is running, only the property below needs to be uncommented and set to true:
devtest.enterprisedashboard.https.enabled=true
Portal
In the phoenix.properties file where the Portal is running, only the properties below need to be uncommented and set to true:
registry.https.enabled=true
phoenix.https.enabled=true
All components
local.properties file where each DevTest component is installed, in a distributed installation:
lisa.net.default.protocol=ssl
lisa.webserver.https.enabled=true
lisa.portal.url.prefix=https://
Create a New Keystore with OpenSSL and Keystore Explorer
Software used:
OpenSSL: https://www.openssl.org/
or
OpenSSL : https://sourceforge.net/projects/openssl/
KeyStore Explorer: https://keystore-explorer.org/downloads.html
Set the OPENSSL_CONF system environment variable so that OpenSSL can find its configuration file, for example:
OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf
Create a private key:
openssl req -new -newkey rsa:2048 -nodes -keyout C:\Certificates_and_Keystores\private.key
Because no -out is given, this command also prints a CSR to the screen (see the end of the example); ignore it, the next step writes the CSR to a file. -nodes writes the private key unencrypted, so restrict access to private.key and delete it once it has been imported into the keystore.
Example:
C:\Program Files (x86)\GnuWin32\bin>openssl req -new -newkey rsa:2048 -nodes -keyout C:\Certificates_and_Keystores\private.key
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
............................+++
............................................+++
writing new private key to 'C:\Certificates_and_Keystores\private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Plano
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Broadcom
Organizational Unit Name (eg, section) []:IMS
Common Name (eg, YOUR name) []:machine1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-----BEGIN CERTIFICATE REQUEST-----
(CSR body omitted)
-----END CERTIFICATE REQUEST-----
Create a Certificate Signing Request:
openssl req -new -sha256 -key C:\Certificates_and_Keystores\private.key -out C:\Certificates_and_Keystores\machine1.csr
Example:
C:\Program Files (x86)\GnuWin32\bin>openssl req -new -sha256 -key C:\Certificates_and_Keystores\private.key -out C:\Certificates_and_Keystores\machine1.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Plano
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Broadcom
Organizational Unit Name (eg, section) []:IMS
Common Name (eg, YOUR name) []:machine1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send machine1.csr to your Certificate Authority (CA).
The CA returns your certificate, for example as machine1.pem, machine1.crt or machine1.cer (the extension depends on your company's standards).
Use Keystore Explorer for the remaining steps:
Create a new Keystore
New Keystore Type is JKS
Import Key Pair
Import Key Pair Type is OpenSSL
Browse to get your private.key file
Browse to get your certificate machine1.pem or machine1.crt or machine1.cer file.
Import
Then import the intermediate certificate.
Then import the root certificate.
Your keystore is ready to use with DevTest.
NOTE: The keystore must have the same passwords for PRIVATEKEY and KEYSTORE. DevTest does not support keystores that have different passwords for PRIVATEKEY and KEYSTORE.
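The following Python script is an added example for this article, not a DevTest or Broadcom tool. It checks a finished keystore against the rules in section one and in the NOTE above without needing Java: it reads the JKS container format directly to confirm the type is JKS (and reports a PKCS12 or JCEKS file), verifies the keystore password through the file's integrity digest, verifies that the private key is protected with the same password by recomputing the JDK key-protector check digest, and confirms that the key entry carries more than the server certificate. The password character rule (/, \, %) is checked as well. The sample keystore the script builds is constructed here from placeholder key and certificate bytes, with the alias "server" and the password "changeit" chosen for the example, purely so the checks can be exercised offline; run the checker on a real file with check_devtest_keystore(open(path, "rb").read(), password).

```python
import hashlib, hmac, struct

FORBIDDEN = set("/\\%")                                  # characters DevTest rejects in keystore passwords
JKS_MAGIC, JCEKS_MAGIC = 0xFEEDFEED, 0xCECECECE
JKS_PBE_OID = bytes.fromhex("2b06010401022a02110101")    # 1.3.6.1.4.1.42.2.17.1.1, the JKS key-protector OID

def der_tlv(buf, pos=0):                                 # one DER tag-length-value -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _keystream(pw, salt, n):                             # JDK KeyProtector keystream: chained SHA-1(pw + previous)
    out, d = b"", salt
    while len(out) < n:
        d = hashlib.sha1(pw + d).digest()
        out += d
    return out[:n]

def key_password_ok(epki, password):
    """True if password unlocks a JKS-protected EncryptedPrivateKeyInfo (validates its 20-byte check digest)."""
    _, body, _ = der_tlv(epki)                           # EncryptedPrivateKeyInfo ::= SEQUENCE
    _, alg, pos = der_tlv(body)                          # AlgorithmIdentifier
    _, protected, _ = der_tlv(body, pos)                 # encryptedData OCTET STRING
    if der_tlv(alg)[1] != JKS_PBE_OID:
        raise ValueError("private key is not protected with the JKS key-protector algorithm")
    salt, enc, check = protected[:20], protected[20:-20], protected[-20:]
    pw = password.encode("utf-16-be")                    # Java feeds the password in as UTF-16BE bytes
    plain = bytes(a ^ b for a, b in zip(enc, _keystream(pw, salt, len(enc))))
    return hmac.compare_digest(hashlib.sha1(pw + plain).digest(), check)

def parse_jks(data, password):
    """Parse a JKS file -> (entries, integrity_ok); entry = (kind, alias, encrypted_key, [cert_der, ...])."""
    pos = 0
    def take(fmt):                                       # one fixed-width big-endian field
        nonlocal pos
        val = struct.unpack_from(fmt, data, pos)[0]
        pos += struct.calcsize(fmt)
        return val
    def sized(fmt):                                      # length-prefixed field: ">H" for UTF strings, ">I" for blobs
        nonlocal pos
        n = take(fmt)
        pos += n
        return data[pos - n:pos]
    magic = take(">I")
    if magic != JKS_MAGIC:
        hint = " (starts with 0x30: probably PKCS12/P12)" if data[:1] == b"\x30" else ""
        raise ValueError(("JCEKS keystore, not JKS" if magic == JCEKS_MAGIC else "not a JKS keystore") + hint)
    if take(">I") != 2:
        raise ValueError("unsupported JKS version")
    entries = []
    for _ in range(take(">I")):
        tag, alias = take(">I"), sized(">H").decode("utf-8")
        take(">Q")                                       # creation timestamp, not needed here
        if tag == 1:                                     # PrivateKeyEntry: encrypted key, then (type, cert) pairs
            key = sized(">I")
            chain = [(sized(">H"), sized(">I"))[1] for _ in range(take(">I"))]
            entries.append(("PrivateKeyEntry", alias, key, chain))
        elif tag == 2:                                   # trustedCertEntry: one (type, cert) pair
            entries.append(("trustedCertEntry", alias, None, [(sized(">H"), sized(">I"))[1]]))
        else:
            raise ValueError(f"unknown entry tag {tag} for alias {alias!r}")
    mac = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + data[:pos]).digest()
    return entries, hmac.compare_digest(mac, data[pos:pos + 20])

def check_devtest_keystore(data, password):             # findings against this article's rules; [] = acceptable
    findings = [f"password contains a character DevTest rejects: {c!r}" for c in sorted(FORBIDDEN & set(password))]
    try:
        entries, ok = parse_jks(data, password)
    except (ValueError, struct.error) as e:
        return findings + [f"cannot parse keystore: {e}"]
    if not ok:
        return findings + ["integrity check failed: wrong keystore password or corrupted file"]
    keys = [e for e in entries if e[0] == "PrivateKeyEntry"]
    if not keys:
        findings.append("no PrivateKeyEntry: the keystore holds no server key pair")
    for _, alias, key, chain in keys:
        try:
            if not key_password_ok(key, password):
                findings.append(f"{alias}: private key password differs from the keystore password")
        except ValueError as e:
            findings.append(f"{alias}: {e}")
        if len(chain) < 2:
            findings.append(f"{alias}: key entry carries only the server certificate; append intermediate and root to it")
    return findings

def build_sample_jks(password, key_password=None, chain_len=3):   # constructed sample: placeholder bytes, no real credentials
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER is enough for these sizes
    utf = lambda s: struct.pack(">H", len(s)) + s.encode("utf-8")
    blob = lambda b: struct.pack(">I", len(b)) + b
    pw, plain = (key_password or password).encode("utf-16-be"), b"placeholder PKCS#8 key bytes"
    salt = hashlib.sha1(b"sample salt").digest()
    enc = bytes(a ^ b for a, b in zip(plain, _keystream(pw, salt, len(plain))))
    protected = salt + enc + hashlib.sha1(pw + plain).digest()
    epki = der(0x30, der(0x30, der(0x06, JKS_PBE_OID) + der(0x05, b"")) + der(0x04, protected))
    cert = der(0x30, b"\x02\x01\x01")                        # stands in for a DER-encoded X.509 certificate
    body = struct.pack(">IIII", JKS_MAGIC, 2, 1, 1) + utf("server") + struct.pack(">Q", 0) + blob(epki)
    body += struct.pack(">I", chain_len) + b"".join(utf("X.509") + blob(cert) for _ in range(chain_len))
    return body + hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()
```

An empty list means the file passes; each string describes one rule that failed. The chain check looks only at the certificates stored with the key entry, because that is the chain a Java TLS server sends to clients; root and intermediate certificates that sit in the same file as separate trusted entries serve it as a truststore but are not sent, so they do not count toward the chain.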
Of SSL, SNI, Java and DevTest