Configuring SSL for RA repository server


Article ID: 111118


Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

We want all components of Release Automation to communicate over SSL using strong ciphers. A security scan found that the Management Server and the Repository Server communicate over a non-SSL connection by default. We would like to configure SSL for this connection using our own key, issued by our root CA.

By default the Management Server, the retrieval agents and the Repository Server communicate over a non-SSL protocol. This document illustrates how SSL communication can be established among them using your own custom keystores.

Environment

Release Automation 6.3  or higher

Resolution

Assumption: you already have the key and certificate for the Repository Server, issued by your root CA.

Steps to be performed on the Repository Server

    1: Stop the repository server by running the command ./<Repo_Install_Dir>/nolio_repo.sh stop
    2: Import the key provided by your root CA into the custom keystore of the Repository Server.

       Example command (repokeystore.p12 is the PKCS#12 file containing the key):
       keytool -importkeystore -destkeystore conf/repo-keystore.jks -srckeystore repokeystore.p12 -srcstoretype pkcs12 -alias ra-repo



    3: Navigate to <Repo_Install_Dir>/conf and create a backup of the server.xml file.
    4: Open <Repo_Install_Dir>/conf/server.xml, locate the <Connector port="8443" ...> element and set the attributes below.

       Note: repo-keystore.jks is the custom keystore for the Repository Server.

       keyAlias="ra-repo"
       keystoreFile="conf/repo-keystore.jks"
       keystorePass="********"

              
       To restrict the ciphers that the connector offers, add a ciphers attribute to the same <Connector port="8443" ...> element. The complete entry then looks like this:
       <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                  compression="on"
                  compressionMinSize="102400"
                  compressableMimeType="application/x-java-serialized-object"
                  SSLEnabled="true"
                  maxThreads="150"
                  scheme="https"
                  secure="true"
                  clientAuth="false"
                  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
                  keyAlias="ra-repo"
                  keystoreFile="conf/repo-keystore.jks"
                  keystorePass="************"
                  maxSwallowSize="-1"
                  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                           TLS_RSA_WITH_AES_128_CBC_SHA256,
                           TLS_RSA_WITH_AES_128_GCM_SHA256,
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                           TLS_RSA_WITH_AES_256_CBC_SHA,
                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                           TLS_RSA_WITH_AES_256_CBC_SHA256,
                           TLS_RSA_WITH_AES_256_GCM_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
       </Connector>
    5: Save the file and start the repository server by running the command ./<Repo_Install_Dir>/nolio_repo.sh start
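The server.xml edit in step 4 is easy to get subtly wrong by hand, and the connector entry above still allows TLSv1/TLSv1.1 (deprecated by RFC 8996) and static-RSA suites (TLS_RSA_*, which give no forward secrecy). The following added example, which is not code from this article or from CA Release Automation, applies the step 4 attributes to a Tomcat server.xml with the standard-library XML parser and then audits the resulting connector for those weaknesses. The sample server.xml is constructed; repo-keystore.jks and ra-repo are the placeholder names the article uses, and the password value is a placeholder. The hardened variant at the bottom goes beyond the article by keeping only TLSv1.2 and the ECDHE suites.

```python
"""Apply the article's step 4 settings to a Tomcat server.xml and audit the
SSL connector. Added example; not part of the article or of the product."""
import xml.etree.ElementTree as ET

# Constructed sample: default 8443 connector, stock keystore, old protocols.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector, left untouched -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
  </Service>
</Server>
"""

# The cipher list from the article's connector entry.
ARTICLE_CIPHERS = (
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
)
# SSL 2/3 are broken; TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def _parse(xml_text):
    # insert_comments=True (Python 3.8+) keeps the comments a real server.xml
    # carries, so the file round-trips without losing its documentation.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _split(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def find_ssl_connector(root, port="8443"):
    """Return the <Connector> element listening on the given port."""
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return conn
    raise ValueError(f'no <Connector port="{port}"> in server.xml')


def connector_attributes(xml_text, port="8443"):
    """Attributes of the connector on `port` as a plain dict."""
    return dict(find_ssl_connector(_parse(xml_text), port).attrib)


def apply_custom_keystore(xml_text, keystore_file, key_alias, keystore_pass,
                          ciphers=ARTICLE_CIPHERS,
                          protocols="TLSv1.2,TLSv1.1,TLSv1", port="8443"):
    """Step 4: point the connector at the custom keystore and pin the
    protocol and cipher lists. Returns the modified server.xml text."""
    root = _parse(xml_text)
    conn = find_ssl_connector(root, port)
    for name, value in (("SSLEnabled", "true"), ("scheme", "https"),
                        ("secure", "true"), ("keyAlias", key_alias),
                        ("keystoreFile", keystore_file),
                        ("keystorePass", keystore_pass),
                        ("sslEnabledProtocols", protocols),
                        ("ciphers", ",".join(ciphers))):
        conn.set(name, value)
    return ET.tostring(root, encoding="unicode")


def audit_connector(xml_text, port="8443"):
    """Findings a security review would raise against the SSL connector."""
    conn = find_ssl_connector(_parse(xml_text), port)
    findings = []
    if conn.get("SSLEnabled", "").lower() != "true":
        findings.append("SSLEnabled is not true: the port serves plain HTTP")
    if not conn.get("keyAlias"):
        findings.append("keyAlias unset: Tomcat uses the first key entry found")
    for proto in _split(conn.get("sslEnabledProtocols")):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    ciphers = _split(conn.get("ciphers"))
    if not ciphers:
        findings.append("ciphers unset: the JVM default suite list applies")
    for suite in ciphers:
        # TLS_RSA_* suites use static RSA key exchange: no forward secrecy.
        if suite.startswith("TLS_RSA_"):
            findings.append(f"no forward secrecy: {suite}")
    return findings


if __name__ == "__main__":
    pw = "REPLACE_WITH_KEYSTORE_PASSWORD"  # placeholder
    updated = apply_custom_keystore(SAMPLE_SERVER_XML, "conf/repo-keystore.jks",
                                    "ra-repo", pw)
    for finding in audit_connector(updated):
        print("article settings:", finding)
    hardened = apply_custom_keystore(
        SAMPLE_SERVER_XML, "conf/repo-keystore.jks", "ra-repo", pw,
        ciphers=[c for c in ARTICLE_CIPHERS if c.startswith("TLS_ECDHE_")],
        protocols="TLSv1.2")
    print("hardened findings:", audit_connector(hardened))
```

ElementTree re-serialises the whole file (attribute quoting and whitespace may change), so diff the output against the backup taken in step 3 before starting the server. Run against the article's own settings the audit reports the two deprecated protocols and the six TLS_RSA_ suites; with only TLSv1.2 and the ECDHE suites it reports nothing.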



Steps to be performed on the Data Management Server (NAC)

    1: Copy the certificate of the Repository Server to the NAC.
    2: Stop the NAC service.
    3: Create a backup of the NAC trust-store file.
    4: Run the command below to import the repository server certificate into the NAC trust-store:



       keytool -importcert -alias ra-repo -file repo-cert.crt -keystore custom-truststore.jks -v -rfc



    5: Create a backup of <NAC_Install_Dir>/conf/nolio-repo.properties.
    6: Open <NAC_Install_Dir>/conf/nolio-repo.properties and make the changes below. The port is the port on which the repository server's SSL connector is configured in your environment:



                      hostname=<hostname of repository server>
                      scheme=https
                      port=8443

           7: Start the NAC service


Steps to be performed on Agents

Note: Each retrieval agent that communicates with the repository must have the repository certificate imported into its trust-store to establish trust.

    1: Copy the certificate of the Repository Server to the agent.
    2: Stop the Agent service.
    3: Create a backup of the Agent trust-store file.
    4: Run the command below to import the repository server certificate into the Agent trust-store:
       keytool -importcert -alias ra-repo -file repo-cert.crt -keystore custom-truststore.jks -v -rfc
    5: Start the Agent service.
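NAC step 6 above changes three keys in nolio-repo.properties, and the NAC only reaches the repository over TLS if those values agree with the connector configured on the Repository Server and with the name in the repository certificate. The following added example, which is not code from this article or from CA Release Automation, rewrites the three keys while preserving everything else in the file and then checks the result before the service is started: scheme must be https, the port must be the SSL connector port, and an IP literal as hostname is flagged because TLS hostname verification then requires that IP in the certificate's subject alternative names. The sample properties file is constructed, and the example assumes only the key=value layout the article shows plus standard Java .properties comment syntax.

```python
"""Update and sanity-check nolio-repo.properties for the NAC (step 6).
Added example; not part of the article or of the product."""
import ipaddress

# Constructed sample: a NAC still pointing at the repository over plain HTTP.
SAMPLE_PROPERTIES = """# Repository server connection settings
hostname=repo01.example.internal
scheme=http
port=8080
connectionTimeout=30000
"""

REQUIRED = ("hostname", "scheme", "port")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def update_repo_properties(text, hostname, port=8443, scheme="https"):
    """Set hostname/scheme/port in place, keeping comments, order and any
    other keys; keys that are absent are appended at the end."""
    wanted = {"hostname": hostname, "scheme": scheme, "port": str(port)}
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        key = stripped.split("=", 1)[0].strip() if "=" in stripped else None
        if key in wanted:  # comment lines never match: their "key" starts with #
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(line)
    out.extend(f"{k}={wanted[k]}" for k in REQUIRED if k not in seen)
    return "\n".join(out) + "\n"


def check_repo_properties(text, expected_port=8443):
    """Findings to resolve before restarting the NAC. expected_port is the
    port of the SSL <Connector> configured on the Repository Server."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key} is missing")
    if props.get("scheme") != "https":
        findings.append("scheme is not https: repository traffic stays in clear text")
    port = props.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"port is not a valid TCP port: {port!r}")
    elif int(port) != expected_port:
        findings.append(f"port {port} does not match the repository SSL "
                        f"connector port {expected_port}")
    host = props.get("hostname", "")
    try:
        ipaddress.ip_address(host)
        # RFC 6125 / RFC 2818: an IP literal only matches an iPAddress SAN,
        # so a certificate issued for the DNS name alone will be rejected.
        findings.append("hostname is an IP literal: the repository certificate "
                        "must carry it as a subject alternative name")
    except ValueError:
        pass  # a DNS name; it must still match the certificate's SAN/CN
    return findings


if __name__ == "__main__":
    print("before:", check_repo_properties(SAMPLE_PROPERTIES))
    updated = update_repo_properties(SAMPLE_PROPERTIES, "repo01.example.internal")
    print(updated)
    print("after:", check_repo_properties(updated))
```

The same check applies unchanged to the agents' step 4 expectations: the hostname the agent uses must be one the repository certificate was issued for, otherwise importing the certificate into the trust-store is not enough for the TLS handshake to succeed.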