SV - Enable TLS 1.2 for DevTest and SSL communication between components


Article ID: 140760


Updated On:

Products

CLOUDTEST, CA Application Test, CA Cloud Test Mobile, MOBILECLOUD, Service Virtualization

Issue/Introduction

We must move to TLS 1.2 with DevTest 10.4. Due to security mandates, we must use TLS 1.2 or higher. Also, we would like to use SSL communication between DevTest components.
How to achieve that?
 
 

Environment

Release : 10.4

Component : CA Service Virtualization

Resolution

Create a CA-signed certificate for the server that hosts IAM, Registry, VSE, Portal, Broker, Coordinator, and Simulator. Make sure you use both the FQDN and the short name for the domain name.

The keystore and truststore need to contain the entire certificate chain (root, intermediate, server).

 

Here are the configuration steps:

**************************************

 

1. Configure IAM for SSL: how to implement a keystore with a CA chain with DevTest IAM



  1. Copy your certificate to this folder: DEVTEST_HOME/IdentityAccessManager/certs
  2. Make a backup of the DEVTEST_HOME/IdentityAccessManager/standalone/configuration/standalone.xml file.
  3. Edit this file and change this line:






Change webreckeys.ks to be your keystore and passphrase to be your password.

 

Restarted IAM and was able to bring up the browser and show the IAM URL as being secured.

 

Bring up Browser and enter URL https://

:51111 for IAM.



Note: Have noticed with Firefox that the certificate chain is not automatically pulled into the browser, so the root and intermediate certificates had to be manually imported into Firefox. Chrome and IE work without having to do this.



2. To enable HTTPS with Enterprise Dashboard:

In the Enterprise Dashboard Server, edit the dradis.properties file and uncomment the following properties. Provide your own keystore or leave the default:

dradis.webserver.https.enabled=true
dradis.webserver.ssl.keystore.location=keystore.jks (do not provide {{DRADIS_HOME}}, place the keystore under LISA_HOME and provide the keystore name in this property)
dradis.webserver.ssl.keystore.password=yourpassword
dradis.webserver.ssl.keymanager.password=yourpassword


3. Enable SSL communication between components - Registry, Broker, Coordinator, Simulator, VSE, and Workstation


In the local.properties file, enable the following property:

lisa.net.default.protocol=ssl

This property enables SSL communication between components - Registry, Broker, Coordinator, Simulator, VSE, and Workstation

If DevTest is installed in a distributed environment, the property above needs to be enabled in each server.


By default, DevTest uses webreckeys.ks, a self-signed keystore delivered with DevTest and issued to Lisa.

To use your own keystore and not the webreckeys.ks, provide your keystore under the properties below in the local.properties file in the Registry server:

lisa.net.keyStore={{LISA_HOME}}keystore.jks
lisa.net.keyStore.password=PlainTextPasswordWilBeConvertedToEncrypted


When you are using your own keystore, you will need to create a truststore with the keypair certificate and provide it with the two properties below:

lisa.net.trustStore={{LISA_HOME}}truststore.ts
lisa.net.trustStore.password=PlainTextPasswordWilBeConvertedToEncrypted


More details on creating the truststore are in the link below:

https://docops.ca.com/devtest-solutions/10-3/en/administering/security/using-ssl-to-secure-communication/use-your-own-self-signed-certificate/


Without the truststore, the Coordinator, Simulator, VSE and Workstation will not be able to connect to the Registry.

You will start seeing the following messages in the registry.log file:

SEVERE: Could not accept connection : javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown


If you have a distributed environment, the truststore needs to be provided in each remote server as well.

Still in the Registry server, edit the local.properties and enable the following properties:

lisa.webserver.https.enabled=true
lisa.webserver.ssl.keystore.location={{LISA_HOME}}webserver.ks
lisa.webserver.ssl.keystore.password=yourpassword
lisa.webserver.ssl.keymanager.password=yourpassword
lisa.portal.url.prefix=https://

These properties enable HTTPS on port 1505 - the previous DevTest Console.


To set the TLS version, add the following to the local.properties file:
https.protocols=TLSv1.2

4. In the Portal server, edit the phoenix.properties file, uncomment and configure the following properties:

registry.https.enabled=true
phoenix.https.enabled=true
phoenix.ssl.keystore=${LISA_HOME}/keystore.jks
phoenix.ssl.keystore.password=yourpassword
phoenix.ssl.keymanager.password=yourpassword




Save the modified properties files.



Restart DevTest components.
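
The edited property files can be checked before the restart with a small script. This is an added example, not part of the original article or the product: the function names are hypothetical, the local.properties checks assume the Registry server's copy, and accepting TLSv1.3 as "TLS 1.2 or higher" is an assumption.

```python
# Added example (not vendor code): audit DevTest property files for the
# settings listed in this article. Handles only the simple key=value form.
REQUIRED = {  # expected values, taken from the article's steps 2-4
    "local.properties": {"lisa.net.default.protocol": "ssl",
                         "lisa.webserver.https.enabled": "true"},
    "dradis.properties": {"dradis.webserver.https.enabled": "true"},
    "phoenix.properties": {"registry.https.enabled": "true",
                           "phoenix.https.enabled": "true"},
}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: "TLS 1.2 or higher"

def parse_properties(text):
    """Return active key=value pairs; commented-out lines (# or !) are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(filename, text):
    """Return a list of findings for one property file (empty list = clean)."""
    props = parse_properties(text)
    findings = []
    for key, want in REQUIRED.get(filename, {}).items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key} is missing or still commented out")
        elif got != want:
            findings.append(f"{key}={got}, expected {want}")
    if filename == "local.properties":
        protocols = [p.strip() for p in props.get("https.protocols", "").split(",")]
        if any(p not in ALLOWED_PROTOCOLS for p in protocols):
            findings.append("https.protocols missing or allows a protocol below TLSv1.2")
        # An own keystore without a truststore gives certificate_unknown in registry.log.
        if "lisa.net.keyStore" in props and "lisa.net.trustStore" not in props:
            findings.append("lisa.net.keyStore set without lisa.net.trustStore")
    return findings

# Constructed sample: a Registry local.properties with two mistakes.
SAMPLE = """\
lisa.net.default.protocol=ssl
#lisa.webserver.https.enabled=true
lisa.net.keyStore={{LISA_HOME}}keystore.jks
https.protocols=TLSv1.2
"""

if __name__ == "__main__":
    for finding in audit("local.properties", SAMPLE):
        print("FINDING:", finding)
```

In a distributed environment, run the same check against the property files on each server.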