SSL Configuration for Release Automation 4.x

Article ID: 38082
Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

Summary:

In this document, we will review how to achieve secured (SSL/TLS) communication for the Automation Studio UI and the Release Operations Center UI first, and then optionally go over the specifics of extending this capability to communication between all Release Automation components. This document and the examples contained herein use self-signed SSL certificates only. However, you may apply the same methods with identical results if you have a certificate from a trusted CA, by simply discarding the examples that use keytool to generate and sign the certificates used in this demonstration.


Instructions: 

All examples in this document use a Linux environment and assume the default install directory, /usr/local/LISAReleaseAutomationServer, is the working directory for every command unless specified otherwise. The same basic commands should apply on Windows, given the portability of Java, although this has not been tested at this time.

Prerequisites: Nolio Server must be installed, along with the Java JDK, which provides several required utilities including jarsigner (gjarsigner does not work).

Once the JDK is installed, add its bin directory to your path, e.g.: PATH=$PATH:/usr/java/jdk-<version>/bin

Please note, this document assumes you are operating on a new single-server installation using v4.7.1, although this should work on previous versions >= 4.0 as well.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Section 1: Configuration of the Web UI Components to use a self-signed certificate.

Although optional, this section configures LISA RA to use a non-default, self-signed SSL certificate for the web UI components.

Step 1, on the NAC/NES:

From the base directory, generate a custom keystore (the name is irrelevant, but for the sake of simplicity we will use custom-keystore.jks and custom-truststore.jks throughout).

  • keytool -genkeypair -keyalg RSA -keysize 2048 -keystore conf/custom-keystore.jks -alias testenv01
    note: After this command executes it prompts for the initial password for the keystore and key; be sure to record these somewhere, then answer the questions for the key pair.
  • Once this is completed you should have a keystore in conf/custom-keystore.jks. You can verify its contents with "keytool -list -v -keystore conf/custom-keystore.jks" and entering the keystore password chosen at creation.

Step 2, on the NAC/NES:

We will now want to export the public key to a certificate file using keytool:

  • keytool -exportcert -alias testenv01 -file testenv01.crt -keystore conf/custom-keystore.jks -v -rfc

      note: You will be prompted for the keystore password you recorded earlier for custom-keystore.jks; afterwards a file testenv01.crt is written to the current directory.

Step 3, on the NAC/NES:

We will now import the certificate file into a custom truststore. Note: for the web UI components only, the truststore must be named nolio.jks. We will also import the same certificate file into a new truststore on the NES, conf/custom-truststore.jks.

  • keytool -importcert -alias testenv01 -file testenv01.crt -keystore nolio.jks -v -rfc
  • You will be prompted to enter/re-enter the initial password for this truststore, please make note.
  • keytool -importcert -alias testenv01 -file testenv01.crt -v -rfc -keystore conf/custom-truststore.jks
  • You will be prompted again to enter/re-enter the initial password for the new truststore, please make note. 

Output should be similar to this (example for both):

Enter keystore password:
Re-enter new password:
Owner: CN=Jeremy Nelson, OU=Nolio Support, O=CA Inc, L=Plano, ST=Texas, C=US
Issuer: CN=Jeremy Nelson, OU=Nolio Support, O=CA Inc, L=Plano, ST=Texas, C=US
Serial number: 52d83913
Valid from: Thu Jan 16 14:54:59 EST 2014 until: Wed Apr 16 15:54:59 EDT 2014
Certificate fingerprints:
         MD5:  1C:0C:92:8B:EE:18:5F:8D:0E:7C:E8:4F:26:9E:B8:5C
         SHA1: 5D:18:61:59:79:A0:E2:ED:3F:BF:AF:96:10:1A:6E:57:00:11:FC:C8
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing nolio.jks and/or custom-truststore.jks]

Step 4, on the NAC/NES:

Now we will create a jar file containing nolio.jks, sign it, and move it to the proper directory. Note: the jar file must be named custom-truststore.jar for this application:

Create the jar file:

  • jar cvf custom-truststore.jar nolio.jks

On success the output should be similar to this:

[<user>@<host> LISAReleaseAutomationServer]# jar cvf custom-truststore.jar nolio.jks
added manifest
adding: nolio.jks(in = 926) (out= 785)(deflated 15%)

Sign the newly created jar file:

  • jarsigner -keystore conf/custom-keystore.jks -verbose -keypass <plaintext password used to create keypair> custom-truststore.jar testenv01

You will be prompted for the keystore password of conf/custom-keystore.jks, the keystore holding the key used to sign custom-truststore.jar.

Output should be similar to this:

Enter Passphrase for keystore:
 updating: META-INF/MANIFEST.MF
   adding: META-INF/TESTENV0.SF
   adding: META-INF/TESTENV0.RSA
  signing: nolio.jks

Verify the jar is signed and contains correct certificates, and copy/move custom-truststore.jar to the proper directory:

  • jarsigner -verify -verbose -certs custom-truststore.jar

  • mv custom-truststore.jar webapps/nolio-app/apps/v2.0.0/lib

Step 5, on the NAC/NES:

Create a new properties file and set the truststore password.

  • Create the file conf/security-customization.properties, and open it in the text editor of your choice.

Add the following lines:

ui.trustStorePassword=<plaintext password for keystore generated for custom-truststore.jar>
javax.net.ssl.trustStore=conf/custom-truststore.jks
javax.net.ssl.trustStorePassword=<plaintext password for conf/custom-truststore.jks>

Step 6, on the NAC/NES:

Update the conf/server.xml Connector entry for port 8443 (line 85 on release 4.7.1) as follows. The attributes that reference the custom keystore (keyAlias, keystoreFile and keystorePass) are the portions that need updating.

         <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                            SSLEnabled="true"
                            maxThreads="150"
                            scheme="https"
                            secure="true"
                            clientAuth="false"
                            sslProtocol="TLS"
                            keyAlias="testenv01"
                            keystoreFile="conf/custom-keystore.jks"
                            keystorePass="[plaintext password for custom-keystore]">
        </Connector>


Note: If you do not plan on using self-signed certificates for NAG <-> NAG or NES <-> NAG communication, you can restart the Nolio Server now: ./nolio_server.sh restart

Otherwise, continue on to Section 2(Optional).

If you are not proceeding with Section 2, after Nolio Server starts back up, the server should now be using the generated self-signed certificate for the web UI components.  This completes the configuration of the web UI components using self-signed certificates. Note: you will still use port 8080 to login to Automation Center, as it redirects to 8443.
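The keytool, jar and jarsigner steps of this section (steps 1 to 4) gathered into one non-interactive shell function, added here as an example; it is not part of the original article. The alias, passwords and subject DN are arguments, and the 365-day validity is an assumption. Passwords on the command line are visible to other local users via ps, which is why the article's interactive prompts are preferable on shared hosts.

```shell
#!/bin/sh
# Added example, not from the original article: Section 1, steps 1 to 4, as one
# function. Run it from the LISA RA base directory; nothing prompts because the
# alias, passwords and subject DN are passed in (validity of 365 days is an assumption).
# Usage: build_signed_truststore testenv01 'keystore-pw' 'truststore-pw' 'CN=nes01,O=Example'
build_signed_truststore() {
    al="$1"; kspass="$2"; tspass="$3"; dname="$4"
    mkdir -p conf || return 1

    # Step 1: RSA 2048 key pair in the custom keystore. SHA256withRSA is used
    # rather than the SHA1withRSA in the article's sample output, because
    # recent JDKs refuse to verify SHA-1 signed jars.
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "$dname" -alias "$al" \
        -keystore conf/custom-keystore.jks -storepass "$kspass" -keypass "$kspass" || return 1

    # Step 2: export the public certificate in PEM form.
    keytool -exportcert -rfc -alias "$al" -file "$al.crt" \
        -keystore conf/custom-keystore.jks -storepass "$kspass" || return 1

    # Step 3: trust it in nolio.jks (web UI) and conf/custom-truststore.jks (NES).
    for ts in nolio.jks conf/custom-truststore.jks; do
        keytool -importcert -noprompt -alias "$al" -file "$al.crt" \
            -keystore "$ts" -storepass "$tspass" || return 1
    done

    # Step 4: package nolio.jks as custom-truststore.jar, sign it with the key
    # from step 1 and verify the signature before the jar is moved into
    # webapps/nolio-app/apps/v2.0.0/lib.
    jar cf custom-truststore.jar nolio.jks || return 1
    jarsigner -keystore conf/custom-keystore.jks -storepass "$kspass" \
        -keypass "$kspass" custom-truststore.jar "$al" || return 1
    jarsigner -verify custom-truststore.jar >/dev/null
}

# Returns 0 when the keystore or truststore holds an entry under the alias;
# a quick post-check for nolio.jks and custom-truststore.jks.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}
```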


Section 2: Configuration of Nolio Local/Remote Agent(s)

This section assumes, as in the previous section, that a Nolio Agent is also running on the execution server; we use that local agent as the example, but the same applies to remote agents.

All operations on the local NAG are assumed to run with the CWD set to <LISA RA Base Install Directory>/NolioAgent (e.g. /usr/local/LISAReleaseAutomationServer/NolioAgent), and all operations on the NES are assumed to run with the CWD set to the LISA RA base install directory (e.g. /usr/local/LISAReleaseAutomationServer).

Step 1, on the local/remote NAG:

Create a custom keystore for the Nolio Agent, and generate a private/public keypair with a unique alias for the specific agent.

  • keytool -genkeypair -keyalg RSA -keysize 2048 -keystore conf/custom-keystore.jks -alias agent01

This creates the agent's new keystore; please take note of the keystore password.

Step 2, on the local/remote NAG and NES:

Export the public certificate into a certificate file, import it into the NES custom truststore, then update the NAG's custom-truststore.jks.

  • keytool -exportcert -alias agent01 -file agent01.crt -keystore conf/custom-keystore.jks -v -rfc
  • You will be prompted for the newly created NAG custom-keystore.jks password.

[NES] Switch directories to the LISA RA Base Install directory.

  • keytool -importcert -alias agent01 -file NolioAgent/agent01.crt -keystore conf/custom-truststore.jks -v -rfc
  • You will be prompted for the NES custom-truststore.jks password created in Section 1.

Once you have imported the certificate file into the NES custom truststore, update the NAG's custom-truststore.jks to match the NES. This permits SSL/TLS communication not only with the NES but also between agents:

  • cp conf/custom-truststore.jks <NOLIO_AGENT_PATH>/conf
  • If operating locally, when prompted to overwrite destination file, select yes.
  • If operating on a new remote NAG, place the file in the conf directory and overwrite as well if prompted.

Step 3, on the local/remote NAG and NES:

We will now want to update conf/nimi_config.xml on both the NAG and the NES, and then restart the NAG and NES/Nolio Server:

  • Switch to the Nolio Server/NES base install directory, open conf/nimi_config.xml and find the security section as shown below:

            <security>
                <enabled>false</enabled>
                <keystore>conf/custom-keystore.jks</keystore>
                <keystore_password>[encrypted password]</keystore_password>
                <trust_store>conf/custom-truststore.jks</trust_store>
                <trustore_password>[encrypted password]</trustore_password>
            </security>

  • Change the enabled section to true
  • Update the keystore to conf/custom-keystore.jks, or whatever filename you used for your custom keystore.
  • Update the keystore password for the NES with the encrypted password you used to originally create the custom keystore on the NES in Section 1(See below note).
  • Update the trust_store to conf/custom-truststore.jks, or whatever filename you used for your custom truststore.
  • Update the truststore password for the NES with the encrypted password you used to originally create the custom truststore in Section 1(See below note).

Note: To do this, from the LISA RA Base Directory, run: scripts/encrypt_nimi_password.sh <plaintext password> - You will be provided with the encrypted version of the password.  The same process applies for getting the custom truststore password created in Section 1 for the NES.

  • Now switch to the NolioAgent directory within the LISA RA base install directory and repeat step 3 to update nimi_config.xml for the keystore files and passwords created for the Nolio Agent.

Step 4, Restart NAG and NES for security changes to take effect, and verify secure SSL/TLS connections are functioning.

  • Within the NolioAgent directory, restart the NAG first: ./nolio_agent.sh restart
  • Next, switch back to the LISA RA base install directory and restart the NES/Nolio Server: ./nolio_server.sh restart

Now, verify the SSL/TLS secure connections are working by logging into Automation Center:

  • Once logged in, select the Administration tab at the bottom, and select 'Agents Management'
  • Add a new execution server, using the following parameters: Host name: 127.0.0.1, Port: 8443, Protocol: HTTPS
  • After a few moments, if everything is configured correctly, the execution server along with the Agent should show up. If so you have successfully configured NAG SSL/TLS intercommunication, and NAG <-> NES secure communications using self-signed certificates.

If they do not show up, please review the configuration files for any mistakes/typos, and/or the logs for the agent(s)(specifically logs/nimi.log) and the NES(specifically logs/nolio_dm_all.log, logs/nimi.log, and logs/nolio_exec_all.log) for any errors.

Note: To add additional remote NAGs with SSL/TLS enabled, simply repeat Section 2, omitting the step to restart the NES, as this is not necessary once the initial configuration is in place.  Just make sure all the agents for a given execution server have a matching custom-truststore.jks from the NES after completion of a new agent configuration. The easiest way to accomplish this is to just copy/push out the updated custom-truststore.jks from the Nolio Server/NES to the agents manually, or implement a process within RA to accomplish this task.
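Added example, not part of the original article: the consistency checks a practitioner would run after this section, before turning to nimi.log. It assumes the layout the article uses (NES base directory with a NolioAgent subdirectory, each with conf/nimi_config.xml and its keystore files) and the element names shown in the article's nimi_config.xml excerpt.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the article's layout:
# an NES base directory and an agent directory, each holding conf/nimi_config.xml
# and the keystore/truststore files referenced from it (paths relative to that dir).

# Every agent of an execution server must carry the NES copy of
# custom-truststore.jks byte for byte (Section 2, step 2 and the closing note).
truststores_match() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Returns 0 when the <security> element of nimi_config.xml ($1) has enabled=true,
# references keystore and truststore files that exist under the base dir ($2),
# and has both password elements filled in. The element name trustore_password
# is spelled as it appears in the article's config excerpt.
nimi_security_ok() {
    cfg="$1"; base="$2"
    blk=$(sed -n '/<security>/,/<\/security>/p' "$cfg")
    [ -n "$blk" ] || return 1
    printf '%s\n' "$blk" | grep -q '<enabled>true</enabled>' || return 1
    ks=$(printf '%s\n' "$blk" | sed -n 's:.*<keystore>\(.*\)</keystore>.*:\1:p')
    ts=$(printf '%s\n' "$blk" | sed -n 's:.*<trust_store>\(.*\)</trust_store>.*:\1:p')
    kp=$(printf '%s\n' "$blk" | sed -n 's:.*<keystore_password>\(.*\)</keystore_password>.*:\1:p')
    tp=$(printf '%s\n' "$blk" | sed -n 's:.*<trustore_password>\(.*\)</trustore_password>.*:\1:p')
    [ -n "$ks" ] && [ -f "$base/$ks" ] || return 1
    [ -n "$ts" ] && [ -f "$base/$ts" ] || return 1
    [ -n "$kp" ] && [ -n "$tp" ] || return 1
    # A value still in square brackets is the article's "[encrypted password]"
    # placeholder, i.e. encrypt_nimi_password.sh output was never pasted in.
    case "$kp$tp" in *\[*\]*) return 1 ;; esac
    return 0
}

# Runs both checks for one NES base dir ($1) and one agent dir ($2); returns
# non-zero and names each failed check so it can be fixed before a restart.
check_nes_and_agent() {
    nes="$1"; nag="$2"; rc=0
    truststores_match "$nes/conf/custom-truststore.jks" "$nag/conf/custom-truststore.jks" \
        || { echo "truststore mismatch between NES and $nag"; rc=1; }
    nimi_security_ok "$nes/conf/nimi_config.xml" "$nes" \
        || { echo "NES nimi_config.xml: security not enabled or incomplete"; rc=1; }
    nimi_security_ok "$nag/conf/nimi_config.xml" "$nag" \
        || { echo "NAG nimi_config.xml: security not enabled or incomplete"; rc=1; }
    return $rc
}
```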

Environment

Release: NOLNAC99000-4.7-Nolio-Automation Center