In this document, we will review how to achieve secured(SSL/TLS) communication for the Automation Studio UI, as well as the Release Operations center UI initially, and then optionally go over the specifics to extend this capability for communication between all Release Automation components. This particular document and examples contained herein will use self-signed SSL certificates only. However, you may apply the same methods achieving identical results if you have a trusted CA certificate, by simply discarding the examples for using keytool to generate/sign the certificates we use in this demonstration.
Everything we review in terms of examples herein use a linux environment(assuming the default install directory of /usr/local/LISAReleaseAutomationServer is being used as the working directory for all commands unless specified otherwise), although the same basic commands apply to a windows environment(although this has been untested at this time!), they should work considering the portability of java.
Prerequisites, you will need Nolio Server installed, and the Java JDK which includes several required utilities including jarsigner(gjarsigner does not work).
Once this is installed, you will want to update your path, eg: PATH=$PATH:/usr/java/jdk-<version>/bin
Please note, this document assumes you are operating on a new single-server installation using v4.7.1, although this should work on previous versions >=4.0 as well.
Although optional, this section is intended to configure LISA RA to use a non-default self-signed SSL certificate for the web UI components.
Step 1, on the NAC/NES:
From the base directory, generate a custom keystore(name is irrelevant, but for the sake of simplicity we will use custom-keystore.jks and custom-truststore.jks throughout).
Step 2, on the NAC/NES:
We will now want to export the public key to a certificate file using keytool:
note: You will be prompted for the keystore password you recorded earlier for custom-keystore.jks, afterwards a file testenv01.crt will be written to the current directory.
Step 3, on the NAC/NES:
We will now want to import the certificate file into a custom truststore, note: just for the web UI components, the truststore must be named nolio.jks. We will also want to import the same certificate file into a new truststore on the NES, conf/custom-truststore.jks.
Output should be similar to(example for both):
Enter keystore password:
Re-enter new password:
Owner: CN=Jeremy Nelson, OU=Nolio Support, O=CA Inc, L=Plano, ST=Texas, C=US
Issuer: CN=Jeremy Nelson, OU=Nolio Support, O=CA Inc, L=Plano, ST=Texas, C=US
Serial number: 52d83913
Valid from: Thu Jan 16 14:54:59 EST 2014 until: Wed Apr 16 15:54:59 EDT 2014
Signature algorithm name: SHA1withRSA
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing nolio.jks and/or custom-truststore.jks]
Step 4, on the NAC/NES:
Now we will want to create a jar file with nolio.jks, and sign it, then move it to the proper directory, note the jar file must be named custom-truststore.jar for this application:
Create the jar file:
Output should upon success be similar to this:
[[email protected] LISAReleaseAutomationServer]# jar cvf custom-truststore.jar nolio.jks
adding: nolio.jks(in = 926) (out= 785)(deflated 15%)
Sign the newly created created jar file:
You will be prompted for the password used to create custom-truststore.jar
Output should be similar to this:
Enter Passphrase for keystore:
Verify the jar is signed and contains correct certificates, and copy/move custom-truststore.jar to the proper directory:
jarsigner –verify –verbose –certs custom-truststore.jar
mv custom-truststore.jar webapps/nolio-app/apps/v2.0.0/lib
Step 5, on the NAC/NES:
Create a new properties file and set the truststore password.
Add the following lines:
ui.trustStorePassword=<plaintext password for keystore generated for custom-truststore.jar>
javax.net.ssl.trustStorePassword=<plaintext password for conf/custom-truststore.jks>
Step 6, on the NAC/NES:
Update conf/server.xml Connector information for port 8443, line 85 on release 4.7.1 as follows(noted portions highlighted in red need updating).
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
keystorePass="[plaintext password for custom-keystore]">
Note: If you do not plan on using self-signed certificates for NAG <-> NAG communication or NES <-> NAG communication, you can go ahead and restart the Nolio Server now: ./nolio_server.sh restart
Otherwise, continue on to Section 2(Optional).
If you are not proceeding with Section 2, after Nolio Server starts back up, the server should now be using the generated self-signed certificate for the web UI components. This completes the configuration of the web UI components using self-signed certificates. Note: you will still use port 8080 to login to Automation Center, as it redirects to 8443.
This section assumes from the previous section that there is a Nolio Agent also running on the execution server which we will use as the example, this also applies to remote agents as well.
All operations on the local NAG will be assumed to run in the CWD of <LISA RA Base Install Directory>/NolioAgent (eg: /usr/local/LISAReleaseAutomationServer/NolioAgent), and all operations on the NES will be assumed to in the CWD of the LISA RA Base Install directory,(eg: /usr/local/LISAReleaseAutomationServer) respectively.
Step 1, on the local/remote NAG:
Create a custom keystore for the Nolio Agent, and generate a private/public keypair with a unique alias for the specific agent.
This will create the agents new keystore, please take note of the keystore password.
Step 2, on the local/remote NAG and NES:
Export the public certificate into a certificate file, and import it into the NES custom truststore, then update the NAGs custom-truststore.jks
[NES] Switch directories to the LISA RA Base Install directory.
Once you have imported the certificate file into the custom-truststore of the NES, you will want to update the NAGs custom-truststore.jks to match the NES, this permits not only the SSL/TLS communication with the NES but also between agents:
Step 3, on the local/remote NAG and NES:
We will now want to update conf/nimi_config.xml on both the NAG and the NES, and then restart the NAG and NES/Nolio Server:
Note: To do this, from the LISA RA Base Directory, run: scripts/encrypt_nimi_password.sh <plaintext password> - You will be provided with the encrypted version of the password. The same process applies for getting the custom truststore password created in Section 1 for the NES.
Step 4, Restart NAG and NES for security changes to take effect, and verify secure SSL/TLS connections are functioning.
Now, verify the SSL/TLS secure connections are working, by logging into Automation Center
If they do not show up, please review the configuration files for any mistakes/typos, and/or the logs for the agent(s)(specifically logs/nimi.log) and the NES(specifically logs/nolio_dm_all.log, logs/nimi.log, and logs/nolio_exec_all.log) for any errors.
Note: To add additional remote NAGs with SSL/TLS enabled, simply repeat Section 2, omitting the step to restart the NES, as this is not necessary once the initial configuration is in place. Just make sure all the agents for a given execution server have a matching custom-truststore.jks from the NES after completion of a new agent configuration. The easiest way to accomplish this is to just copy/push out the updated custom-truststore.jks from the Nolio Server/NES to the agents manually, or implement a process within RA to accomplish this task.