Enable HTTPS and SSL between All DevTest Components

Article ID: 109006

Products

CA Application Test, CA Continuous Application Insight (PathFinder), Service Virtualization

Issue/Introduction

How to enable HTTPS and SSL between DevTest Components.

Section one is for using your own keystore.

Section two is for using the DevTest default keystore (webreckeys.ks) 

Additional Information: Create a New Keystore with OpenSSL and Keystore Explorer

 

Environment

All supported DevTest releases.

Cause

N/A

Resolution

Section one: Enable HTTPS and SSL between All DevTest Components Using Your Own Keystore

 

NOTE:  DevTest does not like the following special characters in keystore passwords: /, \, %

When creating the keystore passwords for DevTest, do not use these characters.  Use this rule when creating any keystore password on DevTest regardless of component.

The keystore must have the same passwords for PRIVATEKEY and KEYSTORE.  DevTest does not support Keystores that have different passwords for PRIVATEKEY and KEYSTORE.

Make sure the keystore type is JKS. Registry port 1505 does not accept keystores of type P12.

 

 

The keystore must contain the entire certificate chain (root, intermediate, server).


Put the keystore in the DEVTEST_HOME folder on each machine where a component is running.


Update these properties files and restart the DevTest components:

 

iam.properties file on the machine where Identity Access Manager (IAM) is running (by default, IAM is HTTPS enabled):

iam.keystore=${IAM_HOME}certs/<your keystore jks here>
iam.keystore.password=<your keystore password, it gets stored in vault after IAM is started>
iam.truststore=${IAM_HOME}certs/iam-truststore.ks
iam.truststore.password=${VAULT::IAM::IAM_TRUSTSTORE_PASSWORD::1}

NOTE: If configuring LDAPS with IAM, the LDAP server certificate must be included in iam-truststore.ks.

 


dradis.properties file on the machine where your Enterprise Dashboard is running:

dradis.webserver.https.enabled=true 
dradis.webserver.ssl.keystore.location=${DRADIS_HOME}YOURKEYSTORE JKS
dradis.webserver.ssl.keystore.password=(your keystore password) 
dradis.webserver.ssl.keymanager.password=(your keymanager password) 



site.properties file on the machine where Registry is running:

devtest.enterprisedashboard.https.enabled=true 



phoenix.properties file on the machine where Portal is running:

registry.host=(hostname of your Registry)

registry.https.enabled=true 

phoenix.https.enabled=true 
phoenix.ssl.keystore=${LISA_HOME}your keystore.jks 
phoenix.ssl.keystore.password=(your keystore password) 
phoenix.ssl.keymanager.password=(your keymanager password) 


reshub.hostname=(hostname of your Portal)


local.properties file on every machine where a DevTest component is installed, if the installation is distributed (for example, multiple Simulators and VSEs):

lisa.net.keyStore={{LISA_HOME}}your keystore.jks
lisa.net.keyStore.password=(your keystore password) 

lisa.net.trustStore={{LISA_HOME}}your keystore.jks
lisa.net.trustStore.password=(your keystore password) 

lisa.net.default.protocol=ssl 

lisa.webserver.https.enabled=true 
lisa.webserver.ssl.keystore.location={{LISA_HOME}}your keystore.jks
lisa.webserver.ssl.keystore.password=(your keystore password) 
lisa.webserver.ssl.keymanager.password=(your keymanager password) 

lisa.portal.url.prefix=https:// 
 

 

Workstation: To connect to Registry over SSL, configure the properties below in local.properties.

lisa.net.trustStore={{LISA_HOME}}yourtruststore.jks
lisa.net.trustStore.password=yourpassword

 

VSCatalog

vscatalog.vmoptions (if running as a server) or vscatalogService.vmoptions (if running as a service) on the machine where the VS Catalog is running:

-Dsvcatalog.auth.host.url=https://IAM_MACHINE:51111/auth   <=== where your IAM is running
-Dserver.ssl.key-store=file:///C:/DevTest10.6.0/VSCatalog/YOURKEYSTORE   <=== fully qualified path to where your keystore is (this example is on Windows)
-Dserver.ssl.key-password=YOURKEYSTOREPASWD   <=== password of keystore (note it will not get encrypted)
-Dserver.ssl.key-alias=KEYSTOREALIASNAMEOFYOURKEYPAIR   <=== make sure the alias name has no spaces
-Dserver.ssl.key-store-provider=SUN
-Dserver.ssl.key-store-type=JKS
-Dlisa.webserver.https.enabled=true
 

Add a truststore to vscatalog.vmoptions:
-Djavax.net.ssl.trustStore=c:/devtest/WVD009.ks 
-Djavax.net.ssl.trustStorePassword=some_password 

Alternatively, you can add the certificate to the cacerts file in vscatalog_install_folder/jre/lib/security.

 

Note: If you face any SSL issues when starting an SSL-enabled Broker service, see the document linked below:

Limitations in using Your Own Keystore for DevTest Broker Service

 

To set the TLS version, add the following to local.properties:
https.protocols=TLSv1.2

 

Section two: Enable HTTPS and SSL between All DevTest Components Using the DevTest Default Keystore (webreckeys.ks)

 

The DevTest default keystore is webreckeys.ks.

Update the below properties files and restart all DevTest Components.

 

IAM

By default, IAM is HTTPS enabled and uses the keystore webreckeys.ks, so nothing needs to be done.

 

Enterprise Dashboard

dradis.properties file on the machine where your Enterprise Dashboard is running. You only need to uncomment the property below and set it to true:

dradis.webserver.https.enabled=true 

 

Registry

site.properties file on the machine where Registry is running. You only need to uncomment the property below and set it to true:

devtest.enterprisedashboard.https.enabled=true 

 

Portal

phoenix.properties file on the machine where Portal is running. You only need to uncomment the properties below and set them to true:

registry.https.enabled=true 

phoenix.https.enabled=true 

 

All components

local.properties file on every machine where a DevTest component is installed, if the installation is distributed:

lisa.net.default.protocol=ssl 

lisa.webserver.https.enabled=true 

lisa.portal.url.prefix=https:// 
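An added example (not DevTest or Broadcom code) that audits a local.properties file against the settings listed in both sections: the three SSL switches, the password characters DevTest rejects, and matching keystore and key passwords. It assumes the keymanager password is the private-key password and that the passwords are still in plain text as written in this article; the function names and sample values are constructed for illustration.

```python
# Characters the article says must not appear in DevTest keystore passwords.
FORBIDDEN = set("/\\%")
# local.properties settings the article requires in both sections.
REQUIRED = {
    "lisa.net.default.protocol": "ssl",
    "lisa.webserver.https.enabled": "true",
    "lisa.portal.url.prefix": "https://",
}

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_local_properties(text):
    """Return a list of findings; an empty list means the file passes."""
    props = parse_properties(text)
    findings = []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append("%s should be %r, found %r" % (key, want, props.get(key)))
    for key, value in props.items():
        if key.endswith(".password") and FORBIDDEN & set(value):
            findings.append(key + " contains a forbidden character (/, \\ or %)")
    store = props.get("lisa.webserver.ssl.keystore.password")
    keymgr = props.get("lisa.webserver.ssl.keymanager.password")
    if store is not None and keymgr is not None and store != keymgr:
        findings.append("keystore and keymanager passwords differ")
    return findings

# Constructed sample: protocol line missing, '%' in one password.
SAMPLE = """\
lisa.net.keyStore={{LISA_HOME}}example.jks
lisa.net.keyStore.password=Chang3me
lisa.webserver.https.enabled=true
lisa.webserver.ssl.keystore.password=Chang3%me
lisa.webserver.ssl.keymanager.password=Chang3me
lisa.portal.url.prefix=https://
"""

if __name__ == "__main__":
    print("\n".join(audit_local_properties(SAMPLE)))
```
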

 

 

Additional Information

Create a New Keystore with OpenSSL and Keystore Explorer

 

Software used:

OpenSSL:  https://www.openssl.org/

or

OpenSSL : https://sourceforge.net/projects/openssl/

KeyStore Explorer: https://keystore-explorer.org/downloads.html

 

Set the system environment variable for OpenSSL:

OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

 

Create a private key:

openssl req -new -newkey rsa:2048 -nodes -keyout C:\Certificates_and_Keystores\private.key

Example:

C:\Program Files (x86)\GnuWin32\bin>openssl req -new -newkey rsa:2048 -nodes -keyout C:\Certificates_and_Keystores\private.key
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
............................+++
............................................+++
writing new private key to 'C:\Certificates_and_Keystores\private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Plano
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Broadcom
Organizational Unit Name (eg, section) []:IMS
Common Name (eg, YOUR name) []:machine1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

Create a Certificate Signing Request:

openssl req -new -sha256 -key C:\Certificates_and_Keystores\private.key -out C:\Certificates_and_Keystores\machine1.csr

Example:

C:\Program Files (x86)\GnuWin32\bin>openssl req -new -sha256 -key C:\Certificates_and_Keystores\private.key -out C:\Certificates_and_Keystores\machine1.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Plano
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Broadcom
Organizational Unit Name (eg, section) []:IMS
Common Name (eg, YOUR name) []:machine1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

Send your .csr file to your Certificate Authority (CA).

The CA will send you your certificate, for example a machine1.pem, machine1.crt or machine1.cer file. (The extension depends on your company's standards.)

 

Use Keystore Explorer for the remaining steps:

Create a new Keystore

New Keystore Type is JKS

Import Key Pair

Import Key Pair Type is OpenSSL

Browse to get your private.key file

Browse to get your certificate machine1.pem or machine1.crt or machine1.cer file.

Import

Then import the intermediate certificate.

Then import the root certificate.

Your keystore is ready to use with DevTest.

 

NOTE: The keystore must have the same passwords for PRIVATEKEY and KEYSTORE.  DevTest does not support keystores that have different passwords for PRIVATEKEY and KEYSTORE.

 

Of SSL, SNI, Java and DevTest 

https://community.broadcom.com/enterprisesoftware/viewdocument/of-ssl-sni-java-and-devtest?CommunityKey=94bda077-625b-4914-8ac3-c88a06c2cc23&tab=librarydocuments