Tech Tips: Configure 1-way SSL Working with Your Own Single Certificate and use HTTPS TLSv1.2 Communication with DevTest Components

Document created by MarcyNunns (Employee) on Apr 19, 2017. Last modified by MarcyNunns (Employee) on May 9, 2017.
Version 5

By default, communication between components uses an unencrypted protocol. If necessary, the Secure Sockets Layer (SSL) can encrypt the network traffic.

 

Depending on the version of DevTest, follow the steps in these sections for SSL:

 

1) Using SSL to Secure Communication

2) SSL Certificates and Create Your Own Self-Signed Certificate

When you set the default protocol to SSL and you do not change anything else, you use an "internal DevTest" certificate. All DevTest users (not only your organization) share this internal certificate. Using this certificate encrypts the network traffic, but it does not prevent an unauthorized user from connecting to your simulator on a public cloud. To prevent this type of unauthorized access, use your own certificate. You can also continue to use the "well-known" DevTest certificate, but enable access control.

 

NOTE: Regardless of whether you create your own certificate or have one given to you, make sure the keystore is created with the same JVM architecture, and in the same place, as where it will be accessed. The keytool used on one server may not be the same as the keytool used on another server.


Properties Files to Configure

 

dradis.properties file:

 

dradis.webserver.https.enabled=true
dradis.webserver.ssl.keystore.location={{LISA_HOME}}webserver.ks
   or
dradis.webserver.ssl.keystore.location=<<fully qualified path to where your keystore is>>
dradis.webserver.ssl.keystore.password=<<password of keystore>>
dradis.webserver.ssl.keymanager.password=<<key manager password>> (unless it is different, use the same value as dradis.webserver.ssl.keystore.password)


local.properties file: (edit the local.properties file of every component, since Enterprise Dashboard could be on one machine and Registry, Portal, etc. on other machines)

 

devtest.enterprisedashboard.host=<hostname or IP of where your Enterprise Dashboard is running>
devtest.enterprisedashboard.port=1506
devtest.enterprisedashboard.https.enabled=true

lisa.net.default.protocol=ssl
lisa.webserver.https.enabled=true
lisa.webserver.ssl.keystore.location={{LISA_HOME}}webserver.ks
   or
lisa.webserver.ssl.keystore.location=<<fully qualified path to where your keystore is>>
lisa.webserver.ssl.keystore.password=<<password of keystore>>
lisa.webserver.ssl.keymanager.password=<<key manager password>> (unless it is different, use the same value as lisa.webserver.ssl.keystore.password)
lisa.portal.url.prefix=https://
https.protocols=TLSv1.2
lisa.server.https.cipher.suites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256


phoenix.properties file:

 

registry.https.enabled=true
phoenix.https.enabled=true
phoenix.ssl.keystore={{LISA_HOME}}webserver.ks
   or
phoenix.ssl.keystore=<<fully qualified path to where your keystore is>>
phoenix.ssl.keystore.password=<<password of keystore>>
phoenix.ssl.keymanager.password=<<key manager password>> (unless it is different, use the same value as phoenix.ssl.keystore.password)

 

Note on specifying strong cipher suites:

Strong cipher suites depend on the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files being installed (local_policy.jar and US_export_policy.jar, which would normally be in the DEVTEST_HOMEjre\lib\security folder).

This might not be permitted in some areas. http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
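
A pre-deployment check for the local.properties settings and the cipher-suite note above, written as an added example (it is not part of the original document or of DevTest). The function names and the sample file are constructed; treating AES_256 suites as the ones that need the JCE policy files is this example's reading of the note, and the forward-secrecy flag is general TLS knowledge rather than a claim from this page.

```python
import re
# Constructed sample local.properties (not from a real installation).
SAMPLE = """\
lisa.net.default.protocol=ssl
lisa.webserver.https.enabled=true
lisa.webserver.ssl.keystore.password=<<password of keystore>>
https.protocols=TLSv1.2
lisa.server.https.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

REQUIRED = {  # values this page sets in local.properties
    "lisa.net.default.protocol": "ssl",
    "lisa.webserver.https.enabled": "true",
    "https.protocols": "TLSv1.2",
}
KEYSTORE_KEYS = ("lisa.webserver.ssl.keystore.location", "lisa.webserver.ssl.keystore.password")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return a list of findings for one component's local.properties."""
    props, findings = parse_properties(text), []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want}, found {props.get(key)}")
    for key in KEYSTORE_KEYS:
        value = props.get(key)
        if value is None:
            findings.append(f"{key}: not set, own keystore is not configured")
        elif re.search(r"<<.*>>", value):  # {{LISA_HOME}} is legitimate, <<...>> is not
            findings.append(f"{key}: template placeholder was not replaced")
    suites = props.get("lisa.server.https.cipher.suites", "")
    for suite in filter(None, (s.strip() for s in suites.split(","))):
        if "_AES_256_" in suite:  # 256-bit AES is blocked under the limited JCE policy
            findings.append(f"{suite}: needs the JCE unlimited-strength policy files")
        if suite.startswith("TLS_RSA_WITH_"):  # static RSA key exchange
            findings.append(f"{suite}: no forward secrecy")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against the local.properties of every component, since a single host left on the defaults is enough to leave that connection unencrypted or on the shared certificate.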

 

 

Refer to DevTest documentation concerning Security.

Information from KB TEC1842159 was used in this document.

 

Additional information:

 

TLSv1.2 was not enabled in Java 7 until update 95. So if you have DevTest 8.0.0 through 8.5.0, enabling TLSv1.2 will be an issue unless you are able to use Java 7 u95, which unfortunately is no longer available for download from Oracle. Those earlier versions of DevTest did not have the required Java delivered with the product to use TLSv1.2.

 

DevTest 9.0.0 and later will not be a problem since those versions are delivered with Java 8 and TLSv1.2 is enabled by default.
