Configuring SSL for RA repository server

Document ID : KB000111118
Last Modified Date : 15/08/2018
Introduction:
We want all components of Release Automation to be configured for SSL using strong ciphers. A security scan found that the Management Server and the Repository Server communicate over non-SSL by default. We would like to configure SSL for this link using our own key and certificate issued by our root CA.
Background:
By default, the Management Server, the retrieval agents and the repository server communicate over a non-SSL protocol. This document illustrates how SSL communication can be established among them using your own custom keystores.
Environment:
Release Automation 6.3  or higher
Instructions:

Assumption: You have the key and certificate for the repository server issued by your root CA.

Steps to be performed on the Repository Server

    1: Stop the repository server by running the command ./<Repo_Install_Dir>/nolio_repo.sh stop
    2: Import the key provided by the root CA into the custom keystore of the repository server.

       Example command (repokeystore.p12 is the key):
       keytool -importkeystore -destkeystore conf/repo-keystore.jks -srckeystore repokeystore.p12 -srcstoretype pkcs12 -alias ra-repo

    3: Navigate to <Repo_Install_Dir>/conf and create a backup of the server.xml file.
    4: Open <Repo_Install_Dir>/conf/server.xml, locate the <Connector port="8443" ...> element and modify the lines below.

       Note: repo-keystore.jks is the custom keystore for the repository server.

       keyAlias="ra-repo"
       keystoreFile="conf/repo-keystore.jks"
       keystorePass="********"

       To tune the ciphers, apply the configuration below.

       Add the ciphers attribute to the <Connector port="8443" ...> element; the entry will look like this:

       <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                  compression="on"
                  compressionMinSize="102400"
                  compressableMimeType="application/x-java-serialized-object"
                  SSLEnabled="true"
                  maxThreads="150"
                  scheme="https"
                  secure="true"
                  clientAuth="false"
                  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
                  keyAlias="ra-repo"
                  keystoreFile="conf/repo-keystore.jks"
                  keystorePass="************"
                  maxSwallowSize="-1"
                  ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                           TLS_RSA_WITH_AES_128_CBC_SHA,
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                           TLS_RSA_WITH_AES_128_CBC_SHA256,
                           TLS_RSA_WITH_AES_128_GCM_SHA256,
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                           TLS_RSA_WITH_AES_256_CBC_SHA,
                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                           TLS_RSA_WITH_AES_256_CBC_SHA256,
                           TLS_RSA_WITH_AES_256_GCM_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
       </Connector>
    5: Save the file and start the repository server by running the command ./<Repo_Install_Dir>/nolio_repo.sh start
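As an added example (not part of this article or of the product), a small Python check that parses a server.xml fragment and flags the settings a reviewer of the Connector above would question: TLSv1/TLSv1.1 in sslEnabledProtocols, 3DES suites, and static-RSA suites without forward secrecy. Both XML fragments are constructed for the example; only the port and the attribute names come from the article.

```python
"""Audit the SSL attributes of the Tomcat <Connector> used by the RA repository server.
Added example; not code from the article or from the product."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's connector (password redacted, list shortened).
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  keyAlias="ra-repo" keystoreFile="conf/repo-keystore.jks" keystorePass="********"
  ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
</Service></Server>"""

# Constructed hardened variant: TLS 1.2 only, ECDHE + AEAD suites only.
HARDENED_SERVER_XML = """<Server><Service>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1.2" keyAlias="ra-repo"
  keystoreFile="conf/repo-keystore.jks" keystorePass="********"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "DES_CBC")


def _split_list(value):
    """Tomcat takes comma-separated lists; the article wraps them across lines."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_connector(xml_text, port="8443"):
    """Return a list of findings (empty means nothing to flag) for the connector on port."""
    root = ET.fromstring(xml_text)
    conns = [c for c in root.iter("Connector") if c.get("port") == port]
    if not conns:
        return [f'no <Connector port="{port}"> found']
    c, findings = conns[0], []
    if c.get("SSLEnabled", "").lower() != "true" or c.get("scheme") != "https":
        findings.append("connector is not SSL-enabled (check SSLEnabled/scheme)")
    for key in ("keyAlias", "keystoreFile", "keystorePass"):
        if not c.get(key):
            findings.append(f"missing {key}")
    for proto in _split_list(c.get("sslEnabledProtocols", "")):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    for suite in _split_list(c.get("ciphers", "")):
        if any(m in suite for m in WEAK_MARKERS):
            findings.append(f"weak cipher: {suite}")
        elif not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"no forward secrecy: {suite}")
    return findings
```

Run audit_connector on the real <Repo_Install_Dir>/conf/server.xml contents after step 4 to confirm only the protocols and suites you intend remain enabled.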

Steps to be performed on the Data Management Server (a.k.a. NAC)
          
    1: Copy the certificate of the repository server to the NAC.
    2: Stop the NAC service.
    3: Create a backup of the NAC trust-store file.
    4: Run the command below to import the repository server certificate into the NAC trust-store:

       keytool -importcert -alias ra-repo -file repo-cert.crt -keystore custom-truststore.jks -v -rfc

    5: Create a backup of <NAC_Install_Dir>/conf/nolio-repo.properties.
    6: Open <NAC_Install_Dir>/conf/nolio-repo.properties and make the changes below. The port is the port on which SSL is configured for the repository server in your environment.

       hostname=<hostname of repository server>
       scheme=https
       port=8443

    7: Start the NAC service.


Steps to be performed on the Agents
Note: Every retrieval agent that communicates with the repository must have the repository certificate imported into its trust-store to establish trust.

    1: Copy the certificate of the repository server to the agent.
    2: Stop the Agent service.
    3: Create a backup of the agent trust-store file.
    4: Run the command below to import the repository server certificate into the agent trust-store:
       keytool -importcert -alias ra-repo -file repo-cert.crt -keystore custom-truststore.jks -v -rfc
    5: Start the Agent service.