Secure Communications

To secure , use certificates to configure SSL communication between all components.
ra61
To secure
Nolio Release Automation
, use certificates to configure SSL communication between all components.
Complete the following steps to secure
Nolio Release Automation
SSL communication:
This diagram shows the steps to secure Secure Sockets Layer communication
This diagram shows the steps to secure Secure Sockets Layer communication
Verify Prerequisites
Verify the following prerequisites before you secure your installation:
  • Install the same version of Java JDK that is installed with
    Nolio Release Automation
    on a system from which you generate certificates.
  • Set your PATH environment variable to the JDK installation
    bin
    directory on the systems from which you generate the certificates.
  • To use certificates that are signed by a third party, you must have access to a Certificate Authority to sign the certificate. You can also use self-signed certificates.
  • We recommend that you have experience creating and working with certificates. This experience is useful if you deviate from the example certificate creation scenario.
Prepare Certificates and Keystores
To secure communications between
Nolio Release Automation
components, generate certificates, a keystore, and a trust store. Each component (Management Server, Execution Server, and Agent) requires a certificate. You can use the same certificate for all Agents.
The following procedures include examples of how to use the keytool to create self-signed certificates, keystores, and trust stores on the appropriate
Nolio Release Automation
systems. These examples show one of the possible certificate creation scenarios.
Carefully consider the following items before you proceed:
  • If your certificates, keystore, and trust store are prepared, you can skip the steps to create these entities. Each procedure contains information about when the certification creation steps are complete and when the SSL configuration steps begin.
  • You can generate certificates and stores on external systems. You do not have to be on the system where the
    Nolio Release Automation
    components are installed.
  • These procedures assume that you are working with a
    Nolio Release Automation
    distributed installation. This installation can contain multiple Execution Servers and Agents. Read the entire process carefully to understand how the requirements change in the following installations:
    • Single server
    • Multiple component systems
    • Multiple instances of components, for example, a large number of agents
  • Many security scenarios require certificates that are signed by a Certificate Authority. To skip the self-signed certificate steps, work with your security team to generate the certificates, keystores, and trust store. The steps to integrate custom certificates and stores into the product work the same for self-signed certificates. These steps also work for certificates that are signed by a Certificate Authority.
  • For a Certificate Authority signature, ensure that the client certificate allows the use of the "ServerAuth" and "ClientAuth". This feature enables the Agent to Execution Server communication.
  • All certificate, keystore, trust store, and alias names in this process are examples that you can change.
  • If you encounter issues during this process, contact Support or Professional Services for assistance.
Secure UI Communication
You can configure the Management Server so that all connections to Release Operations Center occur over SSL
Your custom keystore and trust store must reside at
RA_HOME\conf
on the Management Server. If you have prepared the necessary certificate, keystore, and trust store, proceed to Step 3.
Use the same password for both the keystore and the trust store.
Follow these steps:
  1. Open a command prompt on the Management Server (or the system from which you are generating certificates).
    If you generate the certificates on the Management Server, navigate to RA_HOME.
  2. Run the following commands to create the required certificates and stores for the Management Server:
    All certificate, keystore, trust store, and alias names are examples that you can change.
    keytool -genkeypair -keyalg RSA -keysize 2048 -keystore conf/custom-keystore.jks -alias ra-ms keytool -exportcert -alias ra-ms -file ms.crt -keystore conf/custom-keystore.jks -v keytool -importcert -alias ra-ms -file ms.crt -keystore conf/custom-truststore.jks -v -rfc
    These commands create a custom certificate, keystore, and trust store for the Management Server. The commands also add the certificate to the custom keystore and trust store.
    Make a note of key values, such as names and passwords.
  3. (Optional) Copy the custom-truststore.jks and custom-keystore.jks files to the RA_HOME\conf directory on the Management Server.
    If you followed this procedure exactly, these files are in the right place. If you create the stores on a separate system, or in a separate directory, ensure that the files are in the right place before you proceed.
  4. (5.5.1 and above only) Generate an encrypted password for custom-keystore.jks by navigating to RA_HOME and running the following command:
    scripts/encrypt_password
    Copy the encrypted password for use in ensuing steps.
  5. (5.5.1 and above only) Open the RA_HOME\conf\catalina.properties file.
  6. (5.5.1 and above only) Uncomment the following two lines. Fill in the keystorePass property with the encrypted password that you generated in Step 4:
    org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.nolio.tomcat.utils.PropertyDecoder keystorePass=<encrypted password>
  7. Locate the RA_HOME\conf\server.xml file and make a copy of the file.
  8. Open the RA_HOME\conf\server.xml file on the Management Server. Make the following changes to the section that starts with
    <Connector port="8443"
    :
    • Set the keyAlias element to the alias you specified when creating the custom-keystore.jks.
    • Set the keystoreFile element to conf/custom-keystore.jks.
    • Enter the string "${keystorePass}" (not the encrypted password itself) for the keystorePass element. This uses the encrypted password that you stored in the catalina.properties file in Step 6.
      Keystore password encryption in this file is only supported for version 5.5.1 and above. For previous versions, enter the password value in plain text.
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" compression="on" compressionMinSize="102400" compressableMimeType="application/x-java-serialized-object" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keyAlias="ra-ms" keystoreFile="conf/custom-keystore.jks" keystorePass="${keystorePass}" maxSwallowSize="-1">
  9. Close all open
    Nolio Release Automation
    UIs.
  10. (Optional, if Automation Studio is used) Clear the Java WebStart cache on each computer that downloaded the UI with the old security configuration.
    javaws -uninstall
  11. Restart the Nolio Release Automation Server Service.
  12. Access the
    Nolio Release Automation
    UI using HTTPS in the URL:
    https://<ManagementServer>:8443
    .
  13. View the certificate information and verify that it is the certificate that you created.
Secure Management Server to Execution Server Communication
To secure Management Server to Execution Server communication, configure the ActiveMQ connection between the two components to use SSL.
If you have already prepared the necessary certificate and keystore, proceed to Step 3. Either way, your custom keystore must reside at RA_HOME\conf on the Execution Server.
If the Management Server and Execution Server reside on the same system, a separate certificate and keystore is not required for the Execution Server. Perform the file manipulation steps that you did not perform in the previous procedure.
Follow these steps:
  1. Open a command prompt on the Execution Server or on the system from which you generate certificates.
    If you generate the certificates on the Execution Server, navigate to RA_HOME.
  2. Run the following commands to create the required certificate and keystore for the Execution Server:
    All certificate, keystore, trust store, and alias names are examples that you can change. 
    keytool -genkeypair -keyalg RSA -keysize 2048 -keystore conf/custom-keystore.jks -alias ra-es keytool -exportcert -alias ra-es -file es.crt -keystore conf/custom-keystore.jks -v
    These commands create a custom certificate and keystore for the Execution Server. These commands also add the certificate to the custom keystore, and exports the certificate to a file.
    Make a note of key values, such as names and passwords.
  3. (Optional) Copy the custom-keystore.jks file to the RA_HOME\conf directory on the Execution Server.
    If you followed this procedure exactly, this file is in the right place. If you created the keystore on a separate system or in a separate directory, ensure that it is in the right place before you proceed.
  4. Locate the RA_HOME\webapps\execution\WEB-INF\jms.properties file and make a copy of the file.
  5. Open the RA_HOME\webapps\execution\WEB-INF\jms.properties file, and make the following changes:
    • Set the jms.key.store property to conf/custom-keystore.jks.
    • Set the jms.encrypted.key.store.password property to the encrypted password that you specified for the custom-keystore.jks file.
      To encrypt the password, use the encrypt_password utility in the RA_HOME\scripts directory.
      Ensure that the Java instance is in a location where the encryption utility can find the instance. This script checks for an available Java and fails if the instance is not found.
  6. (5.5.1 and above only) Open the RA_HOME\conf\catalina.properties file.
  7. (5.5.1 and above only) Uncomment the following lines, and fill in the keystorePass property with the encrypted password that you generated in Step 5:
    org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.nolio.tomcat.utils.PropertyDecoder keystorePass=<encrypted password>
  8. Locate the RA_HOME\conf\server.xml file and make a copy of the file.
  9. Open the RA_HOME\conf\server.xml file on the Execution Server, and make the following changes:
    • Set the keyAlias element to the alias you specified when creating the custom-keystore.jks file.
    • Set the keystoreFile element to conf/custom-keystore.jks
    • Enter the string "${keystorePass}" (not the encrypted password) for the keystorePass element. This uses the encrypted password that you stored in the catalina.properties file in Step 7.
      Encrypting the keystore password in this file is only supported for 5.5.1 and above. For previous versions, you must enter the password value in plain text.
  10. Locate the RA_HOME\webapps\execution\WEB-INF\activemq-broker-nes.xml file and make a copy of the file.
  11. Open the RA_HOME\webapps\execution\WEB-INF\activemq-broker-nes.xml file on the Execution Server, and make the following changes:
    • Make sure that the following sections are uncommented:
      <bean class="com.nolio.platform.server.dataservices.StringDecrypter" id="sslPassword"> <property name="originalString" value="${jms.encrypted.key.store.password}"/> </bean> <amq:sslContext> <amq:sslContext> <property name="keyStore" value="${jms.key.store}"/> <property name="keyStorePassword" ref="sslPassword"/> </amq:sslContext> </amq:sslContext>
    • Find the transportConnectors section and comment out the transportConnector element that is not set to SSL. Uncomment the element with the name attribute set to SSL:
      <amq:transportConnectors> <!--<amq:transportConnector uri="nio://0.0.0.0:${jms.transport.port.nes}?daemon=true" />--> <!-- Uncomment the ssl connector below and comment out the openwire connector above to use SSL --> <amq:transportConnector name="ssl" uri="nio+ssl://0.0.0.0:${jms.transport.port.nes}?daemon=true" /> </amq:transportConnectors>
  12. Restart the Execution Server service.
  13. Repeat Steps 1-12 on all Execution Server systems, if you have multiple Execution Servers.
  14. Copy the es.crt file that you generated on the Execution Server to the RA_HOME directory on the Management Server.
  15. Open a command prompt on the Management Server. Navigate to RA_HOME, and import the Execution Server certificate into the truststore on the Management Server:
    keytool –importcert –alias ra-es -file es.crt -keystore /conf/custom-truststore.jks
  16. If you have multiple Execution Servers, repeat Steps 14-15 for each Execution Server.
  17. Locate the RA_HOME\webapps\datamanagement\WEB-INF\jms.properties file on the Management Server and copy the file.
  18. Open the RA_HOME\webapps\datamanagement\WEB-INF\jms.properties file on the Management Server, and make the following changes:
    • Set the jms.trust.store property to conf/custom-truststore.jks, or the name that you gave the custom truststore.
    • Set the jms.encrypted.trust.store.password property to the password you specified when creating the custom truststore.
      Encrypt the password using the encrypt_password utility in the RA_HOME\scripts directory.
  19. Open the RA_HOME\conf\security-customization.properties file that you created when securing UI communication, and add the following lines:
    javax.net.ssl.trustStore=conf/custom-truststore.jks javax.net.ssl.trustStorePassword=<plain text password for custom-truststore.jks>
  20. Restart the Nolio Release Automation Server service on the Management Server, and ensure that all UIs instances are closed.
  21. (Optional, if Automation Studio is used) Clear the Java WebStart cache on the Management Server.
    javaws -uninstall
  22. Open Release Operations Center. In the Administration menu, select Agent Management.
    All previously connected Execution Servers should appear as Unreachable.
  23. Remove the previous Execution Server instance or instances from the Agents pane.
  24. Re-add the Execution Server or servers with the same host name and broker port. Use HTTPS as the protocol and 8443 as the port.
    Give the Execution Server time to connect. When the server connects, it appears as Reachable and shows the updated details that reflect the SSL connection.
Secure Execution Server to Agent Communication
Execution Servers send instructions to Agents. Secure Execution Server to Agent communication to secure the Nimi connection between the components.
Your custom keystore and certificate must reside at RA_HOME\conf on the Agent server. If you prepared the necessary certificate and keystore, skip the certificate generation steps.
Follow these steps:
  1. Open a command prompt on the Agent server (or the system from which you are generating certificates).
    If you are on a server with multiple
    Nolio Release Automation
    components, and you generate the certificates on the Agent server, navigate to RA_HOME, or RA_HOME\NolioAgent.
  2. Run the following commands to create the required certificate and keystore for the Agent:
    All certificate, keystore, trust store, and alias names are examples that you can change.
    keytool -genkeypair -keyalg RSA -keysize 2048 -keystore conf/custom-keystore.jks -alias ra-ag keytool -exportcert -alias ra-ag -file ag.crt -keystore conf/custom-keystore.jks -v -rfc
    These commands create a custom certificate and keystore for the Agent. Add the certificate to the custom keystore, and export the certificate to a file.
    Make a note of key values, such as names and passwords.
  3. (Optional) Copy the custom-keystore.jks file to the RA_HOME\conf directory on the Agent (or RA_HOME\NolioAgent\conf if the server contains multiple
    Nolio Release Automation
    components.
    If you followed this procedure exactly, this file is already in the right location. If you created the keystore on a separate system or in a separate directory, ensure that it is in the right location before you proceed.
  4. if you have multiple Agents, repeat Steps 1-3 on all Agents.
  5. Copy the ag.crt file that you created for Agent to the RA_HOME directory on the Execution Server.
  6. Open a command prompt on the Execution Server.   To create a trust store on the Execution Server and import the Agent certificate into the trust store, navigate to RA_HOME, run the following command:
    keytool -importcert -alias ra-ag -file ag.crt -v -rfc -keystore conf/custom-truststore.jks
  7. Repeat Steps 5-6 for each Agent that you want to communicate with this Execution Server.
  8. Run the following command to import the previously created Execution Server certificate into the newly create Execution Server trust store:
    keytool -importcert -alias ra-es -file es.crt -v -rfc -keystore conf/custom-truststore.jks
  9. To encrypt the passwords for the Execution Server keystore that were created in the previous procedure and trust store, Run the following command:
    scripts/encrypt_nimi_password
    Make sure that the Java instance is in a place where the encryption utility can find it. This script checks for an available Java and fails if it cannot find one.
  10. Locate the RA_HOME\conf\nimi_config.xml file on the Execution Server and make a copy of the file.
  11. Open the RA_HOME\conf\nimi_config.xml file on the Execution Server, navigate to the config/nimi/network/security element, and make the following changes:
    • Set the enabled element to “true”.
    • Set the keystore element to conf/custom-keystore.jks
    • Set the keystore_password element to the encrypted password of the custom keystore.
    • Set the trust_store element to conf/custom-truststore.jks.
    • Set the truststore_password element to the encrypted password of the custom trust store.
    <security> <enabled>true</enabled> <keystore>conf/custom-keystore.jks</keystore> <keystore_password>E8A1491BD9EF9F79E11C0640C0EC0BA4</keystore_password> <trust_store>conf/custom-truststore.jks</trust_store> <trustore_password>E8A1491BD9EF9F79E11C0640C0EC0BA4</trustore_password> </security>
  12. Repeat Steps 5-11 on extra Execution Servers as needed.
  13. Copy the custom-truststore.jks file from the Execution Server to the RA_HOME\conf directory on the Agent server.
    If the Agent exists on a server with other
    Nolio Release Automation
    components, copy the file to RA_HOME\NolioAgent\conf.
  14. Run the following command to encrypt the passwords for the Agent keystore and trust store:
    scripts/encrypt_nimi_password
    Make sure that the Java instance is in a place where the encryption utility can find it. This script checks for an available Java and fails if it cannot find one.
  15. Locate the RA_HOME\conf\nimi_config.xml file on the Agent and make a copy of the file.
  16. Open the RA_HOME\conf\nimi_config.xml file on the Agent, navigate to the config/nimi/network/security element, and make the following changes:
    • Set the enabled element to “true”.
    • Set the keystore element to conf/custom-keystore.jks
    • Set the keystore_password element to the encrypted password of the custom keystore.
    • Set the trust_store element to conf/custom-truststore.jks.
    • Set the truststore_password element to the encrypted password of the custom trust store.
    <security> <enabled>true</enabled> <keystore>conf/custom-keystore.jks</keystore> <keystore_password>E8A1491BD9EF9F79E11C0640C0EC0BA4</keystore_password> <trust_store>conf/custom-truststore.jks</trust_store> <trustore_password>E8A1491BD9EF9F79E11C0640C0EC0BA4</trustore_password> </security>
  17. Repeat Steps 13-16 on extra Agents as needed.
  18. Restart all Agents and Execution Servers.
    When restarted, Agents automatically reconnect to the appropriate Execution Server with SSL.
Follow these steps to verify the Execution Server to Agent SSL connection:
  1. Open the RA_HOME\conf\nimi_config.xml file on the Agent server.
  2. Under the “supernode” section, change the SSL Execution Server host name to another Execution Server that is not SSL signed.
    The port number in this string can remain the same.
  3. Restart the Nolio Agent service and open Release Operations Center.
  4. In the Administration menu, select Agent Management.
    • If the Agent show as Reachable under the non-SSL Execution Server, the SSL is not properly enabled. An SSL Agent should not be able to connect to and be reachable by a non-SSL Execution Server.
    • If the Agent appears as Unreachable, confirm if the status is due to certification issues. Open the non-SSL Execution Server RA_HOME\logs\nimi.log file, and look for repeated certification errors.
      Example:
      javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
      If there are repeated certification errors, the Agent is confirmed as previously connected to the SSL Execution Server over SSL. Roll back the change in the Agent nimi_config.xml file to return the Agent to the intended Execution Server.