KBEC-00084 - Configuring agents to allow connections from one Flow server only

Description

Enabling certificate verification between the Flow Server and Agent processes when communicating over SSL.

Solution

The following solution describes how to make the agent accept connections from hosts that present a certificate signed by a private certificate authority (CA) only.

Assuming the following directories are set up to point to wherever the Flow server is actually installed:


set PROGDIR=c:\Program Files\Electric Cloud\ElectricCommander
set DATADIR=c:\Documents and Settings\All Users\Application Data\Electric Cloud\ElectricCommander
set CADIR=%TEMP%\ssl-ca
PATH=%PROGDIR%\bin;%PROGDIR%\jre\bin;%PATH%

Create a certificate authority

Update the values in the root_ca_distinguished_name section in ssl-ca.conf to reflect the organization's name.

  • Initialize the CA

    cd %CADIR%
    mkdir crl newcerts private
    touch index
    echo 01>serial
    openssl req -nodes -config ssl-ca.conf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
    openssl x509 -in ca-cert.pem -out ca-cert.der -outform der

    If "touch" is not available, just create an empty index file. To do this from the Windows command prompt:


    fsutil file createnew junk 0

Configure the server for certificate verification

  • Generate a new self-signed server certificate

    cd %DATADIR%\server\conf
    del keystore
    keytool -genkey -keystore keystore -storepass <password1>

    This code prompts for a number of values that must be set to values appropriate for the organization.
    For example:


    What is your first and last name?
    [Unknown]: chronic3.electric-cloud.com # This should be the server host
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your organization?
    [Unknown]: Electric Cloud
    What is the name of your City or Locality?
    [Unknown]: Menlo Park
    What is the name of your State or Province?
    [Unknown]: CA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=chronic3.electric-cloud.com, OU=Unknown, O=Electric Cloud, L=Menlo Park, ST=CA, C=US correct?
    [no]: yes

    Enter key password for <mykey>
    (RETURN if same as keystore password):
  • Sign the server certificate with the CA key

    keytool -certreq -keystore keystore -storepass <password1> >server.csr
    cd %CADIR%
    openssl ca -batch -config ssl-ca.conf -in "%PROGDIR%\server\conf\server.csr" -out "%PROGDIR%\server\conf\server.pem"
    cd %PROGDIR%\server\conf
    openssl x509 -in server.pem -out server.der -outform der
  • Import the CA certificate and signed server certificate into the keystore

    keytool -import -keystore keystore -storepass <password1> -file %CADIR%\ca-cert.der -trustcacerts -alias cacert
    keytool -import -keystore keystore -storepass <password1> -file server.der
  • Restart the server

Configure the agent for certificate verification

  • Add the private CA certificate to the trusted CA list for the agent

    copy ca-cert.pem "%DATADIR%\conf\agent_trust.crt"
  • Enable certificate verification in the agent
    Edit %DATADIR%\conf\agent.conf to contain (update paths as necessary):

    keyFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.key
    certFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.crt
    verifyPeer = true
    caFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent_trust.crt
  • Restart the agent
Have more questions? Submit a request

Comments

Powered by Zendesk