Enabling certificate verification between the Flow Server and Agent processes when communicating over SSL.
The following procedure configures the agent to accept connections only from hosts that present a certificate signed by a private certificate authority (CA).
Assuming the following variables point to wherever the Flow server is actually installed (adjust the paths to match your installation):
set PROGDIR=c:\Program Files\Electric Cloud\ElectricCommander
set DATADIR=c:\Documents and Settings\All Users\Application Data\Electric Cloud\ElectricCommander
set CADIR=%TEMP%\ssl-ca
set PATH=%PROGDIR%\bin;%PROGDIR%\jre\bin;%PATH%
- Copy ssl-ca.conf into %CADIR%.
- Update the values in the root_ca_distinguished_name section of ssl-ca.conf to reflect the organization's name.
Initialize the CA
cd %CADIR%
mkdir crl newcerts private
touch index
echo 01>serial
openssl req -nodes -config ssl-ca.conf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
openssl x509 -in ca-cert.pem -out ca-cert.der -outform der
No -keyout is given, so the CA private key is written wherever ssl-ca.conf directs. Restrict access to that file: anyone holding it can issue certificates that every agent configured below will trust.
If "touch" is not available, just create an empty index file some other way. To do this from the Windows command prompt:
fsutil file createnew index 0
Generate a new self-signed server certificate
cd %DATADIR%\server\conf
del keystore
keytool -genkey -keystore keystore -storepass <storepass>
Here and below, <storepass> stands for the keystore password. Note that del keystore discards the server's existing key and certificate; keep a copy if you may need to roll back.
keytool prompts for a number of values; set them to values appropriate for the organization. The answer to the first question becomes the certificate's CN and must be the host name of the server:
What is your first and last name?
  [Unknown]:  chronic3.electric-cloud.com    (the server host name)
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Electric Cloud
What is the name of your City or Locality?
  [Unknown]:  Menlo Park
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=chronic3.electric-cloud.com, OU=Unknown, O=Electric Cloud, L=Menlo Park, ST=CA, C=US correct?
  [no]:  yes
Enter key password for <mykey>
  (RETURN if same as keystore password):
Sign the server certificate with the CA key
keytool -certreq -keystore keystore -storepass <storepass> >server.csr
cd %CADIR%
openssl ca -batch -config ssl-ca.conf -in "%DATADIR%\server\conf\server.csr" -out "%DATADIR%\server\conf\server.pem"
cd %DATADIR%\server\conf
openssl x509 -in server.pem -out server.der -outform der
The CSR and the signed certificate live next to the keystore, in %DATADIR%\server\conf.
Import the CA certificate and signed server certificate into the keystore
keytool -import -keystore keystore -storepass <storepass> -file "%CADIR%\ca-cert.der" -trustcacerts -alias cacert
keytool -import -keystore keystore -storepass <storepass> -file server.der
The first command adds the CA certificate as a trusted entry. The second names no alias, so it targets the default alias mykey, the key entry that -genkey created: keytool treats server.der as the certificate reply for that key, checks that it chains to the trusted CA certificate, and replaces the self-signed certificate with the CA-signed one. After the restart the server therefore presents a certificate chained to the private CA.
Restart the server
Add the private CA certificate to the trusted CA list for the agent
copy ca-cert.pem "%DATADIR%\conf\agent_trust.crt"
Enable certificate verification in the agent
Edit %DATADIR%\conf\agent.conf to contain the following (update paths as necessary):
keyFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.key
certFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.crt
verifyPeer = true
caFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent_trust.crt
keyFile and certFile are the agent's own key and certificate (agent.key and agent.crt); caFile is the private CA certificate copied above. With verifyPeer = true the agent rejects any SSL peer whose certificate does not chain to a certificate in caFile, so complete the server steps above, including the restart, before enabling it, or the server will no longer be able to talk to the agent.
- Restart the agent
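The following script is an added example and is not part of the original article or of the Flow/ElectricCommander product. It reproduces the trust relationship the procedure above sets up in a scratch directory on a POSIX shell using plain openssl (no ssl-ca.conf, no openssl ca database, no keytool) so that the effect of verifyPeer = true with caFile can be checked in isolation: a server certificate issued by the private CA verifies against the CA file, a certificate issued by any other CA does not, and the CN is the value the agent side will see. The CA names and the host names flow.example.com and rogue.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: a scratch private CA and
# server certificate built with plain openssl, used to show what the agent's
# verifyPeer=true / caFile setting enforces. Names below are placeholders.
set -eu

# Minimal openssl config so the CA certificate carries CA:TRUE regardless of
# what the system openssl.cnf contains. Written into the work directory once.
write_cnf() {
    cat >"$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA valid for five years, like the article's "openssl req -x509 -days 1825".
make_ca() {
    dir="$1"; name="$2"
    [ -f "$dir/ca.cnf" ] || write_cnf "$dir"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1825 -config "$dir/ca.cnf" \
        -subj "/O=Example Org/CN=$name" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" 2>/dev/null
}

# Server certificate signed by the named CA. CN is the host name agents use to
# reach the server, the value the article's keytool dialog asks for first.
issue_server_cert() {
    dir="$1"; ca="$2"; host="$3"
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" \
        -subj "/O=Example Org/CN=$host" \
        -keyout "$dir/$host-key.pem" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/$ca-cert.pem" -CAkey "$dir/$ca-key.pem" -CAcreateserial \
        -out "$dir/$host.pem" 2>/dev/null
}

# What verifyPeer=true with caFile=<private CA cert> amounts to: the peer's
# certificate must chain to that one CA. Prints "ok" or "rejected".
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# CN of a certificate, to compare with the host name the agents are pointed at.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Build a private CA and an unrelated CA, issue one server certificate from
# each, then apply the private CA file to both.
demo() {
    work="${1:-$(mktemp -d)}"
    make_ca "$work" private-ca
    make_ca "$work" other-ca
    issue_server_cert "$work" private-ca flow.example.com
    issue_server_cert "$work" other-ca rogue.example.com
    echo "server cert signed by private-ca: $(verify_against "$work/private-ca-cert.pem" "$work/flow.example.com.pem")"
    echo "server cert signed by other-ca:   $(verify_against "$work/private-ca-cert.pem" "$work/rogue.example.com.pem")"
    echo "CN presented by the server:       $(cert_cn "$work/flow.example.com.pem")"
}

demo
```

The same check can be run end to end against the live server once it has been restarted with the signed keystore: openssl s_client -connect <server host>:<port> -CAfile agent_trust.crt should report "Verify return code: 0 (ok)", and the subject line it prints should carry the CN entered at the keytool prompt. A non-zero verify return code there means the agent will refuse the connection once verifyPeer is enabled.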