
Bulletin 01

Questions? Comments? Visit us at www.radblue.com or check out our user forum at:

http://radblue.mywowbb.com/

Using SSL in RadBlue Tools

Note

If the RadBlue tool you are using is version 8 or higher, see the Security Options section of the tool's user guide for information on configuring SCEP options. The following instructions pertain to version 7 (released: 03 FEB 2010) and below.

About SSL in RadBlue Tools

Secure Sockets Layer (SSL) is a protocol that secures Internet communications by encrypting network connections end-to-end at the transport layer. All RadBlue tools support SSL, but must be configured to do so. The configuration process depends on the tool. For more information on SSL, see the GSA Point to Point SOAP/HTTPs Transport and Security Specification.

Verify a Tool Is Using SSL

RGS: When you launch RGS, it automatically listens for connections on ports 31101 for non-SSL and 31201 for SSL on all IP addresses in your computer. To verify that SSL is running in RGS, point your browser (Firefox 2.x or IE 7) at RGS: https://127.0.0.1:31201/RGS/ Your browser should be presented with a certificate that you can view and then accept.

RST: When you launch RST, it automatically listens for connections on ports 38101 for non-SSL and 38201 for SSL on all IP addresses in your computer. To verify that SSL is running in RST, point your browser (Firefox 2.x or IE 7) at RST: https://127.0.0.1:38201/RST/ Your browser should be presented with a certificate that you can view and then accept.

RLT: When you launch RLT, it automatically listens for connections on ports 33101 for non-SSL and 33201 for SSL on all IP addresses in your computer. To verify that SSL is running in RLT, point your browser (Firefox 2.x or IE 7) at RLT: https://127.0.0.1:33201/RLT/ Your browser should be presented with a certificate that you can view and then accept.

Revised: 12 MAY 2010 R5 Copyright 2010 Radical Blue Gaming, Inc. All rights reserved. 1 of 10

www.radblue.com

Bulletin 01: Using SSL in RadBlue Tools

RPA: When you launch RPA, it automatically listens for connections on ports 35101 for non-SSL and 35201 for SSL on all IP addresses in your computer. To verify that SSL is running in RPA, point your browser (Firefox 2.x or IE 7) at RPA: https://127.0.0.1:35201/RPA/ Your browser should be presented with a certificate that you can view and then accept.
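The browser check above, as an added script that is not from the bulletin or the RadBlue tools: it completes a TLS handshake against each tool's SSL port from the table above and records the protocol, cipher and certificate fingerprint, so the certificate you accept in the browser can be compared with the one ClientKeystoreGenerator.bat produced. It assumes only the Python standard library and that the tool runs on the local machine.

```python
"""Probe a RadBlue tool's SSL listener and record the certificate it presents."""
import hashlib
import socket
import ssl

# SSL ports and URL paths from the bulletin; the non-SSL port is the SSL port minus 100.
SSL_PORTS = {"RGS": 31201, "RST": 38201, "RLT": 33201, "RPA": 35201}


def probe_ssl(host, port, timeout=3.0):
    """Complete a TLS handshake with host:port and report what the server presented.

    Chain verification is switched off on purpose: the bulletin's keystores are
    self-signed, so the useful checks here are that the port speaks TLS at all and
    that the SHA-1 fingerprint matches the certificate you generated, the same check
    the browser lets you make by viewing the certificate before accepting it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:  # tools of this era may offer only TLS 1.0; allow it if the local OpenSSL can
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (AttributeError, ValueError):
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "sha1": hashlib.sha1(der).hexdigest(),
                }
    except OSError as exc:  # refused, timed out, reset, or the peer is not speaking TLS
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def check_tool(tool, host="127.0.0.1"):
    """Probe the SSL port the bulletin assigns to RGS, RST, RLT or RPA."""
    name = tool.upper()
    port = SSL_PORTS[name]
    result = probe_ssl(host, port)
    result["url"] = f"https://{host}:{port}/{name}/"  # the address the bulletin says to open
    return result


if __name__ == "__main__":
    for name in SSL_PORTS:
        print(check_tool(name))
```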

Enable SSL in RGS

Before starting RGS, complete the following steps. Once these steps have been completed, RGS listens on port 31101 for non-SSL traffic and port 31201 for SSL traffic.

1. Before starting RGS, navigate to the RGS ../bin directory.

2. Run the ClientKeystoreGenerator.bat script. This generates certificates for all of the IP addresses on your computer. For more information, see About the ClientKeystoreGenerator.bat Utility.

Enable SSL in the RST SmartEGM

Note

In the following procedure, the notation "[TOOL]" is used in places where you should enter the acronym of the applicable tool (for example, rpa, rst, rgs and rlt).

Before starting RST, complete the following steps. Once these steps have been completed, RST listens on port 38101 for non-SSL traffic and port 38201 for SSL traffic.

1. Navigate to the RST ../bin directory, and run the ClientKeystoreGenerator.bat script. This generates certificates for all of the IP addresses on your computer.

2. Make a copy of the SmartEGM configuration file (RST ../smartconf/smartegm/smartegmconfig.xml), and rename the file to something like smartegmconfigwithSSL.xml.

3. Edit the newly created configuration file with a text editor, and change the configuration for host 1 (about the fifth line of the file) to https:, and to use port 31101 for non-SSL traffic and port 31201 for SSL traffic. If you are talking to an instance of RGS on the local host, your line would look like this:

<edm:host edm:host-id="1" edm:url="https://127.0.0.1:31201/[TOOL]/api-services/G2SAPI"/>

When running SSL in local mode, use 127.0.0.1, as in the example above, rather than "localhost".

4. Verify that RST has an SSL port number of 38201:

a. Open RST, and go to the SmartEGM object layout.

b. Go to: Configure > Engine > My URL.


c. For the local host, you see: https://localhost:38201/[TOOL]/api-services/G2SAPI Note that once the above address is entered, it becomes the default URL going forward.

Configure SSL to Work with a RadBlue Tool

To configure SSL to work with a RadBlue tool, verify the following information:

1. Verify the SSL Bind Address in RST, RPA and RLT. If the SSL Bind Address information is incorrect, enter the information shown below. If you make any changes in the tool's Configuration screen, be sure to save by clicking Apply and then OK. You must restart the tool for your changes to take effect.

· RST: Verify that the SSL Port number is 38201.

· RPA: Verify that the SSL SOAP Port number is 35201.

· RLT: If the host communicating with RLT is using SSL, RLT will automatically communicate using SSL. However, if you want to verify that RLT is using the correct port: Start and then stop RLT. (The webserver.xml file that you will be checking is created the first time RLT is launched. If you have already launched RLT once, skip this step.) Navigate to: [installation directory]/conf/webserver.xml, right-click the file and select Edit. Verify that the sslBindAddresses value is 33201.

2. Configure the SSL security options by opening the tool and going to: Configure > Security Options.

· Verify that Enabled SSL security control is selected.

· Verify that Approve all certificates is selected.

· Verify that the Client Key Store File is set to ../conf/client.jks.

· Verify that the Client Key Store Password is set to password.

· Verify that the Client Key StoreType is JKS.

· Verify that the Trusted Key Store File is ../conf/trusted.jks.

· Verify that the Trusted Key Store Password is password.

· Verify that the Trusted Key StoreType is JKS.

· If you are using Online Certificate Status Protocol (OCSP), select Enable OCSP. OCSP is not required to use SSL. If this option is enabled and the CA certificate contains OCSP information, the tool will try to obtain the certificate's revocation status from the OCSP responder.

· gsaOO: Type or select the minimum period, in minutes, that the tool will attempt to authenticate a certificate from an OCSP server. Zero (0) disables this setting.

· gsaOR: Type or select the maximum time, in minutes, that the tool can use a certificate without re-authenticating it.

· gsaOA: Type or select the maximum time, in minutes, that the tool can use a good certificate when OCSP servers are offline. Note that the gsaOA value should be greater than the gsaOR value; the difference between gsaOR and gsaOA is the "accept offline" period.

· Manual Access Location: Type the URL location of the OCSP responder.

Create an SSL Certificate

This procedure creates a certificate that allows SSL encryption to work. Applications that require a specific SSL certificate must complete this process.

1. Open a command prompt (Start > All Programs > Accessories > Command Prompt).

2. Type cd [InstallationDirectory]\conf to change to the conf directory in the application. For example, the RPA default for Windows is: C:\Program Files\RadBlue Protocol Analysis\conf

3. Type keytool and press Enter to verify that keytool is in your path.

If keytool is not in your path, for RST or RGS, type:

PATH=%PATH%;..\..\..\jre\bin

For RPA and RLT, type:

PATH=%PATH%;..\..\..\jdk\bin

4. To create the private key for the application, type:

keytool -genkey -v -alias [TOOL] -validity 365 -keystore client.jks -keyalg RSA -keysize 1024

5. You are prompted for the following values. These values may have to be specific to the certificate signing server. If the certificate authority has specific field requirements, verify that information prior to completing the prompts.

· Password: The password for the client.jks file is: password. If that does not work, you can delete the client.jks file completely, and recreate the file by running the command in step 4. When you recreate the client.jks file, the password for the keystore must be password again.

· What is your first and last name?

· What is the name of your organizational unit?

· What is the name of your organization?

· What is the name of your City or Locality?

· What is the name of your State or Province?

· What is the two-letter country code for this unit?

· Is [your information] correct? [no]: Type yes to confirm the information, or press Enter to re-enter the information.

You see:

Enter key password for <ApplicationName>:

6. Enter the same password as you entered in step 5, and press Enter. You see:

Re-enter new password:

7. Enter the password again, and press Enter.

8. To create the certificate signing request (.csr) file, type:

keytool -certreq -alias [TOOL] -file [TOOL].csr -keystore client.jks

9. Transfer the file x.csr, where x is the product name (for example, rpa.csr), to the signing (CA) system, to sign the x.csr. How the file is signed by the CA depends on the vendor. Once the file is signed, the vendor returns two certificates to you: a certificate for the application and a trusted certificate.

10. Copy the certificates to the conf directory.

To create the trusted.jks, type:

keytool -importcert -alias ca -keystore trusted.jks -file ca.cert

To add the certificates to the client.jks, type:

keytool -importcert -alias ca -keystore client.jks -file ca.cert

keytool -importcert -alias [TOOL] -file [TOOL].cert -keystore client.jks

11. To verify the client.jks file, type:

keytool -list -alias [TOOL] -keystore client.jks

12. Verify that the Owner information is the same information you entered in step 5.

13. Verify that Issuer is the same as the Certificate Authority that signed the certificate in step 9.

References

For more information about Sun Microsystems' keytool, go to: http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html
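Steps 11 to 13 as code, added here and not part of the bulletin or the RadBlue tools: a parser for the keytool -list -v listing that checks the alias, Owner and Issuer and that the chain links up, which also catches the common mistake of a leaf that is still self-signed because the CA reply was never imported over the alias. The listing below is constructed to resemble Java 6 keytool output; the leaf DN is a placeholder and the issuer DNs are the ClientKeystoreGenerator.bat defaults the bulletin lists. The same parser reads the trusted.jks listing produced in Enable Certificate Authentication.

```python
"""Check a `keytool -list -v` listing for the alias, Owner and Issuer you expect."""
import re

# Constructed sample of `keytool -list -v -alias rpa -keystore client.jks`. The leaf DN
# is a placeholder; the issuer DNs are the ClientKeystoreGenerator.bat defaults.
ROOT_DN = "CN=Certificate Authority, OU=Engineering, O=Radical Blue Gaming, Inc., L=Reno, ST=NV, C=US"
INTERMEDIATE_DN = "CN=Intermediate " + ROOT_DN[3:]
LEAF_DN = "CN=rpa-lab-host, OU=Lab, O=Example Operator, L=Reno, ST=NV, C=US"
SAMPLE_LISTING = f"""Alias name: rpa
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: {LEAF_DN}
Issuer: {INTERMEDIATE_DN}
Valid from: Wed May 12 10:00:00 PDT 2010 until: Thu May 12 10:00:00 PDT 2011
Certificate[2]:
Owner: {INTERMEDIATE_DN}
Issuer: {ROOT_DN}
"""
FIELD_RE = re.compile(r"^\s*(Alias name|Entry type|Owner|Issuer):\s*(.+?)\s*$", re.M)


def normalize_dn(dn):
    """Split a DN only on the commas that start a new attribute, so the comma inside
    'Radical Blue Gaming, Inc.' survives and DNs compare as attribute tuples."""
    return tuple(p.strip() for p in re.split(r",\s*(?=[A-Za-z]+=)", dn))


def parse_listing(text):
    """Return the alias, entry type and the certificate chain as a list of dicts."""
    head, *certs = re.split(r"^Certificate\[\d+\]:\s*$", text, flags=re.M)
    fields = lambda s: dict(FIELD_RE.findall(s))
    info = fields(head)
    chain = [fields(c) for c in certs] or [info]  # a trustedCertEntry has no Certificate[n]
    return {"alias": info.get("Alias name"), "entry_type": info.get("Entry type"), "chain": chain}


def check_keystore_entry(text, alias, owner_dn, issuer_dn):
    """Steps 11 to 13 of the bulletin: return a list of problems (empty if all is well)."""
    info = parse_listing(text)
    leaf = info["chain"][0]
    problems = []
    if info["alias"] != alias:
        problems.append(f"alias is {info['alias']!r}, expected {alias!r}")
    if normalize_dn(leaf.get("Owner", "")) != normalize_dn(owner_dn):
        problems.append("Owner does not match the values entered at the keytool prompts")
    if normalize_dn(leaf.get("Issuer", "")) != normalize_dn(issuer_dn):
        problems.append("Issuer is not the CA that signed the request")
    if leaf.get("Owner") == leaf.get("Issuer"):
        problems.append("leaf is self-signed: the CA reply was not imported over the alias")
    for upper, lower in zip(info["chain"], info["chain"][1:]):  # each issuer must be the next owner
        if normalize_dn(upper.get("Issuer", "")) != normalize_dn(lower.get("Owner", "")):
            problems.append("certificate chain is broken between two entries")
    return problems
```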


Enable Certificate Authentication

RadBlue tools, by default, do not authenticate the certificates they receive during the handshake process. We made this choice because we feel that the tools are not (at least for now) about SSL certificate authentication; they are about showing how SSL works and making sure that the SSL handshake algorithm is followed on both ends. If you want to enable certificate authentication in either product:

1. Open the tool, and go to: Configure > Security Options.

2. Verify that Approve all certificates is deselected. This change tells the tool to perform authentication on each received certificate.

3. The file ../conf/trusted.jks contains the certificates that are to be trusted when the products connect to a host. This file takes the place of a call out to a CA server. To add a certificate to ../conf/trusted.jks you need to have the certificate in either a DER (binary) encoded X.509 file or a Base64 encoded X.509 file. Your CA tool will be able to generate these files for you. The command to import the certificate is as follows (assumes you are in the ../bin directory):

keytool -import -storepass password -keypass password -keystore ../conf/trusted.jks -file {your-certificate-file}

This imports the certificate into the trusted keystore. Once you restart the product, the logger panel lists the trusted certificate. Check this information to make sure it is correct. To list the contents of the trusted keystore, execute the following:

keytool -list -v -keystore ../conf/trusted.jks -storepass password

More documentation on how the keytool utility works can be found here: http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

If you enable certificate authentication, you can check the debug log in either tool to see the results of each authentication. The tools each print out information about the certificate and about the attempt to authenticate the certificate.

Disable SSL

1. Open the tool, and go to: Configure > Security Options.

2. Deselect the Enabled SSL security control option. Deselecting this option prevents the tool from listening on any SSL ports, effectively disabling SSL.

3. Click Save.


Change the SSL Port

If you need to change the port on which the product listens for inbound SSL connections, edit the following configuration file: ../conf/securitymanager.xml. Change the values in the sslBindAddresses parameter. Here is a common configuration:

<parameter name="sslBindAddresses" type="Set">
  <value type="String">192.168.1.100:31201</value>
  <value type="String">127.0.0.1:31201</value>
</parameter>

If you want to change the port to the traditional 443, the following would be the result:

<parameter name="sslBindAddresses" type="Set">
  <value type="String">192.168.1.100:443</value>
  <value type="String">127.0.0.1:443</value>
</parameter>
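Added example, not from the bulletin or the RadBlue tools: a small parser for the sslBindAddresses set that validates every entry, moves the set to a new port, and checks that a SmartEGM edm:url (from Enable SSL in the RST SmartEGM) points at an address the RGS actually binds for SSL, which is also why "localhost" in that URL fails the check while 127.0.0.1 passes. The fragment is constructed in the shape shown above; only the Python standard library is assumed.

```python
"""Parse and rewrite the sslBindAddresses set in ../conf/securitymanager.xml."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment in the shape the bulletin shows for securitymanager.xml.
SAMPLE_XML = """<configuration>
  <parameter name="sslBindAddresses" type="Set">
    <value type="String">192.168.1.100:31201</value>
    <value type="String">127.0.0.1:31201</value>
  </parameter>
</configuration>
"""


def _bind_parameter(root):
    param = root.find(".//parameter[@name='sslBindAddresses']")
    if param is None:
        raise ValueError("no sslBindAddresses parameter in this file")
    return param


def bind_addresses(xml_text):
    """Return the (ip, port) pairs the tool will listen on for SSL, validating each one."""
    pairs = []
    for value in _bind_parameter(ET.fromstring(xml_text)).findall("value"):
        host, sep, port = (value.text or "").strip().rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed bind address {value.text!r}")
        ipaddress.ip_address(host)  # the set takes IP literals, not host names
        pairs.append((host, int(port)))
    return pairs


def rebind_port(xml_text, new_port):
    """Return the file with every sslBindAddresses entry moved to new_port."""
    root = ET.fromstring(xml_text)
    for value in _bind_parameter(root).findall("value"):
        host, _, _ = value.text.strip().rpartition(":")
        value.text = f"{host}:{new_port}"
    return ET.tostring(root, encoding="unicode")


def url_is_served(url, xml_text):
    """True if an https SmartEGM host URL targets an address:port in the bind set."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return (parts.hostname, parts.port) in bind_addresses(xml_text)
```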

Enable SSL Debugging

To enable SSL debugging information:

1. Modify the bin/rstlauncher.xml file, and add the following line after the last jvmarg element.

<jvmarg value="-Djavax.net.debug=ssl"/>

2. Open a command prompt.

3. Change directories to the tool's bin directory.

4. To run the tool and capture the SSL debug information to a file, type:

[toolname]-debug>output.txt

For example: rst-debug>output.txt


About the ClientKeystoreGenerator.bat Utility

The ClientKeystoreGenerator.bat utility is used to create the client-side keystore. By default the file resides in ../conf/client.jks. You can list the contents of the file with this command (assuming you are in the ../bin directory):

../../../jre/bin/keytool -list -v -keystore ../conf/client.jks -storepass password

You can manage this file using the keytool utility: http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

The ClientKeystoreGenerator.bat utility has some flexibility built into it through command line arguments. Normally, you would use command line arguments if you wanted to use different encryption algorithms for generating the client-side certificates.

Note

If you change the password for the client-side keystore, you need to change the keyStorePassword value in the configuration file ../conf/securitymanager.xml.

The supported command line arguments are listed below, each with its description and default value:

keystore keystorefilename
    Changes the location of the client-side keystore file.
    Default value: ../conf/client.jks

rootissuerdn rootissuerdn
    Changes the DN of the root issuer. You would change this option if you wanted to use the DN used in your production deployments.
    Default value: CN=Certificate Authority, OU=Engineering, O=Radical Blue Gaming, Inc., L=Reno, ST=NV, C=US

intermediateissuerdn intermediateissuerdn
    Changes the DN of the intermediate issuer. You would change this option if you wanted to use the DN used in your production deployments.
    Default value: CN=Intermediate Certificate Authority, OU=Engineering, O=Radical Blue Gaming, Inc., L=Reno, ST=NV, C=US

password password
    Sets the password on the keystore. If you change this option, you need to tell the tool about it.
    Default value: password

provider provider
    Changes the provider of the encryption algorithms. The values supported are: SUN, BC. Providers are software packages that provide implementations of various encryption algorithms. The RadBlue tools ship with the providers from Sun (SUN) and from Bouncy Castle (BC).
    Default value: BC

signaturealgorithm signaturealgorithm
    Changes the signature algorithm to use when signing each certificate. The values supported are: SHA1withRSA, SHA1withDSA, SHA1withRSAEncryption. There are a number of other algorithms available. Please see the documentation for the Sun and Bouncy Castle providers for a full list.
    Default value: SHA1withRSA

keypairtype
    Changes the algorithm used to generate the key pairs. The values supported are: RSA, DSA. There are a number of other algorithms available. Please see the documentation for the Sun and Bouncy Castle providers for a full list.
    Default value: RSA

help
    Prints some command line help information.
