Securing Connections to the AE (TLS/SSL)

The communication between the Automation Engine, the Automic Web Interface, the Java API, and the Proxy Client as well as between the Automation Engine, the Java, Windows and UNIX Agents and the TLS Gateway uses TLS/SSL through a secure WebSocket (WSS). These components establish a connection with the Java communication process (JCP) and/or the REST process (REST).

Important! Check Broadcom's Enterprise Software Academy. There is a course available for this topic. For more information, see the Education section at the end of this topic.

This page includes the following:

Overview

The JCP and REST processes use trusted certificates to prove their identity to other communication partners, such as the Java, Windows, and UNIX Agents. To work with these certificates, the processes require a keystore, which must be created beforehand using pkcs12 format.

It is recommended to use properly signed certificates instead of self-signed certificates to ease the installation of agents or other components. Also, you must attach the whole chain of trust (intermediate and root certificate authority) to the certificate. You can use tools such as OpenSSL, KeyStore or Keytool to create such pkcs12 file.

For more information about the different certificate types and for detailed instructions on how to create and use them, see What Kind of Certificates Should I Use for Automic Automation v21.

You then must define the relevant parameters in the configuration (INI) file of each component.

The Java default cipher suite of the JCP is used to configure the TLS/SSL connection. You can change the supported cipher suites in the Java security policy. For more information, see https://www.java.com/en/configure_crypto.html.

Parameters - Automation Engine

For an on-premises installation, define the parameters listed below in the [TLS] section of the configuration (UCSRV.INI) file of the Automation Engine. For more information, see Automation Engine INI file.

  • keystore= Path and file where the keystore for the TLS/SSL certificate is stored

    Default value: ./httpsKeyfile

    This parameter is mandatory and must point to the correct target; otherwise, the process server will terminate.

  • keystorePassword= Password for the keystore file

    Default value: changeit

    If the value is not defined or is left empty, the system uses the default value.

  • keyPassword=Password for the key

    Default value: changeit

    If the value is not defined or is left empty, the system uses the default value.

  • keyAlias= Alias used for the key

    Default value: jetty

    If the value is not defined or is left empty, the system uses the default value.

The keystorePassword and the keyPassword can be encrypted with the UCYBCRYP Utility. For more information, see Encoding Passwords.

In the Automic Automation Kubernetes Edition, the JCP by default uses a generated, self-signed certificate within the Kubernetes cluster. Therefore, you do not have to define these parameters for an AAKE installation.

Parameters - Agents, Java Components, Proxy and TLS Gateway

All Java components as well as the Proxy, the Windows, UNIX and Java Agents and the TLS Gateway can use different parameters in their corresponding INI file to define how to handle the certificates.

TLS/SSL Agents (in containers or on-premises) and the TLS Gateway, when used for the Automic Automation Kubernetes Edition, establish a connection to an ingress / HTTPS load balancer and not the JCP directly. The ingress / HTTPS load balancer must be reachable and requires a certificate for authentication. The address of the load balancer must be defined on both sides: the Automation Engine and the Agent / TLS Gateway.

For more information, see Connecting to AWI, the JCP and REST Processes Using an Ingress.

This applies to the following components and Agents:

Components

Agents

Note: The TLS/SSL implementation does not apply to the HP-UX Agent, as it is no longer supported in this version.

All components and Agents listed above can use the trustedCertFolder= parameter in their respective configuration file to define the path to the folder where the trusted certificates are stored.

If this parameter is not set, the certificates should be installed in the respective store; that is the Java trust store for Java components and Java Agents, the Windows OS store for Windows Agents, or the TLS/SSL store for UNIX Agents.

Furthermore, the Agents can use the following parameters in the [AUTHORIZATION] section of the respective INI file:

  • agentSecurityFolder= Path to the folder where the agent stores security related files such as private keys, signed certificates, root certificates

  • keyPassword= Password for the key

    Default value: changeit

    If the value is not defined or is left empty, the system uses the default value.

    Note: The keyPassword can be encrypted with the UCYBCRYP Utility. For more information, see Encoding Passwords.

UNIX agents additionally require you to define the SSLCertDir= and SSLCertFile= parameters in the [AUTHORIZATION] section of the INI file to load the certificates from the SSL store.

  • SSLCerDir= location of the trusted CA certificates with each certificate in a separate file, for example,/etc/ssl/certs/

  • SSLCertFile= location of the .pem file with all the trusted CA certificates, for example, /etc/pki/tls/certs/ca-bundle.crt

If you do not define these parameters in the INI file, the Agent searches for certificates in the most common SSL stores.

Examples - SSLCertDir

  • /etc/ssl/certs

    Platforms: Debian/Ubuntu

  • /etc/pki/tls/certs

    Platforms: Fedora/RHEL/CentOS

Examples - SSLCertFile

  • /etc/ssl/certs/ca-certificates.crt

    Platforms: Debian/Ubuntu

  • /etc/pki/tls/certs/ca-bundle.crt

    Platforms: Fedora/RHEL/CentOS

If the Agent does not find any certificates or the paths do not exist in your system, then the Agent is not able to connect to the Automation Engine.

You can use different commands to search for the certificates in your system. Only a privileged user, such as root, can search in these folders.

Examples - SSL_CERT_DIR

sudo find /etc/ssl/ -name '*DigiCert*'

sudo find /etc/ -name 'DigiCert_Global_Root_CA.pem'

Examples - SSL_CERT_FILE

sudo grep -R "DigiCert" /etc/ssl/

sudo grep -R "DigiCert Global Root CA" /etc/

More information:

Adding the Certificates

The JCP and REST processes use keystore as defined in the Automation Engine configuration file.

All connecting components (Agents, AWI, etc.) must verify the identity of the JCP. This is done during the connection handshake in the TLS/SSL protocol. If the certificate does not fulfill the security requirements, the component cannot connect to the Automation Engine. A valid certificate must fulfill the following properties:

  • The common name of the certificate must match the configured endpoint address. If a different address is used, even if they are for the same machine, the certificate will be rejected by the client. If you have multiple domains, hostnames or IP addresses that are secured by the certificate, you can use a SAN (subject alternative name) to include all of them or use a wildcard certificate that matches all your domains.

  • The certificate is not expired, except if it is trusted directly in the trust store.

  • The certificate is either trusted directly by the client or is signed by a trusted certificate authority. It is recommended to use a certificate that is signed by the company’s certificate authority, as those are probably trusted on the machine already. You have to ensure that the signing certificate authority or the certificate itself is part of the trust store. Depending on the component, this can be a java trust store or a folder in the agent directory.

For more information about the different certificate types and for detailed instructions on how to create and use them, see What Kind of Certificates Should I Use for Automic Automation v21.

The system checks the certificate expiration date every 24 hours (at midnight UTC). When one or more certificates is close to expiring, that is, if the expiration date is within 30 days, AWI displays the following notification: "The following JCP certificates will expire within the next 30 days: <certificate name (expiration date)>". The expiration date of the certificate is also written into the JCP log file on startup as well as at midnight (UTC).

The notification is displayed in all Clients but only to users with the privilege Access to Administration, see Granting Automation Engine Privileges .The notification remains visible until the certificate is renewed.

Notes:

  • AWI displays only one notification even if there is more than one certificate about to expire. All relevant certificates are listed one after the other separated by a comma sorted by expiration date; the certificate closest to the expiration date is listed first.

  • It is not necessary to restart the JCP after renewing the certificate.

  • Make sure that the new certificate is set correctly and uses the same definition as the TLS section of the INI file of the Automation Engine, see Automation Engine. Otherwise, the old KeyStore definition is used and the JCP will not start.

Optionally, you can also use the UC_SERVER_TLS_SETTINGS variable to trigger a custom action if one of these certificates is close to expiring. For more information, see UC_SERVER_TLS_SETTINGS - Server Certificate Management.

Education

The Enterprise Software Academy provides a wide range of free online trainings. If you have not already done so, register at Enterprise Software Academy to start profiting from our education offer.

The following course(s) are associated with this topic:

  • Automic Automation TLS and Certificates

  • Automic Automation TLS Gateway

For more information, see Free Online Courses

See also: