Enabling SSL is relatively simple when you use the default certificates. Procedures in this section are based on that scenario.
However, it is generally not wise to use the same certificate (private key) on each system. If the private key on one system is compromised, then the entire infrastructure could be compromised. The chances of compromise can be reduced by enforcing physical security.
A more secure system uses a certificate for each process. In Build Forge that means you do the following:
The following sections identify the interfaces in the Build Forge system where SSL security is enforced.
Users access the Build Forge system through client interfaces. Web clients use the following URL:
https://host/
Here host is the host where Build Forge runs. If you set up a port other than 443 for secure access to Apache, users must also specify the port:
https://host:port/
Web clients are redirected to an authentication servlet running on Apache Tomcat server.
An authentication servlet accepts login credentials and authenticates the user. The servlet encrypts the credentials so they never appear in clear text over the wire.
<!-- HTTPS connector for the authentication servlet, in the Tomcat conf/server.xml file.
     The values shown are the defaults; keystorePass and truststorePass are stored in clear text here. -->
<Connector port="8443" maxHttpHeaderSize="8192" algorithm="IbmX509"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSL_TLS"
           keystoreFile="C:\BuildForge71.536\keystore\buildForgeKeyStore.p12"
           keystorePass="password"
           keystoreType="PKCS12"
           truststoreFile="C:\BuildForge71.536\keystore\buildForgeTrustStore.p12"
           truststorePass="password"
           truststoreType="PKCS12"/>
API clients access Build Forge through its services layer component, an application running on the Apache Tomcat application server (port 49150 by default). API clients need to have a valid bfclient.conf file.
Build Forge is made up of a web interface component (Apache web server and PHP), a services layer component, and an engine component. The web interface and engine components are clients of the services layer component. API program clients are also clients of the services layer component.
The services layer component (Apache Tomcat application server, port 49150) uses an SSL configuration for inbound communications. It is defined on the Build Forge console. The default used is Default JSSE Inbound SSL.
The web interface component (through PHP) and the engine component both use an SSL configuration dedicated to outbound communications to the services layer component. It is also defined on the Build Forge console. The default used is Default JSSE Outbound SSL.
The SSL properties of the client outbound configuration and of the services layer inbound configuration must be compatible for the SSL handshake to succeed: the Type and Handshake Protocol properties must match.
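The following script is an added example, not Build Forge product code. It audits a Tomcat HTTPS Connector like the one shown above for the settings an SSL review would look at (secure scheme, keystore and truststore present, clear-text default passwords, an sslProtocol value that still names SSL) and applies the compatibility rule just stated to an inbound/outbound pair. The WEAK_PASSWORDS set and the dict layout used for the SSL configurations are assumptions made for this example.

```python
"""Added example, not Build Forge product code: audit a Tomcat HTTPS
<Connector> and check an outbound/inbound SSL configuration pair against
the rule that Type and Handshake Protocol must match.
Assumed for this example: WEAK_PASSWORDS and the dict layout below."""
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the page, SSL-relevant attributes only.
SAMPLE_CONNECTOR = '''<Connector port="8443" algorithm="IbmX509"
    scheme="https" secure="true" clientAuth="false" sslProtocol="SSL_TLS"
    keystoreFile="C:\\BuildForge71.536\\keystore\\buildForgeKeyStore.p12"
    keystorePass="password" keystoreType="PKCS12"
    truststoreFile="C:\\BuildForge71.536\\keystore\\buildForgeTrustStore.p12"
    truststorePass="password" truststoreType="PKCS12"/>'''

WEAK_PASSWORDS = {"password", "changeit", ""}  # assumed set of shipped defaults


def audit_connector(xml_text):
    """Return a list of review findings for one <Connector> element."""
    c = ET.fromstring(xml_text)
    findings = []
    if c.get("scheme") != "https" or c.get("secure") != "true":
        findings.append("connector is not marked as a secure HTTPS endpoint")
    for store in ("keystore", "truststore"):
        if not c.get(store + "File"):
            findings.append("%s: no %sFile attribute" % (store, store))
        if c.get(store + "Pass", "") in WEAK_PASSWORDS:
            findings.append("%s: default or empty password" % store)
    # The page's default "SSL_TLS" names SSL as well as TLS; flag it for review.
    proto = c.get("sslProtocol", "TLS")
    if proto.upper().startswith("SSL"):
        findings.append("sslProtocol %s admits SSL, not only TLS" % proto)
    return findings


def handshake_compatible(inbound, outbound):
    """The page's rule: the services layer inbound configuration and a client
    outbound configuration must agree on Type and Handshake Protocol."""
    return (inbound["type"] == outbound["type"]
            and inbound["handshake_protocol"] == outbound["handshake_protocol"])


if __name__ == "__main__":
    for finding in audit_connector(SAMPLE_CONNECTOR):
        print("finding:", finding)
```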
Each SSL configuration references keystore configurations, which are specified by name. Several defaults are provided.