About SSL and Build Forge components

Build Forge components are set up by default to use certain ports and security settings when SSL is enabled.

Default SSL Setup

Enabling SSL is relatively simple when you use the default certificates. Procedures in this section are based on that scenario.

However, it is generally not wise to use the same certificate (private key) on each system. If the private key on one system is compromised, then the entire infrastructure could be compromised. The chances of compromise can be reduced by enforcing physical security.

A more secure system uses a certificate for each process. In Build Forge that means you do the following:

  • Create a certificate for every agent.
  • Create a certificate for every engine. This is applicable when redundancy is set up. See Configuring redundancy.
This setup requires additional certificate management. You have choices:

The following sections identify the interfaces in the Build Forge system where SSL security is enforced.

Client interfaces

Users access the Build Forge system through client interfaces.

Web Client to Build Forge
Web clients access Build Forge through its Apache web server. When SSL is enabled and an SSL-capable web browser is used, the following interfaces are involved.
  • Apache web server port 443
    Web clients access Build Forge through its URL. When SSL is enabled, the URL is the following:
    https://host/
    Here host is the name of the system where Build Forge runs. If you set up a port other than 443 for secure access to Apache, users must also specify the port:
    https://host:port/

    Web clients are redirected to an authentication servlet running on Apache Tomcat server.

  • Apache Tomcat application server port 8443

    An authentication servlet accepts login credentials and authenticates the user. The servlet encrypts the credentials so they never appear in clear text over the wire.

The listener port used by the Apache Tomcat servlet is configured in a configuration file, <bfinstall>/Apache/tomcat/conf/server.xml. Locate the following connector configuration in that file.
<Connector port="8443" maxHttpHeaderSize="8192" algorithm="IbmX509"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="SSL_TLS"
    keystoreFile="C:\BuildForge71.536\keystore\buildForgeKeyStore.p12"
    keystorePass="password"
    keystoreType="PKCS12"
    truststoreFile="C:\BuildForge71.536\keystore\buildForgeTrustStore.p12"
    truststorePass="password"
    truststoreType="PKCS12"/>
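As an added example (not Build Forge's own code or part of its documentation), the following Python script parses a server.xml and reports the settings on the HTTPS connector that an administrator would want to review before relying on port 8443: keystore and truststore passwords left at a well-known default such as the "password" value shown above, a missing keystore or truststore entry, and an sslProtocol value from the SSL family rather than a TLS-only one. The sample XML is constructed for the example and merely wraps the connector shown; the attribute names are the ones that connector uses, and the list of weak passwords is an assumption of the script.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: a minimal server.xml wrapping the Build Forge HTTPS connector.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" maxHttpHeaderSize="8192" algorithm="IbmX509"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="SSL_TLS"
        keystoreFile="C:\\BuildForge71.536\\keystore\\buildForgeKeyStore.p12"
        keystorePass="password"
        keystoreType="PKCS12"
        truststoreFile="C:\\BuildForge71.536\\keystore\\buildForgeTrustStore.p12"
        truststorePass="password"
        truststoreType="PKCS12"/>
  </Service>
</Server>
"""

# Assumption of this example: passwords commonly left in place on Java keystores.
WEAK_STORE_PASSWORDS = {"", "password", "changeit"}


def audit_ssl_connectors(server_xml: str) -> Dict[int, List[str]]:
    """Return {port: [findings]} for every connector with scheme="https".

    An empty list means the connector passed every check in this script.
    """
    root = ET.fromstring(server_xml)
    results: Dict[int, List[str]] = {}
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https":
            continue  # plain HTTP connectors are out of scope here
        port = int(conn.get("port", "0"))
        findings: List[str] = []

        # secure="true" is what makes Tomcat treat requests on this port as HTTPS.
        if conn.get("secure", "false").lower() != "true":
            findings.append('secure="true" is not set on the HTTPS connector')

        # A protocol name in the SSL family selects a JSSE context that still
        # includes SSLv3; a TLS-only value is preferable where clients support it.
        proto = conn.get("sslProtocol", "")
        if proto.upper().startswith("SSL"):
            findings.append(
                f'sslProtocol="{proto}" selects the SSL protocol family; use a TLS-only value'
            )

        # Keystore and truststore: file and password must both be set, and the
        # password must not be one of the well-known defaults.
        for store in ("keystore", "truststore"):
            if conn.get(f"{store}File") is None:
                findings.append(f"{store}File is not set")
            pwd = conn.get(f"{store}Pass")
            if pwd is None:
                findings.append(f"{store}Pass is not set")
            elif pwd in WEAK_STORE_PASSWORDS:
                findings.append(f'{store}Pass is the well-known default "{pwd}"')

        results[port] = findings
    return results


def load_and_audit(path: str) -> Dict[int, List[str]]:
    """Audit a server.xml on disk, e.g. <bfinstall>/Apache/tomcat/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_ssl_connectors(fh.read())


if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(f"connector {port}: {'OK' if not findings else ''}")
        for item in findings:
            print(f"  - {item}")
```

Run against the constructed sample, the script reports three findings on port 8443 (the SSL_TLS protocol value and the two default store passwords); point load_and_audit at the real server.xml to check an installation.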

API Program Client to Build Forge
  • Apache Tomcat application server port 49150

    API clients access Build Forge through its services layer component, an application running on the Apache Tomcat application server. API clients need to have a valid bfclient.conf file.

    The services layer component uses an SSL configuration for inbound communications. It is defined on the Build Forge console at Administration > Security > SSL. The default used is Default JSSE Inbound SSL.

Internal interfaces

Build Forge is made up of a web interface component (Apache web server and PHP), a services layer component, and an engine component. The web interface and engine components are clients of the services layer component. API program clients are also clients of the services layer component.

Services Layer inbound

Apache Tomcat application server port 49150

The services layer component uses an SSL configuration for inbound communications. It is defined on the Build Forge console at Administration > Security > SSL. The default used is Default JSSE Inbound SSL.

Services Layer client outbound

Apache Tomcat application server port 49150

The web interface component (through PHP) and the engine component both use an SSL configuration dedicated for outbound communications to the services layer component. It is defined on the Build Forge console at Administration > Security > SSL. The default used is Default JSSE Outbound SSL.

The SSL properties of the client outbound configuration and the services layer inbound configuration must be compatible for the SSL handshake to succeed. In Administration > Security > SSL, the Type and Handshake Protocol properties of the two configurations must match.

Each SSL configuration references keystore configurations:

The configurations are specified by name. You define them in Administration > Security > SSL. Several defaults are provided.

External interfaces

External interfaces are those used by Build Forge to talk to external systems.
  • The Build Forge engine communicates with agents.
  • The Build Forge services layer component communicates with the database.

Build Forge engine to agent communications
Enabling SSL for this interface requires the following:
  • Configuration of the agent. It requires a change in the agent configuration file and placing certificates on the agent host.
  • Enabling SSL communications for each Server resource that uses the agent. You do this on the console in the Servers panel.

See Enabling SSL for agent communications.


Build Forge services layer component to database communications
The SSL configuration for this interface is defined in the device driver for your database.
