The Security panel allows you to enable security services:
- SSL: enabling SSL in this panel is only one part of enabling the
SSL security feature throughout the system. Additional work is needed
both before and after you turn it on.
- Password encryption: enabling password encryption is only one
part of enabling password encryption throughout the system.
To view the Security panel, select .
Important: Only some of the setup is done in the Security
panel. For additional information, see
Security features.
Enabling SSL
Prerequisites in installation:
During installation you specify two things that are used by the SSL
configuration:
- SSL port, specified in the Web and Application
Server panel. That port must match the port specified in the configurations
you choose below. The default during installation and in the configurations
is port 8443. This port is used by the authentication servlet on Apache
Tomcat during login to encode or encrypt user login credentials.
- Certificate, specified in the Web and Application
Server panel. You either provided your own or allowed the installer
to create a self-signed certificate for you. The certificate is stored
in the default keystore. The keystore location is defined in named
SSL configurations.
To enable SSL in the Security panel:
- Set SSL Enabled to Yes. Additional properties
are shown:
  - LDAP Outbound: specifies the configuration
  used for outbound communication through LDAP. The default is Default
  JSSE Outbound SSL.
  - Engine to Agent Default Outbound: specifies
  the configuration used for communications from the engine component
  to agents. The default is Default OpenSSL Outbound SSL.
  - Services Layer Inbound: specifies the configuration
  used by the Services Layer component to accept communications from
  the web interface component and engine component. The default is Default
  JSSE Inbound SSL.
  - Services Layer Outbound (JSSE): specifies
  the JSSE configuration used by the engine component and web interface
  component Services Layer component to communicate with databases.
  The default is Default JSSE Outbound SSL.
  - Services Layer Outbound (OpenSSL): specifies
  the OpenSSL configuration used by the engine component and web interface
  component Services Layer component to communicate with databases.
  The default is Default OpenSSL Outbound SSL.
- Click Save.
- Click Update Master BFClient.conf. This
step edits the BFClient.conf file using these property settings.
- Restart Build Forge. Secure communications are not in effect until
the system starts using these settings.
The configurations you select are defined in the SSL panel.
Requirements after SSL is enabled in this panel:
- Certificate distribution: certificates must be installed in keystores
on agent hosts, the database host, and any additional Build Forge
installations that are running (redundant configuration).
- Agent SSL enablement: if you intend to use SSL for communication
between the engine component and agents, each agent must be configured
to use SSL.
- API client enablement: all API clients must configure SSL to communicate
with the services layer component.
Enabling password encryption
Prerequisites:
- SSL port, specified in the Web and Application
Server panel. That port must match the port specified in the configurations
you choose below. The default during installation and in the configurations
is port 8443. This port is used by the authentication servlet on Apache
Tomcat during login to encode or encrypt user login credentials.
- Certificate, specified in the Web and Application
Server panel. You either provided your own or allowed the installer
to create a self-signed certificate for you. The certificate is stored
in the default keystore. The keystore location is defined in named
SSL configurations.
To enable password encryption in the Security panel:
- Set Password Encryption Enabled to Yes.
- Click Save.
- Click Update Master BFClient.conf. This
step edits the BFClient.conf file using these property settings.
- Restart Build Forge. Password encryption is not in effect until
the system starts using these settings.
- Once it is enabled, any new passwords entered at the console are
encrypted, including Server Auth passwords and user passwords for
users created at the console.
Additional Requirements:
After you have enabled encryption, you need to do the following:
- Enable encryption on all agents. Export the key and use it to
update the server auth password in each agent's configuration. The
password must be manually updated in BFAgent.conf.
- Enable an encrypted password for database access. Export the key
and use it to update the database password that Build Forge uses to
log on to the database. The password must be manually updated in buildforge.conf.