Multiple BF Servers connecting to the same Agents using SSL?
Hi,
I have a customer who has two Build Forge (7.1.1.4) engines running and wants to connect to the same set of Agents using SSL. The documentation recommends setting values in the bfagent.conf file and also copying PEM files into the root directory of the Agent (which I take to mean wherever the Agent executable lives).
I take it this type of scenario is supported, but I'm wondering what the best way of proceeding is. Am I just able to create duplicate values in the bfagent.conf file, so instead of just one set of these values:
ssl_key_location buildForgeKey.pem
ssl_key_password password
ssl_cert_location buildForgeCert.pem
ssl_ca_location buildForgeCA.pem
ssl_protocol TLSv1
ssl_cipher_group ALL
and then copy both sets of PEM files into the root folder, or would I be better off creating one set of certificates for both BF engines, so that there would only need to be one setup for all agents?
thanks
Andy
One answer
Hi Andy,
It is probably simpler to use one set of PEM files for all of your agents as you suggest, but it's much less secure. If any system gets compromised, they all are. There are several ways to do this.
One is to get a CA certificate for each machine. This can be an internal or external CA. This minimizes management by only needing a single root signer in all of the trust stores (console and agent).
The other way is to create self-signed certificates (one per agent), and then make sure the console has each agent's certificate in buildForgeCA.pem and that each agent has the console cert in buildForgeCA.pem.
You want to enable clientAuthentication at the agent so that you can make mutual SSL connections between the agent and the console, which is what you really want in order to make a secure connection to an agent that can run remote commands. There are instructions in the BF installation guide for setting up a set of PEMs with self-signed certificates. Let me know if you need more assistance with this.
Regards,
Pete
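The two trust-store layouts Pete describes, as an added example that is not part of the original thread and not IBM or Build Forge code: a stand-alone Go program that generates throwaway certificates for two engines and an agent, builds each side's buildForgeCA.pem as an in-memory pool, and replays the two certificate checks a mutually authenticated TLS handshake performs (engine verifies agent, agent with client authentication verifies engine). It does not read bfagent.conf or talk to an agent; the hostnames, the CA name and the function names are assumptions made for the demonstration. The shared-CA layout ships one identical trust file to every machine; the self-signed layout cross-installs every peer certificate and has to be redistributed whenever a party is added.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity issues the certificate and key that ssl_cert_location / ssl_key_location point
// at for name (a made-up hostname): self-signed when issuer is nil, otherwise signed by issuer.
func newIdentity(name string, isCA bool, issuer *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy failure: fatal in a demo
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, interface{}(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trustStore models one side's buildForgeCA.pem: exactly these anchors, no system roots.
func trustStore(anchors ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a.Leaf)
	}
	return pool
}

// mutualAuth replays the two checks of a mutually authenticated handshake: the engine (TLS client)
// verifies the agent's certificate and hostname, then the agent (client auth on) verifies the engine's.
func mutualAuth(engine, agent tls.Certificate, engineStore, agentStore *x509.CertPool) error {
	_, err := agent.Leaf.Verify(x509.VerifyOptions{Roots: engineStore, DNSName: agent.Leaf.Subject.CommonName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return fmt.Errorf("engine rejected agent %s: %w", agent.Leaf.Subject.CommonName, err)
	}
	_, err = engine.Leaf.Verify(x509.VerifyOptions{Roots: agentStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("agent rejected engine %s: %w", engine.Leaf.Subject.CommonName, err)
	}
	return nil
}

// sharedCA: one internal CA signs both engines and the agent; every buildForgeCA.pem holds only the CA.
func sharedCA() error {
	ca := newIdentity("buildforge-ca.example.internal", true, nil)
	agent := newIdentity("bf-agent1.example.internal", false, &ca)
	store := trustStore(ca) // the same file is copied to every machine
	for _, name := range []string{"bf-engine1.example.internal", "bf-engine2.example.internal"} {
		if err := mutualAuth(newIdentity(name, false, &ca), agent, store, store); err != nil {
			return err
		}
	}
	return nil
}

// selfSigned: everyone is self-signed, so the agent's buildForgeCA.pem carries both engine certs and each engine's carries the agent's.
func selfSigned() error {
	engines := []tls.Certificate{newIdentity("bf-engine1.example.internal", false, nil), newIdentity("bf-engine2.example.internal", false, nil)}
	agent := newIdentity("bf-agent1.example.internal", false, nil)
	engineStore, agentStore := trustStore(agent), trustStore(engines...)
	for _, e := range engines {
		if err := mutualAuth(e, agent, engineStore, agentStore); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	fmt.Println("shared CA:", sharedCA(), "self-signed:", selfSigned())
}
```

Both layouts print `<nil>` when run. The second `Verify` call in `mutualAuth` is the step that only happens when client authentication is switched on at the agent; without it an agent will accept any engine that can reach its port, whatever the trust file contains. Pools built with `x509.NewCertPool()` deliberately exclude the operating system's root store, which is the behaviour you want from a dedicated buildForgeCA.pem.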