It's all about the answers!

Ask a question
QuestionsTagsUsersBadges
Guidelines | FAQ
Follow this question
Question details

×1,192

question asked: Jul 15 '10, 3:51 a.m.
question was seen: 5,483 times
last updated: Jul 15 '10, 3:51 a.m.

Related questions

Multiple BF Servers connecting to the same Agents using SSL?

0
Andy Rutherford (21128) | asked Jul 15 '10, 3:51 a.m.
Hi,

I have a customer who has two Build Forge (7.1.1.4) engines running and wants to connect to the same set of Agents using SSL. The documentation recommends setting values in the bfagent.conf file and also copying PEM files into the root directory of the Agent (which I take to mean wherever the Agent executable lives).

I take it this type of scenario is supported, but I'm wondering what the best way of proceeding is. Am I just able to create duplicate values in the bfagent.conf file, so instead of just one set of these values:

ssl_key_location buildForgeKey.pem
ssl_key_password password
ssl_cert_location buildForgeCert.pem
ssl_ca_location buildForgeCA.pem
ssl_protocol TLSv1
ssl_cipher_group ALL

and then copy both sets of PEM files into the root folder, or am I better to try and create one set of certificates for both BF engines and then there would only need to be one setup for all agents.

thanks
Andy

One answer

Most liked answers ↑|Newest answers|Oldest answers

0
permanent link
Peter Birk (501145) | answered Jul 15 '10, 8:25 a.m.
JAZZ DEVELOPER
Hi Andy,

It is probably simpler to use one set of PEM files for all of your agents as you suggest, but it's much less secure. If any system gets compromised, they all are. There are several ways to do this.

One is to get a CA certificate for each machine. This can be an internal or external CA. This minimizes management by only having to need a single root signer in all of the trust stores (console and agent).

The other way is to create self-signed certificates (one per agent), and then make sure the console has each agent's certificate in buildForgeCA.pem and that each agent has the console cert in buildForgeCA.pem.

You want to enable clientAuthentication at the agent so that you can make mutual SSL connections between the agent and the console, which is what you really want to do to make a secure connection to the agent which can run remote commands. There are instructions in the BF installation guide for setting up a set of PEMs with self-signed certificates. Let me know if you need more assistance with this.

Regards,
Pete

Your answer

Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.