Enabling secure communication

You can enable Remote Debug Service to communicate over Secure Sockets Layer (SSL) in either of two ways: with a private key and self-signed certificate stored in a keystore file, or with AT-TLS.

Enabling secure communication with a keystore file

You can enable Remote Debug Service to communicate via Secure Sockets Layer (SSL) with a private key and self-signed certificate stored in a keystore file.
  1. Create a JKS keystore file by using the Java runtime utility keytool:
     keytool -genkey -alias rmtd -keyalg RSA -storetype JKS -keystore keystore.jks
  2. Edit /etc/debug/eqarmtd.env and update the keystore variables so that they point to the new keystore file.
  3. To ensure that the keystore file is only readable by the protected user ID STCEQA2, change the owner and permission of the file with:
     chown STCEQA2:STCGROUP keystore.jks
     chmod 640 keystore.jks
  4. Export the SSL certificate with:
     keytool -export -keystore keystore.jks -alias rmtd -storetype JKS -file rmtd.cer -rfc

The exported SSL certificate (rmtd.cer) can be distributed to remote users, who import it into their client keystore.
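The four steps above, as an added example that is not part of the product documentation: each step is wrapped in a function, and a permission check is added that a practitioner can run before starting the service to confirm the keystore is readable only by the protected user ID and its group. The alias, file names, owner and mode come from the procedure; the RMTD_SETUP switch and the check function are assumptions for this example.

```shell
#!/bin/sh
# Added example: keystore setup for Remote Debug Service with a compliance check.
# Step commands are the ones from the procedure; RMTD_SETUP and
# check_keystore_perms are assumptions made for this example.
set -e

KEYSTORE=${KEYSTORE:-keystore.jks}
ALIAS=rmtd
OWNER=STCEQA2
GROUP=STCGROUP

# Step 1: generate the RSA key pair and self-signed certificate (keytool prompts
# for the store password and the subject name).
create_keystore() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -storetype JKS -keystore "$KEYSTORE"
}

# Step 3: owner and mode so that only STCEQA2 (and its group) can read the
# private key. Run this from a user ID with authority to chown to STCEQA2.
lock_down_keystore() {
    chown "$OWNER:$GROUP" "$KEYSTORE"
    chmod 640 "$KEYSTORE"
}

# Step 4: export the public certificate in PEM form for distribution to clients.
export_certificate() {
    keytool -export -keystore "$KEYSTORE" -alias "$ALIAS" -storetype JKS -file rmtd.cer -rfc
}

# Check: mode must be exactly rw-r----- and, when an owner is given, the owner
# must match. Parses ls -l so it works the same on z/OS UNIX and Linux.
# Returns 0 when compliant, 1 otherwise; findings go to stderr.
check_keystore_perms() {
    f=$1
    expected_owner=${2:-}
    line=$(ls -ld "$f") || return 1
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    rc=0
    [ "$mode" = "-rw-r-----" ] || { echo "FINDING: $f mode is $mode, want -rw-r-----" >&2; rc=1; }
    if [ -n "$expected_owner" ] && [ "$owner" != "$expected_owner" ]; then
        echo "FINDING: $f is owned by $owner, want $expected_owner" >&2; rc=1
    fi
    return $rc
}

# Run the full procedure only when explicitly requested (needs keytool and
# chown authority); sourcing the file otherwise just defines the functions.
if [ "${RMTD_SETUP:-0}" = 1 ]; then
    create_keystore
    lock_down_keystore
    export_certificate
    check_keystore_perms "$KEYSTORE" "$OWNER"
    echo "Distribute rmtd.cer to remote users for import into their client keystore."
fi
```

Run with RMTD_SETUP=1 to perform the setup; without it, the script can be sourced and check_keystore_perms called against an existing keystore, which is the useful part to repeat after any maintenance that might have touched the file.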

Enabling secure communication with AT-TLS

You can also use the TCP/IP service called Application Transparent Transport Layer Security (AT-TLS) to enable secure communication with Remote Debug Service. For a step-by-step guide to setting up AT-TLS itself, see Setting up AT-TLS.

Create an AT-TLS policy for the port used by Remote Debug Service as specified in the eqarmtd.env configuration file. See the following sample policy.
TTLSRule EQARMTD
{
     LocalPortRange               8002
     Direction                    Inbound
     TTLSGroupActionRef           EQARMTD_group
     TTLSEnvironmentActionRef     EQARMTD_env
     TTLSConnectionActionRef      EQARMTD_conn
}

TTLSGroupAction EQARMTD_group
{
     TTLSEnabled                  On
}

TTLSEnvironmentAction EQARMTD_env
{
     HandshakeRole                Server
     TTLSKeyringParms
     {
          # Keyring must be owned by the user ID running the EQARMTD started task
          Keyring                 EQARMTD.keyring
     }
}

TTLSConnectionAction EQARMTD_conn
{
     HandshakeRole                     Server
     TTLSCipherParmsRef                EQARMTD_cipherparms
     TTLSConnectionAdvancedParmsRef    EQARMTD_Conn_adv
     CtraceClearText                   Off
}

TTLSConnectionAdvancedParms EQARMTD_Conn_adv
{
     TLSv1                        Off
     TLSv1.1                      Off
     TLSv1.2                      On
     SSLV3                        Off
     ApplicationControlled        Off
     SecondaryMap                 Off
     HandshakeTimeout             20
}

TTLSCipherParms EQARMTD_cipherparms
{
     V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     V3CipherSuites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
}
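An added example, not part of the product documentation: a small audit script that reads an AT-TLS policy file shaped like the sample above and confirms the settings that matter for this service stay hardened after someone edits the policy: SSLv3, TLSv1 and TLSv1.1 off, TLSv1.2 on, CtraceClearText off, and every V3CipherSuites entry an ECDHE or DHE AES-GCM suite. The statement names are those of the sample policy; the baseline the audit enforces and the constructed policy fragment it ships with are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit an AT-TLS policy for the Remote Debug Service rule.
# Statement names follow the sample policy; the baseline itself is an
# assumption about what "hardened" means for this service.
set -e

# Value of a one-word policy statement (first match wins), lower-cased.
policy_value() {
    # $1 = policy file, $2 = statement keyword
    awk -v k="$2" '$1 == k { print $2; exit }' "$1" | tr '[:upper:]' '[:lower:]'
}

# Returns 0 when the policy meets the baseline, 1 otherwise; findings to stderr.
audit_attls_policy() {
    file=$1
    rc=0
    for stmt in SSLV3 TLSv1 TLSv1.1; do
        if [ "$(policy_value "$file" "$stmt")" != "off" ]; then
            echo "FINDING: $stmt must be Off" >&2; rc=1
        fi
    done
    [ "$(policy_value "$file" TLSv1.2)" = "on" ] || { echo "FINDING: TLSv1.2 must be On" >&2; rc=1; }
    [ "$(policy_value "$file" CtraceClearText)" = "off" ] || { echo "FINDING: CtraceClearText must be Off" >&2; rc=1; }
    # Every listed suite must offer forward secrecy (ECDHE/DHE) and use AES-GCM.
    awk '$1 == "V3CipherSuites" { print $2 }' "$file" | while read -r suite; do
        case "$suite" in
            TLS_ECDHE_*_WITH_AES_*_GCM_*|TLS_DHE_*_WITH_AES_*_GCM_*) ;;
            *) echo "FINDING: weak or non-forward-secret suite $suite" >&2; exit 1 ;;
        esac
    done || rc=1
    return $rc
}

# Constructed policy fragment (only the statements the audit inspects), written
# to the file given as $1 so the script can be exercised without a real policy.
write_sample_policy() {
    cat > "$1" <<'EOF'
TTLSConnectionAdvancedParms EQARMTD_Conn_adv
{
     TLSv1                        Off
     TLSv1.1                      Off
     TLSv1.2                      On
     SSLV3                        Off
}
TTLSConnectionAction EQARMTD_conn
{
     CtraceClearText              Off
}
TTLSCipherParms EQARMTD_cipherparms
{
     V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
}
EOF
}
```

Usage: audit_attls_policy /path/to/policy; a non-zero exit with FINDING lines on stderr means a statement drifted from the baseline. The awk lookups match the statement name as the first token on the line, so TLSv1, TLSv1.1 and TLSv1.2 are distinguished exactly and no regex escaping is needed.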

Enabling token-based and multi-factor authentications

You can enable Remote Debug Service to authenticate client connections by using basicAuth, bearerAuth, or both. basicAuth requires a user ID and a fixed password, whereas bearerAuth requires only a token.

Token-based authentication (bearerAuth) is a prerequisite for multi-factor authentication. The Remote Debug Service delegates this type of authentication to the Debug Profile Service. For more information on enabling token-based and multi-factor authentication in the Debug Profile Service, see Adding support for Authentication Service API.