Enabling server identity verification
Starting with version 188.8.131.52 of the product, you can enable extra security to configure the agents to verify the identity of the server for communication that uses the HTTPS protocol.
- All source configuration plug-ins
- WinRS Agent Install plug-in
- z/OS® Utility plug-in
- MobileFirst Platform Foundation (formerly Worklight) plug-in
- WebSphere® Application Server - Deployment plug-in
Ensure that the keytool utility, which is provided with the Java™ developer kit and is not part of IBM UrbanCode Deploy, is available in the system path.
When you install the IBM UrbanCode Deploy server, a private key and self-signed certificate with the alias server are stored in the server_installation_directory/opt/tomcat/conf/tomcat.keystore file. This certificate is presented to agents, agent relays, and users that connect to the server via HTTPS. Because the certificate that is associated with the private key has a generic distinguished name (DN), you must replace the key so that the agent or agent relay can correctly verify the host name of the server. After you configure the server to present a certificate with a valid host name, you then configure the agents to accept that trusted certificate and to require verification of the host name of the server.
- Stop the IBM UrbanCode Deploy server.
- Open a command-line window, and go to the server_installation_directory/opt/tomcat/conf directory.
Generate a private key that is associated with the correct host name to use for HTTP
communication. Run a command similar to the following command:
keytool -genkeypair -alias serverNewCN -keysize 2048 -sigalg SHA256withRSA -keyalg RSA -keystore tomcat.keystore
The existing key is stored in the tomcat.keystore file with the server alias.
tomcat.key.aliasproperty in the installed.properties file to specify the alias in the keystore that contains the certificate to use.
Edit the following properties in the
secured-installed.propertiesfile to specify the password for the certificate and keystore to use.
server.key.password=<new_certificate_password> tomcat.keystore.password=changeitEnter the passwords in plain text, so that it automatically encrypts once the server runs.
- Optional: Create a certificate signing request that uses the new private key, and then use an internal or external certificate authority to sign it.
Export the server certificate. Run a command similar to the following command:
keytool -exportcert -alias server -keystore tomcat.keystore -file server.cert
- Start the IBM UrbanCode Deploy server.
If you used a certificate authority that is not already trusted by the agents, copy the
server certificate to the agent computer, and then import the certificate into the
keystore of the JRE that is used to run the agent process.
By default, the path to the keystore is $JAVA_HOME/lib/security/cacerts. If you use agent relays, repeat this step for all agent relays.
If you use agent relays, complete the following steps to configure the agents to verify the
identity of the agent relays.
Note: Agent relays use separate keystores for HTTPS and JMS connections. Server identity verification uses the HTTPS, or codestation, keystores for the agent relays.
Open a command-line window on the agent relay computer, and go to the
By default, the agent-relay-install location is
/opt/ibm/agentrelayon Linux™ and
C:\Program Files\IBM\agentrelayon Windows™.
Generate a private key that is associated with the HTTPS connection for the agent relay. Run a
command similar to the following command:
keytool -genkeypair -alias agentrelay -keysize 2048 -sigalg SHA256withRSA -storepass changeit -keypass changeit -keyalg RSA -keystore codestation.keystore
-aliasargument, specify the certificate alias of the codestation keystore for the agent relay. The certificate is in the agentrelay.properties file for the agent relay, in the property codestation.cert.alias. The default value is
Export the agent relay certificate. Run a command similar to the following command:
keytool -exportcert -alias agentrelay -keystore codestation.keystore -file agentrelay.cert
Copy the agent relay certificate to the agent computer, and then import the certificate into
the keystore of the JRE that is used to run the agent process.
By default, the path to the keystore is $JAVA_HOME/lib/security/cacerts.
- Open a command-line window on the agent relay computer, and go to the /agent_relay_install/conf/ directory.
Add verify.server.identity=true to the
file on each agent.
If you use agent relays to cache artifacts, repeat this step for all agent relays.
Upgrade each agent or agent relay to version 184.108.40.206 or later. If an agent is already upgraded,
restart the agent.
Agents can communicate with the server during this process, so you can upgrade agents one at a time.