SSL configuration
With Secure Sockets Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient. This communication cannot be deciphered or modified by third parties. In addition to encryption, SSL can also support authentication.
HCL™ Launch servers and agents communicate via HTTP. Typically, HTTP is used for file transfers between the server and an agent. For example, HTTP is used when an agent is downloading a new plug-in, or when an agent is uploading or downloading version artifacts.
- Enabling server identity verification
  Starting with version 6.2.1.1 of the product, you can enable extra security by configuring the agents to verify the identity of the server for communication that uses the HTTPS protocol.
- Supported TLS and SSL protocols and ciphers
  HCL Launch supports multiple SSL protocols and ciphers for communication between servers.
- Enforcing the use of a security protocol or set of ciphers
  For security reasons, ensure that all SSL connections to and from the HCL Launch server use the TLSv1.2 protocol. Support for TLSv1.0 and TLSv1.1 is deprecated. To configure SSL globally, follow the instructions under jdk.tls.disabledAlgorithms.
- Configuring SSL on Apache Tomcat and LDAP servers
  The steps for configuring secure HTTP connections with the HCL Launch server are similar to the steps for any Java™ Platform, Enterprise Edition server.
- Implementing custom trust stores
  A trust store defines the roots of the certificate trust chain. Typically, these are the certificate authority root certificates that sign other certificates. They can also be end-entity certificates that are directly trusted. Java® includes a default trust store that contains certificate authority root certificates for many well-known authorities. This trust store is a file called cacerts and is contained in the Java installation. The file has the same format as a keystore, but it never contains a private key. You can use the keytool program to modify or replace this file to alter the trust roots. Otherwise, a custom trust store must be used instead.