Implementing Secure Sockets Layer (SSL) Encryption

AccuRev supports the use of the Secure Sockets Layer protocol to provide encrypted communication between AccuRev clients and servers. The implementation of this protocol is managed through the use of SSL certificates. Every connection begins with a handshake: the server presents its certificate, which carries its public key; the client decides whether to trust that certificate; and the server proves that it holds the matching private key before the keys for the encrypted channel are established. The private key therefore never leaves the server, and anyone who obtains a copy of it can impersonate the server to every client.

In general, to configure SSL client-server communications, the AccuRev administrator must take the following actions:

  • Generate a private key.
  • Obtain an SSL certificate.
  • Enable SSL on the AccuRev server.

Each of these steps is described in more detail in the following sections.

Generating a Private Key

You can use an SSL toolkit (such as the one available at https://www.openssl.org) to generate a private key. When generating a private key, keep in mind the following points:

  • AccuRev supports the use of RSA private keys
  • AccuRev does not support the use of password-protected private keys
  • AccuRev expects the private key file to have a .pem file extension (*.pem)
  • AccuRev recommends that you generate a private key that is at least of 1024-bit strength. Treat that figure as the floor it was when this page was written: 1024-bit RSA is below current guidance (for example, NIST SP 800-131A), so generate 2048-bit or larger keys

Once you have generated a private key, you can place the private key file anywhere on the server machine.

Note: For security purposes, AccuRev recommends that you set read-only permissions on the private key file. Go one step further and make the file readable only by the account the AccuRev server runs as (for example, mode 0600 on UNIX/Linux, or an ACL granting only the service account read access on Windows): a key that is read-only but world-readable still lets any local user impersonate the server.

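The following is an added example of the key-generation step, not AccuRev's own tooling. It generates an RSA key that meets the constraints listed above (RSA, no passphrase, .pem extension, readable only by the owner) and then checks each constraint, rejecting passphrase-protected or world-readable keys. The key path and the 2048-bit default are assumed example values; the exact PEM variant AccuRev accepts beyond "RSA, .pem" is not stated on the page.

```shell
# Added example (not AccuRev's tooling): generate and check a private key for
# SSL_PRIVATE_KEY. Example path: /opt/accurev/ssl/AccuRev.pem (assumed).

# gen_accurev_key <path/to/AccuRev.pem> [bits]
# 2048 is the default; 1024-bit RSA no longer meets current guidance.
gen_accurev_key() {
    key=$1
    bits=${2:-2048}
    # umask in a subshell so the file is owner-only from the moment it is
    # created, without changing the caller's umask.
    ( umask 077 && openssl genrsa -out "$key" "$bits" 2>/dev/null ) ||
        { echo "key generation failed" >&2; return 1; }
    chmod 600 "$key"
    check_accurev_key "$key"
}

# check_accurev_key <path/to/key.pem>
# Returns 0 only if the file has a .pem extension, loads as an RSA key
# without a passphrase, and is not readable by group or others.
check_accurev_key() {
    key=$1
    case $key in
        *.pem) ;;
        *) echo "$key: AccuRev expects a .pem extension" >&2; return 1 ;;
    esac
    # '-passin pass:' supplies an empty passphrase, so an encrypted key fails
    # here instead of prompting interactively.
    if ! openssl rsa -in "$key" -check -noout -passin pass: >/dev/null 2>&1; then
        echo "$key: not an unencrypted RSA private key" >&2
        return 1
    fi
    # group/other permission bits are columns 5-10 of 'ls -l' output
    perms=$(ls -l "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key: readable by group/others ($perms); use chmod 600" >&2
        return 1
    fi
    return 0
}
```

Run `gen_accurev_key /opt/accurev/ssl/AccuRev.pem` as the account the AccuRev server runs under, so that the owner-only permissions end up granting access to the right identity; `check_accurev_key` can be rerun at any time, for example from a configuration-management check.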

Obtaining an SSL Certificate

Once you have generated a private key, you can obtain an SSL certificate. There are two ways to obtain an SSL certificate:

  • Submit a certificate signing request (CSR) to a trusted certificate authority (CA); the certificate you receive may be signed directly by the CA's root or, more commonly, by one of its intermediate CAs
  • Create a self-signed certificate

AccuRev expects the SSL certificate file to have a .crt extension (*.crt).

When obtaining an SSL certificate, keep in mind that the same certificate can serve several computers or computer names (for example, a short host name, the fully qualified name, and an alias) as long as every name clients will connect to is listed in the Subject Alternative Name (SAN) extension of the certificate. Once you have obtained an SSL certificate, you can place the SSL certificate file anywhere on the server.

AccuRev supports the use of both self-signed and trusted certificates. Regardless of which type of certificate you use, AccuRev prompts the user to accept the certificate the first time the user attempts to connect to an AccuRev server that has been SSL-enabled. If the user accepts the certificate, it is downloaded from the server to the client and stored in the user's profile directory, which is, by default, the .accurev directory. (On Windows and UNIX the location of the user's profile directory is determined by the current setting of the USERPROFILE environment variable; on Linux platforms it is under the /home directory.) The user can then connect to that server in future sessions without being prompted to accept that certificate again, unless the certificate expires or SSL is disabled on the server. If the user attempts to connect to a different SSL-enabled AccuRev server, the user is prompted to accept that server's certificate as well. Note that this is trust-on-first-use: the prompt by itself gives the user no way to tell the genuine certificate from one substituted by an attacker on the network path. Publish the certificate's thumbprint through a separate channel (an intranet page, a ticket, configuration management) and have users compare it before accepting, or pre-accept the certificate with the thumbprint option described under Managing SSL.

Note: Additional configuration is required if you are using a certificate from a trusted authority. See Considerations for Using Trusted Certificates (below) for more information.

Considerations for Using Trusted Certificates

If you are using an SSL certificate from a trusted authority, the certificate file must contain the whole chain of trust, not just the certificate issued to you, so that clients can verify your certificate up to the root. You do this by appending the intermediate and root certificates to your server certificate as described here and as shown in the following example.

When adding intermediate and root certificates, note the following:

  • Your server's own certificate (the one the trusted authority issued to you) must be the first one in the certificate file, followed by the intermediate CA certificates in signing order (the CA that signed your certificate first), and ending with the root certificate.

  • Each certificate must be in Base64 encoded format (that is, PEM format).

  • Each certificate must be preceded with -----BEGIN CERTIFICATE----- and followed with
    -----END CERTIFICATE----- on their own lines. These demarcations are present in each certificate and should not be removed.

  • When editing the certificate file, use an editor that preserves the file's line endings (including UNIX LF line endings) and does not insert formatting characters or wrap lines. When you are done appending intermediate and root certificates, your certificate file should resemble the following example: a server certificate, followed by the issuing intermediate CA certificate, followed by the root CA certificate.

-----BEGIN CERTIFICATE-----
MIIE0TCCA7mgAwIBAgIQLOmmgpHvkgfaMxBKj9tPojANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTE0MDMxMTAwMDAwMFoXDTE1MDMxMTIzNTk1OVowcDEL
MAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcUB0Nv
bmNvcmQxFDASBgNVBAoUC0FjY3VSZHYgSW5jMSEwHwYDVQQDFBhzZWNyZXR3ZWFw
b24uYWNjdXJldi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5
r5A70M9l6B4alO2A9IKbWLtZ0Tm7xeWJ4SIE1sypxnba3njaN3bx0CXNvhxWP+68
VWRhfaSemti+c/BQ5aRhp6kBUYGQ6NLKtycmME3N+HgwpkUylHkEH7gnUgyCUu7L
PMPJgg3/6WByRykzpHHgX0vCX8EbUaWxsMaglQojJsOUm+L6eTcRBQpywJOidoMQ
hJ6pjlg7AzK8qqMNSpBbG8CrMQMmnixY5qGJ28I3WtJu/LNHAyrPxYq1bNJbsBtM
mYXI6/IHiq0u2ogPnvr5Ud8CV/VRZ6Mdaxllw7o2yfNjncw6dnP6dbHA7g8t0qPp
tXg+3ISiBXOQpVPCC9flAgMBAAGjggGZMIIBlTAJBgNVHRMEAjAAMEIGA1UdIAQ7
MDkwNwYKYIZIAYb4RQEHNjApMCcGCCsGAQUFBwIBFhtodHRwczovL3d3dy50aGF3
dGUuY29tL2Nwcy8wDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQYMBaAFKeig7s0RUA9
/NUwTxK5PqEBn/bbMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9zdnItb3YtY3Js
LnRoYXd0ZS5jb20vVGhhd3RlT1YuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjBpBggrBgEFBQcBAQRdMFswIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3Nw
LnRoYXd0ZS5jb20wNQYIKwYBBQUHMAKGKWh0dHA6Ly9zdnItb3YtYWlhLnRoYXd0
ZS5jb20vVGhhd3RlT1YuY2VyME0GA1UdEQRGMESCGnNlY3JldHdlYXBvbi5hY2N1
cmV2LmxvY2FsggxzZWNyZXR3ZWFwb26CGHNlY3JldHdlYXBvbi5hY2N1cmV2LmNv
bTANBgkqhkiG9w0BAQUFAAOCAQEAC2Xw1KcxXLCd1ffy3OdOBbopfrqFGeK9k3Kg
LaLZfdmc8Ncg996abVh2phDl+09eKNIpMKBESvyD6DWGEoUBY04Ql13+tHKnFfdb
jxxQHgCF1diyZmEx4buMG0oOkmMZay+FlUJxk3U1c0vqpNpQiXggWsqvT8++UIQc
2l3O56IKHGeWoe/ITvwzqn55XxfOLIyOys8Xy1//8N1lT5FLG/RdWo3eSJgU+vyv
FTN3xRlwWGxIJIWVg1efxgRgFO8b6PvelV5C4xGaMPzEsRYDcve7wZK+S8XFTCQi
WXkazTQiEdwF086RmBUdkfC9+ukWowp6GFLI4checd/Acu0SdA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEbDCCA1SgAwIBAgIQTV8sNAiyTCDNbVB+JE3J7DANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjA4MDAwMDAwWhcNMjAw
MjA3MjM1OTU5WjA8MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MRYwFAYDVQQDEw1UaGF3dGUgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAmeSFW3ZJfS8F2MWsyMip09yY5tc0pi8M8iIm2KPJFEyPBaRF6BQM
WJAFGrfFwQalgK+7HUlrUjSIw1nn72vEJ0GMK2Yd0OCjl5gZNEtB1ZjVxwWtouTX
7QytT8G1sCH9PlBTssSQ0NQwZ2ya8Q50xMLciuiX/8mSrgGKVgqYMrAAI+yQGmDD
7bs6yw9jnw1EyVLhJZa/7VCViX9WFLG3YR0cB4w6LPf/gN45RdWvGtF42MdxaqMZ
pzJQIenyDqHGEwNESNFmqFJX1xG0k4vlmZ9d53hR5U32t1m0drUJN00GOBN6HAiY
XMRISstSoKn4sZ2Oe3mwIC88lqgRYke7EQIDAQABo4H7MIH4MDIGCCsGAQUFBwEB
BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTASBgNVHRMB
Af8ECDAGAQH/AgEAMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVQQ0EuY3JsMA4GA1UdDwEB/wQEAwIBBjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItOTAdBgNVHQ4EFgQUp6KDuzRFQD38
1TBPErk+oQGf9tswHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJ
KoZIhvcNAQEFBQADggEBAIAigOBsyJUW11cmh/NyNNvGclYnPtOW9i4lkaU+M5en
S+Uv+yV9Lwdh+m+DdExMU3IgpHrPUVFWgYiwbR82LMgrsYiZwf5Eq0hRfNjyRGQq
2HGn+xov+RmNNLIjv8RMVR2OROiqXZrdn/0Dx7okQ40tR0Tb9tiYyLL52u/tKVxp
EvrRI5YPv5wN8nlFUzeaVi/oVxBw9u6JDEmJmsEj9cIqzEHPIqtlbreUgm0vQF9Y
3uuVK6ZyaFIZkSqudZ1OkubK3lTqGKslPOZkpnkfJn1h7X3S5XFV2JMXfBQ4MDzf
huNMrUnjl1nOG5srztxl1Asoa06ERlFE9zMILViXIa4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----


Enabling SSL Encryption on the AccuRev Server

After you have obtained an SSL certificate, ensure that you have placed both the private key file and the SSL certificate file in any location on the AccuRev server before attempting to enable SSL encryption.

To enable SSL encryption on an AccuRev server, add the following three parameters to the acserver.cnf file:

  • SSL_ENABLED = TRUE

    Enable the server for SSL encryption by setting the SSL_ENABLED parameter to TRUE.

  • SSL_CERTIFICATE = C:\Program Files (x86)\AccuRev\bin\ServerCert\AccuRev.crt

    In this example, C:\Program Files (x86)\AccuRev\bin\ServerCert\AccuRev.crt represents the absolute path to the server's certificate file, AccuRev.crt. This path name cannot contain quotes.

  • SSL_PRIVATE_KEY = C:\Program Files (x86)\AccuRev\bin\ServerCert\AccuRev.pem

    In this example, C:\Program Files (x86)\AccuRev\bin\ServerCert\AccuRev.pem represents the absolute path to the server's private key file, AccuRev.pem. This path name cannot contain quotes.

After editing the acserver.cnf file, you must restart the AccuRev server to complete the process of encrypting communication between the server and its clients.
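The following is an added example of a pre-flight check for this step, not AccuRev's tooling, written for a UNIX/Linux shell (the page's own paths are Windows examples; the acserver.cnf keys are the ones named above). Before the restart it confirms that the key loads without a passphrase, that the key belongs to the first certificate in the .crt file, and that the certificate is not about to expire (the situation covered under Replacing an Expired Certificate below), and only then rewrites the three SSL parameters, replacing any earlier SSL_ lines. File paths and the 30-day expiry margin are assumed example values.

```shell
# Added example (not AccuRev's tooling): check the key/certificate pair, then
# write the three acserver.cnf parameters. Paths are assumed examples.

# accurev_ssl_preflight <cert.crt> <key.pem> [min-days-left]
accurev_ssl_preflight() {
    cert=$1 key=$2 days=${3:-30}
    [ -r "$cert" ] && [ -r "$key" ] || { echo "certificate or key not readable" >&2; return 1; }
    # the page says these path names cannot contain quotes
    case "$cert$key" in *'"'*|*"'"*) echo "paths must not contain quotes" >&2; return 1 ;; esac
    # key must load with no passphrase (AccuRev does not support protected keys)
    openssl rsa -in "$key" -noout -passin pass: >/dev/null 2>&1 ||
        { echo "$key: not an unencrypted RSA key" >&2; return 1; }
    # the first certificate in the file (the server's own) must match the key:
    # same RSA modulus
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    kmod=$(openssl rsa -in "$key" -noout -modulus -passin pass: 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] ||
        { echo "$key does not match the certificate in $cert" >&2; return 1; }
    # refuse a certificate that expires within <days> days: clients would be
    # re-prompted, and unattended scripts would fail, when it does
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "$cert expires within $days days" >&2; return 1; }
}

# write_acserver_ssl <acserver.cnf> <cert.crt> <key.pem>
# Replaces any existing SSL_* lines with the three parameters from the text.
# The server must still be restarted afterwards.
write_acserver_ssl() {
    cnf=$1 cert=$2 key=$3
    accurev_ssl_preflight "$cert" "$key" || return 1
    if [ -f "$cnf" ]; then grep -v '^SSL_' "$cnf" > "$cnf.new" || :; else : > "$cnf.new"; fi
    printf 'SSL_ENABLED = TRUE\nSSL_CERTIFICATE = %s\nSSL_PRIVATE_KEY = %s\n' "$cert" "$key" >> "$cnf.new"
    mv "$cnf.new" "$cnf"
}
```

The modulus comparison is the check that catches the most common mistake in practice, pointing SSL_CERTIFICATE at a renewed certificate while SSL_PRIVATE_KEY still names the old key; the server would fail the handshake for every client after the restart.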


Managing SSL

The following sections describe methods of managing the process of SSL encryption in AccuRev.

Using the --thumbprint Option

In public key cryptography, a certificate's thumbprint (also known as a "fingerprint") is the SHA-1 hash of the certificate's binary (DER) encoding, written as a hexadecimal string. It is a short, stable identifier for the entire certificate, so it can be compared by eye or by a script in place of the certificate itself. The --thumbprint option lets you supply the expected thumbprint; if it matches the thumbprint of the SSL certificate presented by the AccuRev server, the certificate is accepted automatically, and otherwise it is not accepted without the usual prompt. The option is available for both the enable_ssl command and the get_certificate command, and is particularly useful where no user is present to accept an SSL certificate. The value you supply must come from the server administrator through a channel other than the server connection itself (for example, computed from the .crt file on the server and published with the server details); a thumbprint copied from a first-connection prompt merely records whatever certificate that connection happened to present.

The --thumbprint option can be used to enable SSL on unattended machines from a script that runs a command such as the following (the thumbprint shown is the page's example value; substitute the one computed for your server's certificate):

accurev enable_ssl --thumbprint="30 9b 7a f1 44 5f 8b 1f ac 7b 6f 8b aa bc 3f 7b b6 56 da c9"

For more information about the --thumbprint option, refer to the descriptions of the get_certificate and enable_ssl commands in the AccuRev CLI Help.

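The following is an added example of the administrator's side of this workflow, not part of AccuRev: it computes the thumbprint of the certificate file SSL_CERTIFICATE points at in the space-separated lowercase layout shown above, so the value can be published out of band and pasted into the client script, and it normalises and compares a thumbprint in any of the usual layouts (spaces, colons, upper or lower case). The .crt path is an assumed example; the accurev binary itself is not assumed to be present.

```shell
# Added example (not part of AccuRev): compute and compare certificate
# thumbprints. Example path: /opt/accurev/ssl/AccuRev.crt (assumed).

# accurev_thumbprint <cert.crt>: SHA-1 over the DER encoding of the first
# certificate in the file, as lowercase space-separated hex byte pairs.
accurev_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null |
        sed 's/^.*=//' | tr 'A-F:' 'a-f '
}

# thumbprint_matches <cert.crt> <expected>: 0 if <expected> equals the
# certificate's thumbprint; the expected value may use spaces or colons and
# either case. An unreadable certificate never matches.
thumbprint_matches() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' :')
    actual=$(accurev_thumbprint "$1" | tr -d ' ')
    [ ${#actual} -eq 40 ] && [ "$actual" = "$expected" ]
}

# enable_ssl_command <cert.crt>: the line to put in the unattended client
# script (the command itself is from the text; it is not run here).
enable_ssl_command() {
    tp=$(accurev_thumbprint "$1")
    [ -n "$tp" ] || { echo "cannot read $1" >&2; return 1; }
    printf 'accurev enable_ssl --thumbprint="%s"\n' "$tp"
}
```

Run `accurev_thumbprint /opt/accurev/ssl/AccuRev.crt` on the server, record the output with the server details, and bake that value into the client script; re-run it after every certificate replacement, since the thumbprint changes with the certificate even when the private key is reused.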
Implementing SSL for Replicas

If replicas are being used, SSL encryption must be enabled on all machines. This means that:

  • The master server must be SSL-enabled
  • All clients must be SSL-enabled
  • All replicas must be SSL-enabled as both a client (to the master server) and as a server (to all clients)

Replacing an Expired Certificate

If an SSL certificate expires, the AccuRev administrator must obtain a new SSL certificate. The existing private key can be used to obtain a new SSL certificate as long as its security has not been compromised. Otherwise, the administrator can generate a new private key and use that to obtain a new SSL certificate.

If the certificate name or location on the server has changed, the SSL_CERTIFICATE parameter of the acserver.cnf file must be updated to reflect the new file name or file path. Likewise, the SSL_PRIVATE_KEY parameter of the acserver.cnf file must be updated if the private key file name or location has been changed.

Disabling SSL Encryption on the AccuRev Server

To disable SSL encryption on the server, set the SSL_ENABLED parameter to FALSE in the acserver.cnf file:

SSL_ENABLED = FALSE

You could also delete this parameter or comment it out to disable SSL encryption on the server.

After editing the acserver.cnf file, you must restart the server to complete the process of disabling SSL.

When an SSL-enabled client attempts to connect to this server, the user is prompted to disable SSL on the client or exit the interface.
