Configure secure access on Windows systems

This topic describes how to configure a secure connection to and from OpenText Application Quality Management when it is installed on a Windows system. For the procedure, see Configure a secure connection to the application server (Jetty).

Overview

When the server connects to another server, such as the OpenText Enterprise Performance Engineering server, that requires a secure connection, you must configure trust on the OpenText Application Quality Management server to the authority that issued the remote server certificate.

For more secure communication with the OpenText Application Quality Management server, you can configure Jetty to use TLS 1.3.

When enabling a secure connection, you should also ensure encrypted communication with cookies by setting a site configuration parameter.

Configure trust on the server

Configure trust on the server, when it connects to another server over a secure connection.

  1. Obtain the certificate of the root and any intermediate Certificate Authority that issued the remote server certificate.

  2. On the server, go to the Java bin directory. For example:

     C:\Program Files\Java\jre\bin 
  3. Import each certificate into the java truststore by using a keytool command. For example:

    C:\Program Files\Java\jre\bin\keytool -import -trustcacerts -alias myCA -file <path to certificate> -keystore "c:\Program Files\java\jre\lib\security\cacerts"
                                               
  4. If your access is denied, run CMD as an administrator.

Configure a secure connection to the application server (Jetty)

  1. Obtain the server certificate issued to the name of this server in java keystore format. It must contain a private key and the certificate authority that issued it. For details on creating certificates using the Certificate Authority, see this KB article.

  2. Verify that all users have logged out of projects and stop the service.
  3. Navigate to the <Deployment folder>\server\conf directory. Make a backup of the jetty.properties file and the keystore file located in this directory.

  4. Copy your keystore file to this directory and rename it keystore.
  5. (Optional) To change the Jetty port, open the jetty-ssl.xml file.

    <Set name="port"><Property name="jetty.ssl.port" default="<your port>"/></Set>
  6. To change keystore related settings, such as passwords and keystore file path, open the jetty.properties file.

    #ssl
    jetty.sslContext.keyStorePassword=<your password>
    jetty.sslContext.trustStorePassword=<your password>
    jetty.sslContext.KeyManagerPassword=<your password>
    jetty.sslContext.trustStorePath=<your path>
    jetty.sslContext.KeyStorePath=<your path>
  7. (Strongly recommended) To obfuscate the passwords, perform the following steps:

    1. Determine the version of Jetty that you are using. Locate the <Deployment folder>\server\lib\jetty-util-<your-jetty-version>.jar file. <your-jetty-version> is the version of Jetty you are using.

    2. Open Command Prompt (cmd) and run the following commands:

      set JETTY_VERSION=<your-jetty-version>
      "<JAVA_HOME>\bin\java.exe" -cp "<Deployment folder>\server\lib\jetty-util-%JETTY_VERSION%.jar" org.eclipse.jetty.util.security.Password <password>

      For example, if you run the following command:

      "C:\Program Files\java\jre\bin\java.exe" -cp "<Deployment folder>\server\lib\jetty-util-9.1.4.v20140401.jar" org.eclipse.jetty.util.security.Password changeit

      The output will appear as follows:

      changeit
      OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
    3. In the jetty.properties file, replace each plain text password with its obfuscated value, including the OBF: prefix.

    4. Save the jetty.properties file.

  8. Open the start.ini file, uncomment the following lines, and save the file.

    jetty-ssl.xml
    jetty-ssl-context.xml
    
  9. Restart the service.
  10. Check the wrapper.log file. If you do not see the "Server is ready!" message, correct the errors shown in the log.
  11. Connect to OpenText Application Quality Management using the SSL connection, such as https://<server>:8443/qcbin.

  12. After ensuring that the SSL connection works, disable non-HTTPS access to the application server.

    1. In the jetty.xml file, locate the following section and comment it out by placing <!-- at the beginning of the section, and --> at the end.

      Note: It is possible that this section in your jetty.xml file is slightly different.

      <!--
      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ServerConnector">
            <Arg name="server"><Ref refid="Server" /></Arg>
            <Arg name="factories">
              <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item>
                  <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                    <Arg name="config"><Ref refid="httpConfig" /></Arg>
                  </New>
                </Item>
              </Array>
            </Arg>
            <Set name="host"><Property name="jetty.host" /></Set>
            <Set name="port"><Property name="jetty.port" default="8080"/></Set>
            <Set name="idleTimeout"><Property name="http.timeout" default="30000"/></Set>
          </New>
        </Arg>
      </Call>
      -->
    2. Save the jetty.xml file.
  13. Restart the ALM service and ensure that the non-secure URL (such as http://<ALM server>:8080/qcbin) does not open.
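The obfuscation in step 7 only keeps the password from being read verbatim: Jetty's OBF encoding is reversible, not encryption, so the file permissions on the conf directory are what actually protect the keystore passwords. The following is an added example, not code from this page or from OpenText or the Jetty project. It is a Python port of Jetty's Password.obfuscate()/deobfuscate() algorithm (checked against the changeit example shown above) plus a small scan that reports password keys in a jetty.properties file that are still in plain text. The sample properties text is constructed, and the key names assumed are the ones listed in step 6.

```python
import re

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    """Lower-case base-36 string, as Java's Integer.toString(n, 36) produces."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
    return "".join(reversed(digits))


def obfuscate(password):
    """Port of org.eclipse.jetty.util.security.Password.obfuscate()."""
    b = password.encode("utf-8")
    parts = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]          # byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes (negative as Java signed bytes) are stored as a
            # raw 16-bit pair tagged with a leading 'U'.
            parts.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            parts.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(parts)


def deobfuscate(obf):
    """Port of Password.deobfuscate(): anyone who can read the file can do this."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")


# Matches the password keys of the "#ssl" block in jetty.properties.
_PASSWORD_KEY = re.compile(r"^\s*(jetty\.sslContext\.\w*[Pp]assword)\s*=\s*(.*?)\s*$")


def find_plaintext_passwords(properties_text):
    """Return password keys whose value is not OBF-prefixed (or is empty)."""
    exposed = []
    for line in properties_text.splitlines():
        m = _PASSWORD_KEY.match(line)
        if m and not m.group(2).startswith(OBF_PREFIX):
            exposed.append(m.group(1))
    return exposed


# Constructed sample: one of the three passwords was left in plain text.
SAMPLE_JETTY_PROPERTIES = """\
#ssl
jetty.sslContext.keyStorePassword=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
jetty.sslContext.trustStorePassword=changeit
jetty.sslContext.KeyManagerPassword=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
jetty.sslContext.trustStorePath=c:/Program Files/java/jre/lib/security/cacerts
jetty.sslContext.KeyStorePath=conf/keystore
"""

if __name__ == "__main__":
    print(obfuscate("changeit"))
    print(deobfuscate("OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0"))
    print(find_plaintext_passwords(SAMPLE_JETTY_PROPERTIES))
```

Running find_plaintext_passwords over the real <Deployment folder>\server\conf\jetty.properties after step 7 is a quick way to confirm nothing was missed; the deobfuscate function is the reason the obfuscation should be treated as a hygiene measure rather than a secret store.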

Use TLS 1.3 or TLS 1.2 for secure connection

Use TLS 1.3 or 1.2 for secure connection with the application server and the database server.

Note:  

  • Oracle databases certified by OpenText Application Quality Management do not support TLS 1.3.

  • Use of the TLS 1.1, TLS 1.0, and SSL 3 protocols is deprecated. OpenText recommends that you do not use them.

Use TLS 1.3 or 1.2 for secure connection with the application server

To use TLS 1.3 or 1.2 for secure connection with the server, configure the jetty-ssl-context.xml file as follows:

  1. Prerequisite: JDK/JRE 17.
  2. Verify that all users have logged out of projects and stop the service.
  3. Navigate to the <Deployment folder>\server\conf directory and make a backup of the jetty-ssl-context.xml file.

  4. Open the jetty-ssl-context.xml file.
  5. Uncomment the ExcludeProtocols section in the file:

    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>

    Note: This is an exclusion list: any protocol the JVM supports that is not listed here stays enabled. You can choose your own set of supported protocols by adding or removing items in this list.

    For example, to use TLS 1.3 only, also add <Item>TLSv1.2</Item> to the list.

  6. Save the jetty-ssl-context.xml file.
  7. Start the service.
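A common failure in step 5 is leaving the ExcludeProtocols section inside its XML comment, in which case Jetty silently keeps every protocol the JVM supports. The following added example, which is not code from this page or from OpenText or Jetty, parses a jetty-ssl-context.xml with Python's standard xml.etree, lists the excluded protocols, derives what remains enabled, and computes the exclusion list needed to leave only a chosen set. The two XML fragments are constructed in the layout of the file, one with the section uncommented and one with step 5 not yet done; the protocol names are the ones the JVM uses.

```python
import xml.etree.ElementTree as ET

# Protocol names as the JVM's SSLContext reports them (assumed full set).
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def excluded_protocols(xml_text):
    """Items of the ExcludeProtocols <Set> in a jetty-ssl-context.xml.

    A <Set> still inside an XML comment is invisible to the parser, exactly as
    it is invisible to Jetty, so the result is then empty."""
    root = ET.fromstring(xml_text)
    excluded = []
    for node in root.iter("Set"):
        if node.get("name") == "ExcludeProtocols":
            excluded.extend(item.text.strip() for item in node.iter("Item") if item.text)
    return excluded


def enabled_protocols(xml_text, available=KNOWN_PROTOCOLS):
    """Protocols the JVM offers minus the ones the file excludes."""
    excluded = set(excluded_protocols(xml_text))
    return [p for p in available if p not in excluded]


def exclusions_for(wanted, available=KNOWN_PROTOCOLS):
    """Items to put in ExcludeProtocols so that only `wanted` stay enabled."""
    keep = set(wanted)
    return [p for p in available if p not in keep]


# Constructed fragment in the layout of the file, section uncommented (step 5 done).
UNCOMMENTED = """\
<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="KeyStorePath"><Property name="jetty.sslContext.keyStorePath" default="conf/keystore"/></Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
</Configure>
"""

# Same fragment with step 5 not yet done: the section is still commented out.
STILL_COMMENTED = (
    UNCOMMENTED
    .replace('  <Set name="ExcludeProtocols">', '  <!--\n  <Set name="ExcludeProtocols">')
    .replace("  </Set>\n</Configure>", "  </Set>\n  -->\n</Configure>")
)

if __name__ == "__main__":
    print("enabled after step 5:", enabled_protocols(UNCOMMENTED))
    print("enabled if still commented:", enabled_protocols(STILL_COMMENTED))
    print("exclusions for TLS 1.3 only:", exclusions_for(["TLSv1.3"]))
```

Running excluded_protocols against the real file before step 7 catches the still-commented case; an empty result means the service will come up accepting the old protocols.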

Use TLS 1.3 or 1.2 for secure connection with the database server

  • To use TLS 1.3:

    1. Prerequisite: Make sure you use SQL Server 2022, with the hotfix for the Bug 2042238 applied.

      About the hotfix for Bug 2042238: it fixes the following error, which occurs when you use the strict encryption option in your connection settings.

      "The incoming tabular data stream (TDS) remote procedure call (RPC) protocol stream is incorrect. Parameter 1 (""): Data type 0x00 is unknown"

      For details, see the Microsoft documentation.

    2. Modify the database connection string by adding Encrypt=strict to the JDBC connection string. For example:

      jdbc:sqlserver://<your server name>:<port>;EncryptionMethod=SSL;Encrypt=strict

  • To use TLS 1.2 for secure connection with the database server, modify the database connection string by adding CryptoProtocolVersion=TLSv1.2 to the JDBC connection string. For example:

    jdbc:sqlserver://<your server name>:<port>;EncryptionMethod=SSL;CryptoProtocolVersion=TLSv1.2

    For details about changing the connection string, see the Site Administration help.

    For Oracle databases: Place the Oracle Wallet file in a location on the ALM server where the ALM Service user has read permissions.
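The two SQL Server recipes above differ only in one property of the connection string, so it is worth checking the configured string rather than assuming. The following added Python (not code from this page or from OpenText) splits a JDBC connection string of the form shown into its properties, compares names case-insensitively, and reports which transport setting it requests. The server names and ports in the samples are constructed placeholders; only the property names the page shows (EncryptionMethod, Encrypt, CryptoProtocolVersion) are recognized.

```python
def parse_jdbc_url(url):
    """Split 'jdbc:<subprotocol>://host:port;key=value;...' into (head, props).

    Property names are lower-cased so comparisons are case-insensitive."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    head, _, tail = url.partition(";")
    props = {}
    for piece in tail.split(";"):
        if not piece:
            continue                       # tolerate a trailing ';'
        key, sep, value = piece.partition("=")
        if not sep:
            raise ValueError(f"malformed property: {piece!r}")
        props[key.strip().lower()] = value.strip()
    return head, props


def tls_mode(url):
    """Classify the transport the string asks for, per the two recipes above."""
    _, props = parse_jdbc_url(url)
    if props.get("encrypt", "").lower() == "strict":
        return "TLS 1.3 (strict encryption)"
    if props.get("cryptoprotocolversion") == "TLSv1.2":
        return "TLS 1.2"
    if props.get("encryptionmethod", "").upper() == "SSL":
        return "encrypted, protocol version not pinned"
    return "no encryption requested"


# Constructed samples (placeholder host db01, port 1433).
SAMPLES = [
    "jdbc:sqlserver://db01:1433;EncryptionMethod=SSL;Encrypt=strict",
    "jdbc:sqlserver://db01:1433;EncryptionMethod=SSL;CryptoProtocolVersion=TLSv1.2",
    "jdbc:sqlserver://db01:1433;EncryptionMethod=SSL",
    "jdbc:sqlserver://db01:1433",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{tls_mode(sample):40s} <- {sample}")
```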

Redirect http to https

This procedure describes how to redirect http to https. You need to redirect to https when accessing the server directly, and not through a front-end server.

  1. Edit <Deployment folder>\webapps\qcbin\WEB-INF\web.xml, and add the following at the end (before </web-app>):

    <security-constraint>
    	<web-resource-collection>
    		<web-resource-name>Everything</web-resource-name>
    		<url-pattern>/*</url-pattern>
    	</web-resource-collection>
    	<user-data-constraint>
    		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
    	</user-data-constraint>
    </security-constraint>
                        
  2. Restart OpenText Application Quality Management.

  3. Access the system via http://<server>:8080/qcbin.

    You should be redirected to https://<server>:8443/qcbin. If not, ensure that SecurePort in jetty.xml matches your secure port.

Set up encrypted communication with cookies

  1. In Site Administration, click the Configuration tab.

  2. Click the Add New Parameter button. Enter the following information:

    Parameter: SSO_SECURE_ONLY_COOKIE
    Value:     Y