Configure secure access on Linux systems

This topic describes how to configure a secure connection to and from OpenText Application Quality Management when it is installed on a Linux system. For the procedure, see Configure a secure connection to the application server (Jetty).

Overview

When the OpenText Application Quality Management server connects to another server that requires a secure connection, such as the OpenText Enterprise Performance Engineering server, you must configure the OpenText Application Quality Management server to trust the Certificate Authority that issued the remote server's certificate.

For more secure communication with the OpenText Application Quality Management server, you can configure Jetty, the application server, to accept only TLS 1.3 or TLS 1.2.

When you enable a secure connection, also make sure that cookies are sent only over the encrypted connection by setting the SSO_SECURE_ONLY_COOKIE site configuration parameter.

Configure trust on the server

Configure trust on the server when it connects to another server over a secure connection.

  1. Obtain the certificate of the root Certificate Authority and of any intermediate Certificate Authority in the chain that issued the remote server's certificate.

  2. On the server, go to the Java bin directory. For example:

     /usr/java/jre/bin
  3. Import each certificate into the Java truststore with a keytool command, using a different alias for each certificate (keytool refuses to import a certificate under an alias that already exists). For example:

     /usr/java/jre/bin/keytool -import -trustcacerts -alias myCA -file <path to certificate> -keystore "/usr/java/jre/lib/security/cacerts"

     keytool prompts for the truststore password; the default password of the cacerts file shipped with the JRE is changeit. A JRE upgrade can replace the cacerts file, so check the truststore after upgrading and repeat the import if the entries are gone.
                            
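The trust-import procedure above, scripted for the common case where the CA delivers the root and the intermediates as one PEM bundle. This is an added example, not OpenText's or Jetty's tooling. It assumes that keytool is reachable at the path you pass in (for example /usr/java/jre/bin/keytool), that the truststore is the JRE cacerts file with its default password changeit, and that aliases derived from a prefix you choose are acceptable; the bundle and the keytool listing used in the test are constructed.

```python
"""Import a CA chain (root + intermediates) into the JRE truststore.

Added example, not OpenText's or Jetty's tooling. Assumptions, none of them
from the page: the chain arrives as one PEM bundle, keytool is reachable at
the path you pass in (for example /usr/java/jre/bin/keytool), and the
truststore is the JRE cacerts file with its default password "changeit".
"""
import re
import subprocess
import sys
from pathlib import Path

# One certificate block per match; DOTALL lets ".*?" span the base64 lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle_text):
    """Return every certificate block in the bundle, in file order.

    keytool -importcert reads only the first block of a file, so a bundle
    holding the root and an intermediate must be split before import.
    """
    return [m.group(0) + "\n" for m in PEM_CERT.finditer(bundle_text)]


def alias_for(prefix, index):
    """Distinct alias per certificate; keytool refuses a duplicate alias."""
    return "%s-%d" % (prefix.lower(), index)


def keytool_import_cmd(keytool, truststore, storepass, alias, cert_path):
    """Non-interactive form of the keytool command shown in step 3."""
    return [
        str(keytool), "-importcert", "-noprompt", "-trustcacerts",
        "-alias", alias,
        "-file", str(cert_path),
        "-keystore", str(truststore),
        "-storepass", storepass,
    ]


def aliases_in(list_output):
    """Aliases from `keytool -list` output (English locale assumed).

    Entry lines look like: "myca-1, 12 Mar 2024, trustedCertEntry,"
    """
    return {
        line.split(",", 1)[0].strip().lower()
        for line in list_output.splitlines()
        if line.rstrip().endswith("Entry,")
    }


def import_chain(bundle_path, truststore, alias_prefix,
                 keytool="keytool", storepass="changeit"):
    """Split the bundle and import each certificate that is not yet present.

    Returns [(alias, "imported" | "skipped"), ...] so a rerun is harmless.
    """
    listing = subprocess.run(
        [str(keytool), "-list", "-keystore", str(truststore), "-storepass", storepass],
        capture_output=True, text=True, check=True,
    ).stdout
    present = aliases_in(listing)
    bundle_path = Path(bundle_path)
    results = []
    for i, pem in enumerate(split_pem_bundle(bundle_path.read_text()), start=1):
        alias = alias_for(alias_prefix, i)
        if alias in present:
            results.append((alias, "skipped"))
            continue
        cert_file = bundle_path.with_name("%s.pem" % alias)
        cert_file.write_text(pem)
        subprocess.run(
            keytool_import_cmd(keytool, truststore, storepass, alias, cert_file),
            check=True,
        )
        results.append((alias, "imported"))
    return results


if __name__ == "__main__":
    # python import_chain.py ca-bundle.pem /usr/java/jre/lib/security/cacerts myCA [/usr/java/jre/bin/keytool]
    keytool_bin = sys.argv[4] if len(sys.argv) > 4 else "keytool"
    for alias, action in import_chain(sys.argv[1], sys.argv[2], sys.argv[3], keytool_bin):
        print(alias, action)
```

Run it once per chain; because it lists the truststore first and skips aliases that already exist, running it again after a JRE upgrade only re-imports what the upgrade removed.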

Configure a secure connection to the application server (Jetty)

  1. Obtain the server certificate issued to the host name of this server, in Java keystore format. The keystore must contain the private key and the certificate chain of the Certificate Authority that issued the certificate. For details on creating certificates using the Certificate Authority, see this KB article.

  2. Verify that all users have logged out of projects, and stop the service.
  3. Navigate to the <Deployment folder>/server/conf directory. Make a backup of the jetty.properties file and the keystore file located in this directory.

  4. (Optional) To change the Jetty HTTPS port, open the jetty-ssl.xml file and edit the port setting:

     <Set name="port"><Property name="jetty.ssl.port" default="<your port>"/></Set>
  5. To change keystore-related settings, such as passwords and the keystore file path, open the jetty.properties file and edit the ssl section. Use the property names exactly as they appear in your file; Jetty property names are case-sensitive.

     #ssl
     jetty.sslContext.keyStorePassword=<your password>
     jetty.sslContext.trustStorePassword=<your password>
     jetty.sslContext.KeyManagerPassword=<your password>
     jetty.sslContext.trustStorePath=<your path>
     jetty.sslContext.KeyStorePath=<your path>
  6. (Strongly recommended) To obfuscate the passwords so that they do not appear in plain text in jetty.properties, perform the following steps:

    1. Determine the version of Jetty that you are using. Locate the <Deployment folder>/server/lib/jetty-util-<your-jetty-version>.jar file. <your-jetty-version> is the version of Jetty you are using.

    2. Open a shell prompt and run the following commands:

      $ export JETTY_VERSION=<your-jetty-version>
      $ <JAVA_HOME>/bin/java -cp <Deployment folder>/server/lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password <password>

      For example, if you run the following command:

      <JAVA_HOME>/bin/java -cp <Deployment folder>/server/lib/jetty-util-9.1.4.v20140401.jar org.eclipse.jetty.util.security.Password changeit

      The output includes the following lines:

      changeit
      OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
    3. In the jetty.properties file, replace each plain text password with its obfuscated value, including the OBF: prefix. Obfuscation is reversible, so it only keeps the password out of casual view; restrict read access to jetty.properties to the account that runs the service.

    4. Save the jetty.properties file.

  7. Open the start.ini file, uncomment the following lines, and save the file:

    jetty-ssl.xml
    jetty-ssl-context.xml

  8. Restart the service.

  9. Check the wrapper.log file. If the "Server is ready!" message does not appear, correct the errors shown in the log.
  10. Connect to OpenText Application Quality Management over the HTTPS connection.

  11. After confirming that the HTTPS connection works, disable non-HTTPS access to the application server:

    1. In the jetty.xml file, locate the following section and comment it out by placing <!-- at the beginning of the section, and --> at the end.

      <!--
      <Call name="addConnector">
          <Arg>
              <New class="org.eclipse.jetty.server.ServerConnector">
                  <Arg name="server"><Ref refid="Server" /></Arg>
                  <Arg name="factories">
                      <Array type="org.eclipse.jetty.server.ConnectionFactory">
                          <Item>
                              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
                              </New>
                          </Item>
                      </Array>
                  </Arg>
                  <Set name="host"><Property name="jetty.host" /></Set>
                  <Set name="port"><Property name="jetty.port" default="8080"/></Set>
                  <Set name="idleTimeout"><Property name="http.timeout" default="30000"/></Set>
              </New>
          </Arg>
      </Call>
      -->


      Note: It is possible that this section in your jetty.xml file is slightly different.

    2. Save the jetty.xml file.

  12. Restart the service and ensure that the non-secure URL does not open.

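The obfuscation from step 6, reimplemented in Python as an added example. This is not Jetty's or OpenText's code; it follows the algorithm of org.eclipse.jetty.util.security.Password (each byte is paired with its mirror byte and the pair is written as four base-36 digits) and reproduces the OBF value for changeit shown above. The reason to look at it is the security point in step 6: no key is involved anywhere, so anyone who can read jetty.properties can recover every OBF: password, which the last function demonstrates on a constructed properties snippet.

```python
"""Jetty's OBF: password obfuscation, reimplemented to show it is reversible.

Added example, not Jetty's or OpenText's code. It follows the algorithm of
org.eclipse.jetty.util.security.Password and reproduces the OBF value for
"changeit" shown above. Nothing here needs a key, which is the point:
OBF: keeps a password out of casual view of jetty.properties, nothing more.
"""
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    """Lower-case base-36 digits of a non-negative int (int(x, 36) reverses it)."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out


def obfuscate(password):
    """Return the OBF: form of password, as the Password utility prints it."""
    b = password.encode("utf-8")
    out = "OBF:"
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]       # pair each byte with its mirror byte
        if b1 >= 0x80 or b2 >= 0x80:   # non-ASCII pair: 'U' marker + 4 digits of b1*256+b2
            x = _to_base36(b1 * 256 + b2)
            out += "U" + "0000"[:4 - len(x)] + x
        else:                          # ASCII pair: (127+b1+b2)*256 + (127+b1-b2), 4 digits
            x = _to_base36((127 + b1 + b2) * 256 + (127 + b1 - b2))
            out += "000"[:4 - len(x)] + x
    return out


def deobfuscate(obf):
    """Invert obfuscate(); accepts the value with or without its OBF: prefix."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                # 'U' + 4 digits: the high byte is b1
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                          # 4 digits: (i1 + i2 - 254) / 2 == b1
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")


def reveal_properties(properties_text):
    """Plaintext of every OBF: value in jetty.properties-style text.

    This is what anyone with read access to the file can do, so restrict the
    file to the service account rather than relying on the obfuscation.
    """
    found = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("OBF:"):
            found[key] = deobfuscate(value)
    return found


if __name__ == "__main__":
    import sys
    # python jetty_obf.py changeit        -> prints OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
    # python jetty_obf.py OBF:1vn21ugu... -> prints changeit
    arg = sys.argv[1]
    print(deobfuscate(arg) if arg.startswith("OBF:") else obfuscate(arg))
```

If the password must actually be protected from other readers of the file, the control is the file mode on jetty.properties (and on the keystore it names), not the OBF: form.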
Use TLS 1.3 or TLS 1.2 for secure connection

Use TLS 1.3 or 1.2 for secure connection with the application server and the database server.

Note:  

  • Oracle databases certified by OpenText Application Quality Management do not support TLS 1.3.

  • Use of the TLS 1.1, TLS 1.0, and SSL 3 protocols is deprecated; do not use them.

Use TLS 1.3 or 1.2 for secure connection with the server

To use TLS 1.3 or 1.2 for secure connection with the server, configure the jetty-ssl-context.xml file as follows:

  1. Prerequisite: JDK/JRE 17.
  2. Navigate to the <Deployment folder>/server/conf directory and make a backup of the jetty-ssl-context.xml file.

  3. Open the jetty-ssl-context.xml file.
  4. Uncomment the ExcludeProtocols section in the file:

    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>

    Note: You can choose your own set of supported protocols by adding or removing items in this list. Every protocol listed is refused; every other protocol the JVM supports remains accepted.

    For example, to allow TLS 1.3 only, also add <Item>TLSv1.2</Item> to the list.

  5. Save the jetty-ssl-context.xml file.
  6. Restart the service.

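A check for the procedure above, added here as an example (not OpenText's or Jetty's code): it parses the ExcludeProtocols list out of jetty-ssl-context.xml and reports which of SSLv3, TLSv1 and TLSv1.1 are still allowed, then, once the service is back up, probes the HTTPS listener one protocol version at a time to confirm that the excluded versions are really refused. It assumes the file layout shown in step 4 (a Set named ExcludeProtocols holding an Array of Item strings) and a listener on the port from jetty-ssl.xml; the XML in the test is constructed. Python's ssl module cannot offer SSLv3 on current builds, so the live probe covers TLS 1.0 through 1.3.

```python
"""Check the ExcludeProtocols list in jetty-ssl-context.xml, then probe the
listener to confirm that the excluded versions really are refused.

Added example, not OpenText's or Jetty's code. Assumptions: the file layout
shown in step 4 (<Set name="ExcludeProtocols"> holding an <Array> of <Item>
strings) and an HTTPS listener reachable on the port from jetty-ssl.xml.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")   # the three the page tells you to exclude

PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def excluded_protocols(xml_text):
    """Protocol names listed under <Set name="ExcludeProtocols">.

    A section that is still commented out is invisible to the XML parser, so
    this returns an empty set until step 4 has actually been done.
    """
    root = ET.fromstring(xml_text)
    names = set()
    for node in root.iter("Set"):
        if node.get("name") == "ExcludeProtocols":
            names.update((item.text or "").strip() for item in node.iter("Item"))
    return names


def missing_exclusions(xml_text, required=LEGACY):
    """Legacy protocols the file does not exclude, in the page's order."""
    excluded = excluded_protocols(xml_text)
    return [p for p in required if p not in excluded]


def handshake_with(host, port, name, timeout=5.0):
    """True if the server completes a handshake limited to exactly one version.

    Certificate checks are off on purpose: this probes the protocol offer,
    not the certificate. On an OpenSSL 3 client the security level must be
    lowered, or TLS 1.0/1.1 cannot even be offered and every probe of them
    would report "refused" regardless of the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # OpenSSL 3: allow offering TLS 1.0/1.1
    except ssl.SSLError:
        pass                                     # no security levels in this build
    try:
        ctx.minimum_version = ctx.maximum_version = PROBE_VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return False                             # client library cannot offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # python tls_check.py <Deployment folder>/server/conf/jetty-ssl-context.xml almhost 8443
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path) as f:
        gaps = missing_exclusions(f.read())
    print("config still allows:", ", ".join(gaps) if gaps else "none of SSLv3/TLSv1/TLSv1.1")
    for name in PROBE_VERSIONS:
        print("%-7s %s" % (name, "accepted" if handshake_with(host, port, name) else "refused"))
```

After the restart the expected probe result is "refused" for TLSv1 and TLSv1.1 and "accepted" for TLSv1.2 and TLSv1.3; if TLSv1.2 is also refused, TLSv1.2 was added to the list, which is the TLS 1.3-only configuration described in the note.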
Use TLS 1.3 or 1.2 for secure connection with the database

  • To use TLS 1.3:

    1. Prerequisite: Make sure you use SQL Server 2022 with the hotfix for Bug 2042238 applied.

      The hotfix for Bug 2042238 fixes the following error, which occurs when the strict encryption option is used in the connection settings:

      "The incoming tabular data stream (TDS) remote procedure call (RPC) protocol stream is incorrect. Parameter 1 (""): Data type 0x00 is unknown"

      For details, see the Microsoft documentation.

    2. Modify the database connection string by adding Encrypt=strict to the JDBC connection string. For example:

      jdbc:sqlserver://<your server name>:<port>;EncryptionMethod=SSL;Encrypt=strict

  • To use TLS 1.2 for secure connection with the database, modify the database connection string by adding CryptoProtocolVersion=TLSv1.2 to the JDBC connection string. For example:

    jdbc:sqlserver://<your server name>:<port>;EncryptionMethod=SSL;CryptoProtocolVersion=TLSv1.2

    For details about changing connection string, see the Site Administration help.

    For Oracle databases: Place the Oracle Wallet file in a location on the ALM server where the ALM Service user has read permissions.

Redirect http to https

This procedure describes how to redirect http to https. You need the redirect when users reach the ALM server directly rather than through a front-end server. The redirect is issued by the non-HTTPS connector, so that connector must stay enabled in jetty.xml; this procedure is an alternative to commenting the connector out as in step 11 of the previous procedure, not an addition to it.

  1. Edit <Deployment folder>/webapps/qcbin/WEB-INF/web.xml, and add the following at the end (before </web-app>):

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

  2. Restart OpenText Application Quality Management.

  3. Access the system via http://<server>:8080/qcbin.

    You should be redirected to https://<server>:8443/qcbin. If you are not, make sure that the SecurePort value in jetty.xml matches the HTTPS port configured in jetty-ssl.xml.

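A scripted form of the check in step 3, added here as an example (not OpenText's or Jetty's code). It makes one plain HTTP request without following redirects and accepts the result only if it is a 3xx whose Location is https on the expected secure port with the request path preserved; a 200 means plain HTTP is still serving the application, and a wrong port is the SecurePort mismatch mentioned above. It assumes the 8080 and 8443 ports and the /qcbin path from the step; the test runs it against a constructed local server that answers the way a correctly configured Jetty does.

```python
"""Verify the http-to-https redirect without following it.

Added example, not OpenText's or Jetty's code. It assumes the ports from
step 3 (8080 plain, 8443 secure) and the /qcbin path.
"""
import http.client
import sys
from urllib.parse import urlsplit


def check_redirect(host, http_port, https_port, path="/qcbin/"):
    """Return (ok, detail): ok only for a 3xx to https on https_port, same path."""
    conn = http.client.HTTPConnection(host, http_port, timeout=5)
    try:
        conn.request("GET", path)      # http.client never follows redirects
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if not (300 <= status < 400) or not location:
        return False, "no redirect, plain HTTP answered %d" % status
    target = urlsplit(location)
    if target.scheme != "https":
        return False, "redirect is not https: %s" % location
    port = target.port or 443
    if port != https_port:
        return False, "redirect port %d does not match SecurePort %d" % (port, https_port)
    if target.path != path:
        return False, "redirect changed the path to %s" % target.path
    return True, location


if __name__ == "__main__":
    # python check_redirect.py almhost 8080 8443
    host, http_port, https_port = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    ok, detail = check_redirect(host, http_port, https_port)
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

A browser hides the difference between "redirected" and "served over plain HTTP and then redirected by a later step", which is why the check stops at the first response.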
Set up encrypted communication with cookies

  1. In Site Administration, click the Site Configuration tab.

  2. Click the New Parameter button and enter the following information:

    Parameter: SSO_SECURE_ONLY_COOKIE
    Value: Y