Enabling TLS secure sockets protocol in StarTeam Server
Starting with StarTeam Server 17.2, we added support for the TLS protocol to provide communication security.
Version: 17.2 and higher
Overview
The TLS protocol is implemented using OpenSSL 1.1.1 and requires setting up a digital certificate for the server. StarTeam TLS does not require client certificates.
The certificates must be in PEM format. When using a certificate chain, all certificates must be in one file, ordered starting with the subject's certificate (the actual server certificate), followed by any intermediate CA certificates, and ending with the highest-level (root) CA.
Previous versions of StarTeam supported the SSL protocols over a TCP/IP connection; these protocols are no longer considered secure enough and have been deprecated by the IETF. For backwards compatibility we continue to support all previous TCP/IP protocols: the SSL protocols as well as the non-secure TCP protocol. TLS connections use a separate port and are only compatible with 17.2 or higher clients.
Configure TLS secure sockets protocol in StarTeam Server
- Create the digital certificate for StarTeam Server.
  Generate or obtain a digital certificate for your company. Export the certificate and key in PEM format. All the certificates should be concatenated into one file. The certificate should be set as trusted on the server machine.
  A self-signed certificate can be used for testing.
  Example for creating a self-signed certificate:
    set OPENSSL_CONF=C:\Program Files\StarTeam Server 17\openssl.cnf
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout selfcert.key -out selfcert.crt -subj "/CN=computername" -addext "subjectAltName=DNS:computername,IP:computerIP"
  Make sure the self-signed certificate is trusted:
    certutil -addstore -f "ROOT" selfcert.crt
- Copy the certificate and key files to the CACertificates folder, located under the server installation folder.
- Identify the port to be used for TLS and open access to the new port in your firewall.
- Using AdminTool, set up the server configuration: in Tools > Administration > Configure Server > Protocols, enable the TLS protocol, enter the port, and select the certificate and key files. Click OK and restart the server. The TCP/IP port can be kept enabled as well.
  The server starts as long as at least one protocol is enabled, so if both protocols are enabled the server may have started even though listening on one of them failed.
- Check the server log for errors. The server logs the certificate details.
- Test connecting over TLS with CPC 17.0.2 or higher, using the correct TLS port. Make sure "Use TLS protocol" is checked in Server properties.
- You can also test whether the certificates verify with this openssl command:
    openssl s_client -showcerts -connect serveraddress:port
- If there are validation errors with the certificates, these must be fixed first.
- CPC will automatically download the server certificate.
Troubleshooting: If there is any issue with the certificates or the TLS port and it is necessary to change the configuration, the server can be restarted with the non-secure TCP/IP port enabled using the option Admin Tool > Actions > "Start with override".
The server log will indicate the certificate names and basic details. The CPC log will contain the full server certificate used to connect.
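As an added example (not StarTeam's own tooling), the following Python script checks the concatenated chain file from the first step for the ordering the steps require (server certificate first, then intermediates, root CA last) and for private key material pasted into the certificate file, which would otherwise only show up as an error when the server starts or when openssl s_client verifies the chain. It assumes the openssl CLI is on PATH; the file name and the Distinguished Names in the demo are constructed.

```python
import re, subprocess, sys

# Chain file rule: server cert first, then intermediates, root CA last, no key blocks.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def split_pem_blocks(text):
    """Return the certificate blocks of a concatenated PEM file, in file order."""
    return CERT_RE.findall(text)

def contains_private_key(text):
    """True if private key material was pasted into the certificate file."""
    return KEY_RE.search(text) is not None

def chain_order_errors(names):
    """names: (subject, issuer) per certificate, in file order.
    Returns a list of problems; an empty list means the order StarTeam expects."""
    if not names:
        return ["no certificate blocks found"]
    errors = []
    for i, ((_, issuer), (next_subject, _)) in enumerate(zip(names, names[1:])):
        if issuer != next_subject:
            errors.append(f"certificate {i + 1} is issued by '{issuer}' but certificate {i + 2} "
                          f"is '{next_subject}'; each CA must directly follow the cert it signed")
    last_subject, last_issuer = names[-1]
    if last_subject != last_issuer:
        errors.append(f"last certificate '{last_subject}' is not self-signed; "
                      "the file must end with the root CA")
    return errors

def names_via_openssl(pem_block):
    """Subject and issuer of one block, via the openssl CLI (assumed on PATH)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem_block.encode(), capture_output=True, check=True)
    fields = dict(l.split("=", 1) for l in out.stdout.decode().splitlines() if "=" in l)
    return fields["subject"].strip(), fields["issuer"].strip()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real file, e.g. CACertificates\server-chain.pem (constructed name)
        text = open(sys.argv[1]).read()
        problems = chain_order_errors([names_via_openssl(b) for b in split_pem_blocks(text)])
        if contains_private_key(text):
            problems.append("private key block found in the certificate file; keep it in the key file")
    else:  # constructed demo input: a chain pasted root-first, i.e. in the wrong order
        problems = chain_order_errors([("CN=Root CA", "CN=Root CA"), ("CN=Intermediate CA", "CN=Root CA"),
                                       ("CN=computername", "CN=Intermediate CA")])
    for p in problems:
        print("ERROR:", p)
    sys.exit(1 if problems else 0)
```

Run it with the chain file path to check a real file; without arguments it runs the constructed wrong-order demo and exits non-zero.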
Enabling TCP/IP port for backwards compatibility
The ideal configuration for security is to enable TLS and disable the TCP/IP port. This scenario requires all StarTeam clients to be upgraded to 17.2.
In some situations there are older applications or scripts that cannot be upgraded. In that case it is necessary to keep the TCP/IP port enabled.
Access to the TCP/IP port can then be limited to specific machines and users by using two control factors:
- Limit access to the port through the firewall to those specific workstations.
- Use the AppControl configuration file in StarTeam Server to define exactly which applications are allowed to log in to the StarTeam server using older SDK versions. For more details, see StarTeam SDK connection control.
Note that entries are evaluated in the order in which they appear in the file.
When access is denied, the server log will contain information about the reason for the denial.
Example of app-Control.xml configuration:
In the following example, older versions of CPC are not permitted, Search is permitted to use SDK 16, and ServerAdministration requires 17.2:
<AllowedApp Name="Starteam search service" MinimumSDKVersion="16" /> <!-- accept the Search application with SDK 16.x and higher -->
<AllowedApp Name="CPC*" MinimumSDKVersion="17.2" /> <!-- accept any CPC application whose SDK version starts with 17.2 or greater -->
<AllowedApp Name="ServerAdministration*" MinimumSDKVersion="17.2" />