
TLS Configuration for TLS 1.2

Bill Majurski edited this page Apr 3, 2019 · 5 revisions

Starting at the 2019 NA Connectathon, TLS 1.2 will be required. This note offers guidance on configuring Toolkit.

There are several independent configuration issues.

These instructions have been tested on Tomcat 9.

Generating an acceptable certificate

Instructions are available here in Gazelle.

This certificate must include the FQDN of the host running Toolkit. If you are using both the Conformance tool (client) and the simulators (server), one certificate is adequate. On the Test Floor in January, Toolkit will be installed with a proper certificate. If you bring a private copy of Toolkit on one of your own machines, make sure to generate a new certificate reflecting the hostname used at Connectathon.

Toolkit ships with a certificate included

Toolkit, as always, ships (as a download) with a certificate already loaded. This is only a placeholder. IT WILL NOT WORK: the FQDN will be wrong for your machine. You must replace it.

Configure the TLS version in Toolkit client

TLS must be configured to use TLS 1.2 only. This is done in toolkit.properties:

Client_SSL_Protocols=TLSv1.2

This is the default setting starting with Toolkit version 7.0.0.

Configure the Cipher suite to be used in Toolkit client

The only acceptable cipher suite (for NA Connectathon 2019) is TLS_RSA_WITH_AES_128_CBC_SHA. This is configured in toolkit.properties:

Client_Cipher_Suites=TLS_RSA_WITH_AES_128_CBC_SHA

This is the default setting starting with Toolkit version 7.0.0.

Configure the TLS version in Toolkit server

This configuration must be added to the conf/server.xml in Tomcat. Our configuration for Tomcat 9 looks like:

<Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150"
        SSLEnabled="true"
        clientAuth="true"
        sslProtocol="TLS"
        keystoreFile="/home/tomcat/ec/environment/default/keystore/keystore"
        keystorePass="changeit"
        truststoreFile="/home/tomcat/ec/environment/default/keystore/keystore"
        truststorePass="changeit"
        SSLVerifyClient="true"
        SSLProtocol="TLSv1.2"
        SSLCipherSuite="TLS_RSA_WITH_AES_128_CBC_SHA"
        />

Configure the Cipher suite to be used in Toolkit server

This is covered in the previous section showing the tomcat/conf/server.xml content.

Certificate from Gazelle CA

The certificate is installed in the keystore of Toolkit's default environment, at the path shown in the tomcat/conf/server.xml above. A second file, keystore.properties, is also required in the keystore directory. Its content is:

keyStorePassword=changeit

Yours will reflect the password you choose for the keystore.

Note that it is now possible to have separate keystore and truststores for Toolkit. See here for details.
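As an added check (this script is not part of Toolkit or Tomcat), the following Python lints toolkit.properties, server.xml and keystore.properties against the settings described on this page: TLSv1.2 only, the single cipher suite, client certificates required, and a keystore password that matches between the Connector and keystore.properties. The attribute and property names are the ones used above; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Values this page requires for NA Connectathon 2019.
REQUIRED_PROTOCOL = "TLSv1.2"
REQUIRED_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_client(toolkit_properties):
    """Findings for the Toolkit client (toolkit.properties); [] means OK."""
    props = parse_properties(toolkit_properties)
    findings = []
    if props.get("Client_SSL_Protocols") != REQUIRED_PROTOCOL:
        findings.append("Client_SSL_Protocols must be exactly " + REQUIRED_PROTOCOL)
    if props.get("Client_Cipher_Suites") != REQUIRED_CIPHER:
        findings.append("Client_Cipher_Suites must be exactly " + REQUIRED_CIPHER)
    return findings

def check_server(server_xml, keystore_properties):
    """Findings for every SSL-enabled <Connector> in server.xml; [] means OK."""
    expected_pass = parse_properties(keystore_properties).get("keyStorePassword")
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing to check
        port = conn.get("port", "?")
        if conn.get("SSLProtocol") != REQUIRED_PROTOCOL:
            findings.append(f"port {port}: SSLProtocol must be {REQUIRED_PROTOCOL}")
        if conn.get("SSLCipherSuite") != REQUIRED_CIPHER:
            findings.append(f"port {port}: SSLCipherSuite must be {REQUIRED_CIPHER}")
        # Mutual TLS: the simulator side must demand a client certificate.
        if conn.get("clientAuth") != "true" or conn.get("SSLVerifyClient") != "true":
            findings.append(f"port {port}: clientAuth and SSLVerifyClient must both be true")
        if conn.get("keystorePass") != expected_pass:
            findings.append(f"port {port}: keystorePass does not match keyStorePassword")
    return findings

# Constructed sample inputs mirroring this page (not real deployment files).
GOOD_CLIENT = "Client_SSL_Protocols=TLSv1.2\nClient_Cipher_Suites=TLS_RSA_WITH_AES_128_CBC_SHA\n"
KEYSTORE_PROPS = "keyStorePassword=changeit\n"
SERVER_XML = """<Server><Service name="Catalina"><Connector port="8080" protocol="HTTP/1.1"/>
<Connector port="8443" SSLEnabled="true" clientAuth="true" SSLVerifyClient="true" sslProtocol="TLS"
keystorePass="changeit" SSLProtocol="TLSv1.2" SSLCipherSuite="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""
```

Run check_client on your toolkit.properties and check_server on server.xml plus keystore.properties; any non-empty list is a setting that differs from what this page requires.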

Slow startup of Tomcat

According to https://wiki.apache.org/tomcat/HowTo/FasterStartUp Tomcat tries to develop entropy and sometimes this can delay startup. The fix that worked for me, detailed in this page, was to add the file

bin/setenv.sh

with content

JAVA_OPTS="$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom"