SSL for On-Premises
SSL for On-Premises includes the following:
- Generate a certificate signing request for SSL
- Install an SSL certificate
- Load an SSL LDAP certificate
Generate a certificate signing request for SSL
The Rally On-Premises solution ships with a default, self-signed SSL certificate. Customers can generate their own certificate, purchase a certificate from a third-party vendor, or use the Rally certificate that is installed by default. The following steps outline how to obtain an SSL certificate from a third-party vendor:
Note: These steps are based on the assumption that the openssl command is available on the system used to create the private keys. You do not need to be on the Rally machine to do this, but the steps below were created using a Linux machine. The steps may differ on a Windows machine with OpenSSL.
- Generate a private key (2048-bit RSA; certificate authorities no longer accept 1024-bit keys):
  openssl genrsa -des3 -out www.mydomain.com.key 2048
- Generate a Certificate Signing Request (this request will be used to generate the SSL certificate on the third party's site):
  openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
- Remove the passphrase from the key:
  cp www.mydomain.com.key www.mydomain.com.key.org
  openssl rsa -in www.mydomain.com.key.org -out www.mydomain.com.key
- Submit your request to your third-party vendor.
- Verify the format of your certificate by opening the crt file using a text editor. This file should have the same format as the one below:
- Use the crt file the vendor sends you in combination with the key file you generated to upload to your On-Premises Image.
The SSL certificate that is obtained should be a single root or unchained certificate. This file will be used in combination with the key generated in Step 1 to upload to the On-Premises image.
-----BEGIN CERTIFICATE-----
MIIDdTCCAt6gAwIBAgIJAMCxA1Rf4qmoMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ08xEDAOBgNVBAcTB0JvdWxkZXIxGjAYBgNVBAoT
EVJhbGx5IERldmVsb3BtZW50MRQwEgYDVQsxMC4zMi4xJNSuhdoNi44NDEkMCIGCSqG
SIb3DQEJARYVaGF6ZXZlZG9AcmFsbHlkZXYuY29tMB4XDTE0MDQxMTAwNTUxNFoX
DTE0MDUxMTAwNTUxNFowgYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEQMA4G
A1UEBxMHQm91bGRlcjEaMBgGA1UEChMRUmFsbHkgRGV2ZWxvcG1lbnQxFDASBgNV
BAMTCzEwLjMyLjE2Ljg0MSKSBdlnQYJKoZIhvcNAQkBFhVoYXpldmVkb0ByYWxseWRl
di5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOOLNLGv4d/9oHTrN/a
R49Lw5vYKpjZiGu/MoavjRiaCxgAQqha4xaMIDuMoIWzsbu7fNIdysMlmReyhTw5
2Fa5FHx3ZIJLBUtOSWjWbm6IvVdDPTv2Zu9lhq9zFzWgMm59nlG2ALDmJXcbjDVc
S2geX1P6zEH3HvmwYV/bC+7tAgMBAAGjgewwgekwHQYDVR0OBBYEFFBVI+GcTu1U
56+9Ekq4ybUK76GBMIG5BgNVHSMEgbEwga6AFFBVI+GcTu1U56+9Ekq4ybUK76GB
oYGKpIGHMIGEMQswSOHOVQQGEwJVUzELMAkGA1UECBMCQ08xEDAOBgNVBAcTB0Jv
dWxkZXIxGjAYBgNVBAoTEVJhbGx5IERldmVsb3BtZW50MRQwEgYDVQQDEwsxMC4z
Mi4xNi44NDEkMCIGCSqGSIb3DQEJARYVaGF6ZXZlZG9AcmFsbHlkZXYuY29tggkA
wLEDVF/iqagwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQC7rq/Ts/bW
YwTGV/fZ+I029iztg7KNP6dP3jA4DJwVSgnyvbqpGWqEqmLNqRpNOA6FLlmWC8eo
mqKH6QLVALgUreAGu5NKyIWDAFDT8Z2jj/8fEz7CxX9fqeZNhrLqfKrAJev2ZS0Q
lE1MK2Apss6uzxe9/Oiug48MMZTMwtx7Kw==
-----END CERTIFICATE-----
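A pre-upload check for the key and crt files produced by the steps above, as an added example that is not part of the original Rally documentation: it confirms the passphrase was removed, reads the key size, counts the certificates in the file, and verifies that the certificate was issued for this key. The function names and the 2048-bit threshold are assumptions of this example; it needs only the openssl command.

```shell
#!/bin/sh
# Added example: sanity checks on the .key and .crt files before upload.
# Function names are illustrative; only standard openssl subcommands are used.

# Number of certificates in a PEM file: 1 = single/unchained, >1 = chained bundle.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Succeeds if the key is still passphrase-protected (either PEM encoding).
key_is_encrypted() {
    grep -Eq -- '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Prints the RSA modulus size in bits, e.g. 2048.
key_bits() {
    openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeeds only if the certificate carries the public half of this private key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Runs every check and reports problems; returns non-zero if any check fails.
preupload_check() {
    key=$1 crt=$2 rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is still passphrase-protected"; return 1
    fi
    bits=$(key_bits "$key")
    if [ "${bits:-0}" -lt 2048 ]; then   # threshold is this example's assumption
        echo "FAIL: key is ${bits:-unreadable} bits; use at least 2048"; rc=1
    fi
    n=$(pem_cert_count "$crt")
    [ "${n:-0}" -eq 1 ] || echo "NOTE: $crt holds ${n:-0} certificates (chained bundle?)"
    if ! key_matches_cert "$key" "$crt"; then
        echo "FAIL: $crt was not issued for $key"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key and certificate are consistent"
    return "$rc"
}

# Usage: sh check.sh www.mydomain.com.key www.mydomain.com.crt
if [ "$#" -eq 2 ]; then preupload_check "$1" "$2"; fi
```

Because the passphrase has been removed, the key file is readable by anyone who can open it; restrict it with `chmod 600` and delete the copies once the upload is complete.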
Install an SSL certificate
- Generate or purchase your certificate (this should be a single root or unchained certificate) and copy your certificate (.cert) and key (.key) files to the Rally server.
- Copy them to a convenient place where you may easily access them for installation.
- From the Control Panel, click the Feature menu, then Server Settings.
- Click the SSL Certificate tab.
- Click Choose File next to the SSL Certificate indicator to locate your SSL certificate (.cert) file.
- Click Choose File next to the SSL Key indicator to locate your SSL key (.key) file.
- If your SSL Certificate is a chained certificate, click the Chain Certificate File check box.
- Click Choose File next to the SSL Certificate Bundle indicator to locate your SSL Certificate Bundle file.
- Click Upload to upload and install your certificate and key files.
- Restart the server.
Load an SSL LDAP certificate
The SSL certificate used by your LDAP server needs to be copied to a machine that has access to the Rally On-Premises Control Panel. Once this is complete, do the following:
- From the Rally Control Panel, go to Server Settings → Java Keystore → Keystore.
- Click Browse and select the certificate file from the LDAP server, then click Upload.
Once the upload has completed, you will need to restart the Rally Application before the certificate can be used for LDAP Authentication.