Using Virtualize with SSL
Basic Concepts of Virtualize SSL
There are two roles that Virtualize can play:
1. When Virtualize receives messages from an Application Under Test (AUT), it functions as the server in the SSL model.
2. When Virtualize is acting as a proxy, it function as the client in the SSL model
These two roles require different configurations -
Both roles require:
- A certificate/private key pair contained in a keystore
- Installation of the Unlimited Strength JCE (see Help > Help Contents > Parasoft SOAtest User's Guide > Reference > Preference Settings > Security Settings > JCE Prerequisite)
Configuring SSL when Virtualize is the Server
What you will need:
- A certificate/private key pair that the application will accept. This generally means at minimum a self-signed certificate/private key pair whose common name (CN) parameter matches the fully qualified name of the server. So if your Virtualize server URL is http://myserver.mycompany.com, the CN parameter should be "myserver.mycompany.com". Depending on your company's security policy, you may also need the certificate signed by your company's certificate authority.
- Access to the Virtualize and SOAtest (if you have SOAtest installed) installation directories. If you have SOAtest and Virtualize installed, you will use "SOAtest installation directory" for step 1 below. If you only have Virtualize installed, you will use "Virtualize installation directory" in step 1 below.
To perform the configuration:
- Stop the Virtualize server if it is running
- Navigate to "Virtualize installation directory or SOAtest installation directory"/eclipse/plugins/com.parasoft.xtest.libs.web_/root/tomcat/conf and open server.xml
- Search for the text SSLEnabled="true"
You will see a section that looks like this:
<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" connectionTimeout="20000" enableLookups="false" keyAlias="mykey" keystoreFile="../lib/cacerts" keystorePass="changeit" keystoreType="JKS" maxThreads="150" port="9443" protocol="HTTP/1.1" scheme="https" secure="true" server="Parasoft Server" sslProtocol="TLS" truststoreFile="../lib/cacerts" truststorePass="changeit" truststoreType="JKS"/>
In this section:
Modify keystoreType to one of PKCS12, JKS, BKS, UBER, or PEM depending on the type of keystore you're using
Modify keystoreFile to point to your keystore file. Use forward slashes (/) instead of backward slashes (), Ex: C:/Users/myUser/keystore.jks
Modify keystorePass to be the password to your keystore
Modify keyAlias to point to the alias of the certificate/private key pair
If you are performing 2-way SSL (client-certificate verification), also:
Modify truststoreType to one of PKCS12, JKS, BKS, UBER, or PEM depending on the type of keystore you're using
Modify truststoreFile to point to your keystore file. Use forward slashes (/) instead of backward slashes (), Ex: C:/Users/myUser/keystore.jks
Modify truststorePass to be the password to your keystore
You're done! Go ahead and restart the Virtualize server and the deployed certificate will be used for any SSL connections to port 9443 on your Virtualize server. If you are not able to connect to this port, check the files in "Virtualize installation directory or SOAtest installation directory"/eclipse/plugins/com.parasoft.xtest.libs.web_"version"/root/tomcat/log` for error details.
Configuring SSL when Virtualize is the Server (Message Proxies)
The process of configuring SSL for a message proxy is quite straightforward. Simply add an HTTP connection to your message proxy and perform the following additional steps:
- Switch to the Security tab
- Check Use SSL when connecting to the service
- If you would like to trust all certificates or self-signed certificates, ensure those boxes are checked.
- If you would like to specify a truststore instead, fill out the truststore tab
This is all you need for 1-way SSL. For 2-way SSL, additionally:
1. Fill out the Keystore tab with your keystore file, password, type
2. Click the Load button and select the certificate alias for SOAtest to present to the server from the Certificate dropdown. If the certificate dropdown is not populated when you click load, you may have entered the incorrect password or keystore type