

Using SSL to Secure Communication

By default, communication between components uses an unencrypted protocol. If necessary, the Secure Sockets Layer (SSL) can encrypt the network traffic. For example, you might run a lab in a public cloud and want to ensure that the traffic transmitted from your workstation is encrypted.

The easiest way to enable SSL is to set a DevTest property.

lisa.net.default.protocol=ssl

You cannot specify this property in site.properties, because that file is processed too late in the bootstrap phase. This property must be specified in local.properties (or on the command line).

If you then start a registry with no extra parameters, it listens on port 2010 (the usual port) but expects clients to use the SSL protocol. The service name for the registry is ssl://hostname:2010/Registry.

If you want to connect to that registry from DevTest Workstation, use ssl://hostname:2010/Registry instead of the usual tcp://hostname:2010/Registry. If you start a simulator on the same computer, it is available on ssl://hostname:2014/Simulator, and it automatically connects to the registry at ssl://hostname:2010/Registry with no property changes.

You can also mix and match SSL and normal TCP protocols. If you leave the lisa.net.default.protocol property at its default setting (tcp), you can enable specific services for SSL by specifying the name of the individual service with the "ssl:" protocol prefix, instead of the default "tcp:" prefix. For example, to start a registry in SSL mode:

Registry --name=ssl://reghost.company.com:2010/Registry

To enable SSL, use "ssl" in the service names instead of "tcp". For example, the following command starts the registry with SSL enabled:

Registry --name=ssl://reghost.company.com:2010/Registry

To connect a simulator to this registry, start the simulator with the fully qualified registry address:

Simulator --name=ssl://simhost.company.com:2014/Simulator --registry=ssl://reghost.company.com:2010/Registry

This command tells the simulator to use SSL to talk to the registry while also securing the simulator. If you want the simulator itself to be unsecured, start it without an ssl:// service name:

Simulator --registry=ssl://reghost.company.com:2010/Registry

Mixing secured and unsecured servers is not common. However, you may want to have unsecured servers inside your firewall and secured servers in a public cloud. SSL encryption adds some overhead, which varies considerably depending on the hardware.
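The following audit script is an added example, not part of the DevTest product or its documentation. It applies the rules described above (default protocol from local.properties only, per-service ssl:// or tcp:// prefixes on --name and --registry) to a launch command and reports endpoints that end up unencrypted. The function names and the sample inputs are constructed for illustration.

```python
import re
import shlex

KEY = "lisa.net.default.protocol"
URL = re.compile(r"^(ssl|tcp)://[^:/]+:\d+/\w+$")

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(local_props, site_props, command):
    """Return ({endpoint: protocol}, [findings]) for one launch command."""
    findings = []
    # Only local.properties counts: site.properties is read too late in bootstrap.
    default = parse_props(local_props).get(KEY, "tcp")
    if KEY in parse_props(site_props):
        findings.append(f"{KEY} in site.properties has no effect; set it in local.properties")
    component, *rest = shlex.split(command)
    args = dict(a[2:].split("=", 1) for a in rest if a.startswith("--") and "=" in a)
    # A registry only listens; other components also connect to a registry.
    endpoints = ("name",) if component == "Registry" else ("name", "registry")
    protocols = {}
    for opt in endpoints:
        if opt in args:
            match = URL.match(args[opt])
            if not match:
                findings.append(f"--{opt} is not a tcp:// or ssl:// service URL")
                continue
            protocols[opt] = match.group(1)
        else:
            protocols[opt] = default  # no explicit URL: the default protocol applies
        if protocols[opt] == "tcp":
            findings.append(f"{opt} endpoint is unencrypted (tcp)")
    return protocols, findings

# Constructed sample: property placed in the wrong file, simulator left unsecured.
SAMPLE_SITE = "# constructed sample\nlisa.net.default.protocol=ssl\n"
SAMPLE_CMD = "Simulator --registry=ssl://reghost.company.com:2010/Registry"

if __name__ == "__main__":
    protocols, findings = audit("", SAMPLE_SITE, SAMPLE_CMD)
    print(protocols)
    for finding in findings:
        print("FINDING:", finding)
```

Run it against the local.properties and site.properties contents and each launch command of a deployment before exposing components outside the firewall.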

The lisa.net.default.protocol property defines the default protocol for ActiveMQ connections. The property does not influence the protocol that is used when DevTest components start.