TLS
Updated on 22 Mar 2023
What is a TLS handshake?
TLS (Transport Layer Security) is a cryptographic protocol that gives two parties (machines, devices, applications, servers) an authenticated, encrypted channel. It is the successor to SSL; the adapter properties on this page are still named "SSL", but the protocol actually negotiated is TLS.
Generally, the TLS handshake includes the following steps:
- Negotiation of the TLS version and cipher suite.
- Authentication of the server (and, with mutual TLS, of the client) using certificates.
- Key exchange, which produces the session keys that protect the rest of the connection.
Authentication of Client and Server
As part of the TLS handshake, the server presents its SSL certificate (and any intermediate chain) to the client; with mutual TLS the client presents one as well. The receiving side validates the certificate against a trust anchor, normally a CA file holding the certificate of the authority that issued it (for a self-signed certificate, that is the certificate itself). A certificate that cannot be chained to a trusted CA, that has expired, or whose name does not match the host being contacted fails validation, and by default the handshake is aborted. Only once the certificate has been validated and keys have been exchanged is there a secure connection between the client and server.
An example of this process: when an Itential Adapter makes a request to an external system that is using SSL, the external system responds with its SSL certificate, which the adapter validates before the request is sent over the connection.
In development and testing environments, self-signed certificates are often used because obtaining CA files is more work than simply telling the adapter to accept invalid certificates. Telling the adapter to accept invalid certificates means the adapter no longer validates the certificate at all: it accepts whatever is presented, including a certificate from a machine impersonating the external system, so the connection is encrypted but the peer is not authenticated. Never use this practice in production environments.
Methods to validate an SSL certificate
- Using a publicly-signed certificate: obtain the CA file (the certificate of the authority that issued it) and place its path in the ssl.ca_file property in the IAP Service Instance Configuration for the adapter.
- Using a self-signed certificate: obtain the CA file (for a self-signed certificate, the certificate itself or the private CA that issued it) and place its path in the ssl.ca_file property in the IAP Service Instance Configuration for the adapter.
- Setting the ssl.accept_invalid_certs property to true in the IAP Service Instance Configuration for the adapter. This does not validate the certificate; it skips validation, and is only acceptable in development and testing.
TLS Example
The following diagram provides an example of a basic TLS exchange between a client and an Itential server. Note: This diagram does not include negotiation of cipher suites.
SSL Properties
You can find information on how to configure SSL in the adapter within the IAP Service Instance Configuration section under SSL Properties.
SSL Failures & Troubleshooting
There are a few reasons SSL could potentially fail.
- The external system is using SSL but the adapter does not have SSL enabled (the adapter sends plain HTTP to a port that expects a TLS handshake).
  - Go into the IAP Service Instance Configuration for the adapter and change the ssl.enabled property to true.
  - This will also require you to provide an ssl.ca_file or to set ssl.accept_invalid_certs to true.
- The external system is using SSL and the adapter has SSL enabled, but it is still unable to validate the SSL certificate. Common causes are a self-signed or privately-issued certificate with no matching CA file, an expired certificate, or a certificate whose name does not match the host the adapter connects to.
  - For development and testing, go into the IAP Service Instance Configuration for the adapter and set the ssl.accept_invalid_certs property to true. As a precaution, verify with a System Administrator that it is okay to change this setting.
  - Alternatively, obtain a CA file and put it on the IAP server. Then go into the IAP Service Instance Configuration for the adapter and change the ssl.ca_file property to the path of the CA file. This is the best practice for production environments.
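To see the three outcomes this article describes side by side (validation against a CA file, the "unable to validate the SSL certificate" failure, and what accepting invalid certificates actually does), here is an added shell example; it is not part of the Itential documentation or adapter code. It uses only the openssl command line: it generates a self-signed certificate for localhost, serves it with openssl s_server, then connects three times with openssl s_client. Assumptions: openssl 1.1.1 or later on PATH, a free local TCP port in the 20000 range, and a POSIX sh. The function and variable names (tls_demo_setup, tls_probe, TLS_DEMO_PORT and so on) are this example's own.

```shell
#!/bin/sh
# Added example (not Itential code). Reproduces the three certificate
# validation outcomes an adapter can hit, using only the openssl CLI:
#   1. strict, CA file given   -> what ssl.ca_file gives you in production
#   2. strict, no CA file      -> "unable to validate the SSL certificate"
#   3. lax, no CA file         -> ssl.accept_invalid_certs=true: connects anyway
# Assumptions: openssl >= 1.1.1 on PATH, a free local port, POSIX sh.

# Generate a self-signed cert for "localhost" and serve it on 127.0.0.1.
# Sets TLS_DEMO_DIR, TLS_DEMO_PORT and TLS_DEMO_PID.
tls_demo_setup() {
  TLS_DEMO_DIR=$(mktemp -d) || return 1
  TLS_DEMO_RUNS=${TLS_DEMO_RUNS:-0}
  TLS_DEMO_PORT=$(( 20000 + ($$ + TLS_DEMO_RUNS) % 20000 ))
  TLS_DEMO_RUNS=$((TLS_DEMO_RUNS + 1))
  # The same file doubles as the CA file later: a self-signed certificate is
  # its own trust anchor, which is exactly how ssl.ca_file is used for one.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
    -keyout "$TLS_DEMO_DIR/key.pem" -out "$TLS_DEMO_DIR/cert.pem" \
    >/dev/null 2>&1 || return 1
  openssl s_server -accept "127.0.0.1:$TLS_DEMO_PORT" -www \
    -cert "$TLS_DEMO_DIR/cert.pem" -key "$TLS_DEMO_DIR/key.pem" \
    </dev/null >/dev/null 2>&1 &
  TLS_DEMO_PID=$!
  trap tls_demo_teardown EXIT
  # Readiness check only: without -verify_return_error, s_client exits 0 as soon
  # as it can connect, even though verification of this cert fails.
  tries=0
  while ! openssl s_client -connect "127.0.0.1:$TLS_DEMO_PORT" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 20 ] || { echo "server did not start" >&2; return 1; }
    sleep 1
  done
}

tls_demo_teardown() {
  if [ -n "${TLS_DEMO_PID:-}" ]; then
    kill "$TLS_DEMO_PID" 2>/dev/null || true
    wait "$TLS_DEMO_PID" 2>/dev/null || true
  fi
  [ -z "${TLS_DEMO_DIR:-}" ] || rm -rf "$TLS_DEMO_DIR"
  TLS_DEMO_PID=; TLS_DEMO_DIR=
}

# tls_probe TARGET NAME CAFILE STRICT
#   TARGET: host:port to connect to
#   NAME:   hostname the certificate must be issued for (-verify_hostname)
#   CAFILE: trust anchor file, or "" for the system store (which does not
#           contain our self-signed cert, so validation fails)
#   STRICT: 1 = abort the handshake on a verification failure (the adapter's
#           default), 0 = keep going regardless (what accept_invalid_certs does)
# Prints OpenSSL's "Verify return code" line; returns s_client's exit status.
tls_probe() {
  tls_probe_target=$1; tls_probe_name=$2; tls_probe_ca=$3; tls_probe_strict=$4
  set -- -connect "$tls_probe_target" -verify_hostname "$tls_probe_name"
  [ -z "$tls_probe_ca" ] || set -- "$@" -CAfile "$tls_probe_ca"
  [ "$tls_probe_strict" != 1 ] || set -- "$@" -verify_return_error
  tls_probe_out=$(openssl s_client "$@" </dev/null 2>&1)
  tls_probe_rc=$?
  printf '%s\n' "$tls_probe_out" | grep 'Verify return code' | head -n 1
  return $tls_probe_rc
}

tls_demo_main() {
  tls_demo_setup || return 1
  target="127.0.0.1:$TLS_DEMO_PORT"
  ca="$TLS_DEMO_DIR/cert.pem"
  echo "1) ssl.ca_file set, strict validation:"
  tls_probe "$target" localhost "$ca" 1 && echo "   handshake completed, peer authenticated"
  echo "2) no CA file, strict validation (the adapter's default failure):"
  tls_probe "$target" localhost "" 1 || echo "   handshake aborted: certificate verify failed"
  echo "3) no CA file, accept_invalid_certs behaviour:"
  tls_probe "$target" localhost "" 0 && echo "   connected anyway: peer was NOT authenticated"
  tls_demo_teardown
}

tls_demo_main
```

Run it as a script, or source it and call tls_probe against a real external system, for example tls_probe external.example.com:443 external.example.com /path/to/ca.pem 1 (a hypothetical host), which is the same check the adapter performs with ssl.ca_file set. Probe 3 is the accept_invalid_certs behaviour: s_client still reports a non-zero verify return code yet proceeds with the connection, which is precisely why that setting is unsafe in production.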
Still Having Issues?
Need additional support? The Adapter Team is here to help! Please reference the Here to Help article for information on how to connect with the Adapter Team.