TLS
  • 02 Oct 2024
What is a TLS handshake?

TLS is a cryptographic protocol that authenticates the communicating parties and establishes an encrypted channel between machines, devices, applications, and servers.

Generally, the TLS handshake protocol includes the following steps:

  • Authentication of the client and server.
  • Negotiation of the TLS version and cipher suite.
  • Key exchange.

Authentication of Client and Server

As a part of TLS protocol, SSL certificates are exchanged between the client and server to establish trust. This process may also include having a CA file to validate the SSL certificate against. Once certificates are exchanged and validated, there will be a secure connection between the client and server.

An example of this process: when an Itential Adapter makes a request to an external system that uses SSL, the external system responds with its SSL certificate, which the adapter must validate before the connection is trusted.

In development and testing environments, self-signed certificates are often used because obtaining CA files is more complicated than simply telling the adapter to accept invalid certificates. Telling the adapter to accept invalid certificates means the adapter no longer validates the certificate at all; it accepts whatever the external system presents. Never use this practice in production environments.

Methods to validate an SSL certificate

  • Using a publicly-signed certificate: obtain the CA file for the certificate and place it in the ssl.ca_file property in the IAP Service Instance Configuration for the adapter.

  • Using a self-signed certificate: obtain the CA file for the certificate and place it in the ssl.ca_file property in the IAP Service Instance Configuration for the adapter.

  • Setting the ssl.accept_invalid_certs property to true in the IAP Service Instance Configuration for the adapter. This disables certificate validation entirely and is only suitable for development and testing.

TLS Example

The following diagram provides an example of the basic TLS protocol between a client and an Itential server. Note: This diagram does not include negotiation of cipher suites.

[Diagram: TLS handshake between client and Itential server]

Overhead

TLS handshakes add overhead to the adapter call. The time it takes to complete the handshake depends on several factors: Are you only validating a CA file, or are there also a cert file and a key file to load and validate? Are the file(s) small and specific to this system, or are they general, complex, and bulky?

In our experience, simple CA validation takes about a second, but we have also seen validation of three bulky files take closer to 10 seconds.

SSL Properties

You can find information on how to configure SSL in the adapter within the IAP Service Instance Configuration section under SSL Properties.

SSL Failures & Troubleshooting

There are a few reasons SSL could potentially fail.

  • The external system is using SSL but the adapter does not have SSL enabled.
    • Go into the IAP Service Instance Configuration for the adapter and change the ssl.enabled property to true.
    • This will also require you to provide a ca_file or to set accept_invalid_certs to true.

  • The external system is using SSL and the adapter has SSL enabled, but it is still unable to validate the SSL certificate.
    • For development and testing, go into the IAP Service Instance Configuration for the adapter and set the ssl.accept_invalid_certs property to true. As a precaution, verify with a System Administrator that it is acceptable to change this setting.
    • Alternatively, obtain a CA file and put it on the IAP server. To do this, go into the IAP Service Instance Configuration for the adapter and set the ssl.ca_file property to the path of the CA file. This is the best practice for production environments.

Still Having Issues?

Need additional support? The Adapter Team is here to help! Please reference the Here to Help article for information on how to connect with the Adapter Team.
