SSL, Encryption, and Other Security Settings
Using SSL Certificates to Secure Access to Incredibuild Components
When installing Incredibuild components (Coordinator or Agents), we recommend that you add your own SSL certificate in the installation wizard or during silent installation.
Note: Importing files from remote machines using UNC (e.g. \\remote_machine\certs\coordinator.crt) is not supported.
If you are using Cloud machines, you upload your certificate in the Cloud Settings.
Note: If you do not upload your own certificate, Incredibuild uses a generic self-signed certificate to encrypt communication. Because this certificate is not issued by a CA that your machines trust, Chrome warns every time you open the Coordinator user interface. You can click through the warning each time, but a warning you always ignore cannot alert you to a certificate that is not Incredibuild's, so we recommend using your own certificate to improve security.
To replace certificates after installation, see Replacing SSL Certificates After Installation below.
Supported Formats
The following certificate and key formats are supported. Each certificate has its own dedicated private key.

| Item | Supported Formats |
|---|---|
| Certificate Types | X.509, PEM |
| Certificate Extension | .pem, .crt |
| Certificate Key Encoding Types | PKCS#1 |
| Certificate Key Extension | .key |

A PKCS#1 key file starts with -----BEGIN RSA PRIVATE KEY-----. A key file that starts with -----BEGIN PRIVATE KEY----- is PKCS#8 (the default output of OpenSSL 3 key-generation commands), which is not among the supported encodings; convert such a key to PKCS#1 before using it.
Coordinator Certificate Validation
Incredibuild validates SSL certificates whenever communication is initiated between Incredibuild machines. When verifying a Coordinator certificate, we validate the following fields:
- Common name (CN): We verify that this matches the Coordinator's host name exactly. A wildcard common name (for example *.example.com) can be used.
- Certificate Authority (CA): We verify the CA that signed the certificate, so the certificate must chain to a CA trusted by the validating machine.
- Expiration date: We validate that the certificate is not expired.
- Certificate Revocation List (CRL): If the certificate does not specify an OCSP responder, we verify that it is not listed in the operating system's CRL.
- Online Certificate Status Protocol (OCSP): If the certificate specifies an OCSP responder, we query that responder to verify that the certificate has not been revoked. For this to work, the certificate must include the OCSP address, and Incredibuild must be able to reach that address (check your firewall).
Agent Certificate Validation
Incredibuild validates SSL certificates whenever communication is initiated between Incredibuild machines. When verifying an Agent certificate, we validate the following fields:
- Common name (CN): You can use a regular expression to validate the CN instead of an exact host-name match. For details, see the next section.
- Certificate Authority (CA): We verify the CA that signed the certificate, so the certificate must chain to a CA trusted by the validating machine.
- Expiration date: We validate that the certificate is not expired.
- Certificate Revocation List (CRL): We verify that the certificate is not listed in the operating system's CRL.
Validating Agent Names Using Regular Expressions
You can use a regular expression to validate the common name of your Agents instead of checking the common name directly against the host PC name.
For example, if all of your machine names are of the form "Agent123", where 123 is a dynamic number, you can use a regular expression to define that pattern. Any Agent whose name matches the regular expression is then verified during the certificate validation process.
Regular expressions must be less than 999 characters.
Examples:
Intended to accept names that end in .rnd1.example.com:
[a-zA-Z]*[.-]?(rnd\d{1})[.-]?[a-zA-Z]*[.-]?[a-zA-Z]*
Intended to accept names that end in rnd*.example.com, so that john.rnd12.example.com and dan.rnd3.example.com are valid while george.sales.example.com is invalid:
[a-zA-Z]*[.-]?(rnd[0-9]*)[.-]?[a-zA-Z]*[.-]?[a-zA-Z]*
Note that neither example is anchored and neither pins the example.com suffix: a name such as rnd1.evil.com also matches both, and the [a-zA-Z]* groups do not admit digits in the surrounding labels. Treat them as starting points and tighten the expression for your own naming scheme, anchoring it with ^ and $ and spelling out the domain suffix, so that it accepts only the exact host-name shape you expect.
To use a regular expression for agent validation, go to the Coordinator Monitor > Coordinator Settings > General > Network area and add a valid regex.
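The page does not say whether the Coordinator applies the expression to the whole common name or searches for it as a substring, and the two example patterns above give different verdicts for some names depending on which it does. The following Python, an added example rather than Incredibuild code, evaluates the page's two patterns and a tightened, anchored alternative (an assumption, not a pattern from the page) against a constructed list of Agent names, reporting which names get a different answer under the two semantics and which names outside example.com are accepted anyway. Python's re engine is assumed to be a reasonable stand-in for the Coordinator's.

```python
import re

# Added example, not Incredibuild code. Python's `re` stands in for whatever
# engine the Coordinator uses; both whole-string and substring semantics are
# evaluated because the page does not say which one applies.

MAX_LEN = 999  # page: expressions must be less than 999 characters

# The two patterns exactly as given on the page.
PAGE_RND1 = r"[a-zA-Z]*[.-]?(rnd\d{1})[.-]?[a-zA-Z]*[.-]?[a-zA-Z]*"
PAGE_RND_ANY = r"[a-zA-Z]*[.-]?(rnd[0-9]*)[.-]?[a-zA-Z]*[.-]?[a-zA-Z]*"
# Assumed tightened replacement: anchored, one host label that may contain
# digits or hyphens, then rnd<digits>, then the pinned example.com suffix.
TIGHT_RND_ANY = r"^[a-z0-9-]+\.rnd[0-9]+\.example\.com$"

# Constructed sample Agent common names (hypothetical hosts).
SAMPLE_CNS = [
    "john.rnd1.example.com",
    "john.rnd12.example.com",
    "dan.rnd3.example.com",
    "agent7.rnd1.example.com",
    "george.sales.example.com",
    "rnd1.evil.com",
]


def compile_agent_regex(pattern):
    """Enforce the page's length limit; host names are case-insensitive."""
    if len(pattern) >= MAX_LEN:
        raise ValueError(f"pattern is {len(pattern)} chars; must be less than {MAX_LEN}")
    return re.compile(pattern, re.IGNORECASE)


def cn_accepted(pattern, cn, whole=True):
    """whole=True: the entire CN must match; whole=False: any substring may."""
    rx = compile_agent_regex(pattern)
    return bool(rx.fullmatch(cn) if whole else rx.search(cn))


def evaluate(pattern, names):
    """Map each name to (accepted as whole match, accepted by substring search)."""
    return {n: (cn_accepted(pattern, n, True), cn_accepted(pattern, n, False))
            for n in names}


def ambiguous_names(pattern, names):
    """Names whose verdict depends on which semantics the engine uses."""
    return [n for n, (whole, sub) in evaluate(pattern, names).items() if whole != sub]


def outside_domain_accepted(pattern, names, suffix):
    """Names accepted under either semantics that are not under `suffix`."""
    return [n for n, (whole, sub) in evaluate(pattern, names).items()
            if (whole or sub) and not n.lower().endswith(suffix)]


if __name__ == "__main__":
    for label, pat in [("page rnd1", PAGE_RND1), ("page rnd*", PAGE_RND_ANY),
                       ("tightened", TIGHT_RND_ANY)]:
        print(label)
        for name, (whole, sub) in evaluate(pat, SAMPLE_CNS).items():
            print(f"  {name:26} whole={whole!s:5} search={sub!s:5}")
        print("  verdict depends on semantics:", ambiguous_names(pat, SAMPLE_CNS))
        print("  accepted outside example.com:", outside_domain_accepted(pat, SAMPLE_CNS, ".example.com"))
```

An anchored pattern gives the same answer under both semantics, so it is safe regardless of how the Coordinator applies it; the page's patterns accept rnd1.evil.com under both and reject agent7.rnd1.example.com only under whole-string matching.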
Replacing SSL Certificates After Installation
If you added SSL certificates during installation or upgrade, you can replace them later.
Replace the existing certificates in the following folders:
- On the Incredibuild Coordinator: <Incredibuild installation folder>\Certs\Coordinator\
- On the Incredibuild Agent machines: <Incredibuild installation folder>\Certs\Agent\
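Before copying a certificate and key into Certs\Coordinator or Certs\Agent, it is worth checking locally that they satisfy the Supported Formats table and the Coordinator validation checks above: a PEM certificate, a PKCS#1 key, a CN that matches the host name, an unexpired certificate, an OCSP address if you rely on OCSP, and a key that actually belongs to the certificate. The following Python script is an added example, not Incredibuild code. It wraps the openssl command-line tool, which it assumes is on PATH (on Windows, for example the copy shipped with Git for Windows); the host name build01.example.com, the responder URL http://ocsp.example.com, the file names and the wildcard-matching rule are assumptions. The CA, CRL and OCSP lookups themselves are left to Incredibuild; the script only confirms the certificate carries what those checks need.

```python
import re
import subprocess
from pathlib import Path

# Added example, not Incredibuild code. Wraps the `openssl` CLI (assumed on PATH;
# on Windows, e.g. the copy shipped with Git for Windows). Host names, file
# names and URLs below are hypothetical.


def _openssl(*args):
    """Run an openssl subcommand, raise on failure, return stdout as text."""
    return subprocess.run(["openssl", *args], capture_output=True,
                          text=True, check=True).stdout


def key_encoding(pem_text):
    """Classify a PEM key by its armor header; only PKCS#1 is in the supported table."""
    if "-----BEGIN RSA PRIVATE KEY-----" in pem_text:
        return "PKCS#1"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return "PKCS#8 (encrypted)"
    if "-----BEGIN PRIVATE KEY-----" in pem_text:
        return "PKCS#8"
    return "unknown"


def to_pkcs1(key_path):
    """Re-encode an unencrypted RSA key as PKCS#1 ('traditional') PEM."""
    return _openssl("pkey", "-in", str(key_path), "-traditional")


def cert_subject_cn(cert_path):
    """Subject CN parsed from RFC 2253 output such as 'subject=CN=host,O=Org'."""
    out = _openssl("x509", "-in", str(cert_path), "-noout", "-subject",
                   "-nameopt", "RFC2253")
    subject = out.strip().split("=", 1)[1]
    m = re.search(r"(?:^|,)CN=([^,]+)", subject)
    return m.group(1) if m else None


def cert_is_valid_now(cert_path):
    """True unless the certificate has already expired (openssl exits 1 if so)."""
    proc = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout",
                           "-checkend", "0"], capture_output=True, text=True)
    return proc.returncode == 0


def cert_ocsp_uri(cert_path):
    """OCSP responder URL from the Authority Information Access extension, or None."""
    return _openssl("x509", "-in", str(cert_path), "-noout", "-ocsp_uri").strip() or None


def cert_matches_key(cert_path, key_path):
    """The certificate's public key must equal the one derived from the private key."""
    cert_pub = _openssl("x509", "-in", str(cert_path), "-noout", "-pubkey")
    key_pub = _openssl("pkey", "-in", str(key_path), "-pubout")
    return cert_pub.strip() == key_pub.strip()


def cn_matches_host(cn, hostname):
    """Exact, case-insensitive match; a leading '*.' label matches exactly one
    host label (assumed semantics; the page only says wildcards can be used)."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == cn[2:]
    return cn == hostname


def preflight(cert_path, key_path, hostname):
    """Local checks for a cert/key pair; CA, CRL and OCSP lookups stay with Incredibuild."""
    cn = cert_subject_cn(cert_path)
    return {
        "cert_is_pem": "-----BEGIN CERTIFICATE-----" in Path(cert_path).read_text(),
        "key_encoding": key_encoding(Path(key_path).read_text()),
        "cn": cn,
        "cn_matches_host": cn_matches_host(cn or "", hostname),
        "not_expired": cert_is_valid_now(cert_path),
        "ocsp_uri": cert_ocsp_uri(cert_path),
        "cert_matches_key": cert_matches_key(cert_path, key_path),
    }


def make_self_signed(out_dir, cn, days=2, ocsp_uri=None):
    """Throwaway self-signed cert and key for testing (openssl req writes a PKCS#8 key)."""
    out_dir = Path(out_dir)
    cert, key = out_dir / "coordinator.crt", out_dir / "coordinator.key"
    args = ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
            "-days", str(days), "-keyout", str(key), "-out", str(cert)]
    if ocsp_uri:  # embed a responder address so the OCSP check has something to find
        args += ["-addext", f"authorityInfoAccess=OCSP;URI:{ocsp_uri}"]
    _openssl(*args)
    return cert, key


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d, "build01.example.com",
                                     ocsp_uri="http://ocsp.example.com")
        for name, value in preflight(cert, key, "build01.example.com").items():
            print(f"{name:17} {value}")
        if key_encoding(Path(key).read_text()) != "PKCS#1":
            Path(key).write_text(to_pkcs1(key))  # convert before copying into Certs\
            print("key re-encoded as", key_encoding(Path(key).read_text()))
```

Run it against your real files by calling preflight() with the certificate, the key and the exact host name the Coordinator will be reached by; the demo in the main block generates a throwaway pair, which comes out with a PKCS#8 key and therefore exercises the conversion path you would need for a key produced by recent OpenSSL releases.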
Encrypting Communication
Whether or not you uploaded your own certificates, you can encrypt communication between Incredibuild's internal components. By default, this communication is not encrypted, on the assumption that Incredibuild machines share the same environment; if Agents reach the Coordinator over a network you do not control, enable it. To encrypt communication, check the Encrypted communication box in the Coordinator Monitor > Coordinator Settings > General > Network area and specify the secured port to use for it.
Limitation: Communication with Backup Coordinators is never encrypted, even when this option is enabled.
Prevent Users from Changing the Default Distribution Profile
To support some technologies, Incredibuild can use custom profiles that modify its distribution behavior and choose which tools may run remotely on the grid. To prevent users from changing the profile, clear the Allow changes to default distribution profile checkbox in the Coordinator Monitor > Settings > General page.