Managing Certificates

The material in this document is for informational purposes only. The products it describes are subject to change without prior notice, due to the manufacturer’s continuous development program. Rampiva makes no representations or warranties with respect to this document or with respect to the products described herein. Rampiva shall not be liable for any damages, losses, costs or expenses, direct, indirect or incidental, consequential or special, arising out of, or related to the use of this material or the products described herein.

Introduction

When deploying Nuix Rampiva, it’s typical to configure the communication between the various Nuix Rampiva components, as well as with third-party services, over an encrypted HTTPS communication channel.

For each HTTPS communication, for example from Scheduler to the Engine Server, certificates need to be configured at both ends of the communication:

  • On the connection server, i.e. the component receiving the connection (in this case Rampiva Engine Server), a certificate including the private key must be deployed. This can be a certificate issued by a public Certificate Authority (CA), an internally-issued certificate, or a self-signed certificate;

  • On the connection client, i.e. the component initiating the connection (in this case Rampiva Scheduler), the certificate must be trusted, unless it’s a certificate issued by a public CA.

This article describes what the typical components involved in HTTPS communications are, and how certificates can be configured on a Microsoft Windows deployment of Nuix Rampiva.

HTTPS Connections List

Connection Server                 Connection Client
1. Scheduler                      4. Browser / Third-Party System
2. Engine Server                  5. Scheduler
3. Various Third-Party Systems    5. Scheduler
3. Various Third-Party Systems    6. Engine
1. Scheduler                      7. Engine

Configuring Certificates on a Connection Server

1. Scheduler

After a default installation, Scheduler generates a self-signed certificate. This certificate is located in the JKS store at C:\ProgramData\Rampiva\Automate\Scheduler\config\keystore.jks.

1.1 Replace the Self-Signed Certificate With a Certificate From a PFX File

  • Install KeyStore Explorer

  • In KeyStore Explorer, open the file C:\ProgramData\Rampiva\Automate\Scheduler\config\keystore.jks

  • Use the default password defaultPassword1234

  • Delete the existing certificate rampiva-scheduler

  • Import Key Pair in PKCS #12 format

  • Set the Key Pair entry password defaultPassword1234

  • Save the changes

  • Restart the Rampiva Scheduler Windows service

1.2 Replace the JKS Store With a PFX File

  • In an administrative text editor, edit the file C:\ProgramData\Rampiva\Automate\Scheduler\config\config.yml

  • Under the applicationConnectors entry of the server section, replace:

keyStorePath: C:/ProgramData/Rampiva/Automate/Scheduler/config/keystore.jks
keyStorePassword: defaultPassword1234

with:

keyStorePath: C:/ProgramData/Rampiva/Automate/Scheduler/config/sample.pfx
keyStorePassword: samplePasswordGoesHere
keyStoreType: PKCS12

where sample.pfx is the PFX file, and samplePasswordGoesHere is the password of the PFX file.

  • Restart the Rampiva Scheduler service

1.3 Configure an HTTPS Certificate from the CA Let’s Encrypt

2. Engine Server

Similar to Scheduler, after a default installation, the Engine Server generates a self-signed certificate. This certificate is located in the JKS store at C:\ProgramData\Rampiva\Automate\EngineServer\config\keystore.jks.

To change the default certificate or the certificate store, follow the same steps described in section 1 (Scheduler), pointing instead to the keystore and config file paths in the EngineServer folder.

3. Various Third-Party Systems

The configuration of server certificates on third-party systems is outside the scope of this article.

Trusting Certificates on a Connection Client

4. Browser / Third-Party Systems

If the certificate used on Scheduler is issued by a public CA, then no steps need to be performed on the browser or third-party systems. Otherwise, the certificate must be trusted either in the browser / third-party system, or at the operating system level. This configuration is outside the scope of this article.

5. Scheduler

If the certificate from the third-party system or the Engine Server is issued by a public CA, then no steps need to be performed on Scheduler to trust the certificate. Otherwise, certificates can be trusted in Scheduler either by specifying the certificate fingerprint, or by loading the certificate into the Java store used by Scheduler.

5.1 Trust a Certificate With Fingerprint

  • Obtain the SHA-256 fingerprint of the certificate, by performing one of the following steps on a secured network:

    • Attempt to configure the Engine Server or the third-party system in Scheduler and take note of the SHA-256 fingerprint in the error message

    • Browse to the Engine Server page or the third-party service using Chrome, inspect the certificate details, General → SHA-256 Fingerprints → Certificate

  • Configure the Engine Server or the third-party system in Scheduler and enter the SHA-256 fingerprint in the Whitelisted Certificate Fingerprints field
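To confirm offline that the value entered in Whitelisted Certificate Fingerprints is the fingerprint of the intended leaf certificate, here is an added PowerShell example (not part of the Rampiva documentation); it assumes the certificate was exported as described in section 5.2 to C:\Temp\service1.cer and that the operator pastes the expected fingerprint into $Expected. It goes slightly beyond the steps above by handling a chain export, labelling the leaf and issuer certificates separately.

```powershell
# Added example (not Rampiva's own code): compute the SHA-256 fingerprint of each certificate
# in a Base64 (.pem/.cer) export, in the colon-separated form Chrome and Scheduler display,
# and compare the leaf certificate with the value entered in Whitelisted Certificate Fingerprints.
# Assumptions: the export path below, and an expected value supplied by the operator.
param(
    [string]$CertFile = "C:\Temp\service1.cer",
    [string]$Expected = ""   # value from the Scheduler error message or from Chrome
)

function Get-Sha256Fingerprint([byte[]]$DerBytes) {
    # Chrome's "SHA-256 Fingerprint" is SHA-256 over the DER-encoded certificate.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($DerBytes) | ForEach-Object { $_.ToString("X2") }) -join ":" }
    finally { $sha.Dispose() }
}

function ConvertTo-PlainFingerprint([string]$Value) {
    # Strip colons/spaces and upper-case, so a formatting difference is not read as a mismatch.
    ($Value -replace "[^0-9A-Fa-f]", "").ToUpperInvariant()
}

$pem    = Get-Content -Path $CertFile -Raw
$blocks = [regex]::Matches($pem, "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", "Singleline")
if ($blocks.Count -eq 0) { throw "No PEM certificate found in $CertFile" }

# A "certificate chain" export lists the leaf first, then its issuers; only the leaf's
# fingerprint belongs in the whitelist, so each entry is labelled.
$index = 0
foreach ($m in $blocks) {
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace "\s", ""))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)  # throws if not a certificate
    $fp   = Get-Sha256Fingerprint $der
    $role = if ($index -eq 0) { "leaf" } else { "issuer$index" }
    "{0,-8} {1}`n         {2} (valid until {3:yyyy-MM-dd})" -f $role, $fp, $cert.Subject, $cert.NotAfter
    if ($index -eq 0 -and $Expected) {
        if ((ConvertTo-PlainFingerprint $fp) -eq (ConvertTo-PlainFingerprint $Expected)) {
            "Leaf fingerprint matches the whitelisted value."
        } else {
            Write-Warning "Leaf fingerprint does NOT match the whitelisted value; re-check the export."
        }
    }
    $index++
}
```

Run it as .\Check-Fingerprint.ps1 -Expected "<value>" after exporting the certificate; a mismatch means the whitelist entry was taken from a different certificate than the one served.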

5.2 Trust a Certificate By Importing It Into the Java Store

  • Export the certificate of the Engine Server or the third-party service:

    • Browse to the Engine Server page or the third-party service using Chrome

    • Inspect the certificate details, Details → Export …

    • Save the certificate in Base64-encoded ASCII, certificate chain .pem format, for example under C:\Temp\service1.cer

  • Determine the path to the Java installation being used by Scheduler, using one of the following methods:

    • By default, Scheduler versions 7.0 to 8.1 use the Java installation at C:\Program Files\Rampiva\Automate\java\jre11

    • By default, Scheduler versions 8.2 and later use the Java installation at C:\Program Files\Rampiva\Automate\java\jre17

    • Inspect the Scheduler log file, by default at C:\Temp\logs\rampiva-scheduler.log and search for JVM Path

  • Open an administrative Command Prompt

  • Navigate to the Java installation, for example:

cd C:\Program Files\Rampiva\Automate\java\jre17

  • Import the certificate using the following keytool command:

where service1 is the name of the service, and C:\Temp\service1.cer is the path to the certificate saved at the previous steps.

  • When prompted to trust the certificate, type yes

  • Restart the Scheduler service

6. Engine (to Third-Party Service)

If the certificate from the third-party system is issued by a public CA, then no steps need to be performed on the Engine to trust the certificate. Otherwise, certificates can be trusted in the Engine either by specifying the certificate fingerprint, or by loading the certificate into the Java store used by the Engine.

6.1 Trust a Certificate With Fingerprint

  • Follow the steps in section 5.1 to configure the third-party system with a certificate fingerprint in Scheduler. Then, the certificate fingerprint will automatically be used in the Engine for supported services.

This configuration is not possible in certain cases (for example for Nuix NLP); for these systems the certificate must be imported into the Java store.

6.2 Trust a Certificate By Importing It Into the Java Store

  • Export the certificate of the third-party service:

    • Browse to the Engine Server page or the third-party service using Chrome

    • Inspect the certificate details, Details → Export …

    • Save the certificate in Base64-encoded ASCII, certificate chain .pem format, for example C:\Temp\service1.cer

  • Determine the path to the Java being used by the Engine, using one of the following methods:

    • In Scheduler Settings → Execution Profiles → open the relevant profile and inspect the field Java Installation Folder

    • Inspect the Engine log file, by default at C:\Temp\logs\rampiva-engine.aaaaa-job.55555.log, and search for JVM Path

  • Open an administrative Command Prompt

  • Navigate to the Java installation, for example:

  • Import the certificate using the following keytool command:

where server1 is the name of the service, and C:\Temp\server1.cer is the path to the certificate saved at the previous steps.

  • When prompted to trust the certificate, type yes
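The keytool import that the steps in sections 5.2 and 6.2 refer to, as an added PowerShell example rather than Rampiva's own command; it assumes keytool sits in bin\ under the Java folder found in the previous step (for the Engine, the Execution Profile's Java Installation Folder), that the trust store is the standard lib\security\cacerts with the JDK default password changeit, and it uses the service1 alias and C:\Temp\service1.cer path from the steps above. Run it from an administrative PowerShell, since the Java folder under Program Files is write-protected.

```powershell
# Added example (not Rampiva's own command): import an exported service certificate into the
# trust store of the Java installation used by Scheduler or the Engine, then verify the entry.
# Assumptions: bin\keytool.exe and lib\security\cacerts under $JavaHome, default password "changeit".
param(
    [string]$JavaHome  = "C:\Program Files\Rampiva\Automate\java\jre17",  # Scheduler 8.2+; Engine: Java Installation Folder
    [string]$Alias     = "service1",
    [string]$CertFile  = "C:\Temp\service1.cer",
    [string]$StorePass = "changeit"
)

$keytool = Join-Path $JavaHome "bin\keytool.exe"
$cacerts = Join-Path $JavaHome "lib\security\cacerts"
foreach ($p in $keytool, $cacerts, $CertFile) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

# Keep a copy of the trust store so the change can be rolled back.
Copy-Item $cacerts "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# keytool -list exits 0 only if the alias exists; refuse to import over an existing entry so a
# renewed certificate gets a fresh alias (or the old one is removed first with -delete).
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $cacerts" }

# keytool asks "Trust this certificate? [no]:" here; answer yes as the article says
# (add -noprompt only when running unattended).
& $keytool -importcert -trustcacerts -alias $Alias -file $CertFile `
    -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# Show what was imported: alias, subject, validity and fingerprints of the new entry.
& $keytool -list -v -keystore $cacerts -storepass $StorePass -alias $Alias |
    Select-String -Pattern "Alias name|Owner|Valid from|SHA256"
```

Restart the Scheduler service afterwards (section 5.2); the Engine picks up the store on its next job.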

7. Engine (to Scheduler)

The Engine communicates with Scheduler when running jobs with certain operations, such as operations using third-party services. This communication occurs by default over HTTPS, and Rampiva automatically manages the certificate trust.

Additionally, the certificate trust on the Engines can be manually managed using the steps from section 6, or by setting the Scheduler certificate fingerprint using the parameter {scheduler_cert_fingerprint}.