
PD TLS Installation Notes


1. The certificates were not in the right format (PEM) and the server key file was missing

To check that a certificate is in the right format, open the file in Notepad and look for "-----BEGIN CERTIFICATE-----" or "-----BEGIN RSA PRIVATE KEY-----".

The server certificate should contain only one section; the CA certificate may contain more.


To overcome these issues, we:

a. Downloaded OpenSSL from https://sourceforge.net/projects/openssl/ and unzipped it

b. Converted the server PFX certificate into separate server certificate and server key files using the following commands:

openssl pkcs12 -in "ServerCert.pfx" -clcerts -nokeys -out "server.crt" -passin pass:"OptionalPassword"

openssl pkcs12 -in "ServerCert.pfx" -nocerts -out "server.key" -passin pass:"OptionalPassword" -nodes

c. Converted the CA certificate from DER format to PEM using this command:

openssl x509 -inform der -outform pem -in my_ca.cer -out ca_bundle.pem


d. Saved all three files in a folder and changed the rabbitmq.config file according to the “Configuring TLS” section of PD’s installation manual.

e. Restarted the RabbitMQ service and the PD server


2. The Discovery Robot configuration file contained a wrong TLS server name

The “TlsServer” configuration parameter should be identical to the server name on the certificate.
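As an added check for steps 1 and 2 (example code written for these notes, not Kryon's or RabbitMQ's), the Python below applies the PEM rules above to the three files and compares the TlsServer value against the names on the certificate. It also accepts the PKCS#8 "-----BEGIN PRIVATE KEY-----" header, which current OpenSSL writes with -nodes; the sample PEM content is constructed, and the certificate names are assumed to have been read beforehand with `openssl x509 -in server.crt -noout -subject -ext subjectAltName`.

```python
import base64
import re
# One PEM section: "-----BEGIN <LABEL>-----", a base64 body, then the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# "-nodes" writes an unencrypted key; OpenSSL emits a PKCS#1 (RSA) or PKCS#8 header.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

def pem_sections(data: bytes):
    """Return the section labels found in a PEM file; raise ValueError if it is DER."""
    if data[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag (binary .cer export)
        raise ValueError("DER file: convert with 'openssl x509 -inform der -outform pem'")
    text = data.decode("ascii", errors="replace")  # real PEM is plain ASCII
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode(re.sub(r"\s+", "", body), validate=True)  # reject a damaged body
        labels.append(label)
    return labels

def check_tls_files(server_crt: bytes, server_key: bytes, ca_bundle: bytes):
    """Apply the format rules from the notes; return a list of problems (empty means OK)."""
    problems = []
    crt = pem_sections(server_crt)
    if crt != ["CERTIFICATE"]:  # "-clcerts -nokeys" must yield exactly one certificate
        problems.append(f"server.crt: expected one CERTIFICATE section, found {crt}")
    key = pem_sections(server_key)
    if len(key) != 1 or key[0] not in KEY_LABELS:  # "-nocerts -nodes": one plain key
        problems.append(f"server.key: expected one unencrypted private key, found {key}")
    ca = pem_sections(ca_bundle)
    if not ca or set(ca) != {"CERTIFICATE"}:  # the CA bundle may hold several certificates
        problems.append(f"ca_bundle.pem: expected only CERTIFICATE sections, found {ca}")
    return problems

def tls_server_matches(tls_server: str, cert_names) -> bool:
    """True if TlsServer equals a certificate name (CN/SAN) case-insensitively or fits a *.label wildcard."""
    host = tls_server.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

# Constructed sample files with dummy base64 payloads (not real keys or certificates).
def _pem(label: str) -> bytes:
    body = base64.b64encode(b"dummy payload, not real DER").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()
SERVER_CRT = _pem("CERTIFICATE")                        # one section, as "-clcerts" produces
SERVER_KEY = _pem("RSA PRIVATE KEY")                    # one key, as "-nocerts -nodes" produces
CA_BUNDLE = _pem("CERTIFICATE") + _pem("CERTIFICATE")   # a CA file may carry a chain
```

Pass the real files as bytes (open(path, "rb").read()); a non-empty list from check_tls_files or False from tls_server_matches points at the step in these notes that needs redoing.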


3. Port configuration known issue

We also changed the “messagesBrokerPort” configuration parameter to “5671” due to a known issue in PD 20.1 (https://kryonsystems.atlassian.net/browse/PD-862).


*** This is when we managed to create a secured TLS connection between the Discovery Robot and RabbitMQ on the same machine ***


4. Remote Discovery Robot connection errors

We then tried to connect a remote Discovery Robot (with the same configuration as the local one) but we couldn’t establish a connection.


I checked the RabbitMQ logs on the server (located under %AppData%/RabbitMQ/log) and noticed a message saying PDDR tried to connect with wrong credentials – meaning that PDDR reached the server and the port configuration is okay, but the pddr.keys file is wrong.


We copied the pddr.keys file from the server and placed it in %LocalAppData%/Kryon/ActionRecorder/config folder (due to certain access restrictions) and changed the “IdentificationFilesPath” config parameter to this folder.


When we restarted the Discovery Robot, it started recording using TLS communication.
