This is documentation for Apprenda 7 and 8.

TLS and Certificates

Transport Layer Security

The Platform supports TLS 1.0 and 1.1, and Platform version 8.1.0 adds support for TLS 1.2, for internal and external web application communications, depending on the corresponding environment configuration. It is recommended that you disallow vulnerable cryptographic protocol suites (e.g. SSL v2) in your environments to force communications over more secure standards such as TLS 1.2. Enable these controls in the Windows Registry on Load Manager nodes for external web application communication.
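The registry controls referred to above are the SChannel protocol keys on the Load Manager node. The following PowerShell is an added example (it is not from the Apprenda documentation and not Apprenda tooling) showing how to audit those keys and disable the legacy SSL suites while making sure TLS 1.2 is enabled. It assumes an elevated PowerShell session on a Windows node; the registry path and value names are the standard SChannel ones, and the set of protocols to disable is the example's own choice.

```powershell
# Added example, not part of the Apprenda documentation. Audits and sets the SChannel
# protocol registry keys that govern which TLS/SSL versions a Windows node offers.
# Assumes: Windows host, elevated session. Changes take effect after a reboot.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # "Server" governs inbound HTTPS (what a Load Manager offers to clients);
    # "Client" governs outbound connections this node initiates. Both are set so
    # the node does not end up offering a suite it refuses to speak itself.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. A missing key means the OS default applies,
    # so it is reported as $null rather than silently treated as "disabled".
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$p\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# Disable the vulnerable SSL suites and ensure TLS 1.2 is available, then show the result.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run the audit function first on each Load Manager so you have a record of the starting state. The example leaves TLS 1.0 and 1.1 untouched because the Platform supports them; turn them off only once the Platform is on a version that supports TLS 1.2 and every client and internal dependency has been confirmed to negotiate it.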

SSL Certificates

Certain Platform-wide settings will determine whether SSL enforcement is enabled/disabled Platform-wide (for all Apprenda and guest applications) or for Apprenda applications only. You can view and manage settings for SSL enforcement on the Configuration>Security page in the SOC. Note that Developers may also choose to enforce SSL on a per-application basis for guest applications. Regardless of these settings, the Platform uses SSL encryption for all cross-cloud communication.

Whenever SSL enforcement is enabled, Platform Load Managers will redirect HTTP traffic to HTTPS for all affected applications. Otherwise, Load Managers will accept both insecure HTTP and secure HTTPS connections from clients. HTTPS encryption is accomplished using an SSL certificate for each cloud. Clients (such as browsers) encrypt requests using the certificate's public key; the Platform then decrypts them using the corresponding private key.

Depending on settings chosen during Platform installation, the Platform can use either an SSL certificate signed by a Certification Authority and supplied by your company or a self-signed SSL certificate created by the Apprenda Installer.

An SSL certificate provided by your company

You can specify an SSL certificate signed by a Certification Authority for the Platform to use to provide SSL encryption during Platform installation. After install, you are able to upload a new certificate in the Updating the SSL section of the Configuration>Security page in the SOC.

Before running the Apprenda Installer, install the root certificate used to issue the SSL certificate as a Trusted Root Certification Authority on the machine from which the Installer is run. The Installer must be able to access the root certificate to

  • install the root certificate on all servers that are part of the Apprenda Platform installation
  • store the root certificate in the Platform Repository for future use

A self-signed SSL certificate generated by the Apprenda Installer

You can also use a self-signed SSL certificate generated by the Apprenda Installer for Platform SSL encryption. Note that as this SSL certificate is not signed by a known Certification Authority, it won't automatically be trusted by clients' browsers.

When the Installer creates this SSL certificate, it also creates a root certificate that is installed as a Trusted Root Certification Authority on the machine from which the Installer is run. The root certificate is then installed on all servers that are part of the Platform infrastructure during installation. This root certificate is used in place of a Certification Authority to sign the SSL certificate that the Platform uses after install, allowing cross-Platform communications to be trusted internally. Client connections to the Platform will not establish the same trust relationship, however, unless the client machine also recognizes the root certificate as a Trusted Root Certification Authority.

SSL certificates are designated on a per-cloud basis. On a Hybrid Cloud environment, you need to specify a separate SSL certificate for each cloud. The SSL certificate designated for a given cloud is installed on any Load Managers located on that cloud.

Certificate Subject for SSL Certificates

If using an SSL certificate provided by your company, the certificate subject (also called CN) must match one of the following for each cloud (where cloudurl is the URL specified for the cloud):

  • *.cloudurl
    • e.g.: *.mycompany.net
    • a wildcard is used for the subdomain
  • subdomain.cloudurl
    • e.g.: apps.mycompany.net
    • the Apprenda Installer will default to a subdomain of "apps" (although this value is configurable)

If using the self-signed certificate(s) generated by the Apprenda Installer, the certificate subject is generated with a wildcard subdomain in the form of *.cloudurl.
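Two things can be checked before running the Installer with a company-supplied certificate: that its CN is one of the two accepted forms for the cloud URL, and that its chain builds to a root this machine already trusts (the requirement described under "An SSL certificate provided by your company"). The PowerShell below is an added example, not Apprenda code; the certificate path, cloud URL and subdomain are placeholders, and the .NET X509 types it uses are standard on Windows.

```powershell
# Added example, not part of the Apprenda documentation. Pre-install checks for a
# company-supplied SSL certificate: subject CN form and local chain trust.
# Placeholders: the certificate file path, cloud URL and subdomain below.

function Test-ApprendaSslSubject {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string]$CloudUrl,
        [string]$Subdomain = 'apps'   # Installer default; configurable at install time
    )
    # Accepted forms per the documentation: "*.cloudurl" or "subdomain.cloudurl".
    # Comparison is case-insensitive because DNS names are.
    $cn       = $CommonName.Trim().ToLowerInvariant()
    $cloud    = $CloudUrl.Trim().ToLowerInvariant()
    $accepted = @("*.$cloud", "$Subdomain.$cloud")
    [pscustomobject]@{
        CommonName  = $cn
        Matches     = [bool]($accepted -contains $cn)
        AcceptedCNs = $accepted -join ' | '
    }
}

function Test-CertificateChainTrusted {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Builds the chain against this machine's stores. Revocation checking is skipped so
    # the result reflects only whether the issuing root is trusted locally, which is the
    # Installer's requirement; run a revocation check separately if your CA publishes one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($Certificate)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root |
              Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    [pscustomobject]@{
        ChainBuilds        = $builds
        RootSubject        = $root.Subject
        RootThumbprint     = $root.Thumbprint
        RootInMachineStore = [bool]$inRoot
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Placeholder inputs; replace with your certificate file and cloud URL.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\apps-cert.cer'
$cn   = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

Test-ApprendaSslSubject -CommonName $cn -CloudUrl 'mycompany.net' -Subdomain 'apps'
Test-CertificateChainTrusted -Certificate $cert
```

A certificate whose CN is "www.mycompany.net" fails the first check even though it is a valid certificate, because neither accepted form matches. If ChainBuilds is false or RootInMachineStore is false, import the issuing root into the Local Machine Trusted Root Certification Authorities store on the Installer machine before proceeding. The same chain check, run on a client workstation, tells you whether that client will trust the Installer-generated self-signed root described in the next section.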

Signing Certificates

A signing certificate is used by the Platform to sign the authentication tokens that are issued to client browsers to track User login sessions. Claims are signed with the certificate's private key and verified with its public key.

During Platform installation, the Platform Operator is given the opportunity to specify an existing signing certificate for the Platform to use. Otherwise, the Apprenda Installer will generate a signing certificate. Note that unlike SSL certificates (which must be provided separately for each cloud belonging to the Platform), only one signing certificate is used for an Apprenda Platform installation.

A signing certificate provided by your company

This certificate is used for signing claims (and should not be confused with a Signing Certificate Authority). There are no known subject restrictions for the signing certificate; however, it is best practice to use separate certificates for the SSL and signing certificates. It is therefore a common practice for companies to provide their own SSL certificates but use the Apprenda Installer-generated signing certificate.

Note: The certificate used for the signing certificate must NOT be the same certificate that is used for the SSL certificate.
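The signing certificate's role is asymmetric signing of session claims: private key signs, public key verifies, so a token altered in transit fails verification. The PowerShell below is an added example, not Apprenda code and not the Platform's actual token format; it shows that sign-and-verify cycle with .NET RSA calls, plus the check that the signing certificate is not the same certificate as the SSL one. It assumes Windows 10 / Server 2016 or later (for New-SelfSignedCertificate) and creates a throwaway certificate in the current user's store purely to have a private key to sign with.

```powershell
# Added example, not part of the Apprenda documentation. Illustrates signing claims with a
# certificate's private key and verifying with its public key. The token layout
# ("<base64 claims>.<base64 signature>") is this example's own, not the Platform's.
$HashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$RsaExt  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

function Protect-Claims {
    param(
        [Parameter(Mandatory)][string]$Claims,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert
    )
    $rsa = $RsaExt::GetRSAPrivateKey($SigningCert)
    if (-not $rsa) { throw 'Signing certificate has no accessible RSA private key.' }
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Claims)
    $sig   = $rsa.SignData($bytes, $HashAlg, $Padding)
    '{0}.{1}' -f [Convert]::ToBase64String($bytes), [Convert]::ToBase64String($sig)
}

function Test-ClaimsSignature {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert
    )
    # Only the public key is needed here, which is why verifiers need the certificate
    # but never the private key.
    $parts = $Token.Split('.')
    if ($parts.Count -ne 2) { return $false }
    $rsa = $RsaExt::GetRSAPublicKey($SigningCert)
    $rsa.VerifyData([Convert]::FromBase64String($parts[0]),
                    [Convert]::FromBase64String($parts[1]), $HashAlg, $Padding)
}

function Test-DistinctCertificates {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslCert,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert
    )
    # The documentation requires the signing certificate to differ from the SSL certificate;
    # thumbprint equality is the reliable way to detect the same certificate under two names.
    $SslCert.Thumbprint -ne $SigningCert.Thumbprint
}

# Throwaway signing certificate for the demonstration (constructed, not an Installer artifact).
$signing = New-SelfSignedCertificate -Subject 'CN=example-signing (throwaway)' `
    -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation 'Cert:\CurrentUser\My'

$token = Protect-Claims -Claims '{"user":"alice","role":"Developer"}' -SigningCert $signing
"Genuine token verifies: $(Test-ClaimsSignature -Token $token -SigningCert $signing)"

# Tamper with the claims but keep the original signature: verification must fail.
$forgedClaims = [Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes('{"user":"alice","role":"Platform Operator"}'))
$forged = '{0}.{1}' -f $forgedClaims, $token.Split('.')[1]
"Tampered token verifies: $(Test-ClaimsSignature -Token $forged -SigningCert $signing)"

# Same certificate used for both roles is rejected by the distinctness check.
"Signing cert distinct from SSL cert: $(Test-DistinctCertificates -SslCert $signing -SigningCert $signing)"
```

The tampered token fails because the signature covers the exact claim bytes; changing the role changes the hash the verifier computes. Remove the throwaway certificate from Cert:\CurrentUser\My when you are done with the demonstration.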

A signing certificate generated by the Apprenda Installer

A signing certificate can also be generated by the Apprenda Installer. When the Installer creates this signing certificate, it creates a root certificate that is installed as a Trusted Root Certification Authority on the machine that the Installer is being run from and is subsequently installed on all servers that are part of the Apprenda Platform infrastructure. If using the self-signed signing certificate generated by the Apprenda Installer, the certificate subject is generated as a wildcard in the form of cloudurl Signing