How to configure SSL certificates for the .NET Agent

Agent Deployment Knowledge:

See more
License Type SaaS & On-Premise
Agent Mode Assess & Protect
Main Product Category    .NET Agent
Sub Category Connectivity

 

Objective

By default, the .NET framework doesn't allow SSL connections that can't be validated. If the .NET agent is attempting to connect to Contrast with a self-signed SSL certificate, it could give the following error message:

> The underlying connection was closed: Could not establish trust
  relationship for the SSL/TLS secure channel.

There are two configuration changes that allow the .NET agent to connect to Contrast with a self-signed SSL certificate:

  • Install the self-signed certificate as a trusted certificate.
  • Configure the agent to ignore certificate errors.

Contrast only recommends that you use these solutions for testing purposes in a trusted environment. These changes could allow for man-in-the-middle attacks to intercept or modify data sent from the agent to Contrast.

Process

Option One - Install the self-signed certificate as a trusted certificate.

  • Open Internet Explorer (IE) as an Administrator.
  • Navigate to your instance of the Contrast interface. If IE displays an error message, click Continue to this website (not recommended).
  • Click on the Certificate Error icon (next to the URL) > View Certificate > Details tab > Copy to File.
  • Export the certificate as a DER encoded binary X.509 (.CER).
  • Click Start, and then Start Search.
  • Type mmc and then press Enter.
  • On the File menu, click Add/Remove Snap-in.
  • Under Available snap-ins, click Certificates and then Add
  • Under This snap-in will always manage certificates for, click Computer account and then Next.
  • Click Local computer and then Finish.
  • If you have no more snap-ins to add to the console, click OK.
  • In the console tree, double-click Certificates
  • Right-click the Trusted Root Certification Authorities store.
  • Click Import to import the certificates.
  • Follow the steps in the Certificate Import Wizard using the certificate created in the previous steps.

Option Two - Configure the agent to ignore certificate errors.

Alternatively, you can configure the agent to trust any certificate. You should only use this configuration for testing purposes or in trusted environments.

  • In a text editor, open %SYSTEMDRIVE%\ProgramData\Contrast\dotnet\contrast_security.yaml
  • Add the following lines: 
    api:
      certificate:
        enable: false

Related articles

Powered by Zendesk