Objective
By default, the .NET framework doesn't allow SSL connections that can't be validated. If the .NET agent is attempting to connect to Contrast with a self-signed SSL certificate, it could give the following error message:
> The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel.
There are two configuration changes that allow the .NET agent to connect to Contrast with a self-signed SSL certificate:
- Install the self-signed certificate as a trusted certificate.
- Configure the agent to ignore certificate errors.
Contrast only recommends that you use these solutions for testing purposes in a trusted environment. These changes could allow for man-in-the-middle attacks to intercept or modify data sent from the agent to Contrast.
Process
Option One - Install the self-signed certificate as a trusted certificate.
- Open Internet Explorer (IE) as an Administrator.
- Navigate to your instance of the Contrast interface. If IE displays an error message, click Continue to this website (not recommended).
- Click on the Certificate Error icon (next to the URL) > View Certificate > Details tab > Copy to File.
- Export the certificate as a DER encoded binary X.509 (.CER).
- Click Start, and then Start Search.
- Type mmc and then right click to Run as Administrator (required in order to import certificates).
- On the File menu, click Add/Remove Snap-in.
- Under Available snap-ins, click Certificates and then Add
- Under This snap-in will always manage certificates for, click Computer account and then Next.
- Click Local computer and then Finish.
- Click OK.
- In the console tree, double-click Certificates to expand the list of Certificate Stores.
- Right-click the Trusted Root Certification Authorities store.
- Select All Tasks->Import... to bring up the Certificate Import Wizard.
- Follow the steps in the Certificate Import Wizard using the certificate created in the previous steps.
Option Two - Configure the agent to ignore certificate errors.
Alternatively, you can configure the agent to trust any certificate. It is advised that you should only use this configuration for testing purposes or in trusted environments.
- In a text editor, open %SYSTEMDRIVE%\ProgramData\Contrast\dotnet\contrast_security.yaml
- Add the following lines:
api:
certificate:
ignore_cert_errors: true