Use Tosca Server with an HTTPS binding

All Tosca Server features allow for an HTTPS binding to transfer data.

If you want to use an HTTPS binding, install Tosca Server with the HTTPS setting. Note that you have to provide your certificate thumbprint during the installation to proceed with the HTTPS settings.

Certificate requirements

To make Tosca Server secure, your certificate has to meet the following security requirements. This helps to ensure validity and to avoid warnings in your browser:

  • It must be placed in your machine's certificate store.

  • It must be stored in only one certificate store location of the local machine certificate store. That's the certificate store which is local to the machine and global to all its users.

  • It must use RSA. The minimum signature hash algorithm is SHA256.

  • The private key must be included in your certificate.

  • The key size must be at least 2048.

  • The key must be exportable. You must enable Mark as exportable in the Windows certificate import dialog when you import the certificate. If you haven't done so, you must renew the certificate.

  • The extended key usage extension must include the Server Authentication OID 1.3.6.1.5.5.7.3.1. This marks the certificate as valid for Transport Layer Security (TLS) server authentication, as described in RFC 5280.

  • The subject must be the DNS name of the machine.

    Note: you can't use wildcards. The certificate must contain the real DNS name.

  • The subject alternative name must be set to your DNS names to avoid warnings in your browser.

    For example: localhost, machineName, machineName.domain.com

  • It must have a valid from and to date that define a time span that includes the current date.

  • It must have a valid issuer, which is installed as a root certificate on the machine.

  • If you enable the optional Skip certificate revocation check setting during the setup or configuration, you're all set. Otherwise, make sure that the certificate, or any certificate in its chain, has not been revoked, and that the revocation servers are available.

Set up HTTPS configuration for Tosca Server services

If you have installed Tosca Server with an HTTP binding and want to switch to HTTPS, you can do so in the Service Configuration. Follow the steps below:

  1. Make sure that your SSL certificate meets the security requirements described earlier in this chapter.

  2. Start Tricentis Service Configuration.

  3. Go to the Gateway Service tab.

  4. Select HTTPS.

  5. Insert your certificate thumbprint into the Certificate Thumbprint field.

Ensure that you have copied your certificate thumbprint correctly. In some cases, the thumbprint contains an "invisible" Unicode character, which causes issues.

For more information, see the Microsoft documentation.

  6. Select the Certificate Location.

  7. Click Save to save your changes and finish the configuration.

  8. To use Tosca Distributed Execution with HTTPS binding, set it up as described in "Set up Tosca Distributed Execution with AOS | HTTPS".
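
To check a certificate against the requirements above and get a clean thumbprint before you paste it into the Certificate Thumbprint field, you can run a pre-flight script like the following. It is an added example, not Tricentis code: the `$Thumbprint` parameter and the reading of "DNS name of the machine" as the short host name or FQDN are assumptions, and it does not test whether the key is exportable.

```powershell
# Added example, not Tricentis code. Run on the Tosca Server machine.
param([Parameter(Mandatory)][string]$Thumbprint)  # as pasted from the certificate dialog

# Keep hex digits only: drops spaces and invisible Unicode characters from copy/paste.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) { throw "Expected 40 hex digits, got $($clean.Length)." }

# Look for the thumbprint in every store under the local machine location.
$hits = @(Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.Thumbprint -eq $clean })
if ($hits.Count -eq 0) { throw "Thumbprint $clean not found under Cert:\LocalMachine." }
$cert = $hits[0]

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
# OIDs of sha256/sha384/sha512WithRSAEncryption; RSASSA-PSS signatures need a manual look.
$shaOids = '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13'
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
# Assumption: "DNS name of the machine" means the short host name or the FQDN.
$hostNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
$cn = $cert.GetNameInfo('SimpleName', $false)

# Build the chain in machine context with an online revocation check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)

$now = Get-Date
$checks = [ordered]@{
    'Present in exactly one local machine store' = ($hits.Count -eq 1)
    'RSA key of at least 2048'                   = ($rsa -and $rsa.KeySize -ge 2048)
    'Signature hash SHA256 or stronger'          = ($shaOids -contains $cert.SignatureAlgorithm.Value)
    'Private key included'                       = $cert.HasPrivateKey
    'EKU has Server Authentication OID'          = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    'Subject is a machine DNS name, no wildcard' = ($cn -notmatch '\*' -and $hostNames -contains $cn)
    'Subject alternative name extension present' = ($null -ne $cert.Extensions['2.5.29.17'])
    'Current date within validity period'        = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    'Chain to trusted root, nothing revoked'     = $chainOk
}
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Requirement = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize

if (-not $chainOk) { $chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" } }
"Thumbprint to paste: $clean"
```

If you plan to enable Skip certificate revocation check, a chain failure that reports only revocation status does not block the setup; any other chain status does.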