Code42 Support

Enable TLS messaging

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

TLS messaging is an industry-standard, RFC-compliant method of transport security. Code42 server version 5.3 introduces the ability to enable transport-layer security (TLS) for server-to-server and client-to-server communication. In Code42 server version 5.4 and later, TLS is the default messaging method. Code42 servers use TLS protocol version 1.2.

This tutorial explains how to enable TLS in your Code42 environment.

Considerations

Managed appliances
If your master server is a Code42 managed appliance, contact our Customer Champions about enabling TLS in your Code42 environment. Do not attempt to enable TLS in your environment on your own.
  • For the TLS protocol, client-to-server communications use port 4287; server-to-server communications use port 4288.
  • The alternative to TLS is the Code42 custom protocol. It is the default protocol for servers version 5.3.x and earlier. It requires ports 4282 and 4283.
  • If a TLS connection cannot be established for any reason, messaging falls back to the custom protocol.
  • Code42 server version 5.4 and later:
    • TLS is the default messaging protocol.
    • Code42 environments upgrading from 5.3.x or earlier will begin using the TLS protocol automatically.
    • If you're upgrading from 5.3.x and you specifically disabled outbound TLS, your new 5.4 deployment will continue to use the custom (non-TLS) protocol. To manually re-enable TLS after disabling, follow the directions under Code42 server version 5.3.x.
  • Code42 server version 5.3.x: TLS is available but not enabled by default; the custom protocol remains in use until you enable TLS by following the steps under Code42 server version 5.3.x below.

Code42 server version 5.4 and later

TLS is the default messaging method in Code42 server version 5.4 and later. Follow these steps below to ensure that all servers in your Code42 environment are able to communicate using TLS.

Step 1: Open TLS ports

Configure your network to allow all CrashPlan apps and Code42 servers (both master and storage servers) to communicate over ports 4287 and 4288.

Do not change the port numbers of the primary and secondary network addresses in the administration console under Server > Settings > General. The port change happens behind the scenes and requires no intervention: Code42 CrashPlan derives each TLS port by adding 5 to the existing messaging port (4282 becomes 4287, 4283 becomes 4288), so environments that use ports other than 4282/4283 must open the ports 5 higher than their existing port numbers.

Updating Windows firewall rules
Windows Code42 servers upgrading from version 5.2.x or earlier also require Windows Firewall updates to specifically allow ports 4287 and 4288.

New installations of the Code42 server version 5.4 or later do not need to update Windows Firewall.

Validating ports in use
To check whether the server is listening (or has an established connection) on a specific port, enter the following Terminal or Command Prompt command; substitute 4288 to check the server-to-server port:

  • Linux/OS X (run with sudo to see sockets owned by the service account): lsof -nP -i :4287
  • Windows: netstat -ano | findstr :4287

Step 2: Increase Windows stack size

Only applies to Windows Code42 servers that are upgrading from version 5.2.x or earlier. New installations of the Code42 server version 5.4 can skip this step.

For optimal performance, Windows Code42 servers need the Java thread stack size (the -Xss parameter) increased to 256 kilobytes (KB) after enabling TLS connections. To change this value:

  1. Use the Windows Services tool to stop the Code42 server service.
  2. Right-click Notepad or another plain text editor, and select Run as administrator.
  3. From within the text editor, open C:\Program Files\CrashPlan PROe Server\CrashPlanPROServer.ini
  4. Locate the line beginning with Virtual Machine Parameters.
  5. Change -Xss128K to -Xss256K.
  6. Save the changes to the file.
  7. Use the Windows Services tool to restart the Code42 server service.

Step 3: Verify that your environment communicates over TLS

  1. Sign in to the administration console.
  2. Go to Settings > Server.
  3. Next to System logs, click View.
    The Logs view appears.
  4. From the list, choose the com_backup42_app.log Code42 server log file.
  5. Search for this line to verify that your Code42 environment is communicating over TLS:
    [08.29.16 21:15:12.584 INFO  re-event-2-1 handler.AppProtocolStartListener] SABRE:: TLS connection established. version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, channel=[id: 0xde7cee54, L:/10.43.32.218:4287 - R:/162.222.47.218:55074]
  6. Repeat steps 1 to 5 on each Code42 server in your environment.

Code42 server version 5.3.x

Step 1: Open TLS ports

Configure your network to allow all CrashPlan apps and Code42 servers (both master and storage servers) to communicate over ports 4287 and 4288. Existing server-to-server and client-to-server communication occurs over ports 4282 and 4283. TLS requires ports 4287 and 4288.

Do not change the port numbers of the primary and secondary network addresses in the administration console under Server > Settings > General. The port change happens behind the scenes and requires no intervention. To determine TLS ports, Code42 CrashPlan adds 5 to the existing port, so environments using different ports than 4282/4283 must open the ports 5 higher than the existing port number.

Updating Windows firewall rules
Windows Code42 servers upgraded to 5.3 from an earlier version also require Windows Firewall updates to specifically allow ports 4287 and 4288.

New installations of the Code42 server version 5.3 do not need to update Windows Firewall.
Validating ports in use
To check whether the server is listening (or has an established connection) on a specific port, enter the following Terminal or Command Prompt command; substitute 4288 to check the server-to-server port:
  • Linux/OS X (run with sudo to see sockets owned by the service account): lsof -nP -i :4287
  • Windows: netstat -ano | findstr :4287

Contact our Customer Champions for Code42 CrashPlan support or CrashPlan for Small Business (previously CrashPlan PRO) support if ports 4287 and 4288 are already in use by another application.

Step 2: Enable outbound TLS connections

Enabling outbound TLS connections requires entering two separate commands in the administration console command-line interface (CLI): one to enable outbound TLS connections between servers and one to enable connections with CrashPlan apps.

  1. Sign in to the administration console.
  2. Double-click the Code42 logo in the upper left corner.
    The command-line interface appears.
  3. Enter the following command to enable server connections: setting.set system c42.sabre.outgoing_server_enabled true
  4. Enter one of the following commands to enable CrashPlan app connections. Connections can be enabled system-wide or for a specific organization:
    • To enable system-wide, enter: setting.set system c42.sabre.outgoing_client_enabled true
    • To enable for a specific organization, replace <orgID> with the organization ID and enter: setting.set org c42.sabre.outgoing_client_enabled true <orgID>

Step 3: Increase Windows stack size

Only applies to Windows Code42 servers upgraded to 5.3 from an earlier version. New installations of the Code42 server version 5.3 can skip this step.

For optimal performance, Windows Code42 servers need the Java thread stack size (the -Xss parameter) increased to 256 kilobytes (KB) after enabling TLS connections. To change this value:

  1. Use the Windows Services tool to stop the Code42 server service.
  2. Right-click Notepad or another plain text editor, and select Run as administrator.
  3. From within the text editor, open C:\Program Files\CrashPlan PROe Server\CrashPlanPROServer.ini
  4. Locate the line beginning with Virtual Machine Parameters.
  5. Change -Xss128K to -Xss256K.
  6. Save the changes to the file.
  7. Use the Windows Services tool to restart the Code42 server service.

Step 4: Restart all Code42 servers

TLS messaging is not enabled until after a restart.

  1. Sign in to the administration console on the master server.
  2. Navigate to Destinations > Servers.
  3. For each server:
    1. Select a server.
    2. Click the action menu, and select Restart Server.

Step 5: Restart CrashPlan apps

The CrashPlan app continues to communicate using the custom protocol until the CrashPlan service is restarted on each device. Choose one of the following options to restart the service:

  1. Restart the CrashPlan service via the CrashPlan app command-line interface (CLI); the exact steps depend on your CrashPlan app version.
  2. Restart each device, which also restarts the CrashPlan service.
CrashPlan app upgrades
Upgrading to the latest version of the CrashPlan app automatically restarts the CrashPlan service. Therefore, if possible, follow steps 1 - 4 above to enable TLS on your Code42 server before upgrading the CrashPlan app on user devices. If you upgrade CrashPlan apps to version 5.3 after TLS is enabled on the Code42 server, you do not need to manually restart each device as described in this step.

Step 6: Verify that your environment communicates over TLS

  1. Sign in to the administration console.
  2. Go to Settings > Server.
  3. Next to System logs, click View.
    The Logs view appears.
  4. From the list, choose the com_backup42_app.log Code42 server log file.
  5. Search for this line to verify that your Code42 environment is communicating over TLS:
    [08.29.16 21:15:12.584 INFO  re-event-2-1 handler.AppProtocolStartListener] SABRE:: TLS connection established. version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, channel=[id: 0xde7cee54, L:/10.43.32.218:4287 - R:/162.222.47.218:55074]
  6. Repeat steps 1 to 5 on each Code42 server in your environment.
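Searching the log by hand works for one server; across a fleet you want the check scripted. The script below is an added example, not part of this article and not Code42 tooling. It parses com_backup42_app.log lines in the format shown in Step 3 of the 5.4 section and Step 6 above, counts established TLS connections per listening port (4287 client-to-server, 4288 server-to-server), and flags anything that is not TLSv1.2 or that negotiated a cipher suite from a hypothetical deny list. The first sample line is the one from the article; the others are constructed for the demo.

```python
"""Audit Code42 server logs for 'SABRE:: TLS connection established' events.

Added example, not Code42's code.  Assumes the log line layout shown in the
article; the deny list of cipher-suite markers is a hypothetical policy.
"""
import re
from collections import Counter

# One SABRE TLS line: [timestamp LEVEL thread logger] SABRE:: ... channel=[...]
TLS_LINE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) +(?P<level>[A-Z]+) +"
    r"(?P<thread>\S+) +(?P<logger>\S+)\] SABRE:: TLS connection established\. "
    r"version=(?P<version>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"channel=\[id: (?P<chan>0x[0-9a-f]+), "
    r"L:/(?P<lip>[0-9.]+):(?P<lport>\d+) - R:/(?P<rip>[0-9.]+):(?P<rport>\d+)\]$"
)

# Listening ports per the article: 4287 client-to-server, 4288 server-to-server.
PORT_ROLE = {4287: "client-to-server", 4288: "server-to-server"}
EXPECTED_VERSION = "TLSv1.2"            # the article: servers use TLS 1.2
# Hypothetical deny list: suite names containing these must never appear.
WEAK_MARKERS = ("_NULL_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_anon_")


def parse_tls_line(line):
    """Return a dict for a TLS-established line, or None for any other line."""
    m = TLS_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
    d["role"] = PORT_ROLE.get(d["lport"], "unexpected-port")
    d["issues"] = []
    if d["version"] != EXPECTED_VERSION:
        d["issues"].append("version:" + d["version"])
    if any(w in d["cipher"] for w in WEAK_MARKERS):
        d["issues"].append("weak-cipher:" + d["cipher"])
    if d["role"] == "unexpected-port":
        d["issues"].append("port:%d" % d["lport"])
    return d


def audit(lines):
    """Summarise TLS connections in an iterable of log lines."""
    conns = [c for c in (parse_tls_line(l) for l in lines) if c]
    return {
        "tls_connections": len(conns),
        "by_role": dict(Counter(c["role"] for c in conns)),
        "peers": sorted({c["rip"] for c in conns}),
        "flagged": [(c["chan"], c["issues"]) for c in conns if c["issues"]],
    }


SAMPLE_LOG = [
    # Line quoted in the article.
    "[08.29.16 21:15:12.584 INFO  re-event-2-1 handler.AppProtocolStartListener] "
    "SABRE:: TLS connection established. version=TLSv1.2, "
    "cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "
    "channel=[id: 0xde7cee54, L:/10.43.32.218:4287 - R:/162.222.47.218:55074]",
    # Constructed: a storage server connecting on the server-to-server port.
    "[08.29.16 21:16:01.102 INFO  re-event-2-2 handler.AppProtocolStartListener] "
    "SABRE:: TLS connection established. version=TLSv1.2, "
    "cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
    "channel=[id: 0x0a1b2c3d, L:/10.43.32.218:4288 - R:/10.43.32.219:60112]",
    # Constructed: unrelated line that must be ignored.
    "[08.29.16 21:16:05.000 INFO  main app.Startup] Backup engine ready",
    # Constructed: a negotiation that must not happen in a TLS 1.2 environment.
    "[08.29.16 21:17:30.500 INFO  re-event-2-3 handler.AppProtocolStartListener] "
    "SABRE:: TLS connection established. version=TLSv1.1, "
    "cipher=TLS_RSA_WITH_RC4_128_SHA, "
    "channel=[id: 0xbeef0001, L:/10.43.32.218:4287 - R:/192.0.2.44:50001]",
]

if __name__ == "__main__":
    # Real use: audit(open("com_backup42_app.log", encoding="utf-8"))
    for key, value in audit(SAMPLE_LOG).items():
        print(key, "=", value)
```

A server whose log yields zero matches after the restart has not established a single TLS session and is still on the custom protocol; a "flagged" entry means the peer negotiated something your policy does not allow and is worth tracing by the channel id.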

(Optional) Disable non-TLS communication

If you wish to disable non-TLS communications, block ports 4282 and 4283 in your network. Do this only after Step 6 confirms that every server is establishing TLS connections: once these ports are blocked, a failed TLS connection cannot fall back to the custom protocol, and the affected servers and devices stop communicating until the TLS problem is fixed.
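Opening the TLS ports (Step 1 in both version sections) and then blocking the legacy ports are easy to get half right on a fleet with storage servers behind different firewalls. The following script is an added example, not part of this article and not Code42 tooling: it applies the article's "base port plus 5" rule to derive the TLS ports for each server, probes plain TCP reachability of the TLS pair and the legacy pair, and reports a failure if a TLS port does not answer or, once you have decided to block the custom protocol, if a legacy port still does. The server names are placeholders; the probe only checks that a TCP handshake completes and does not speak the Code42 protocol.

```python
"""Port check for a Code42 TLS rollout.

Added example, not Code42's own tooling.  Assumes TCP reachability is the
property to verify; hostnames in the inventory are placeholders.
"""
import socket


def tls_ports(primary=4282, secondary=4283):
    """Article rule: each TLS port is the configured messaging port plus 5
    (4282 -> 4287, 4283 -> 4288)."""
    return primary + 5, secondary + 5


def port_open(host, port, timeout=2.0):
    """True if a TCP handshake completes.  Refused, filtered and timed-out
    connections all count as closed (every failure is an OSError subclass)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_server(host, primary=4282, secondary=4283,
                 legacy_must_be_closed=False, probe=port_open):
    """Probe the TLS pair and the legacy pair on one server.

    'ok' is True only when both TLS ports answer and, if legacy_must_be_closed,
    neither legacy port does.  'probe' is injectable so the decision logic can
    be exercised without a network."""
    tls = {p: probe(host, p) for p in tls_ports(primary, secondary)}
    legacy = {p: probe(host, p) for p in (primary, secondary)}
    ok = all(tls.values()) and not (legacy_must_be_closed and any(legacy.values()))
    return {"host": host, "tls": tls, "legacy": legacy, "ok": ok}


def loopback_demo():
    """Bind a throwaway loopback listener, probe it, close it, probe again.
    Returns (open_while_listening, open_after_close); expected (True, False)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))        # port 0: let the kernel pick a free port
    s.listen(5)
    port = s.getsockname()[1]
    before = port_open("127.0.0.1", port)
    s.close()
    return before, port_open("127.0.0.1", port)


if __name__ == "__main__":
    # Placeholder inventory: master plus storage servers; one uses custom base ports.
    servers = [("master.example.internal", 4282, 4283),
               ("storage01.example.internal", 4282, 4283),
               ("storage02.example.internal", 5282, 5283)]
    for host, pri, sec in servers:
        r = check_server(host, pri, sec, legacy_must_be_closed=True)
        print("PASS" if r["ok"] else "FAIL", host, "tls", r["tls"], "legacy", r["legacy"])
    print("loopback self-check:", loopback_demo())
```

Run it from a network position that represents your clients (for 4287) and from each server (for 4288), since a port that is open from the master but filtered from a storage server is exactly the case that silently falls back to the custom protocol while 4282/4283 are still reachable.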

 

(Optional) Disable inbound TLS connections

By default, Code42 server version 5.3 allows inbound communication (listening) on ports 4287 and 4288. If, for security reasons, you want to prevent incoming communication on these ports, follow these steps to disable inbound TLS messaging:

  1. Sign in to the administration console.
  2. Double-click the Code42 logo in the upper left corner.
    The command-line interface appears.
  3. Enter the following command: setting.set system c42.sabre.listen_enabled false
  4. Navigate to Destinations > Servers.
  5. For each server:
    1. Select a server.
    2. Click the action menu, and select Restart Server.

(Optional) Change event loop threads setting

After enabling TLS messaging, if you see high memory usage or slow throughput while performing client upgrades or data balancing, perform the following steps to change the messaging event loop threads setting:

  1. Sign in to the administration console.
  2. Double-click the Code42 logo in the upper-left corner of the administration console.
    The command-line interface appears.
  3. Enter the following prop.set command to change the messaging event loop threads setting from the default of 4 to 8:

prop.set c42.messaging.event.loop.threads 8 save all

  4. To verify the new setting in your Code42 environment, enter the following command:

prop.show c42.messaging.event.loop.threads
