Who is this article for?
- Incydr Professional and Enterprise: no.
- Incydr Basic and Advanced: no.
- CrashPlan Cloud: no.
- Other product plans: yes.
- CrashPlan for Small Business: no.
This article applies to on-premises authority servers.
Transport-layer security (TLS) messaging is an industry standard, RFC-compliant method of providing communications security. Code42 servers use the TLS protocol version 1.2 for server-to-server and client-to-server communication.
This tutorial explains how to ensure your Code42 environment is properly configured to use TLS.
Server security requires a CA-signed certificate and the TLS protocol
Reliable security of any production web server requires an SSL certificate signed by a trusted certificate authority (CA) and enforced use of the TLS protocol (that is, HTTPS, not HTTP).
Your on-premises Code42 authority server is no exception. A Code42 server that is configured to use a signed certificate, strict TLS validation, and strict security headers protects server communications with browsers, your Code42 apps, and other servers.
- By default, your authority server uses a self-signed certificate and TLS. That provides for encrypting client-server traffic.
- Adding a CA-signed certificate provides further security by confirming your server's identity to clients. It prevents attackers from acquiring client data through counterfeit servers and encryption keys.
- Never reconfigure a production server to use HTTP, rather than TLS and HTTPS.
- Configuring Code42 servers and apps to use strict TLS validation further ensures the security of client-server connections.
- Configuring Code42 servers to use an HTTPS Strict Transport Security (HSTS) response header further prevents unencrypted browser access to Code42 consoles.
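The HSTS response header mentioned above only protects browsers if it is present and carries a long enough max-age. The following Python snippet is an added example, not part of the original article or of Code42's software: it parses a Strict-Transport-Security header (RFC 6797 syntax) out of a response header set and reports whether it is missing, malformed, too short, or acceptable. The sample header dictionaries and the one-year minimum are constructed assumptions for illustration.

```python
from typing import Dict

# Constructed sample response header sets, as a console might return them.
# These are illustrative values, not captured from a real Code42 server.
STRICT_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
MISSING_HSTS_HEADERS = {"Content-Type": "text/html"}
SHORT_HSTS_HEADERS = {"Strict-Transport-Security": "max-age=300"}
BROKEN_HSTS_HEADERS = {"Strict-Transport-Security": "includeSubDomains"}

# One year is a commonly recommended minimum max-age (assumption for this example).
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into lower-cased directives (RFC 6797)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_status(headers: Dict[str, str], min_max_age: int = MIN_MAX_AGE) -> str:
    """Return 'ok', 'missing', 'invalid' or 'short' for the HSTS header in a response."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return "missing"
    max_age = parse_hsts(value).get("max-age")
    if max_age is None or not max_age.isdigit():
        return "invalid"  # max-age is mandatory; without it browsers ignore the header
    if int(max_age) < min_max_age:
        return "short"
    return "ok"


if __name__ == "__main__":
    for label, hdrs in [("strict", STRICT_HEADERS), ("missing", MISSING_HSTS_HEADERS),
                        ("short", SHORT_HSTS_HEADERS), ("broken", BROKEN_HSTS_HEADERS)]:
        print(f"{label:8s} -> {hsts_status(hdrs)}")
```

Header lookup is case-insensitive because HTTP header names are; the directive names are lower-cased for the same reason.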
If your authority server is a Code42 managed appliance, contact our Customer Champions about configuration to support TLS. Do not configure your environment on your own.
- TLS is the default messaging protocol for the Code42 environment.
- Client-to-server communications use port 4287.
- Server-to-server communications use port 4288.
- The Legacy port values displayed in the Code42 console were for the Code42 custom protocol in versions 5.3 and earlier. The default ports were 4282 and 4283.
- In the Code42 console, configure the TLS port. The authority server subtracts 5 to calculate the legacy port number.
- In Code42 app configuration, provide the legacy port number. The apps add 5 to calculate the TLS port number.
Ensure TLS is configured
Follow these steps to ensure that all servers in your Code42 environment are able to communicate using TLS.
Step 1: Open TLS ports
Configure your network to allow all Code42 apps and Code42 servers (authority server and storage servers) to communicate over ports 4287 and 4288.
- Sign in to the console.
- Go to Settings > Server > General.
- In the TLS port fields, enter the TLS port numbers. By default, the TLS port number for the primary and secondary network addresses is 4287.
Code42 for Enterprise calculates the legacy port numbers by subtracting 5 from the TLS port numbers.
Validating Ports In Use
To check if the server is listening (or has an established connection) on a specific port, enter the following terminal or command prompt command:
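As an added example that is not part of the original article, the following Python script checks from a client's point of view whether a host accepts TCP connections on the Code42 TLS ports (4287 and 4288) and on the legacy ports derived from them (TLS port minus 5, as the article describes). A connect test does not prove that TLS is negotiated, only that something is listening; the log check in the next step covers the protocol. The throwaway local listener is included only so the script can be tried without a Code42 server; the host name in the usage line is a placeholder.

```python
import socket
from typing import Dict, Iterable, Tuple


def legacy_port(tls_port: int) -> int:
    """Code42's legacy port is the TLS port minus 5 (4287 -> 4282, 4288 -> 4283)."""
    return tls_port - 5


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connect; True if the handshake completes, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_code42_ports(host: str, tls_ports: Iterable[int] = (4287, 4288)) -> Dict[int, bool]:
    """Map each TLS port and its derived legacy port to whether the host accepts connections."""
    results: Dict[int, bool] = {}
    for tls in tls_ports:
        results[tls] = port_is_open(host, tls)
        results[legacy_port(tls)] = port_is_open(host, legacy_port(tls))
    return results


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway loopback listener on an ephemeral port (for trying the check offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Replace with your authority server's host name (placeholder).
    host = "authority.example.invalid"
    for port, open_ in sorted(check_code42_ports(host).items()):
        print(f"{host}:{port} {'open' if open_ else 'closed'}")
```

A port reported as closed may mean the service is down or that a firewall between you and the server blocks it; run the check from the same network segment as the Code42 apps to test what they actually experience.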
Step 2: Verify that your Code42 environment communicates over TLS
- Sign in to the console.
- Go to Settings > Server.
- Next to System logs, click View.
The Logs view appears.
- From the list, choose the com_backup42_app.log Code42 server log file.
- Search for the text "TLS connection established" to verify that your Code42 environment is communicating over TLS, for example:
[08.29.16 21:15:12.584 INFO re-event-2-1 handler.AppProtocolStartListener] SABRE:: TLS connection established. version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, channel=[id: 0xde7cee54, L:/10.43.32.218:4287 - R:/126.96.36.199:55074]
- Repeat steps 1 to 5 on each Code42 server in your Code42 environment.
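Searching the log by hand works for one server, but the "TLS connection established" lines also carry the negotiated version and cipher, which is what a reviewer really wants to see. The following Python script is an added example, not part of the original article: it parses those lines into their fields and flags connections that negotiated a protocol older than TLS 1.2 or a cipher suite worth reviewing. The first sample line is the one quoted in the article (note that its cipher is a CBC suite, which the script flags); the second and third lines are constructed to show the flagging logic and an unrelated line being skipped. The version and cipher policy is an assumption for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Line 1 is quoted from the article; lines 2 and 3 are constructed for this example.
SAMPLE_LOG = """\
[08.29.16 21:15:12.584 INFO re-event-2-1 handler.AppProtocolStartListener] SABRE:: TLS connection established. version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, channel=[id: 0xde7cee54, L:/10.43.32.218:4287 - R:/126.96.36.199:55074]
[08.29.16 21:16:02.001 INFO re-event-2-2 handler.AppProtocolStartListener] SABRE:: TLS connection established. version=TLSv1.0, cipher=TLS_RSA_WITH_AES_128_CBC_SHA, channel=[id: 0x0badf00d, L:/10.43.32.218:4288 - R:/10.43.32.219:50123]
[08.29.16 21:16:10.500 INFO re-event-2-3 handler.SomethingElse] unrelated log line
"""

LINE_RE = re.compile(
    r"^\[(?P<header>[^\]]+)\].*?TLS connection established\. "
    r"version=(?P<version>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"channel=\[id: (?P<chan_id>0x[0-9a-fA-F]+), "
    r"L:/(?P<local>\S+) - R:/(?P<remote>[^\]]+)\]"
)


def parse_tls_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a 'TLS connection established' line, or None for other lines."""
    m = LINE_RE.match(line)
    return dict(m.groupdict()) if m else None


def tls_findings(log_text: str,
                 accepted_versions: Iterable[str] = ("TLSv1.2", "TLSv1.3")) -> List[Dict[str, object]]:
    """Parse every TLS connection line and attach a list of policy issues to each record."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec is None:
            continue
        issues: List[str] = []
        if rec["version"] not in accepted_versions:
            issues.append("legacy protocol version")
        cipher = str(rec["cipher"])
        if "_CBC_" in cipher:
            issues.append("CBC cipher suite")
        if "DHE" not in cipher:  # covers both ECDHE and DHE key exchange
            issues.append("no forward secrecy")
        rec["issues"] = issues
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in tls_findings(SAMPLE_LOG):
        flag = ", ".join(rec["issues"]) or "ok"
        print(f"{rec['local']} <- {rec['remote']} {rec['version']} {rec['cipher']}: {flag}")
```

To run it against a real server, read the com_backup42_app.log file into `tls_findings` instead of `SAMPLE_LOG`; the local address field tells you whether the connection arrived on the client port (4287) or the server-to-server port (4288).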
- Wikipedia: Transport Layer Security