Configuring RSA key exchange

RSA is a public key encryption algorithm that uses separate keys for encryption and decryption. You may want to use RSA key exchange if your organization stores sensitive information in Surround SCM and users access the server using a username and password in client applications outside of your network.

If you use RSA key exchange, a public key fingerprint must be imported to all client applications that connect to the server.

1. Choose Tools > Administration > Server Options.

The Server Options dialog box opens with the General category selected.

2. Select Encrypt communication between clients and the server and Use RSA key exchange.

A public key is generated on the server. The Fingerprint field displays the public key fingerprint, which is a short version of the public key. Public and private keys are stored in the rsakeys directory in the Surround SCM application directory on the server computer. To keep these key files secure, make sure only the user that runs the server has read and modify access to them.

If you clear the Use RSA key exchange option, you are prompted that all users will need to modify their server settings. Click Yes if you no longer want to use RSA. Make sure the public key fingerprint is removed from server connection settings in clients and server settings in the registry utility for web and proxy servers.

3. Click Download Public Key to save an XML file that contains the server address, port number, and public key fingerprint.

This file must be distributed to users so they can import it to clients that connect to the server. Make sure the file is securely stored and only administrative users have access to modify it. If a hacker has unauthorized access to the file, changes it, and it is imported to clients, your installation could be hacked.

The server address in the XML file includes the default hostname of the server computer. If users connect to the server from outside the local network, you must manually update the server address in the server settings file before providing it to users.

4. Click OK to save the changes.

5. Import the server settings file to clients that connect to the server.

  • Desktop client—Provide the server settings file to users so they can import it when configuring a server connection. See Adding server connections.
  • CLI—Provide the server settings file to users so they can save it and provide the file path in the -z command when connecting to the server. To learn more, see Surround SCM command-line interface (CLI).
  • Proxy server—Import the server settings file in the proxy server options in the registry utility so users can connect to the server. To learn more, see Proxy servers.
If you suspect the private key on the server was compromised because of unauthorized access, regenerate the public and private key pair. Click Regenerate Key Pair and click OK when you are prompted to generate the new keys. If you regenerate the keys, you must download a new server settings file and update all client applications that connect to the server.