Unsupported content


This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Configuring BMC Atrium Orchestrator to use HTTPS

To provide an additional layer of security to clients that pass sensitive information over a network, such as logon information and security certificates, you can configure BMC Atrium Orchestrator to use the HTTPS protocol to connect securely to clients.


BMC Atrium Orchestrator installations use HTTPS by default. Use these instructions if you installed BMC Atrium Orchestrator using HTTP and want to reconfigure to HTTPS. 

To configure BMC Atrium Orchestrator to use HTTPS

Use this procedure to configure each of the BMC Atrium Orchestrator servers that you want to use HTTPS, including the CDP, the repository, any HA-CDPs, any APs, any LAPs, and BMC Atrium Orchestrator Operator Control Panel.

  1. Stop the BMC Atrium Orchestrator services.
  2. On the server, use a text editor to open the <installationDirectory>\tomcat\conf\server.xml file.
  3. Find the element containing the HTTPS protocol information.
    It contains text similar to the following example:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

    The <!-- text and --> text indicate that this element is a comment.

  4. To make the element active, delete <!-- and -->, as in the following example:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
  5. Save and close the server.xml file.

  6. In the <installationDirectory>\tomcat\conf\context.xml file, update the logon URL for the server component:
    • Change http to https.
    • Change the port number to match the Connector port value in the server.xml file.

      Server component

      Property with sample value


      <Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://ipAddressOrHost:securePort/baorepo/http"/>


      <Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=AP1"/>


      <Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=LAP1"/>

      BMC Atrium Orchestrator Operator Control Panel

      <Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baocdp/ws/console"/>

  7. Continue with setting up the self-signed certificate.

To establish a connection using HTTPS with a self-signed certificate

In production environments, you set up HTTPS with a certificate signed by a certificate authority. In testing or development environments, you can use a self-signed certificate to set up HTTPS.


When creating keystore entries, use the same logon credentials as the user that starts the CDP service. By default, the keystore file is created in your home directory. If you change the directory where the keystore file is located, you need to add that location to the server.xml file.
For example: keystoreFile="C:\Documents and Settings\Administrator\.keystore"

  1. With the CDP services stopped, navigate to the AO_HOME\jvm\bin directory and test for an existing Tomcat keystore entry:
    From a command prompt or terminal session, type keytool -list -alias tomcat.
  2. When prompted, type the keystorePassword.


    The default password for the keytool utility is changeit. If you change the default password, also change the password listed in the BMC Software\AO\tomcat\conf\server.xml file.

    The key and the keystore passwords must match. Due to a limitation of the underlying Tomcat engine, the keypass used when storing a key must be the same as the keystore password itself. See the topic Specifying a keystore password.

  3. Perform one of the following actions:
    • If a keystore entry is displayed, meaning that a keystore exists for Tomcat, proceed to step 10.
    • If the message Alias <tomcat> does not exist is displayed, continue with the next step.


      In addition to the arguments indicated in the commands provided, you can add an argument of -validity days where days is the number of days until the server certificate expires. Although the default value is 90, BMC recommends changing the value to a longer period.
      For more about this and other arguments that you can use for the keytool utility, type keytool and review the -genkey section.

  4. To create a keystore entry, from a command prompt or terminal session, type keytool -genkey -alias tomcat -keyalg RSA.
  5. When prompted, type the keystore password.


    The keystore password for the certificate that you are creating must match the keystore password in the server.xml file. For more information about changing the keystore password in the server.xml file, see Specifying a keystore password for details.

  6. When prompted, provide user details.
    • What is your first and last name?


      When promoted for your first and last name, provide the server's fully qualified host name.

    • What is the name of your organizational unit?
    • What is the name of your organization?
    • What is the name of your City or Locality?
    • What is the name of your State or Province?
    • What is the two-letter country code for this unit?
      This information is used for the certificate and is visible only within the certificate.
  7. Review the information displayed and confirm that the information is correct.
  8. When prompted to enter the key password for Tomcat, press Enter.
  9. Start the peer.
  10. Test the keystore by launching the software in a browser using HTTPS protocol and port set in the server.xml file.
    For example, to launch Grid Manager, enter the following URL:



Was this page helpful? Yes No Submitting... Thank you


  1. Navneet Pare


    1) Since AM is replaced by Atrium SSO hereafter, hows does the repo login url property change in context.xml ?

    2) In case of a CDP-HACDP configuration, how does the login url property in context.xml for AP / LAP / OCP change (if at all) considering that the above sample values reference the baocdp context ?



    Mar 13, 2014 02:10
    1. Dorothy Poole

      Thank you for your comment. I will look into this and update the page when I have more information.

      Dec 05, 2014 07:46
    1. Dorothy Poole

      The team will investigate this information. I created defect BAP-267 to track this work. Once I have details from the team, I'll update the page. Thanks again for your comments.

      Dec 23, 2014 08:58