Configuring BMC Atrium Orchestrator to use HTTPS
To provide an additional layer of security to clients that pass sensitive information over a network, such as logon information and security certificates, you can configure BMC Atrium Orchestrator to use the HTTPS protocol to connect securely to clients.
BMC Atrium Orchestrator installations use HTTPS by default. Use these instructions if you installed BMC Atrium Orchestrator using HTTP and want to reconfigure to HTTPS.
To configure BMC Atrium Orchestrator to use HTTPS
Use this procedure to configure each of the BMC Atrium Orchestrator servers that you want to use HTTPS, including the CDP, the repository, any HA-CDPs, any APs, any LAPs, and BMC Atrium Orchestrator Operator Control Panel.
- Stop the BMC Atrium Orchestrator services.
- On the server, use a text editor to open the <installationDirectory>\tomcat\conf\server.xml file.
Find the element containing the HTTPS protocol information.
It contains text similar to the following example:
<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
<!-- text and --
>text indicate that this element is a comment.
To make the element active, delete
<!-- and --
>, as in the following example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
(7.6.03 to 7.8.02 upgrades only) If you are upgrading from BMC Atrium Orchestrator version 7.6.03 to 7.8.02, make the following changes in the server.xml file:
- In the Connector port element, change the protocol to
Add the following attributes to the server.xml file:
URIEncoding="UTF-8" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA" maxSwallowSize="-1" useServerCipherSuitesOrder="true"
- In the Connector port element, change the protocol to
Save and close the server.xml file.
- In the <installationDirectory>\tomcat\conf\context.xml file, update the logon URL for the server component:
- Change http to https.
Change the port number to match the Connector port value in the server.xml file.
Property with sample value
<Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://ipAddressOrHost:securePort/baorepo/http"/>
<Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=AP1"/>
<Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=LAP1"/>
BMC Atrium Orchestrator Operator Control Panel
<Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baocdp/ws/console"/>
- Continue with setting up the self-signed certificate.
To establish a connection using HTTPS with a self-signed certificate
In production environments, you set up HTTPS with a certificate signed by a certificate authority. In testing or development environments, you can use a self-signed certificate to set up HTTPS.
When creating keystore entries, use the same logon credentials as the user that starts the CDP service. By default, the keystore file is created in your home directory. If you change the directory where the keystore file is located, you need to add that location to the server.xml file.
keystoreFile="C:\Documents and Settings\Administrator\.keystore"
- With the CDP services stopped, navigate to the AO_HOME\jvm\bin directory and test for an existing Tomcat keystore entry:
From a command prompt or terminal session, type keytool -list -alias tomcat -keystore <keystoreFileName.
When prompted, type the keystorePassword.
The default password for the keytool utility is changeit. If you change the default password, also change the password listed in the BMC Software\AO\tomcat\conf\server.xml file.
The key and the keystore passwords must match. Due to a limitation of the underlying Tomcat engine, the keypass used when storing a key must be the same as the keystore password itself. See the topic Specifying a keystore password.
- Perform one of the following actions:
- If a keystore entry is displayed, meaning that a keystore exists for Tomcat, proceed to step 10.
If the message Alias <tomcat> does not exist is displayed, continue with the next step.
In addition to the arguments indicated in the commands provided, you can add an argument of
-validity dayswhere days is the number of days until the server certificate expires. Although the default value is 90, BMC recommends changing the value to a longer period.
For more about this and other arguments that you can use for the keytool utility, type keytool and review the
- To create a keystore entry, from a command prompt or terminal session, type keytool -genkey -alias tomcat -keyalg RSA.
When prompted, type the keystore password.
The keystore password for the certificate that you are creating must match the keystore password in the server.xml file. For more information about changing the keystore password in the server.xml file, see Specifying a keystore password for details.
- When prompted, provide user details.
What is your first and last name?
When promoted for your first and last name, provide the server's fully qualified host name.
- What is the name of your organizational unit?
- What is the name of your organization?
- What is the name of your City or Locality?
- What is the name of your State or Province?
- What is the two-letter country code for this unit?
This information is used for the certificate and is visible only within the certificate.
- Review the information displayed and confirm that the information is correct.
- When prompted to enter the key password for Tomcat, press Enter.
- Start the peer.
Test the keystore by launching the software in a browser using HTTPS protocol and port set in the server.xml file.
For example, to launch Grid Manager, enter the the following URL: