Configuring BMC Atrium Orchestrator to use HTTPS

To provide an additional layer of security to clients that pass sensitive information over a network, such as logon information and security certificates, you can configure BMC Atrium Orchestrator to use the HTTPS protocol to connect securely to clients.

Note

BMC Atrium Orchestrator installations use HTTPS by default. Use these instructions if you installed BMC Atrium Orchestrator using HTTP and want to reconfigure to HTTPS.

To configure BMC Atrium Orchestrator to use HTTPS

Use this procedure to configure each of the BMC Atrium Orchestrator servers that you want to use HTTPS, including the CDP, the repository, any HA-CDPs, any APs, any LAPs, and BMC Atrium Orchestrator Operator Control Panel.

  1. Stop the BMC Atrium Orchestrator services.
  2. On the server, use a text editor to open the <installationDirectory>\tomcat\conf\server.xml file.
  3. Find the element containing the HTTPS protocol information.
    It contains text similar to the following example:

    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    The <!-- and --> markers indicate that this element is commented out and therefore inactive.

  4. To make the element active, delete <!-- and -->, as in the following example:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
  5. (7.6.03 to 7.8.02 upgrades only) If you are upgrading from BMC Atrium Orchestrator version 7.6.03 to 7.8.02, make the following changes in the server.xml file:

    1. In the Connector element, change the protocol attribute value to org.apache.coyote.http11.Http11NioProtocol.
    2. Add the following attributes to that Connector element in the server.xml file:

      URIEncoding="UTF-8" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
      maxSwallowSize="-1"
      useServerCipherSuitesOrder="true"
  6. Save and close the server.xml file.

  7. In the <installationDirectory>\tomcat\conf\context.xml file, update the logon URL for the server component:
    • Change http to https.
    • Change the port number to match the Connector port value in the server.xml file.

      Server component: property with sample value

      CDP:
      <Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://ipAddressOrHost:securePort/baorepo/http"/>

      AP:
      <Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=AP1"/>

      LAP:
      <Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=LAP1"/>

      BMC Atrium Orchestrator Operator Control Panel:
      <Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baocdp/ws/console"/>

  8. Continue with setting up the self-signed certificate.
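To confirm that the server.xml and context.xml edits above actually took effect, here is an added Python check that is not part of the BMC documentation: it parses both files and reports an HTTPS Connector that is still commented out, logon URLs that still use http, a port that differs from the Connector port, credentials embedded in a URL, and anonymous or 3DES cipher suites from the upgrade list. The file contents and host names are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample files (not from a real installation). The HTTPS
# Connector is still inside <!-- -->, so the audit should flag it.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <!--
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  -->
</Service></Server>"""

CONTEXT_XML = """<Context>
  <Parameter name="com.bmc.ao.REPOSITORY_URL" override="true"
             value="http://cdp.example.test:8080/baorepo/http"/>
  <Environment name="peer-endpoint-urls" override="true" type="java.lang.String"
               value="https://admin:admin123@cdp.example.test:8443/baocdp/ws/console"/>
</Context>"""

# Suites offering no server authentication (anon) or a legacy cipher (3DES)
WEAK_MARKERS = ("_anon_", "3DES")

def audit_https_config(server_xml, context_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # ElementTree drops <!-- --> comments, so a Connector that was left
    # commented out is simply absent from the parsed tree.
    https = [c for c in ET.fromstring(server_xml).iter("Connector")
             if c.get("SSLEnabled") == "true" and c.get("scheme") == "https"]
    https_port = https[0].get("port") if https else None
    if not https:
        findings.append("server.xml: no active HTTPS Connector (still commented out?)")
    for suite in (https[0].get("ciphers", "") if https else "").split(","):
        if any(m in suite for m in WEAK_MARKERS):
            findings.append(f"server.xml: weak cipher suite {suite.strip()}")
    for el in ET.fromstring(context_xml).iter():
        name, value = el.get("name"), el.get("value", "")
        if not value.startswith(("http://", "https://")):
            continue  # not a logon URL
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append(f"context.xml: {name} still uses http")
        elif https_port and str(url.port) != https_port:
            findings.append(f"context.xml: {name} port {url.port} != Connector port {https_port}")
        if url.username:
            findings.append(f"context.xml: {name} embeds credentials in the URL")
    return findings
```

Run it against the real files by reading them into the two arguments; note that the sample PEER_CONFIGURATION values on this page embed admin credentials in the URL, which this check reports so that file permissions on context.xml can be reviewed.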

To establish a connection using HTTPS with a self-signed certificate

In production environments, you set up HTTPS with a certificate signed by a certificate authority. In testing or development environments, you can use a self-signed certificate to set up HTTPS.

Note

When creating keystore entries, use the same logon credentials as the user that starts the CDP service. By default, the keystore file is created in your home directory. If you change the directory where the keystore file is located, you need to add that location to the server.xml file.
For example: keystoreFile="C:\Documents and Settings\Administrator\.keystore"

  1. With the CDP services stopped, navigate to the AO_HOME\jvm\bin directory and test for an existing Tomcat keystore entry:
    From a command prompt or terminal session, type keytool -list -alias tomcat -keystore <keystoreFileName>.
  2. When prompted, type the keystore password.

    Note

    The default password for the keytool utility is changeit. If you change the default password, also change the password listed in the BMC Software\AO\tomcat\conf\server.xml file.

    The key and the keystore passwords must match. Due to a limitation of the underlying Tomcat engine, the keypass used when storing a key must be the same as the keystore password itself. See the topic Specifying a keystore password.

  3. Perform one of the following actions:
    • If a keystore entry is displayed, meaning that a keystore exists for Tomcat, proceed to step 10.
    • If the message Alias <tomcat> does not exist is displayed, continue with the next step.

      Note

      In addition to the arguments indicated in the commands provided, you can add an argument of -validity days where days is the number of days until the server certificate expires. Although the default value is 90, BMC recommends changing the value to a longer period.
      For more about this and other arguments that you can use for the keytool utility, type keytool and review the -genkey section.

  4. To create a keystore entry, from a command prompt or terminal session, type keytool -genkey -alias tomcat -keyalg RSA.
  5. When prompted, type the keystore password.

    Note

    The keystore password for the certificate that you are creating must match the keystore password in the server.xml file. For more information about changing the keystore password in the server.xml file, see Specifying a keystore password.

  6. When prompted, provide user details.
    • What is your first and last name?

      Note

      When prompted for your first and last name, provide the server's fully qualified host name.

    • What is the name of your organizational unit?
    • What is the name of your organization?
    • What is the name of your City or Locality?
    • What is the name of your State or Province?
    • What is the two-letter country code for this unit?
      This information is used for the certificate and is visible only within the certificate.
  7. Review the information displayed and confirm that the information is correct.
  8. When prompted to enter the key password for Tomcat, press Enter.
  9. Start the peer.
  10. Test the keystore by launching the software in a browser using HTTPS protocol and port set in the server.xml file.
    For example, to launch Grid Manager, enter the following URL:

    https://<IP_or_hostname>:<port>/baocdp/gm/index.jsf
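As an added check for the final step (not part of the BMC documentation), the Python functions below connect to the HTTPS Connector port, read the certificate Tomcat serves from the keystore, and report a certificate name that is not the server's fully qualified host name, a self-signed issuer, or a remaining validity shorter than the -validity period you chose. SAMPLE_CERT and the host names are constructed; cafile is assumed to be the Tomcat certificate exported from the keystore with keytool -exportcert -rfc (or a CA chain in production).

```python
import socket
import ssl
import time

# Constructed example in the structure that SSLSocket.getpeercert() returns
# for a self-signed keytool certificate (subject and issuer are identical).
SUBJECT = ((("commonName", "cdp.example.test"),),
           (("organizationalUnitName", "Ops"),),
           (("countryName", "US"),))
SAMPLE_CERT = {
    "subject": SUBJECT,
    "issuer": SUBJECT,
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

def check_cert(cert, expected_host, min_days=90, now=None):
    """Return a list of problems with a getpeercert() dict; [] means it passed."""
    problems = []
    now = time.time() if now is None else now
    # The FQDN typed at the 'first and last name' prompt becomes the CN;
    # CA-issued certificates usually carry it in subjectAltName as well.
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if expected_host not in names:
        problems.append(f"name mismatch: cert is for {sorted(names)}, expected {expected_host}")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed certificate (test/dev only)")
    remaining = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if remaining < min_days:
        problems.append(f"expires in {remaining:.0f} days (< {min_days})")
    return problems

def fetch_and_check(host, port, cafile, min_days=90):
    """Fetch the certificate served on the HTTPS Connector port and check it.
    cafile is the exported Tomcat certificate (or CA chain) to trust; the
    hostname is compared by check_cert so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED  # still validate against cafile
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_cert(tls.getpeercert(), host, min_days)
```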


Comments

  1. Aryan Anantwar
    Hi Team,

    We have a situation where we need to use external (CA authorized-signed) certificate for BAO SSL communication.
    I didn't find any details in BAO docs, related to configure external certificates instead of self-signed certificate.
    Please provide details on it or the link where it is described in docs.

    Regards,
    Aryan
    Mar 27, 2017 06:18
    1. Dorothy Poole

      Hi Aryan. Thank you for your comment. I'm currently investigating with the team about external CA certificates and will respond when I have more information. In the meantime, you may find more information in the Atrium SSO wiki: Managing certificates in BMC Atrium Single Sign-On. I hope that this is helpful.

      Mar 27, 2017 11:08