Configuring BMC Atrium Orchestrator components to communicate with each other over HTTPS
In order for a client component to be able to communicate with another server component over HTTPS, the certificate generated on the server must be imported into the client peer's JVM trust store.
For example, for the CDP to be able to communicate with the repository over HTTPS, you would import the certificate generated on the repository into the CDP's JVM trust store.
The following procedure describes how to import the repository's self-signed certificate file into the CDP trust store. See the Client relationships table for the possible client-server relationships. Complete the following procedure for each client-server pair, replacing the CDP and repository with the appropriate client and server.
Before you begin
Perform the key certificate generation and installation before you configure the client and server computers to support HTTPS, ensuring the certificates that enable HTTPS have not expired.
Notes
- When generating the key certificate, you must specify the host name and not the IP address for the common name (CN).
- In these instructions, AO_HOME represents the installation directory for the BMC Atrium Orchestrator component, such as the CDP, HA-CDP, AP, LAP, OCP, repository, or dashboards.
- The keystore entry on the peer host uses the alias tomcat.
Identify the servers that hold the certificates that the clients need to import. Refer to the following diagram, which depicts a typical single grid architecture.
As shown in the diagram, the CDP is a client of the repository, and must import the repository's certificate. BMC Atrium Orchestrator Development Studio is a client of the CDP and the repository, and must import the CDP's and the repository's certificates. In multi-repository environments, each repository must import the other repository's certificate. In a basic high-availability environment, the CDP must import the repository's and the HA-CDP's certificates, and the HA-CDP must import the repository's and the CDP's certificates. The client-server relationships will vary, depending on your implementation of BMC Atrium Orchestrator.
To export the self-signed certificate file from the keystore on the repository and import it into the CDP trust store
- Stop the BMC Atrium Orchestrator services.
- Log on to the repository server using the same credentials used for starting the repository.
- Open a command prompt and navigate to the AO_HOME/jvm/bin directory on the repository. Enter the following command:
keytool -exportcert -alias tomcat -file tomcat.crt -keystore "<installationDirectory>/tomcat/conf/.keystore"
When prompted, enter the keystore password.
Note
The default password for the keytool utility is changeit. If you change the default password, also change the password listed in the AO_HOME/tomcat/conf/server.xml file. The key and the keystore passwords must match. Due to a limitation of the underlying Tomcat engine, the keypass used when storing a key must be the same as the keystore password itself.
The following line is displayed, indicating that a certificate file called tomcat.crt has been stored in the directory from which the command was entered:
Certificate stored in file <tomcat.crt>
- Using an account with administrative privileges, log on to the CDP computer.
- Copy the tomcat.crt certificate file to the AO_HOME/jvm/lib/security directory on the CDP computer.
- Open a command prompt and navigate to the AO_HOME/jvm/bin directory. Enter the following command:
keytool -importcert -trustcacerts -alias tomcat -file tomcat.crt -keystore cacerts
When prompted, enter the keystore password.
The system returns the certificate details. The details can vary, but the information will look similar to the following example:
Owner: CN=hostname, OU=BMC, O=BMC DCA, L=Herndon, ST=VA, C=US
Issuer: CN=hostname, OU=BMC, O=BMC DCA, L=Herndon, ST=VA, C=US
Serial number: 46bb6dd8
Valid from: Thu Aug 09 15:41:12 EDT 2007 until: Mon Dec 25 14:41:12 EST 2034
Certificate fingerprints:
MD5: 06:0E:D2:82:68:01:6B:3F:84:70:D4:63:68:B2:CE:89
SHA1: CF:F0:94:41:CE:5C:AD:7F:97:52:01:C2:A8:6F:E5:ED:5B:79:32:5B
- When prompted with "Trust this certificate? [no]:", type yes and press Enter.
The statement "Certificate was added to keystore" is displayed.
- Enter the following command:
keytool -importcert -trustcacerts -alias tomcat -file tomcat.crt -keystore jssecacerts
When prompted, enter the keystore password.
The system returns the certificate details. The details can vary, but the information will look similar to the following example:
Owner: CN=hostname, OU=BMC, O=BMC DCA, L=Herndon, ST=VA, C=US
Issuer: CN=hostname, OU=BMC, O=BMC DCA, L=Herndon, ST=VA, C=US
Serial number: 46bb6dd8
Valid from: Thu Aug 09 15:41:12 EDT 2007 until: Mon Dec 25 14:41:12 EST 2034
Certificate fingerprints:
MD5: 06:0E:D2:82:68:01:6B:3F:84:70:D4:63:68:B2:CE:89
SHA1: CF:F0:94:41:CE:5C:AD:7F:97:52:01:C2:A8:6F:E5:ED:5B:79:32:5B
- When prompted with "Trust this certificate? [no]:", type yes and press Enter.
The statement "Certificate was added to keystore" is displayed, confirming that you can start the CDP and Grid Manager over HTTPS.
- Start the BMC Atrium Orchestrator services.
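The export and import steps above as a script, added here as an example that is not part of the BMC documentation. It assumes the AO_HOME layout described in the notes, the standard keytool -printcert, -noprompt and -storepass options, and that cacerts and jssecacerts live under AO_HOME/jvm/lib/security; because the certificate is self-signed and copied between hosts, the CDP side refuses to import it unless its SHA1 fingerprint matches the one printed on the repository and its CN is a host name rather than an IP address.

```shell
#!/usr/bin/env bash
# Added example, not from the BMC documentation: export the repository's
# "tomcat" certificate, then on the CDP verify it before importing it into
# both JVM trust stores (cacerts and jssecacerts).
set -eu

# Assumed locations; adjust to your installation.
AO_HOME="${AO_HOME:-/opt/bmc/AO}"
KEYTOOL="$AO_HOME/jvm/bin/keytool"
SERVER_KEYSTORE="${SERVER_KEYSTORE:-$AO_HOME/tomcat/conf/.keystore}"
STOREPASS="${STOREPASS:-changeit}"   # page default; change it in production

# Extract the SHA1 fingerprint from keytool -printcert output.
sha1_of() { sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p'; }

# Extract the CN from the Owner line of keytool -printcert output.
owner_cn() { sed -n 's/^Owner: CN=\([^,]*\).*/\1/p'; }

# The notes require a host name, not an IP address, as the CN.
cn_is_hostname() {
  case "$1" in
    *[!0-9.]*) return 0 ;;   # has a character that is not a digit or dot
    *)         return 1 ;;   # digits and dots only: an IPv4 literal
  esac
}

# Run on the repository: export the certificate and print its SHA1
# fingerprint so it can be compared on the CDP.
export_server_cert() {
  "$KEYTOOL" -exportcert -alias tomcat -file tomcat.crt \
      -keystore "$SERVER_KEYSTORE" -storepass "$STOREPASS"
  "$KEYTOOL" -printcert -file tomcat.crt | sha1_of
}

# Run on the CDP with the fingerprint recorded on the repository: refuse to
# import a certificate whose fingerprint or CN does not check out.
import_into_trust_stores() {
  local expected_sha1="$1" details actual cn store
  details=$("$KEYTOOL" -printcert -file tomcat.crt)
  actual=$(printf '%s\n' "$details" | sha1_of)
  cn=$(printf '%s\n' "$details" | owner_cn)
  [ "$actual" = "$expected_sha1" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
  cn_is_hostname "$cn" || { echo "CN '$cn' is not a host name" >&2; return 1; }
  for store in cacerts jssecacerts; do
    "$KEYTOOL" -importcert -trustcacerts -noprompt -alias tomcat -file tomcat.crt \
        -keystore "$AO_HOME/jvm/lib/security/$store" -storepass "$STOREPASS"
  done
}
```

Passing -storepass on the command line makes the password visible in the process list; omit it to be prompted interactively, as in the procedure above.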
Client relationships
The HTTPS certificate for each of the component servers listed needs to be copied to the trust store of each of the paired clients. The following table lists the BMC Atrium Orchestrator client/server communication relationships for each type of component.
| Client | Server |
|---|---|
| CDP | Repository, HA-CDP (in a high-availability environment), CDP (for Orca and Legacy web services) |
| HA-CDP | Repository, CDP |
| Repository | Repository (in environments that have multiple repositories, each repository needs to import the certificate of the repository with which it will communicate) |
| AP | CDP, AP (for Legacy web services) |
| LAP | CDP |
| BMC Atrium Orchestrator Development Studio | Repository, CDP |
| BMC Atrium Orchestrator Operator Control Panel | CDP |