Configuring BMC Atrium Orchestrator to use HTTPS

To provide an additional layer of security to clients that pass sensitive information over a network, such as logon information and security certificates, you can configure BMC Atrium Orchestrator to use the HTTPS protocol to connect securely to clients.

Notes

  • BMC Atrium Orchestrator installations use HTTPS by default. Use these instructions if you installed BMC Atrium Orchestrator using HTTP and want to reconfigure to HTTPS. 
  • In these instructions, AO_HOME represents the installation directory for the BMC  Atrium Orchestrator component, such as the CDP, HA-CDP, AP, LAP, OCP, repository, or dashboards.

To configure BMC Atrium Orchestrator to use HTTPS

Use this procedure to configure each of the BMC Atrium Orchestrator server components that you want to use HTTPS, including the CDP, the repository, any HA-CDPs, any APs, any LAPs, Operator Control Panel, and Dashboard.

  1. Stop the BMC Atrium Orchestrator services.
  2. On the server, use a text editor to open the AO_HOME\tomcat\conf\server.xml file.
  3. Find the Connector element where the scheme is set to https.
    It contains text similar to the following example:

    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->


    The <!-- text and --> text indicate that this element is a comment.

  4. To make the element active, delete <!-- and -->, as in the following example:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
  5. Check the server.xml file for the following information and, if necessary, update the file to change the values as specified:

    1. In the Connector element, verify that the protocol is set to the following: 
      org.apache.coyote.http11.Http11NioProtocol.
    2. Verify that the cipher and the keystoreFile attributes are set as follows:

      URIEncoding="UTF-8" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
      maxSwallowSize="-1"
      useServerCipherSuitesOrder="true"
      keystoreFile="<InstallationDirectory>/tomcat/conf/.keystore"
  6. Save and close the server.xml file.

  7. In the AO_HOME\tomcat\conf\context.xml file, update the logon URL for the server component:
    • Change http to https.
    • Change the port number to match the Connector port value in the server.xml file.

      Server component

      Property with sample value

      CDP

      <Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://ipAddressOrHost:securePort/baorepo/http"/>

      AP

      <Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=AP1"/>

      LAP

      <Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=LAP1"/>

      HA-CDP

      <Parameter name="com.bmc.ao.HACDP_CONFIGURATION" override="true" value="https://<cdphostname>:<port>/baocdp/ws/install?grid=GRID1&amp;peer=HACDP"/>

      BMC Atrium Orchestrator Operator Control Panel

      <Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baocdp/ws/console"/>

      DashboardNo change change needed.
  8. Continue with setting up the self-signed certificate.

To establish a connection using HTTPS with a self-signed certificate

In production environments, you set up HTTPS with a certificate signed by a certificate authority. In testing or development environments, you can use a self-signed certificate to set up HTTPS.

Note

When creating keystore entries, use the same logon credentials as the user that starts the CDP service. Set the location of the keystore file in the server.xml file. 
For example: keystoreFile="AO_HOME/tomcat/conf/.keystore"

  1. With the CDP services stopped, navigate to the AO_HOME\jvm\bin directory and test for an existing Tomcat keystore entry:
    From a command prompt or terminal session, type the following: 
    keytool -list -alias tomcat -keystore<installationDirectory>/tomcat/conf/.keystore
  2. When prompted, type the keystorePassword.

    Note

    The default password for the keytool utility is changeit. If you change the default password, also change the password listed in the AO_HOME\tomcat\conf\server.xml file.

    The key and the keystore passwords must match. Due to a limitation of the underlying Tomcat engine, the keypass used when storing a key must be the same as the keystore password itself. See the topic Specifying a keystore password.

  3. Perform one of the following actions:
    • If a keystore entry is displayed, meaning that a keystore exists for Tomcat, proceed to step 10.
    • If the message Alias <tomcat> does not exist is displayed, continue with the next step.

      Note

      In addition to the arguments indicated in the commands provided, you can add an argument of -validity days where days is the number of days until the server certificate expires. Although the default value is 90, BMC recommends changing the value to a longer period.
      For more about this and other arguments that you can use for the keytool utility, type keytool and review the -genkey section.

  4. To create a keystore entry, from a command prompt or terminal session, type the following:
    keytool -genkey -alias tomcat -keyalg RSA -keystore AO_HOME/tomcat/conf/.keystore
  5. When prompted, type the keystore password.

    Note

    The keystore password for the certificate that you are creating must match the keystore password in the server.xml file. For more information about changing the keystore password in the server.xml file, see Specifying a keystore password for details.

  6. When prompted, provide user details.
    • What is your first and last name?

      Note

      When promoted for your first and last name, provide the server's fully qualified host name.

    • What is the name of your organizational unit?
    • What is the name of your organization?
    • What is the name of your City or Locality?
    • What is the name of your State or Province?
    • What is the two-letter country code for this unit?
      This information is used for the certificate and is visible only within the certificate.
  7. Review the information displayed and confirm that the information is correct.
  8. When prompted to enter the key password for Tomcat, press Enter.
  9. Start the peer.
  10. Test the keystore by launching the software in a browser using HTTPS protocol and port set in the server.xml file.
    For example, to launch Grid Manager, enter the the following URL:

    https://<IP_or_hostname>:<port>/baocdp/gm/index.jsf