Important

   

Starting version 8.9.03, BMC Network Automation is renamed to TrueSight Network Automation. This space contains information about BMC Network Automation 8.9.02 and previous versions. For TrueSight Network Automation 8.9.03 and later releases, see the TrueSight Network Automation documentation.

Generating and importing an SSL certificate for the application server

Secure Sockets Layer (SSL) is used to keep sensitive information sent across the Internet encrypted. A proper SSL certificate provides authentication, which ensures that you are sending information to the right server and not to an unintended server. Customers most often send information through several computers. It is possible to avoid intermediate computers from pretending to be your website and trick your users into sending them personal information by using a proper Public Key Infrastructure (PKI), and getting an SSL certificate from a trusted SSL provider.

Starting with version 8.7.00, BMC Network Automation uses the SHA256WithRSA encryption algorithm to generate a self-signed certificate. By default, the size (in bits) for the certificate key is set to 4096. However, you can also generate and import a third-party SSL certificate with a different algorithm or a different key size (greater than or equal to 2048-bits) by modifying the ENA_CERTIFICATE_ALGORITHM and ENA_KEY_NUM_BITS parameters in the setenv file.

Note

BMC Network Automation does not support certificates with key size less than 2048-bits and an encryption algorithm weaker than SHA256WithRSA.

This topic describes how to generate and import a third-party SSL certificate and how to set various parameters in the setenv file if you want to use different parameter values than the default.

List of editable parameters in the setenv file

In addition to ENA_CERTIFICATE_ALGORITHM and ENA_KEY_NUM_BITS, you can modify the following parameters in the setenv file for the SSL certificate that you want to import into the application server:

  • ENA_CERTIFIER_COMMON_NAME
  • ENA_CERTIFIER_ORG_UNIT
  • ENA_CERTIFIER_ORG_NAME
  • ENA_CERTIFIER_LOCALITY
  • ENA_CERTIFIER_STATE
  • ENA_CERTIFIER_COUNTRY
  • ENA_KEY_ALGORITHM
  • ENA_KEY_VALIDITY_DAYS

Note

Step 3 in the following procedures includes the instructions to change the keystore password.

To generate and import an SSL certificate for the application server that is hosted on Windows

  1. Stop the BCA-Networks Web Server service.
  2. (Optional) If you want to generate an SSL certificate with the parameter values (other than the keystore password) different than the default values in the setenv file, perform the following steps:
    1. Navigate to the BCAN_HOME\tools directory and open the setenv file with a text editor.
    2. Modify various parameters in the file.
    3. Save the file.
  3. (This step is required only if you have performed step 2 to change parameter values or if you want to change the keystore password) From the BCAN_HOME\tools directory, run the following command to generate a new self-signed certificate with the required password:

    create_keystore.bat <password>

    Note

    During installation, BMC Network Automation creates the self-signed certificate with a default password, 1emprisa. If you want to change this password, provide the required password; else, provide the default password.

    The following sample messages are displayed:

    Removing old C:\BCA-Networks-Data\.keystore file ... 
    Generating certified key-pair and storing in C:\BCA-Networks-Data\.keystore ...
    Success
  4. Navigate to the BCAN_HOME\java\bin directory and run the following command to view the keystore with the default self-signed certificate:

    keytool.exe -list -v -keystore C:\BCA-Networks-Data\.keystore

    The following sample messages are displayed:

    Enter keystore password: Adm1npaswd
            Keystore type: JKS
            Keystore provider: SUN
            Your keystore contains 1 entry
            Alias name: tomcat
            Creation date: Jan 20, 2015
            Entry type: PrivateKeyEntry
            Certificate chain length: 1
            Certificate[1]:
            Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Issuer: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Serial number: 20b6fde4
            Valid from: Tue Jan 20 11:24:55 CST 2015 until: Thu Dec 27 11:24:55
            CST 2114
            Certificate fingerprints:
                     MD5:  22:55:8B:62:A0:85:6F:B0:82:A2:28:D5:FE:55:90:8A
                     SHA1: 24:17:3B:EB:5D:FF:B4:78:5E:3A:C5:A9:28:C0:0E:64:FB:0B
                     :6A:4A
                     SHA256: F4:5B:E5:0E:74:EB:4B:B1:B2:D2:FA:22:33:CE:D3:5B:6C
                     :24:03:4B:EF:6D:5A:4E:DC:96:92:A0:1E:2B:0C:9C
                     Signature algorithm name: SHA1withRSA
                     Version: 3


    Notice that there is only one alias tomcat, which has the entry type of PrivateKeyEntry.

  5. Run the following command to generate a certificate signing request (CSR) file, for example, BNA.csr, by using the self-signed certificate:

    keytool.exe -certreq -keystore C:\BCA-Networks-Data\.keystore -alias tomcat -file C:\BCA-Networks-Data\BNA.csr

    The following sample message is displayed:

    Enter keystore password: Adm1npaswd
  6. Submit the BNA.csr file to the certification authority (CA) and get the application server certificate.
  7. Obtain the root certificate, and optionally intermediate certificates from the CA if required.
  8. Copy the application server, root, and intermediate certificates to the BCAN_DATA directory.
  9. Import the root CA certificate, as follows:

    1. Run the following command:
      keytool.exe -importcert -keystore C:\BCA-Networks-Data\.keystore -alias root -file C:\BCA-Networks-Data\CA-root.cer

    2. When prompted for the password, enter the default password (1emprisa), or if you have changed the password in step 3, enter the changed password.

    3. Run the following command:
      keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts" -alias root -file C:\BCA-Networks-Data\CA-root.cer

    4. When prompted for the password, enter changeit.

      The following sample messages are displayed, when you run the preceding commands:

     Enter keystore password:  <password>
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08
                     :15:63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86
                     :22:ED:DD:
                     5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            Trust this certificate? [no]:  yes
            Certificate was added to keystore
  10. (Optional) Run the following command to import intermediate CA certificates:

    keytool.exe -importcert -keystore C:\BCA-Networks-Data\.keystore -alias intermediate -file C:\BCA-Networks-Data\CA-intermediate.cer
  11. Run the following command to import the application server certificate:


    keytool.exe -importcert -keystore C:\BCA-Networks-Data\.keystore -alias tomcat -file C:\BCA-Networks-Data\BNA-Certificate.cer

    The following sample messages are displayed:

    Enter keystore password:  Adm1npaswd
          Certificate reply was installed in keystore
  12. Run the following command to view the root and application server certificates in the keystore:

    keytool.exe -list -v -keystore C:\BCA-Networks-Data\.keystore

    The following sample messages are displayed:

    Enter keystore password: Adm1npaswd
            Keystore type: JKS
            Keystore provider: SUN
            Your keystore contains 2 entries
            Alias name: root
            Creation date: Jan 20, 2015
            Entry type: trustedCertEntry
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
                     :63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED
                     :DD:5A
                     :87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            *******************************************
            *******************************************
            Alias name: tomcat
            Creation date: Jan 20, 2015
            Entry type: PrivateKeyEntry
            Certificate chain length: 2
            Certificate[1]:
            Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Issuer: CN=ca-host-name
            Serial number: 3a0000000c0afa89bc8714632500000000000c
            Valid from: Tue Jan 20 11:20:05 CST 2015 until: Wed Jan 20 11:30:05
            CST 2016
            Certificate fingerprints:
                     MD5:  C3:1C:22:08:A6:21:B9:FF:D1:73:29:F6:8C:75:E4:DF
                     SHA1: 3D:08:7C:45:6B:B4:7E:65:BD:7C:E7:F8:4C:1F:6E:9B:05:75
                     :5F:27
                     SHA256: 5A:49:2E:82:53:DD:40:78:E9:D5:68:15:28:38:07:6E:D3
                     :7E:8C:9E
                     :A4:1E:DF:D8:6C:27:9E:8F:FA:E2:15:5F
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            Certificate[2]:
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
                     :63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22
                     :ED:DD:5A
                     :87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
      *******************************************
      *******************************************
    
    

    Notice that there are two aliases, root and tomcat. The root alias is a self-signed trustedCertEntry with only one certificate. However, the tomcat alias is still a PrivateKeyEntry. Now tomcat has two certificates:

    • One for itself: Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US

    • One for its root: Owner: CN=ca-host-name

  13. If you have changed the keystore password in step 3, follow these steps:
    1. Navigate to the BCAN_HOME\utility directory and run BcanMaintenanceTool.cmd. Encrypt the keystore password by selecting Encrypt Product Password as the encryption method.
    2. Navigate to the BCAN_HOME\tomcat\conf directory and update the bna.connector.keystorePass property in the catalina.properties file with the encrypted keystore password generated in the preceding step.
  14. Start the BCA-Networks Web Server service.

Back to top

To generate and import an SSL certificate for the application server that is hosted on Linux

  1. Stop the enatomcat service.
  2. (Optional) If you want to generate an SSL certificate with the parameter values (other than the keystore password) different than the default values in the setenv file, perform the following steps:
    1. Navigate to the BCAN_HOME\tools directory and open the setenv file with a text editor.
    2. Modify various parameters in the file.
    3. Save the file.
  3. (This step is required only if you have performed step 2 to change parameter values or if you want to change the keystore password) From the BCAN_HOME\tools directory, run the following command to generate a new self-signed certificate with the required password:

    ./create_keystore.sh <password>

    Note

    During installation, by default, BMC Network Automation creates the self-signed certificate with a default password, 1emprisa. If you want to change this password, provide the required password; else, provide the default password.

    The following sample messages are displayed:

    removing old /var/bca-networks-data/.keystore file ...
    generating certified key-pair and storing in
    /var/bca-networks-data/.keystore ..
  4. Navigate to the BCAN_HOME/java/bin directory and run the following command to view the keystore with the default self-signed certificate:

    ./keytool -list -v -keystore /var/bca-networks-data/.keystore

    The following sample messages are displayed:

    Enter keystore password: Adm1npaswd
            Keystore type: JKS
            Keystore provider: SUN
            Your keystore contains 1 entry
            Alias name: tomcat
            Creation date: Jan 20, 2015
            Entry type: PrivateKeyEntry
            Certificate chain length: 1
            Certificate[1]:
            Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Issuer: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Serial number: 20b6fde4
            Valid from: Tue Jan 20 11:24:55 CST 2015 until: Thu Dec 27 11:24:55
            CST 2114
            Certificate fingerprints:
                     MD5:  22:55:8B:62:A0:85:6F:B0:82:A2:28:D5:FE:55:90:8A
                     SHA1: 24:17:3B:EB:5D:FF:B4:78:5E:3A:C5:A9:28:C0:0E:64:FB:0B
                     :6A:4A
                     SHA256: F4:5B:E5:0E:74:EB:4B:B1:B2:D2:FA:22:33:CE:D3:5B:6C
                     :24:03:4B:EF:6D:5A:4E:DC:96:92:A0:1E:2B:0C:9C
                     Signature algorithm name: SHA1withRSA
                     Version: 3


    Notice that there is only one alias tomcat, which has the entry type of PrivateKeyEntry.

  5.  Run the following command to generate a certificate signing request (CSR) file, for example, bna.csr, by using the self-signed certificate:

    ./keytool -certreq -keystore /var/bca-networks-data/.keystore -alias tomcat -file /var/bca-networks-data/bna.csr

    The following sample message is displayed:

    Enter keystore password: Adm1npaswd
  6. Submit the bna.csr file to the certification authority (CA) and get the application server certificate.
  7. Obtain the root certificate, and optionally intermediate certificates from the CA if required.
  8. Copy the application server, root, and intermediate certificates to the BCAN_DATA directory.
  9. Import the root CA certificate, as follows:

    1. Run the following command:
      ./keytool -importcert -keystore /var/bca-networks-data/.keystore -alias root -file /var/bca-networks-data/ca-root.cer

    2. When prompted for the password, enter the default password (1emprisa), or if you have changed the password in step 3, enter the changed password.

    3. Run the following command:
      ./keytool -importcert -keystore /opt/bmc/bca-networks/java/lib/security/cacerts -alias root -file /var/bca-networks-data/ca-root.cer

    4. When prompted for the password, enter changeit.

       The following sample messages are displayed, when you run the preceding commands:

     Enter keystore password:  <password>
            Owner: CN=ca-ost-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08
                     :15:63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86
                     :22:ED:DD:
                     5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            Trust this certificate? [no]:  yes
            Certificate was added to keystore
  10. (Optional) Run the following command to import intermediate CA certificates:

    ./keytool -importcert -keystore /var/bca-networks-data/.keystore -alias intermediate -file /var/bca-networks-data/ca-intermediate.cer
  11. Run the following command to import the application server certificate:


    ./keytool -importcert -keystore /var/bca-networks-data/.keystore -alias tomcat -file /var/bca-networks-data/bna-certificate.cer

    The following messages are displayed:

    Enter keystore password:  Adm1npaswd
          Certificate reply was installed in keystore
  12. Run the following command to view the root and application server certificates in the keystore:

    ./keytool -list -v -keystore /var/bca-networks-data/.keystore


    The following sample messages are displayed:

    Enter keystore password: Adm1npaswd
            Keystore type: JKS
            Keystore provider: SUN
            Your keystore contains 2 entries
            Alias name: root
            Creation date: Jan 20, 2015
            Entry type: trustedCertEntry
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
                     :63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED
                     :DD:5A
                     :87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            *******************************************
            *******************************************
            Alias name: tomcat
            Creation date: Jan 20, 2015
            Entry type: PrivateKeyEntry
            Certificate chain length: 2
            Certificate[1]:
            Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Issuer: CN=ca-host-name
            Serial number: 3a0000000c0afa89bc8714632500000000000c
            Valid from: Tue Jan 20 11:20:05 CST 2015 until: Wed Jan 20 11:30:05
            CST 2016
            Certificate fingerprints:
                     MD5:  C3:1C:22:08:A6:21:B9:FF:D1:73:29:F6:8C:75:E4:DF
                     SHA1: 3D:08:7C:45:6B:B4:7E:65:BD:7C:E7:F8:4C:1F:6E:9B:05:75
                     :5F:27
                     SHA256: 5A:49:2E:82:53:DD:40:78:E9:D5:68:15:28:38:07:6E:D3
                     :7E:8C:9E
                     :A4:1E:DF:D8:6C:27:9E:8F:FA:E2:15:5F
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            Certificate[2]:
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
                     :63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22
                     :ED:DD:5A
                     :87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
      *******************************************
      *******************************************
    
    

    Notice that there are two aliases, root and tomcat. The alias root is a self-signed trustedCertEntry with only one certificate. However, the tomcat alias is still a PrivateKeyEntry. Now tomcat has two certificates:

    • One for itself: Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US

    • One for its root: Owner: CN=ca-host-name

  13. If you have changed the keystore password in step 3, follow these steps:
    1. Navigate to the BCAN_HOME/utility directory and run BcanMaintenanceTool.sh. Encrypt the keystore password by selecting Encrypt Product Password as the encryption method.
    2. Navigate to the BCAN_HOME/tomcat/conf directory and update the bna.connector.keystorePass property in the catalina.properties file with the encrypted keystore password generated in the preceding step.
  14. Start the enatomcat service.

Generating and importing an SSL certificate for a remote device agent

Back to top

Was this page helpful? Yes No Submitting... Thank you

Comments