Enabling TLS server certificate validation among the internal product components
You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the Apache front-end web server (Apache Httpd) and the following product components:
- Application Server
- Web Server
- Data Hub
- Primary Scheduler
- Service Container
- Web Server
- ETL Engine Server (Local and Remote) : Scheduler
If these components are communicating in HTTPS mode, then TLS 1.2 is enabled by default. Complete the following steps to enable server certificate validation:
I. Obtain a signed security certificate
Ensure that you obtain a CA-signed certificate from the security department of your organization or create a request to obtain it from the CA that your organization recommends. For information about creating a request for a signed certificate, see Creating a request for a CA-signed certificate.
The certificate (
<CertificateName>.crt) will be available at the following location:
<Server Installation Directory>/3rd_party/apache2/pki/tls/certs/
II. Install the security certificate
The Application Server and ETL Engine Server use cotruststore.ts truststore to communicate with other components. The truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.
Complete the following procedure on the Application Server and ETL Engine Server:
Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:
export PATH=<Server Installation Directory>/jre/bin:$PATH
Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:
keytool -importcert -trustcacerts -file <path>/<CertificateName>.cert -keystore cotruststore.ts -alias <CertificateName>
When you are prompted, enter the password to access the keystore.
When you are prompted to trust the certificate, enter Yes.
III. Configure the product components to use TLS
Complete the following steps on all the computers that have the Application Server components and ETL Engine Server installed:
Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.
#Example switchTLSmode.pl -on -tspwd -flow internal
Click here for switchTLSmode.pl command details
#Syntax switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]
-h or --help: Prints the help for the command.
-on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.
-dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)
-tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.
-flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.
internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.
auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Remedy Single Sign-On Server or LDAP server) and Application Server.
codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.
externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.
all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.
2. When you are prompted, enter the password to access the truststore.
The communication channels between the internal product components are now TLS 1.2 enabled with server certificate validation.