Securing the communication between Entuity Server and TrueSight Operations Management

To secure the communication between Entuity Server and TrueSight Presentation Server, do the following:

  1. Secure the communication between TrueSight Operations Management components. For details, see
  2. Secure the communication between the Entuity Server and TrueSight Presentation Server. Do the following to create and import certificates for the Entuity Server and the Presentation Server. 

The workflow diagram summarizes the process to secure the communication between the Entuity Server and the Presentation Server:

entuity_server_workflow.png

To create a signed certificate for the Entuity Server

The following section guides you to create a signed certificate for the Entuity Server.

  1. Log in to a Linux computer, and do the following: 

    Note: You can use the following commands to create a private key and the Certificate Signing Request (CSR) for Entuity Servers running on both the Windows and Linux computers.

    1. Run the command to create a private key: 

      openssl genrsa -out entuity.key 2048

      Save the entuity.key private key file. You will need it later when the certificate is issued and installed on your server.

    2. Run the command to create a CSR using the private key created in the previous step. The command prompts you to enter the details about the Distinguished Name (DN) such as name, organization details as shown in the following code block. Enter the details accordingly. For some fields there will be a default value, if you enter '.', the field will be left blank.  

      openssl req -new -key entuity.key -out entServer.csr


      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:Texas
      Locality Name (eg, city) []:Houston
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC Software Inc
      Organizational Unit Name (eg, section) []:PANDA Common
      Common Name (e.g. server FQDN or YOUR name) []:xyz.bmc.com
      Email Address []:abc@bmc.com
      Please enter the following 'extra' attributes to be sent with your certificate request A
      challenge password []: <ENTER>
      An optional company name []: <ENTER>

      Common Name: Enter the FQDN of the Entuity Server for which you want to create a CSR.

  2. Send the entServer.csr to the certificate authority (CA) of your organisation for signing.

    • Request the CA to use base64 encoding and send the signed file in .cer format.
    • Request the CA to provide the CA certificate, and also the intermediate certificates if any.
  3. The CA sends the newly generated certificates in the .p7b file format. Perform the following steps from 4-11 to extract the certificate files from the .p7b file. Ideally, the set of CA signed certificates contain a root CA certificate, an intermediate CA certificate, and the certificate generated for the entServer.csr request.

  1. Double-click the .p7b file and navigate to the Certificates folder as shown in the following figure: 

    certificate_folder.png

    • BMC-CA: Name of the root CA certificate.
    • BMC Issuing CA Phx: Name of the intermediate CA certificate.
    • xyz.bmc.com: Name of the private certificate for which the entServer.csr was created. 
  2. Double-click BMC-CA certificate and a Certificate dialog box is displayed.

  3. Click the Details tab, and click Copy to File as shown in the following figure:

    cert_details_tab.png

  4. Certificate Export Wizard dialog box is displayed. Click Next as shown in the following figure:
    cert_export_1.png
  5. You are prompted to select an export file format from a list of file formats. Select Base-64 encoded X.509 (.CER) format and click Next as shown in the following figure:
    cert_export_2.png
  6. Specify a file name, and click Browse to specify the directory location where you want to export this certificate file as shown in the following figure: 
    cert_export_3.png

  7. Click Next after specifying file name details as shown in the following figure: 
    cert_export_5.png

  8. Click Finish to complete the certificate export process as shown in the following figure:
    cert_export_6.png

  9. Repeat steps 4-11 to extract the remaining two certificates.

    The certificate file names may vary depending on the CA signing authority.

  10. Generally, after extracting these certificates, you will have the following certificates:
    1. CA.cer: Root CA signed certificate
    2. ICA.cer: Intermediate certificate
    3. EntuityServer.cer: Certificate specifically generated for the entServer.csr certificate signing request.
  11. Copy the entuity.key, CA.cer, ICA.cer, and EntuityServer.cer files. 
  12. Log in to the computer where the Entuity Server is installed.
  13. Save the copied certificates and the private key to the <ENTUITY_HOME>\etc directory.
  14. Stop the Entuity Server:
    • (Microsoft Windows): Go to Start > Settings > Control Panel, and do the following:
      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the Entuity service on the list of services, highlight, then click Stop
    • (Linux): Go to the <ENTUITY_HOME>/bin directory and run the ./stopeye command.
  15. Go to the <ENTUITY_HOME>\install directory, and run the configuration utility:
    1. (Microsoft Windows) Double-click the configure.exe utility.
    2. (Linux) Run the ./configure gui command.
  16. Click Next till you get the Server Configuration screen, and specify the paths for the EntuityServer.cer , entuity.key, and CA.cer (optional) files, and click Next.
    server_config_tool.png

  17. Click Next till you reach the last configuration screen, and click Configure.

  18. Start the Entuity Server:

    • (Microsoft Windows): Go to Start > Settings > Control Panel, and do the following:
      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the Entuity service on the list of services, highlight, then click Start
    • (Linux): Go to the <ENTUITY_HOME>/bin directory and run the ./starteye command.


  19. Do the following to verify that the newly created certificates have been applied successfully:
    1. Close all browser windows. Open a new web browser window, and type the Entuity Server URL.

    2. If the newly generated certificates are applied appropriately, the https:// window displays secure sign as shown in the following example: 

      secure_EntuityServer.png

  20. Import the Entuity Server certificate into the Presentation Server truststore as explained in the next section.


To import the Entuity Server certificate to the Presentation Server

Once the Entuity Server private certificate is created and secured, import this certificate into the Presentation Server truststore. Do the following:

  1. Log in to the host computer where the Presentation Server is installed.

  2. The keytool utility that is used to import the certificates is present in the <Presentation Server Installation Directory>\truesightpserver\modules\jre\bin directory. Add this directory path to the PATH environment variable by running the following command: 

    #Microsoft Windows
    set PATH=<PresentationServer Installation Directory>\truesightpserver\modules\jre\bin;%PATH%


    #Linux
    export PATH=<PresentationServer Installation Directory>/truesightpserver/modules/jre/bin:$PATH
  3. Go to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory where the cacerts truststore is located.
  4. Take a backup of cacerts file and name it as cacerts-update.
  5. Copy the Entuity server certificates CA.cer, ICA.cer, and EntuityServer.cer to this directory.

  6. List all the keys in the cacerts-update keystore by running the following command: 

    keytool -list -keystore cacerts-update -storetype JKS -storepass changeit

  7. Delete the existing Entuity Server certificate alias from the cacerts-update by running the following command: 

    #Syntax
    keytool.exe -delete -alias <alias name> -keystore <keystore name> -storepass <keystore password>


    #Example
    keytool.exe -delete -alias entuityServer -keystore cacerts-update -storepass changeit

    entuityServer: Entuity Server certificate alias name. If the Entuity Server certificate alias name is different, then use the relevant alias name in the preceding command. If you don't have any existing Entuity Server certificate alias in the cacerts-update truststore, you can ignore this step and proceed to the next step that guides you to import the certificate.

  8. Import the Entuity Server certificate into the cacerts-update truststore by running the following command: 

    keytool -import -alias rootCA -file CA.cer -keystore cacerts-update -storepass changeit
    keytool -import -alias interCA -file ICA.cer -keystore cacerts-update -storepass changeit
    keytool -import -alias EntuityServer -file EntuityServer.cer -keystore cacerts-update -storepass changeit

    Parameter description

    • CA.cer: Name of the root certificate obtained from the Entuity Server. If this name is different, use the relevant file name in the preceding command.
    • ICA.cer: Name of the intermediate certificate obtained from the Entuity Server. If this name is different, use the relevant file name in the preceding command.
    • EntuityServer.cer: Name of the server certificate obtained from the Entuity Server. If this name is different, use the relevant file name in the preceding command.
    • cacerts-update: Presentation Server truststore name
    • changeit: Default password of cacerts-update truststore. 
  9. When you run the preceding command, you are prompted with the following message, type Yes:

    Trust this certificate [no]:
  10. Go to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory where the cacerts file is located.
  11. Rename the cacerts file to cacerts.orig
  12. Copy cacerts-update to cacerts.
  13. Restart the Presentation Server.


To create a signed certificate for the Presentation Server

Ensure that you have created a private certificate for the Presentation Server and secured it. For details, see Implementing private certificates in the TrueSight Presentation Server.


To import the Presentation Server certificate to the Entuity Server

Do the following:

  1. Open a new web browser window, and type the TrueSight Presentation Server URL.

  2. Click the certificate icon in the browser’s address bar, and click View certificates, as shown in the following example:
    tsps_new_import.png

  3. Select the Details tab, and click the Copy to File to export the certificate from the TrueSight Presentation Server.
    tsps_new_import2.png
    The Certificate Export wizard is displayed. 

  4. Select DER X.509 as the file format.
    tspsCert_import4.png

  5. Log in to the host computer on which the Entuity Server is installed, and save the certificates to a temporary directory location on the Entuity Server.
  6. Go to the <ENTUITY_HOME>\bin directory.

  7. Run the following command to import the Presentation Server certificate: 

    #syntax
    certtool -import -file <Path to cert file> -alias <cert alias name>

    #Example - Microsoft Windows
    certtool -import -file F:\certs\tsps.cer -alias tspscert


    #Example - Linux
    ./certtool -import -file /tmp/tsps.cer -alias tspscert
    • This command imports the certificates into the following truststores:
      • Entuity Server default truststore: <ENTUITY_HOME>\etc\entuity_certs
      • Default JRE trust store: <ENTUITY_HOME>\install\JRE\lib\security\cacerts
    • tsps.cer: Name of the Presentation Server certificate. In this example, the certificate is located in the following temporary directory. If the certificate is present in a different directory, use the relevant directory name in the preceding command:
      • (Microsoft Windows): F:\certs
      • (Linux): /tmp/tsps.cer
    • tspscert: Name of the Presentation Server certificate alias.
  8. Restart the Entuity Server:
    • (Microsoft Windows): Go to Start > Settings > Control Panel, and do the following:
      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the Entuity service on the list of services, highlight, then click Stop
      3. After the Entuity service is stopped, click Start.
    • (Linux): Go to the <ENTUITY_HOME>/bin directory and run the following commands:
      1. ./stopeye
      2. ./starteye
  9. After you have completed creating and importing certificates for the Entuity Server and the Presentation Server, add Entuity Server as a component in the Presentation Server.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*