Securing the communication between Entuity Server and TrueSight Operations Management
To secure the communication between Entuity Server and TrueSight Presentation Server, do the following:
- Secure the communication between TrueSight Operations Management components. For details, see
- Secure the communication between the Entuity Server and TrueSight Presentation Server. Do the following to create and import certificates for the Entuity Server and the Presentation Server.
The workflow diagram summarizes the process to secure the communication between the Entuity Server and the Presentation Server:
To create a signed certificate for the Entuity Server
The following section guides you to create a signed certificate for the Entuity Server.
Log in to a Linux computer, and do the following:
Note: You can use the following commands to create a private key and the Certificate Signing Request (CSR) for Entuity Servers running on either Windows or Linux computers.
Run the command to create a private key:
openssl genrsa -out entuity.key 2048
Save the entuity.key private key file. You will need it later when the certificate is issued and installed on your server.
Run the command to create a CSR using the private key created in the previous step. The command prompts you to enter the Distinguished Name (DN) details, such as name and organization details, as shown in the following code block. Enter the details accordingly. Some fields have a default value. If you enter '.', the field is left blank.
openssl req -new -key entuity.key -out entServer.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Houston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC Software Inc
Organizational Unit Name (eg, section) []:PANDA Common
Common Name (e.g. server FQDN or YOUR name) []:xyz.bmc.com
Email Address []:abc@bmc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <ENTER>
An optional company name []: <ENTER>
Send the entServer.csr to the certificate authority (CA) of your organisation for signing.
- The CA sends the newly generated certificates in the .p7b file format. Perform steps 4-11 to extract the certificate files from the .p7b file. Ideally, the set of CA signed certificates contains a root CA certificate, an intermediate CA certificate, and the certificate generated for the entServer.csr request.
Double-click the .p7b file and navigate to the Certificates folder as shown in the following figure:
- Double-click BMC-CA certificate and a Certificate dialog box is displayed.
Click the Details tab, and click Copy to File as shown in the following figure:
- Certificate Export Wizard dialog box is displayed. Click Next as shown in the following figure:
- You are prompted to select an export file format from a list of file formats. Select Base-64 encoded X.509 (.CER) format and click Next as shown in the following figure:
- Specify a file name, and click Browse to specify the directory location where you want to export this certificate file as shown in the following figure:
- Click Next after specifying file name details as shown in the following figure:
- Click Finish to complete the certificate export process as shown in the following figure:
Repeat steps 4-11 to extract the remaining two certificates.
- Generally, after extracting these certificates, you will have the following certificates:
- CA.cer: Root CA signed certificate
- ICA.cer: Intermediate certificate
- EntuityServer.cer: Certificate specifically generated for the entServer.csr certificate signing request.
- Copy the entuity.key, CA.cer, ICA.cer, and EntuityServer.cer files.
- Log in to the computer where the Entuity Server is installed.
- Save the copied certificates and the private key to the <ENTUITY_HOME>\etc directory.
- Stop the Entuity Server:
- (Microsoft Windows): Go to Start > Settings > Control Panel, and do the following:
- Double-click the Services icon to launch the Services dialog box.
- Locate the Entuity service on the list of services, highlight, then click Stop.
- (Linux): Go to the <ENTUITY_HOME>/bin directory and run the ./stopeye command.
- Go to the <ENTUITY_HOME>\install directory, and run the configuration utility:
- (Microsoft Windows) Double-click the configure.exe utility.
- (Linux) Run the ./configure gui command.
- Click Next till you get the Server Configuration screen, and specify the paths for the EntuityServer.cer, entuity.key, and CA.cer (optional) files, and click Next.
- Click Next till you reach the last configuration screen, and click Configure.
Start the Entuity Server:
- (Microsoft Windows): Go to Start > Settings > Control Panel, and do the following:
- Double-click the Services icon to launch the Services dialog box.
- Locate the Entuity service on the list of services, highlight, then click Start.
- (Linux): Go to the <ENTUITY_HOME>/bin directory and run the ./starteye command.
- Do the following to verify that the newly created certificates have been applied successfully:
- Close all browser windows. Open a new web browser window, and type the Entuity Server URL.
If the newly generated certificates are applied appropriately, the browser window displays the secure sign for the https:// URL, as shown in the following example:
- Import the Entuity Server certificate into the Presentation Server truststore as explained in the next section.
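Before running the configuration utility in the procedure above, the extracted files can be checked for consistency on any computer that has openssl. The following script is an added example, not part of the original documentation: the file names are the ones used on this page, the function names are hypothetical, and it assumes OpenSSL 1.1.1 or later and Base-64 encoded .cer files as exported in steps 4-11.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on the files copied to <ENTUITY_HOME>/etc.
# File names are the page's; function names are hypothetical.
# Assumes OpenSSL 1.1.1 or later and Base-64 (PEM) encoded .cer files.

# True when the certificate carries the public key of the given private key.
key_matches_cert() {   # $1 = private key, $2 = certificate
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True when server certificate -> intermediate -> root builds a valid chain.
chain_verifies() {     # $1 = root CA, $2 = intermediate CA, $3 = server cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# True when the certificate is readable and has not expired.
not_expired() {        # $1 = certificate
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check against one directory; returns non-zero if any check fails.
preflight() {          # $1 = directory holding the four files
    local d rc c
    d=$1; rc=0
    key_matches_cert "$d/entuity.key" "$d/EntuityServer.cer" ||
        { echo "FAIL: entuity.key is not the key for EntuityServer.cer"; rc=1; }
    chain_verifies "$d/CA.cer" "$d/ICA.cer" "$d/EntuityServer.cer" ||
        { echo "FAIL: EntuityServer.cer does not chain to CA.cer via ICA.cer"; rc=1; }
    for c in CA.cer ICA.cer EntuityServer.cer; do
        not_expired "$d/$c" ||
            { echo "FAIL: $c is missing, unreadable or expired"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: key, chain and validity dates are consistent"
    return "$rc"
}

# Usage: ./preflight.sh <directory>   (runs only when a directory is given)
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

A key mismatch here usually means the CSR was generated from a different private key than the one being installed, and a chain failure usually means the wrong certificate was exported as ICA.cer or CA.cer.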
To import the Entuity Server certificate to the Presentation Server
Once the Entuity Server private certificate is created and secured, import this certificate into the Presentation Server truststore. Do the following:
- Log in to the host computer where the Presentation Server is installed.
The keytool utility that is used to import the certificates is present in the <Presentation Server Installation Directory>\truesightpserver\modules\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
#Microsoft Windows
set PATH=<PresentationServer Installation Directory>\truesightpserver\modules\jre\bin;%PATH%
#Linux
export PATH=<PresentationServer Installation Directory>/truesightpserver/modules/jre/bin:$PATH
- Go to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory where the cacerts truststore is located.
- Take a backup of the cacerts file and name it cacerts-update.
- Copy the Entuity server certificates CA.cer, ICA.cer, and EntuityServer.cer to this directory.
List all the keys in the cacerts-update keystore by running the following command:
keytool -list -keystore cacerts-update -storetype JKS -storepass changeit
Delete the existing Entuity Server certificate alias from the cacerts-update by running the following command:
#Syntax
keytool.exe -delete -alias <alias name> -keystore <keystore name> -storepass <keystore password>
#Example
keytool.exe -delete -alias entuityServer -keystore cacerts-update -storepass changeit
Import the Entuity Server certificates into the cacerts-update truststore by running the following commands:
keytool -import -alias rootCA -file CA.cer -keystore cacerts-update -storepass changeit
keytool -import -alias interCA -file ICA.cer -keystore cacerts-update -storepass changeit
keytool -import -alias EntuityServer -file EntuityServer.cer -keystore cacerts-update -storepass changeit
- When you run the preceding commands, you are prompted with the following message. Type Yes:
Trust this certificate [no]:
- Go to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory where the cacerts file is located.
- Rename the cacerts file to cacerts.orig
- Copy cacerts-update to cacerts.
- Restart the Presentation Server.
To create a signed certificate for the Presentation Server
Ensure that you have created a private certificate for the Presentation Server and secured it. For details, see Implementing private certificates in the TrueSight Presentation Server.
To import the Presentation Server certificate to the Entuity Server
Do the following:
- Open a new web browser window, and type the TrueSight Presentation Server URL.
- Click the certificate icon in the browser’s address bar, and click View certificates, as shown in the following example:
- Select the Details tab, and click Copy to File to export the certificate from the TrueSight Presentation Server.
The Certificate Export wizard is displayed.
- Select DER X.509 as the file format.
- Log in to the host computer on which the Entuity Server is installed, and save the certificates to a temporary directory location on the Entuity Server.
- Go to the <ENTUITY_HOME>\bin directory.
Run the following command to import the Presentation Server certificate:
#syntax
certtool -import -file <Path to cert file> -alias <cert alias name>
#Example - Microsoft Windows
certtool -import -file F:\certs\tsps.cer -alias tspscert
#Example - Linux
./certtool -import -file /tmp/tsps.cer -alias tspscert
- Restart the Entuity Server:
- (Microsoft Windows): Go to Start > Settings > Control Panel, and do the following:
- Double-click the Services icon to launch the Services dialog box.
- Locate the Entuity service on the list of services, highlight, then click Stop.
- After the Entuity service is stopped, click Start.
- (Linux): Go to the <ENTUITY_HOME>/bin directory and run the following commands:
- ./stopeye
- ./starteye
- After you have completed creating and importing certificates for the Entuity Server and the Presentation Server, add Entuity Server as a component in the Presentation Server.