Configuring the UI communication channels (Tomcat)

This page describes how to configure the communication channel (the Tomcat server).

Configuration overview

You configure the secure transport protocol and cipher suite in the Tomcat server's server.xml files for each of the following product UIs: Grid Manager, Operator Control Panel, the repository, and the dashboards.

  • The protocol and allowed cipher suites are defined in the Connector element in the file.
  • The cipher suite is listed in the ciphers attribute.

An example of the server.xml file entry is provided in the instructions on this page.

Note

If you change the protocol and cipher suite settings for the internal communication channel, BMC Software recommends that you use the same settings for all product UIs, such as the OCP, APs, LAPs, the repository, and dashboards.

Secure transport protocols

The following table lists the supported secure transport protocol values. Supported versions are based on the secure provider implementation configured for your environment.

Secure transport protocol value    Supported versions
TLS                                Supports some versions of TLS.
TLSv1                              Supports RFC 2246: TLS version 1.0; may support other versions.
TLSv1.1                            Supports RFC 4346: TLS version 1.1; may support other versions.
TLSv1.2                            Supports RFC 5246: TLS version 1.2; may support other versions.

Cipher suites

For a list of cipher suites that you can use for SSL connections, see Cipher suites.

The current release installs Java SE Runtime Environment (build 1.8.0_202). The cipher suites listed in Cipher suites are installed with the release. Cipher suites listed as default are enabled. Unless a different list is defined for SSL, handshaking on an SSL connection will use one of these cipher suites.

Before you begin

Before configuring the UI communication channel, ensure that you have completed the following:

  • Checked your web browser documentation for information about supported protocols and cipher suites. Ensure that the protocol you choose supports the cipher suites you use.
  • Checked with your network administrator to ensure that the chosen protocol and cipher suites are supported by your network environment.
  • Planned for a shutdown of your environment, which occurs when you configure UI communication channels.
  • Made backup copies of the server.xml file for each component (such as the CDP, OCP, repository, or dashboards). See Configuring the UI communication channels for file locations.

    Warning

    It is very important that you back up the server.xml files for each component, so that you can revert to the original files if needed.

Configuring the UI communication channels 

When you configure the UI communication channel, you need to shut down the UI server, resulting in a shutdown of your environment. Ensure that you plan for this shutdown.

The server.xml file that you modify in these instructions is stored in the following locations (AO_HOME represents the installation directory for the component, such as the CDP, HA-CDP, AP, LAP, OCP, repository, or dashboards):

  • Grid Manager (AO_HOME/CDP/tomcat/conf)
  • Operator Control Panel (AO_HOME/OCP/tomcat/conf)
  • Repository (AO_HOME/REPO/tomcat/conf)
  • Dashboards (AO_HOME/DASHBOARD/tomcat/conf)

To configure the UI communication channels

  1. Shut down the UI server for the product UI, such as Grid Manager CDP, OCP, repository, or dashboards (see Starting and stopping product components and services).
  2. Navigate to the appropriate tomcat/conf directory (listed above) and edit the server.xml file, making the following two changes in the <Connector> element (use the example server.xml file entry as a guideline):

    <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" keystoreFile="E:\Program Files\BMC Software\BAO\AP\tomcat\conf\.keystore" maxThreads="150" port="38080" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
    • Change the protocol string in the sslProtocol value if applicable.

    • Add the cipher suite name to the ciphers attribute value.

  3. Repeat this process for each UI. 
  4. Restart the UI server.
  5. Using a browser, connect to the UI and check that it is working.
  6. If you have any problems connecting to the UI, check the Tomcat log files (named localhost.date.log).
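The following Python script is an added example, not part of the BMC documentation or product. It audits the two settings this procedure changes (sslProtocol and ciphers) on every TLS-enabled Connector in a server.xml and separates legacy suites from the rest. The names audit_connectors, WEAK_MARKERS and SAMPLE_SERVER_XML and the marker list are assumptions of this example; the sample input is this page's Connector entry wrapped in a constructed skeleton.

```python
import xml.etree.ElementTree as ET

# Substrings that mark cipher suites generally considered weak (RC4 is
# prohibited in TLS by RFC 7465). This marker list is the example's own choice.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "MD5", "NULL", "EXPORT", "anon")

# Constructed sample: the Connector entry from this page, wrapped in a minimal
# Server/Service skeleton so that it parses as a complete document.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false"
      keystoreFile="E:\Program Files\BMC Software\BAO\AP\tomcat\conf\.keystore"
      maxThreads="150" port="38080" protocol="HTTP/1.1" scheme="https"
      secure="true" sslProtocol="TLS"
      ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
               TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
               SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return one finding per TLS-enabled <Connector> in a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # connectors without SSLEnabled carry no TLS settings
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
        findings.append({
            "port": conn.get("port"),
            "sslProtocol": conn.get("sslProtocol"),
            # No ciphers attribute means the provider's default list is used.
            "explicit_cipher_list": bool(suites),
            "weak": weak,
            "kept": [s for s in suites if s not in weak],
        })
    return findings


if __name__ == "__main__":
    # For a real check, read each AO_HOME/<component>/tomcat/conf/server.xml.
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']} sslProtocol={f['sslProtocol']}")
        for suite in f["weak"]:
            print("  weak:", suite)
        print("  remaining ciphers value:", ", ".join(f["kept"]))
```

Running it against both the backup copy and the edited server.xml for each UI shows whether the edit changed the cipher list as intended and whether all product UIs ended up with the same settings.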

Troubleshooting

Check the Tomcat log files (named localhost.date.log) for errors related to unsupported cipher suites or handshake failure messages.

When installing a new AP or LAP, the installation will fail if the UI protocol is not SSL. The SSL protocol is hard-coded in the installer for the UI server connection verification. If the UI server protocol is not SSL, before installing an AP or LAP, change the protocol back to SSL and perform the installation.


Comments

  1. Greg Michael

    The documentation is out of date.... "The current release installs Java SE Runtime Environment (build 1.7.0_07-b11). "

    E:\Apps\BMC Software\OCP\jvm\bin>java -version
    openjdk version "1.8.0_202"
    OpenJDK Runtime Environment (Zulu 8.36.0.2-SA-win64) (build 1.8.0_202-b05)
    OpenJDK 64-Bit Server VM (Zulu 8.36.0.2-SA-win64) (build 25.202-b05, mixed mode)

    E:\Apps\BMC Software\OCP\tomcat\bin>version.bat
    Using CATALINA_BASE: "E:\Apps\BMC Software\OCP\tomcat"
    Using CATALINA_HOME: "E:\Apps\BMC Software\OCP\tomcat"
    Using CATALINA_TMPDIR: "E:\Apps\BMC Software\OCP\tomcat\temp"
    Using JRE_HOME: "E:\Apps\CDP\jvm"
    Using CLASSPATH: "E:\Apps\BMC Software\OCP\tomcat\bin\bootstrap.jar;E:\Apps\BMC Software\OCP\tomcat\bin\tomcat-juli.jar"
    Server version: Apache Tomcat/9.0.10
    Server built: Jun 20 2018 17:32:21 UTC
    Server number: 9.0.10.0
    Architecture: amd64
    JVM Version: 1.8.0_202-b05
    JVM Vendor: Azul Systems, Inc.

    Sep 09, 2019 01:53
  2. Shweta Hardikar

    Thanks for bringing it to our notice, Greg. Will work with the team to update it asap.

    Sep 10, 2019 12:15
    1. Greg Michael

      It's now been more than 3 months with no updates...

      Dec 20, 2019 10:56
      1. Shweta Hardikar

        Hi Greg,

        Apologies for the delayed update. 

        We have updated the Java version now. Is there anything else you want us to update here? 

        Jan 02, 2020 04:39