Documentation update

   

To provide a better user experience, we have now created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management).
Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console. .

Adding a trusted certificate

You may choose to use a certificate issued by a certificate authority or any trusted source instead of using the default self-signed certificate that TrueSight Automation Console provides. This topic provides the procedure to replace existing SSL certificate with certificate that you may have obtained from a trusted source. 

To add a trusted certificate

Before adding a trusted certificate to your Automation Console environment, you need to generate a CSR and a private key.  

  1. To generate a private key, run the following command:

    # openssl genrsa -out <private key file name> <2048|4096>
    
    For example: # openssl genrsa -out www.hostname.com.key.pem 2048
    
  2. To create a certificate signing request (CSR), run the following command:

    # openssl req \
          -key <private key file name> \
          -new -sha256 -out <certificate file name>
    
    
    For example: 
    # openssl req \
          -key www.hostname.com.key.pem \
          -new -sha256 -out www.hostname.com.csr.pem
    
    Enter pass phrase for www.hostname.com.key.pem: <password>
    You are about to be asked to enter information that will be incorporated into your certificate request.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name []:California
    Locality Name []:San Jose
    Organization Name []:BMC Software
    Organizational Unit Name []:Security and Operations
    Common Name []:www.bmc.com
    Email Address []:notify@bmc.com

    <filename>.csr.pem file that contains the CSR is generated.

  3. Send the CSR file to a CA for signing using one of the following methods. The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
    • Have the CSR be signed by a commercial CA. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed SSL certificate. 
      OR
    • Use your own CA and get the CSR signed by this CA.
  4. If using a commercial CA, download the certificates in a .pem format.
    For example, www.hostname.com.cert.pem file.

  5. If using your private or company specific CA, download the certificates in a .pem format and then do these steps:

    1. Download the public certificate of the root or any intermediary certificates who has signed the certificate.
      This is needed as the default Java runtime does not have access to the certificates.

    2. Run the following command to create a certificate chain by concatenating the root, intermediary, and the signed certificate:

      cat <any root certificate> <any intermediate certificate> <downloaded signed certificate> > <www.hostname.com.cert.pem>
  6. On a host where the TrueSight Automation Console application is installed, run the following commands to back up the existing certificate files:

    cp <install_dir>/application/common/certs/tsvmSslCertificate.crt <install_dir>/application/common/certs/tsvmSslCertificate.crt.original
    
    cp <install_dir>/application/common/certs/tsvmSslCertificate.key <install_dir>/application/common/certs/tsvmSslCertificate.key.original
  7. Rename and copy the certificate files that you generated from a CA to the names specified here: 

    • www.hostname.com.cert.pem --> tsvmSslCertificate.crt
    • www.hostname.com.key.pem --> tsvmSslCertificate.key
    cp <trusted ca cert file name> <install_dir>/application/common/certs/tsvmSslCertificate.crt
    Example: cp <www.hostname.com.cert.pem> <install_dir>/application/common/certs/tsvmSslCertificate.crt
    
    cp <trusted ca key file name> <install_dir>/application/common/certs/tsvmSslCertificate.key
    Example: cp <www.hostname.com.key.pem> <install_dir>/application/common/certs/tsvmSslCertificate.key


  8. Restart the application. 

    /opt/bmc/stackmanager restart --deployment application

    You can now log on to TrueSight Automation Console using the trusted certificates. 

Resolving issues with trusted certificates

If you face issues while logging on to TrueSight Automation Console where the certificate is shown as "Not Secured", you may need to implement private certificates in TrueSight Server Automation. For more information, see the knowledge article TrueSight Automation Console (TSAC): The login page shows the SSL certificate as "Not Secured" (TSAC 21.02 above redirects to TSSA URL for login authentication).

Where to go next?

Now that you have configured trusted certificates, administrators can start setting up the application for your patch and vulnerability management needs. You can start using the features based on your role and requirements. See Using.

Was this page helpful? Yes No Submitting... Thank you

Comments