Enabling TLS mode for TrueSight Operations Manager adapter

Starting with version 20.18.01, the TrueSight Operations Manager actor and monitor adapters support Transport Layer Security (TLS) as an encryption protocol for secure communication.

Use this topic to enable TLS mode for the TrueSight Operations Manager actor and monitor adapters.

Before you begin

Before enabling the adapters in TLS mode, ensure that the following conditions are met:

  • The TrueSight Operations Management and TrueSight Presentation Server applications are configured in TLS mode. For more information, see Securing communication among Infrastructure Management components.
  • For the TrueSight Operations Manager monitor adapter, obtain the certificate root chain (CA or self-signed), containing the required certificates and private key, in p12 format.
  • For the TrueSight Operations Manager actor adapter, obtain the Mcell certificate. 
    You may find this file at the following location on a TrueSight Infrastructure Management server:
    <TSIM_HOME>\pw\server\etc
    Typically, a certificate file has a .crt or .cert extension.

Installing certificates to TrueSight Orchestration Java Truststore

  1. Run the following command to install the TrueSight Infrastructure p12 format certificate on a peer where the TrueSight Operations Manager monitor adapter is to be enabled.

    keytool -importkeystore -deststorepass <jssecacerts password, for example: changeit> -destkeypass <jssecacerts password, for example: changeit> -deststoretype JKS -destkeystore "<AO_PEER_HOME>\jvm\lib\security\jssecacerts" -srckeystore TSIM_Server_Certificate.p12 -srcstoretype PKCS12 -srcstorepass <p12 file password, for example: password>

    Note

    If the command fails because of a Java incompatibility problem, copy the following file from the TrueSight Orchestration server to the TrueSight Infrastructure server (for example, to c:/tmp), and then run the preceding command there.

    Then copy jssecacerts back to its original location on the TrueSight Orchestration server: "<AO_PEER_HOME>/jvm/lib/security/jssecacerts".

  2. Go to the <AO_PEER_HOME>/CDP/jvm/bin directory and run the following command to import the Mcell certificate.

    keytool.exe -import -storepass <password: default changeit> -noprompt -alias <certificate alias for Keystore> -keystore "<AO_PEER_HOME>/jvm/lib/security/cacerts" -trustcacerts -file <mcell certificate file path>

Adding Java options to the TrueSight Orchestration peer

Perform the following steps if your TrueSight Orchestration peer is installed on a Windows OS:

  1. From the command prompt, go to <AO_PEER_INSTALL_LOCATION>\tomcat\bin and run the following command:

    tomcat8w.exe //ES/<AO_PEER_SERVICE_NAME>


    The peer service name is displayed in the list.

  2. From the service options command, click the Java tab and in the Java Options section, add the following options:
    • -DServerKeyStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
    • -DServerKeyStorePassword=changeit
    • -DServerTrustStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
    • -DServerTrustStorePassword=changeit
    • -Denabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
  3. Restart the service.

Perform the following steps if your TrueSight Orchestration peer is installed on a Linux OS:

  1. Go to the <AO_PEER_INSTALL_LOCATION>/bin directory and open the server.sh file for editing.
  2. In the server.sh file, search for the JAVA_OPTS parameter and add the following options:
    • -DServerKeyStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
    • -DServerKeyStorePassword=changeit
    • -DServerTrustStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
    • -DServerTrustStorePassword=changeit
    • -Denabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
      The following example shows the changes made to the server.sh file.

      JAVA_OPTS="-server -Xms1024m -Xmx1280m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:MaxPermSize=192m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath='$CATALINA_HOME/logs' -XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC -DServerKeyStore=/opt/bmc/BAO/CDP/jvm/lib/security/jssecacerts -DServerKeyStorePassword=changeit -DServerTrustStore=/opt/bmc/BAO/CDP/jvm/lib/security/jssecacerts -DServerTrustStorePassword=changeit -Denabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256"
  3. Restart the service. 
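
To confirm the edit before restarting, the following check reads the JAVA_OPTS line of server.sh and reports which of the five options above are present. It is an added example, not BMC code; the function names are hypothetical, and it assumes JAVA_OPTS is a single-line assignment as shown above.

```shell
#!/bin/sh
# Added example (not BMC code): audit the JAVA_OPTS line of a peer's server.sh
# for the five TLS options listed in the procedure above.

REQUIRED="ServerKeyStore ServerKeyStorePassword ServerTrustStore ServerTrustStorePassword enabledsuites"

# get_opt FILE NAME: print the value of -D<NAME>=... from the last JAVA_OPTS
# assignment in FILE (prints nothing if the option is absent).
get_opt() {
    grep '^[[:space:]]*JAVA_OPTS=' "$1" | tail -n 1 |
        tr ' "' '\n\n' | sed -n "s/^-D$2=//p" | tail -n 1
}

# check_tls_opts FILE: report each required option.
# Returns 0 = all set, 1 = an option is missing, 2 = a store password is
# still "changeit", the default named in the keytool steps.
check_tls_opts() {
    file=$1 missing=0 weak=0
    for name in $REQUIRED; do
        value=$(get_opt "$file" "$name")
        if [ -z "$value" ]; then
            echo "MISSING  -D$name"
            missing=1
            continue
        fi
        case $name in
            *Password)  # never echo the password itself
                if [ "$value" = "changeit" ]; then
                    echo "DEFAULT  -D$name is still changeit"
                    weak=1
                else
                    echo "OK       -D$name is set"
                fi ;;
            *) echo "OK       -D$name=$value" ;;
        esac
    done
    [ "$missing" -eq 0 ] || return 1
    [ "$weak" -eq 0 ] || return 2
    return 0
}

# Usage: sh check_tls_opts.sh <AO_PEER_INSTALL_LOCATION>/bin/server.sh
if [ "$#" -gt 0 ]; then
    check_tls_opts "$1"
fi
```

Because server.sh holds the store passwords in clear text, limit read access on the file to the account that runs the peer.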