Enabling TLS mode for TrueSight Operations Manager adapter
The TrueSight Operations Manager actor and monitor adapters support Transport Layer Security (TLS) as the encryption protocol for secure communication.
Use this topic to enable TLS mode for the TrueSight Operations Manager actor and monitor adapter.
Before you begin
Before enabling the adapters in a TLS mode, ensure that the following conditions are met:
- TrueSight Operations Management and TrueSight Presentation Server applications are configured with TLS mode. For more information, see Securing communication among Infrastructure Management components.
- For the TrueSight Operations Manager monitor adapter, obtain the certificate root chain (CA-signed or self-signed) that contains the required certificates and private key, in PKCS #12 (.p12) format.
- For the TrueSight Operations Manager actor adapter, obtain the Mcell certificate.
You may find this file at the following location on a TrueSight Infrastructure Management server:
<TSIM_HOME>\pw\server\etc
Typically, a certificate file has a .crt or .cert extension.
Installing certificates to TrueSight Orchestration Java Truststore
Run the following command to install the TrueSight Infrastructure Management certificate (.p12 format) into the jssecacerts truststore on the peer where the TrueSight Operations Manager monitor adapter is to be enabled:
keytool -importkeystore -deststorepass <jssecacerts password, for example changeit> -destkeypass <jssecacerts password, for example changeit> -deststoretype JKS -destkeystore "<AO_PEER_HOME>\jvm\lib\security\jssecacerts" -srckeystore TSIM_Server_Certificate.p12 -srcstoretype PKCS12 -srcstorepass <p12 file password>
Note
If the command fails because of a Java version incompatibility, copy the jssecacerts file from the TrueSight Orchestration server to the TrueSight Infrastructure Management server (for example, to c:/tmp), run the above command there, and then copy jssecacerts back to its original location on the TrueSight Orchestration server: "<AO_PEER_HOME>/jvm/lib/security/jssecacerts".
Go to the <AO_PEER_HOME>\CDP\jvm\bin directory and run the following command to import the mcell certificate:
keytool.exe -import -storepass <password, default changeit> -noprompt -alias <certificate alias for the keystore> -keystore "<AO_PEER_HOME>/jvm/lib/security/cacerts" -trustcacerts -file <mcell certificate file path>
Adding the TrueSight Orchestration Java options to the peer
Perform the following steps if your TrueSight Orchestration peer is installed on a Windows OS:
- From the command prompt, go to <AO_PEER_INSTALL_LOCATION>\tomcat\bin and run the following command:
tomcat8w.exe //ES//<AO_PEER_SERVICE_NAME>
The peer service name is displayed in the list of services.
- In the service properties window that opens, click the Java tab and, in the Java Options section, add the following options:
-DServerKeyStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
-DServerKeyStorePassword=changeit
-DServerTrustStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
-DServerTrustStorePassword=changeit
-Denabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
- Restart the service.
Perform the following steps if your TrueSight Orchestration peer is installed on a Linux OS:
- Go to the <AO_PEER_INSTALL_LOCATION>/bin directory and open the server.sh file in an editor.
- In the server.sh file, search for the JAVA_OPTS parameter and add the following options:
-DServerKeyStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
-DServerKeyStorePassword=changeit
-DServerTrustStore=<AO_PEER_INSTALL_LOCATION>/jvm/lib/security/jssecacerts
-DServerTrustStorePassword=changeit
-Denabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
The following line shows the JAVA_OPTS parameter in server.sh after the change:
JAVA_OPTS="-server -Xms1024m -Xmx1280m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:MaxPermSize=192m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath='$CATALINA_HOME/logs' -XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC -DServerKeyStore=/opt/bmc/BAO/CDP/jvm/lib/security/jssecacerts -DServerKeyStorePassword=changeit -DServerTrustStore=/opt/bmc/BAO/CDP/jvm/lib/security/jssecacerts -DServerTrustStorePassword=changeit -Denabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256"
- Restart the service.
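The Linux step above is a hand edit of JAVA_OPTS; the following added Python example (not BMC's code) applies the same five -D options to a server.sh repeatably and checks a file afterwards for missing options and for the default store password. The sample server.sh is constructed, and the peer home /opt/bmc/BAO/CDP is taken from the figure above.

```python
import re

# The five JVM options this page adds to JAVA_OPTS on a Linux peer
TLS_OPTION_KEYS = ("ServerKeyStore", "ServerKeyStorePassword", "ServerTrustStore",
                   "ServerTrustStorePassword", "enabledsuites")
# Matches the double-quoted JAVA_OPTS="..." assignment line in server.sh
JAVA_OPTS_RE = re.compile(r'^([ \t]*JAVA_OPTS=)"(.*)"[ \t]*$', re.MULTILINE)


def tls_java_options(peer_home, store_password="changeit",
                     suite="TLS_RSA_WITH_AES_128_CBC_SHA256"):
    """Build the -D key/value pairs for a peer installed at peer_home."""
    store = f"{peer_home}/jvm/lib/security/jssecacerts"
    return {"ServerKeyStore": store, "ServerKeyStorePassword": store_password,
            "ServerTrustStore": store, "ServerTrustStorePassword": store_password,
            "enabledsuites": suite}


def add_tls_options(server_sh_text, peer_home, **overrides):
    """Return server.sh text with the TLS options merged into JAVA_OPTS.
    Managed keys already present are replaced and every other JVM flag is
    kept verbatim, so applying the function twice changes nothing."""
    wanted = tls_java_options(peer_home, **overrides)
    match = JAVA_OPTS_RE.search(server_sh_text)
    if match is None:
        raise ValueError('no JAVA_OPTS="..." line found in server.sh')
    managed = tuple(f"-D{key}=" for key in wanted)
    kept = [opt for opt in match.group(2).split() if not opt.startswith(managed)]
    merged = kept + [f"-D{key}={value}" for key, value in wanted.items()]
    new_line = f'{match.group(1)}"{" ".join(merged)}"'
    return server_sh_text[:match.start()] + new_line + server_sh_text[match.end():]


def missing_tls_options(server_sh_text):
    """Keys from TLS_OPTION_KEYS that JAVA_OPTS does not set (empty = complete)."""
    match = JAVA_OPTS_RE.search(server_sh_text)
    present = match.group(2).split() if match else []
    return [key for key in TLS_OPTION_KEYS
            if not any(opt.startswith(f"-D{key}=") for opt in present)]


def uses_default_store_password(server_sh_text):
    """True while a store password is still the well-known default 'changeit'."""
    return any(f"-D{key}=changeit" in server_sh_text
               for key in ("ServerKeyStorePassword", "ServerTrustStorePassword"))


# Constructed sample of a server.sh before the edit (not a real BMC file)
SAMPLE_SERVER_SH = '''#!/bin/sh
JAVA_OPTS="-server -Xms1024m -Xmx1280m -XX:+UseConcMarkSweepGC"
exec "$CATALINA_HOME/bin/catalina.sh" run
'''
```

Pass store_password to add_tls_options once you have changed the jssecacerts password with keytool, so that server.sh and the truststore stay in step.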