This documentation supports the 18.08 version of Remedy Action Request System.

To view the latest version, select the version from the Product version menu.

Configuring the Mid Tier web server for SSL certificate

You can use root certificates issued by trusted Certificate Authorities (CA) in your production environment. For example, Verisign.

Before you configure mid tier web server for SSL certificate, you must take a back-up of your servers or a snapshot of your VMs.

Consider the following points before adding the SSL certificate:

  • You must have a certificate from a fully fledged certificate authority or a CA that is already trusted by your clients. For example, you can have a certificate from as https://letsencrypt.org/ (free of cost) or from https://www.pluralsight.com/blog/software-development/top-reliable-ssl-certificates (with an associated cost). 
  • Never rely on a self-signed certificate for production environment. Using a self signed certificate creates manual work for each client and disrupts integrations once certificate expires.
  • The SSL certificate expires after one year. 

Perform the following steps when you have a certificate signed by a fully-fledged CA:

  1. Add the certificate to Apache Tomcat.
  2. Add the certificate to jetty.

Perform the following steps when you have self-signed certificate:

  1. Add the certificate to Apache Tomcat.
  2. Import Apache Tomcat self-signed certificate to Remedy Developer Studio.
  3. Import Apache Tomcat self-signed certificate to Remedy AR System server.
  4. Import Apache Tomcat self-signed certificate to any client that wants to connect to Remedy published web services.
  5. Add certificate to jetty.
  6. Import jetty certificate to  Remedy Developer Studio.
  7. Import jetty self-signed certificate to any client that wants to connect to REST services published by Remedy AR System.

To configure the Mid Tier SSL

  1. On the Mid Tier host, create the KeysCertificates, and CSR folders. 
  2. Stop the Mid Tier Tomcat server.
  3. Open a command prompt and navigate to the JRE folder. 
  4. Enter the following command to create a keypair using the keytool utility.
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks

    Note

    • If the Mid Tier is behind a load balancer, use CN as the load balancer name; otherwise select MT. 
    • The CN parameter must match the host name if you are accessing the server by using different host names such as https://server1/ , https://server1.domain.com.
    • Add the SAN parameter to cover all different host name or use wildcards. For example, -ext san=dns:ca1 .
  5. At the prompts, enter the required information to create the keypair, and then press Enter
  6. Enter the following command to create the Certificate Signing Request (CSR) from the Mid Tier primary server to retrieve the certificate from CA.
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -certreq -keyalg RSA -alias tomcat -file 
    C:\Keys\mt.csr -keystore C:\Keys\keystore.jks
  7. At the prompt, enter changeit as the password.
  8. Copy the mt.csr file to the Keys folder where OpenSSL is installed to generate a certificate and then run the following command on the OpenSSL computer.
    C:\OpenSSL\bin>openssl x509 -req -days 365 -in 
    C:\Keys\mt.csr -CA C:\Certificates\RootCA.crt -CAkey 
    C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\mt_server.crt
  9. After the certificate is generated (mt_server.crt) in the Certificates folder, copy mt_server.crt and RootCA.crt to the Mid Tier primary and secondary computers into their Certificates folder.
  10. Enter the following command on the Mid Tier primary and secondary servers to import the Root CA certificate.
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file 
    C:\Certificates\RootCA.crt
  11. At the prompt, enter changeit as the password.
  12. When you see the Trust this certificate prompt, enter yes
    Your certificate is added to the keystore.  
  13. Enter the following command to import the mt_server.crt certificate:
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -import -alias tomcat -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\mt_server.crt
  14. At the prompt, enter changeit as the password.
    Your certificate reply is installed in the keystore.  
  15. Open the server.xml file in a text editor and uncomment the SSL related sections.

    Note

    In Microsoft Windows, the default location is C:\Program Files\Apache Software Foundation\Tomcat\conf\server.xml.

    1. Search for the following text and uncomment the Connector port section:

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
      This connector uses the JSSE configuration, when using APR, the
      connector should be using the OpenSSL style configuration
      described in the APR documentation -->
       <!--
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
         maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" />
      -->

    2.  Modify the Connector port information as follows:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="C:\Keys\keystore.jks"
      />

      Optionally, you change the connector port to 8443 and add the keyStore file location. 

    3. Save the server.xml file. 

  16. Start the Tomcat server.

  17. Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URL:
    https://<MidTier>:8443/arsys (where 8443 is the default SSL port)
    https://<LoadBalancer>/arsys
  18. (For Internet Explorer) Add and confirm any security restrictions in your browser as shown in the following figure.

  19. (For Internet Explorer) When you access the Mid Tier the first time, review the certificate details, as shown in the following figure.

    1. Check who the certificate is issued to (for example, MT) and who the certificate was issued by (for example, bmc.com).
    2. Review the certificate path or hierarchy.

Your Mid Tier is now configured with SSL and is ready to serve content securely.


Was this page helpful? Yes No Submitting... Thank you

Comments