
Configuring the Mid Tier web server for SSL certificate

Before you begin

Take a back-up of your servers or a snapshot of your VMs.

Note

BMC has performed its SSL tests with OpenSSL-generated certificates, as described below. In a production environment, however, you can use root certificates issued by a trusted Certificate Authority (CA), for example Verisign.

To create a Root CA certificate using OpenSSL

  1. Download and install OpenSSL 1.0.1g on its own host.
    For example, review the download and install topic on the VMware documentation portal.
  2. Create Keys, Certificates, and CSR folders for placing keys, certificates files, etc.
  3. Open the command prompt and navigate to the OpenSSL folder. 
  4. Enter the following command to generate the key pair for root CA and store this key pair in the Keys/RootCA.key file.
    C:\OpenSSL\bin>openssl genrsa -out C:\Keys\RootCA.key 1024
  5. Generate a self-signed certificate for CA.
    This CA certificate is used across all cloud products as a common certificate.
  6. Store this CA certificate in the RootCA.crt file.
    1. Enter the following command to create the CA certificate.
      C:\OpenSSL\bin>openssl req -config C:\OpenSSL\bin\openSSL.cnf -new -x509 -days 365 -key C:\Keys\RootCA.key -out C:\Certificates\RootCA.crt
    2. Create a Distinguished Name (DN).

      Note

      Ensure that you enter the information in all the required fields. Some fields contain default values. You can leave the value blank for non-mandatory fields. If you enter a period as a field value, the field is left blank.

    3. Press Enter to create the certificate.

The Root CA certificate is now created.

To configure the Mid Tier SSL

  1. On the Mid Tier host, create the Keys, Certificates, and CSR folders.
  2. Stop the Mid Tier Tomcat server.
  3. Open a command prompt and navigate to the JRE folder. 
  4. Enter the following command to create a keypair using the keytool utility.
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks

    Note

    • If the Mid Tier is behind a load balancer, use the load balancer name as the CN; otherwise use MT.
    • The CN parameter must match the host name that you use to access the server. If you access the server by using different host names, such as https://server1/ and https://server1.domain.com, the CN alone cannot cover all of them.
    • Add the SAN parameter to cover all the different host names, or use wildcards. For example, -ext san=dns:ca1.
  5. At the prompts, enter the required information to create the keypair, and then press Enter.
  6. Enter the following command to create the Certificate Signing Request (CSR) from the Mid Tier primary server to retrieve the certificate from CA.
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -certreq -keyalg RSA -alias tomcat -file C:\Keys\mt.csr -keystore C:\Keys\keystore.jks
  7. At the prompt, enter changeit as the password.
  8. Copy the mt.csr file to the Keys folder where OpenSSL is installed to generate a certificate and then run the following command on the OpenSSL computer.
    C:\OpenSSL\bin>openssl x509 -req -days 365 -in C:\Keys\mt.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\mt_server.crt
  9. After the certificate is generated (mt_server.crt) in the Certificates folder, copy mt_server.crt and RootCA.crt to the Mid Tier primary and secondary computers into their Certificates folder.
  10. Enter the following command on the Mid Tier primary and secondary servers to import the Root CA certificate.
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt
  11. At the prompt, enter changeit as the password.
  12. When you see the Trust this certificate prompt, enter yes.
    Your certificate is added to the keystore.  
  13. Enter the following command to import the mt_server.crt certificate:
    C:\Program Files\Java\<Java_Home_Folder>\bin>keytool.exe -import -alias tomcat -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\mt_server.crt
  14. At the prompt, enter changeit as the password.
    Your certificate reply is installed in the keystore.  
  15. Open the server.xml file in a text editor and uncomment the SSL related sections.

    Note

    In Microsoft Windows, the default location is C:\Program Files\Apache Software Foundation\Tomcat\conf\server.xml.

    1. Search for the following text and uncomment the Connector port section:

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
           This connector uses the JSSE configuration, when using APR, the
           connector should be using the OpenSSL style configuration
           described in the APR documentation -->
      <!--
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS" />
      -->

    2. Modify the Connector port information as follows:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 keystoreFile="C:\Keys\keystore.jks" />

      Optionally, you can change the connector port from the default 8443. The keystoreFile attribute adds the location of the keystore that you created earlier.

    3. Save the server.xml file. 

  16. Start the Tomcat server.

  17. Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URL:
    https://<MidTier>:8443/arsys (where 8443 is the default SSL port)
    https://<LoadBalancer>/arsys
  18. (For Internet Explorer) Add and confirm any security restrictions in your browser as shown in the following figure.

  19. (For Internet Explorer) When you access the Mid Tier the first time, review the certificate details, as shown in the following figure.

    1. Check who the certificate is issued to (for example, MT) and who the certificate was issued by (for example, bmc.com).
    2. Review the certificate path or hierarchy.

Your Mid Tier is now configured with SSL and is ready to serve content securely.
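The root CA creation procedure and the CSR signing in step 8 of the Mid Tier procedure, reproduced as an added POSIX shell example (not code from the BMC page) together with the two checks worth running before a certificate is imported into the keystore: that mt_server.crt chains to RootCA.crt, and that it carries a SAN for the Mid Tier host name. It assumes a constructed host name mt.example.test, a minimal stand-in for the page's openSSL.cnf, and 2048-bit keys (1024-bit RSA, as in the page's commands, is below current minimums); because openssl x509 -req does not copy extensions from the CSR, it signs once without and once with an -extfile to show that the SAN added with keytool -ext only survives in the second case.

```shell
#!/bin/sh
# Added example, not from the BMC page. Rebuilds the page's RootCA.key -> RootCA.crt ->
# mt.csr -> mt_server.crt flow with OpenSSL in a scratch directory, then checks the result
# before it would be imported into the keystore. Host name mt.example.test is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; HOST=mt.example.test
# Minimal stand-in for the page's openSSL.cnf: marks the root certificate as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
# Root CA key pair and self-signed CA certificate (page steps 4 to 6)
make_root_ca() {
  openssl genrsa -out "$WORK/RootCA.key" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -new -x509 -days 365 -key "$WORK/RootCA.key" \
    -subj "/CN=Example Root CA" -out "$WORK/RootCA.crt" 2>/dev/null
}
# Server key pair and CSR (the page uses keytool -genkey and -certreq for this)
make_server_csr() {
  openssl genrsa -out "$WORK/mt.key" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -new -key "$WORK/mt.key" -subj "/CN=$HOST" \
    -out "$WORK/mt.csr" 2>/dev/null
}
# Sign the CSR as in page step 8. $1 = output file; pass "san" as $2 to add a SAN.
# 'openssl x509 -req' does not copy extensions from the CSR, so without -extfile the
# issued certificate has no SAN, whatever keytool -ext san=... put into the request.
sign_csr() {
  ext=""
  if [ "${2:-}" = san ]; then
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
    ext="-extfile $WORK/san.ext"
  fi
  openssl x509 -req -days 365 -in "$WORK/mt.csr" -CA "$WORK/RootCA.crt" \
    -CAkey "$WORK/RootCA.key" -set_serial 01 -out "$1" $ext 2>/dev/null
}
# Pre-import checks: does the cert chain to RootCA.crt, and does its SAN cover the host?
chain_ok() { openssl verify -CAfile "$WORK/RootCA.crt" "$1" >/dev/null 2>&1; }
san_ok() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

make_root_ca; make_server_csr
sign_csr "$WORK/mt_nosan.crt"; sign_csr "$WORK/mt_server.crt" san
for c in mt_nosan.crt mt_server.crt; do
  printf '%s: chain=%s san=%s\n' "$c" "$(chain_ok "$WORK/$c" && echo ok || echo FAIL)" \
    "$(san_ok "$WORK/$c" "$HOST" && echo ok || echo missing)"
done
```

Both certificates verify against the root, but only mt_server.crt reports san=ok; a certificate that prints san=missing would still import cleanly with keytool and then fail host name checks in the browser.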

