Enabling SSL support

To enable SSL support in BMC Database Automation (BDA), you must generate the following certificates:

  • A Certificate Authority (CA) certificate, which is used for issuing and validation of all other certificates
  • A server certificate to be installed on the BDA Manager, issued by the CA
  • One or more client certificates that are installed on the hosts on which the command line utilities packages are installed and that will issue commands to BDA. These certificates must also be issued by the CA.

Note (Applicable to version 8.9.01 and later)

  • Starting with version 8.9.01, the SSL communication protocol is upgraded to TLSv1.2.
  • To enable communication between the latest manager and older versions of BDA CLM Connector, specify transport_layer_backward_compatibility_mode=true in the mtd.conf file and restart the mtd service using the service mtd restart command.

To generate SSL certificates

  1. Run the script to generate SSL certificates and follow the instructions:
    /app/clarity/manager_scripts/bin/generate_ssl_cert manager.gridapp-dev.com

    If you want to customize some certificate properties (for example, the country, city, or organization name), copy the sample file at /app/clarity/manager_scripts/etc/caprops.default to /app/clarity/manager_scripts/etc/caprops, modify as required, and then run the script.

  2. Install the various certificates on the manager:
    cp /app/clarity/var/ssl_cert/manager.gridapp-dev.com/manager/* /app/clarity/dmanager/etc
  3. Edit the mtd.conf file to enable SSL and point to the new certificates and keys:

    service=static MtdApiSoapAcceptor "-c 2 -s 1 -p 8087 -k /app/clarity/dmanager/etc/api_server.key -x /app/clarity/dmanager/etc/apiserver.pem -y /app/clarity/dmanager/etc/apicacert.pem"
  4. Restart the mtd using the following command: service mtd restart.

  5. Copy the client cert and client key to the individual client: 

    scp /app/clarity/var/ssl_cert/manager.gridapp-dev.com/client/* root@manager.gridapp-dev.com:/app/clarity/cmdutils/etc

Example certificate generation process

The following example process demonstrates how certificates under Linux are generated using the standard OpenSSL command line tool. The resulting client certificates can be installed under either Linux or Windows.

Note

The name provided in the following example session (testca.bmc.com) is for demonstration purposes only. Ensure that you substitute each occurrence of that name with the fully qualified domain name of your host so that the SSL certificates are generated successfully.

  1. Create a directory for temporary files:
    mkdir /root/certsetup
    cd /root/certsetup
  2. Create the caprops.txt file with the following content:

    Note

    The sha256 algorithm is supported starting with BMC Database Automation version 8.9.03. For earlier versions, set the value of default_md to sha1 in the content.

    [ req ]
    default_bits = 2048
    default_keyfile = cakey.key
    default_md = sha256
    prompt = no
    distinguished_name = testca.bmc.com
    x509_extensions = v3_ca
    
    [ testca.bmc.com ]
    countryName = US
    stateOrProvinceName = New York
    localityName = New York
    0.organizationName = BMC Software Inc.
    commonName = API Test Certificate Authority
    emailAddress = devin_heitmueller@bmc.com
    
    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = CA:true


  3. Generate the CA private key:
    openssl genrsa -out cakey.key 2048
  4. Generate the CA Certificate CSR:
    openssl req -new -config caprops.txt -key cakey.key -out api_ca.csr
  5. Self-sign the test CA certificate:
    openssl x509 -req -days 3650 -in api_ca.csr -signkey cakey.key -out cacert.pem
  6. Generate the self-signed CA certificate (this command also writes cacert.pem, replacing the file produced in step 5):
    openssl req -new -config caprops.txt -days 3650 -x509 -key cakey.key -out cacert.pem
  7. Display the properties of the new CA certificate:
    openssl x509 -text -in cacert.pem
  8. Generate the server private key:
    openssl genrsa -out api_server.key 2048
  9. Generate the server certificate CSR:
    openssl req -new -key api_server.key -out api_server.csr

    Note

    The 'Common Name' should match the output of the hostname command on the BDA management server.

  10. Generate the server certificate, signed with the CA certificate:

    openssl x509 -req -days 3650 -in api_server.csr -CA cacert.pem -CAkey cakey.key -set_serial 123 -out apiserver.pem

  11. Display the properties of the new server certificate:
    openssl x509 -text -in apiserver.pem
  12. Generate a client private key:
    openssl genrsa -out apiclient.key 2048
  13. Generate the client certificate CSR:
    openssl req -new -key apiclient.key -out api_client.csr

    Note

    The 'Common Name' should match the output of the hostname command on the BDA client server.

  14. Generate the client certificate, signed with the CA certificate:

    openssl x509 -req -days 3650 -in api_client.csr -CA cacert.pem -CAkey cakey.key -set_serial 456 -out apiclient.pem

  15. Display the properties of the new client certificate:
    openssl x509 -text -in apiclient.pem
  16. Install the various certs on the manager:
    cp /root/certsetup/cacert.pem /app/clarity/dmanager/etc/apicacert.pem

    cp /root/certsetup/apiserver.pem /app/clarity/dmanager/etc/

    cp /root/certsetup/api_server.key /app/clarity/dmanager/etc/
  17. Edit the mtd.conf file to enable SSL and point to the new certificates and keys:

    service=static MtdApiSoapAcceptor "-c 2 -s 1 -p 8087 -k /app/clarity/dmanager/etc/api_server.key -x /app/clarity/dmanager/etc/apiserver.pem -y /app/clarity/dmanager/etc/apicacert.pem"
  18. Restart the mtd using the command service mtd restart.
  19. Copy the client cert and client key to the individual client:
    scp apiclient.pem root@rh5-ma-130.gridapp-dev.com:/app/clarity/cmdutils/etc/client.pem
    scp cacert.pem root@rh5-ma-130.gridapp-dev.com:/app/clarity/cmdutils/etc/cacert.pem
    scp apiclient.key root@rh5-ma-130.gridapp-dev.com:/app/clarity/cmdutils/etc/client.key
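
As an added example (not part of BMC's documentation or tooling), the following POSIX shell script repeats steps 3 to 14 above in a scratch directory and then runs the checks worth doing before the files are copied in steps 16 and 19, whether the certificates come from this manual process or from the generate_ssl_cert script: chain validation against the CA, the server Common Name, and key-to-certificate matching. Assumptions: the openssl CLI is installed, the distinguished name in caprops.txt is shortened, and the manager and client host names are placeholders.

```shell
# Added example, not BMC's tooling: repeats the page's OpenSSL steps in a scratch
# directory and checks the result before any file is copied into /app/clarity.
# Assumes the openssl CLI; host names are placeholders. Exit status: 0 = all
# checks passed, 1 = a step or check failed, 2 = openssl is not installed.
bda_cert_check() (
    server_cn="${1:-manager.gridapp-dev.com}"   # must equal `hostname` on the manager
    client_cn="${2:-client.example.invalid}"    # constructed client host name
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 2; }
    run() { "$@" || { echo "FAILED: $*" >&2; exit 1; }; }   # abort this subshell on error
    work="$(mktemp -d)" && cd "$work" || exit 1
    # caprops.txt as on the page, with the distinguished name shortened
    cat > caprops.txt <<'EOF'
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
countryName = US
0.organizationName = BMC Software Inc.
commonName = API Test Certificate Authority
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
EOF
    # Steps 3 and 6: CA key and self-signed CA certificate (CA:true comes from v3_ca)
    run openssl genrsa -out cakey.key 2048
    run openssl req -new -config caprops.txt -days 3650 -x509 -key cakey.key -out cacert.pem
    # Steps 8-10 and 12-14 per host; -subj supplies the CN the page types at the prompt
    issue() {
        run openssl genrsa -out "$1.key" 2048
        run openssl req -new -config caprops.txt -key "$1.key" -subj "/CN=$2" -out "$1.csr"
        run openssl x509 -req -days 3650 -in "$1.csr" -CA cacert.pem -CAkey cakey.key \
            -set_serial "$3" -out "$1.pem"
    }
    issue apiserver "$server_cn" 123
    issue apiclient "$client_cn" 456
    # Check 1: both leaf certificates validate against the CA that becomes apicacert.pem
    run openssl verify -CAfile cacert.pem apiserver.pem apiclient.pem >/dev/null
    # Check 2: the server CN is the manager host name (see the note after step 9)
    openssl x509 -noout -subject -in apiserver.pem | grep -q "CN *= *$server_cn" \
        || { echo "FAILED: server CN is not $server_cn" >&2; exit 1; }
    # Check 3: each private key belongs to its certificate (catches a swapped .key file)
    for n in apiserver apiclient; do
        [ "$(openssl x509 -noout -pubkey -in "$n.pem")" = "$(openssl pkey -pubout -in "$n.key")" ] \
            || { echo "FAILED: $n.key does not match $n.pem" >&2; exit 1; }
    done
    echo "$work"   # the scratch directory holding the verified files
)
```

Run it as `bda_cert_check "$(hostname)" client-host.example` on the manager; the printed directory holds the files to copy in steps 16 and 19.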

The resulting certificates are installed in the following manner:

    • On the BMC Database Automation Manager, the following files are installed:
      /app/clarity/dmanager/etc/api_server.key
      /app/clarity/dmanager/etc/apiserver.pem
      /app/clarity/dmanager/etc/apicacert.pem

    • On the clients running the cmdtools package, the following files are installed:
      /app/clarity/cmdutils/etc/client.pem
      /app/clarity/cmdutils/etc/cacert.pem
      /app/clarity/cmdutils/etc/client.key

Note

On Windows, the same three files must be installed (with the same file names), except that they are placed in the etc directory under the installation path of the cmdtools package.
