This documentation supports an earlier version of BMC Helix IT Service Management on-premises deployment.

To view the documentation for the latest version, select 22.1.06 from the Product version picker.

Applying security certificates to your applications

You can use a custom cacerts or self-signed certificate as a security certificate for your Service Management applications in the following cases:

  • You want to use a custom CA certificate or self-signed certificate to enable HTTPS communication for applications.
  • You want BMC Helix Innovation Suite to communicate with third-party services that use custom cacerts.
    When BMC Helix Innovation Suite and application components communicate with third-party services that do not have trusted CA-signed security certificates, you must apply security certificates to make outbound HTTPS calls. For this communication, a security certificate file that contains the third-party service public keys is used for authentication. A platform or application component requires a Java trust store to verify third-party service credentials, so you must add the security certificate files to the trust store.

Important

If you are using a self-signed or custom CA certificate, make sure that you use the same custom certificate during BMC Helix Platform and BMC Helix IT Service Management installation.

The following image describes the actions to apply security certificates to an application:

To use custom certificates for HTTPS communication

  1. Download the cacerts file.
  2. Customize the cacerts file.
    1. Customize the cacerts file by adding the authentication details required to allow communication between BMC Helix Innovation Suite and application components with third-party services.
    2. To add the new certificate to the trust store, run the following keytool command:

      keytool -importcert -v -alias <alias name> -file <Path of the certificate file that contains the public key> -keystore <Path of the cacerts file>

      For example,

      keytool -importcert -v -alias <alias name> -file /tmp/<certificatefilename> -keystore /opt/cacerts

      The keytool utility prompts for a password.

    3. Enter the password as changeit and press Enter.

  3. While performing the installation, in the CACERTS_FILE parameter, upload the custom cacerts file.

    Important

    The cacerts file is checked into the Git repository when the HELIX_GENERATE_CONFIG pipeline runs successfully. In case of any failures in the HELIX_ONPREM_DEPLOYMENT or HELIX_GENERATE_CONFIG pipelines, you must upload the cacerts file in the HELIX_ONPREM_DEPLOYMENT pipeline until the HELIX_GENERATE_CONFIG pipeline executes successfully at least once.

    You do not need to upload the cacerts file for consecutive execution of the HELIX_ONPREM_DEPLOYMENT pipeline and other pipelines.

To use custom certificates to communicate with third-party services

  1. Download the cacerts file.
  2. Customize the cacerts file.
    1. Customize the cacerts file by adding the authentication details required to allow communication between BMC Helix Innovation Suite and application components with third-party services.
    2. To add the new certificate to the trust store, run the following keytool command:

      keytool -importcert -v -alias <alias name> -file <Path of the certificate file that contains the public key> -keystore <Path of the cacerts file>

      For example,

      keytool -importcert -v -alias <alias name> -file /tmp/<certificatefilename> -keystore /opt/cacerts

      The keytool utility prompts for a password.

    3. Enter the password as changeit and press Enter.

  3. To add a custom certificate while performing the installation, in the CACERTS_FILE parameter, upload the custom cacerts file.

  4. (Optional) To add a custom certificate post-installation of BMC Helix Innovation Suite and applications, perform the following steps:

    1. On the BMC Deployment Engine that is your Jenkins server, navigate to the HELIX_ONPREM_DEPLOYMENT pipeline.
    2. In the HELIX_ONPREM_DEPLOYMENT pipeline, in the Build History section, select the last job, and click Rebuild.
    3. In the CUSTOMER-INFO section, in the CACERTS_FILE parameter, click Browse and upload your custom cacerts file.

    4. In the PRODUCT-DEPLOY section, select only the HELIX_GENERATE_CONFIG check box.
    5. Build the HELIX_ONPREM_DEPLOYMENT pipeline by using the Rebuild option.
    6. Make sure that the HELIX_ONPREM_DEPLOYMENT pipeline runs successfully.

      Important

      The cacerts file is checked into the Git repository when the HELIX_GENERATE_CONFIG pipeline runs successfully. In case of any failures in the HELIX_ONPREM_DEPLOYMENT or HELIX_GENERATE_CONFIG pipelines, you must upload the cacerts file in the HELIX_ONPREM_DEPLOYMENT pipeline until the HELIX_GENERATE_CONFIG pipeline executes successfully at least once.

      You do not need to upload the cacerts file for consecutive execution of the HELIX_ONPREM_DEPLOYMENT pipeline and other pipelines.

    7. Select the HELIX_ONPREM_DEPLOYMENT pipeline, select the latest build, and click Rebuild.
    8. In the CUSTOMER-INFO section, specify the DEPLOYMENT_MODE parameter value as SERVICE.
    9. In the PRODUCT-DEPLOY section, clear the HELIX_GENERATE_CONFIG check box, and select the HELIX_PLATFORM_DEPLOY, HELIX_NONPLATFORM_DEPLOY, and HELIX_SMARTAPPS_DEPLOY check boxes.

    10. Click Rebuild.
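
The keytool import in both procedures above adds a new trust anchor to the cacerts file, so the certificate's SHA-256 fingerprint should match a value obtained out of band from the service owner before the import runs. The following shell functions are an added example, not BMC's own tooling; they assume keytool is on the PATH, and the function names and the STOREPASS variable are hypothetical.

```shell
#!/bin/sh
# Added example: check a certificate's SHA-256 fingerprint before trusting it.
# Assumes keytool (JDK) is on PATH; function names and STOREPASS are hypothetical.

# Normalise a fingerprint so "ab:cd", "AB CD" and "ABCD" compare equal.
norm_fp() {
  printf '%s' "$1" | tr -d ': \t\n' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint that keytool reports for a certificate file.
# Prints nothing if the file is not a readable certificate.
cert_fp() {
  keytool -printcert -file "$1" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_pinned CERT ALIAS EXPECTED_FP KEYSTORE
# Imports CERT into KEYSTORE only if its fingerprint equals EXPECTED_FP.
import_pinned() {
  cert=$1
  name=$2
  expected=$(norm_fp "$3")
  store=$4
  actual=$(norm_fp "$(cert_fp "$cert")")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "refusing import: fingerprint mismatch or unreadable file: $cert" >&2
    return 1
  fi
  cp -p "$store" "$store.bak" || return 1   # rollback copy of the trust store
  # Password is read from the environment, not passed on the command line.
  STOREPASS=${STOREPASS:-changeit}
  export STOREPASS
  keytool -importcert -noprompt -alias "$name" -file "$cert" \
    -keystore "$store" -storepass:env STOREPASS || return 1
  # Confirm that the entry exists under the expected alias.
  keytool -list -alias "$name" -keystore "$store" -storepass:env STOREPASS
}

# Usage (placeholders, as in the commands above):
#   import_pinned /tmp/<certificatefilename> <alias name> \
#     "<fingerprint from the service owner>" /opt/cacerts
```

The -noprompt option skips keytool's interactive trust confirmation because the fingerprint comparison has already been done; upload the resulting cacerts file in the CACERTS_FILE parameter only after import_pinned returns successfully.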

