Enabling HTTPS/SSL on existing instance

If you already have an existing BMC Release Process Management instance configured via HTTP and you want to switch to HTTPS/SSL, do the following:

  1. To generate a keystore, run the following commands:
    Windows

    cd <RLM>/bin
    setenv.bat
    keytool -genkey -alias <ALIAS_NAME> -keyalg RSA -keystore <KEYSTORE_NAME>.keystore

    Linux/Oracle

    cd <RLM>/bin
    . ./setenv.sh
    keytool -genkey -alias <ALIAS_NAME> -keyalg RSA -keystore <KEYSTORE_NAME>.keystore
  2. Answer the questions that appear at the command prompt.

    Example

    Generating a keystore for UNIX:

    cd /opt/bmc/RLM/bin
    . ./setenv.sh
    keytool -genkey -alias brpm_ssl -keyalg RSA -keystore /tmp/certs/brpm.keystore
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  BMC Support
    What is the name of your organizational unit?
      [Unknown]:  CustomerSupport
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  Houston
    What is the name of your State or Province?
      [Unknown]:  TX
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=BMC Support, OU=CustomerSupport, O=BMC, L=Houston, ST=TX, C=US correct?
      [no]:  yes
    Enter key password for <brpm_ssl>
            (RETURN if same as keystore password):

    The brpm.keystore file is written to the location specified in the command, in this case /tmp/certs/. You can move the file to the desired location.

  3. To configure the BMC Release Process Management JBoss instance, stop the BMC Release Process Management service and do the following:

    1. In the standalone.xml file (for cluster installation, standalone-ha.xml) located at RLMhome/server/jboss/standalone/configuration/, disable the HTTP container by changing:

      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

      to

      <connector enabled="false" name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    2. After the virtual-server tag, add the following connector tag.
      BMC Release Process Management 5.0.03 Patch 1 includes TLS 1.2 by default. You must specify the cipher-suite attribute and the following information in the connector tag:

      For RPM Classic UI 5.0.03.001
      <connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
      <ssl certificate-key-file="C:\Program Files\BMC Software\RLM\server\jboss\standalone\configuration\.keystore"
      cipher-suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
      TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
      TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
      key-alias="brpm_ssl" name="ssl" password="ynakon" protocol="TLSv1.2" verify-client="false"/>
      </connector>
    3. Under <socket-binding name="https" port="8443"/>, check the HTTPS port.

    Example

    Configuration of the BMC Release Process Management JBoss instance (this older example still uses protocol="TLSv1"; for 5.0.03.001 use protocol="TLSv1.2" together with the cipher-suite attribute from the connector tag in step 2):

    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
        <connector enabled="false" name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <virtual-server name="default-host">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
        <connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
            <ssl certificate-key-file="/tmp/certs/brpm.keystore" key-alias="brpm_ssl" name="ssl" password="secret" protocol="TLSv1" verify-client="false"/>
        </connector>
    </subsystem>
  4. Start BMC Release Process Management and access it with the HTTPS port.

  5. (Optional) To generate the public certificate from the keystore, run the following command:

    keytool -export -alias <ALIAS_NAME> -file <CERTIFICATE_NAME>.cer -keystore <KEYSTORE_NAME>.keystore

  6. (Optional) To generate the certificate signing request (CSR), run the following command:

    keytool -certreq -keyalg RSA -alias <ALIAS_NAME> -file <CERTIFICATE_NAME>.csr -keystore <KEYSTORE_NAME>.keystore

  7. (Optional) Import the certification authority (CA) signed certificate to the keystore by doing the following:
    1. To download the chain or root certificates, go to the website of the CA from which you obtained your certificates.

      Note

      The requirements and usage of chain or root certificates can differ for every CA. Refer to the corresponding CA documentation for more details.

    2. To import the chain or root certificate into the keystore, run the following command:

      keytool -import -alias root -keystore <KEYSTORE_NAME>.keystore -trustcacerts -file <FILENAME_FOR_CHAIN_CERTIFICATE>
    3. To import the new certificate, run the following command:

      keytool -import -alias <ALIAS_NAME> -keystore <KEYSTORE_NAME>.keystore -file <CERTIFICATE_RECEIVED_FROM_CA>

      Note

      Adjust the keytool commands to your environment-specific values, such as paths and names.
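The keytool steps of this procedure (1, 5, 6 and 7) can be scripted so that the prompts from step 2 are answered with -dname and the keystore password is never placed on the command line. The script below is an added example, not BMC's own code: the environment variable name BRPM_KEYSTORE_PASS, the /tmp/certs paths and the distinguished name are constructed placeholders taken from or modelled on the example above, and keytool is expected on PATH (the setenv script from step 1 puts the bundled JDK there). When keytool is not found, the commands are printed instead of executed.

```python
"""Run the keytool steps of the procedure (1, 5, 6 and 7) non-interactively.

Added example, not BMC's own code. Alias, paths and the distinguished name
are constructed placeholders; change them to the values you would type at
the step 2 prompts. The keystore password is read by keytool from an
environment variable (-storepass:env), so it does not show up in the
process list the way a literal -storepass argument would.
"""
import os
import shutil
import subprocess

PASS_ENV = "BRPM_KEYSTORE_PASS"   # constructed variable name


def _escape(value):
    """Escape commas inside a DN component so keytool does not split it."""
    return value.replace(",", "\\,")


def dname(cn, ou, o, l, st, c):
    """Build the -dname string in the order of the step 2 prompts
    (CN, OU, O, L, ST, C)."""
    parts = [("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c)]
    return ", ".join(f"{k}={_escape(v)}" for k, v in parts)


def genkey_cmd(alias, keystore, dn, validity_days=365, keysize=2048):
    """Step 1 without prompts; -genkeypair is the current name of -genkey."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA",
            "-keysize", str(keysize), "-validity", str(validity_days),
            "-dname", dn, "-keystore", keystore,
            "-storepass:env", PASS_ENV, "-keypass:env", PASS_ENV]


def export_cert_cmd(alias, keystore, cer_file):
    """Step 5: write the public certificate (DER) for alias to cer_file."""
    return ["keytool", "-exportcert", "-alias", alias, "-keystore", keystore,
            "-file", cer_file, "-storepass:env", PASS_ENV]


def csr_cmd(alias, keystore, csr_file):
    """Step 6: certificate signing request for the key stored under alias."""
    return ["keytool", "-certreq", "-alias", alias, "-keystore", keystore,
            "-file", csr_file, "-storepass:env", PASS_ENV]


def import_cmd(alias, keystore, cert_file, trust_ca=False):
    """Step 7: import the CA chain/root (trust_ca=True, alias "root") or the
    CA-signed certificate under the key's own alias."""
    cmd = ["keytool", "-importcert", "-noprompt", "-alias", alias,
           "-keystore", keystore, "-file", cert_file, "-storepass:env", PASS_ENV]
    if trust_ca:
        cmd.insert(2, "-trustcacerts")
    return cmd


def run(cmd, password):
    """Execute one keytool command with the password in its environment.
    Returns keytool's stdout, or None when keytool is not installed."""
    if shutil.which(cmd[0]) is None:
        print("keytool not on PATH; would run:", " ".join(cmd))
        return None
    env = dict(os.environ, **{PASS_ENV: password})
    return subprocess.run(cmd, env=env, check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    ks, alias = "/tmp/certs/brpm.keystore", "brpm_ssl"   # as in the page's example
    dn = dname("BMC Support", "CustomerSupport", "BMC", "Houston", "TX", "US")
    pw = os.environ.get(PASS_ENV, "PLACEHOLDER_PASSWORD")   # placeholder only
    os.makedirs(os.path.dirname(ks), exist_ok=True)
    run(genkey_cmd(alias, ks, dn), pw)                          # step 1
    run(export_cert_cmd(alias, ks, "/tmp/certs/brpm.cer"), pw)  # step 5
    run(csr_cmd(alias, ks, "/tmp/certs/brpm.csr"), pw)          # step 6
    # Once the CA returns the signed certificate (step 7), import the chain
    # first and then the server certificate under the same alias:
    # run(import_cmd("root", ks, "/tmp/certs/ca-chain.cer", trust_ca=True), pw)
    # run(import_cmd(alias, ks, "/tmp/certs/brpm-signed.cer"), pw)
```

The signed certificate must be imported under the same alias that was used in step 1 (brpm_ssl in the example), and that alias must match key-alias in the ssl element of the connector tag; otherwise JBoss will not find the private key.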
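Step 3 is where most mistakes in this procedure end up: the http connector left enabled, an ssl element that still says TLSv1, a missing cipher-suite, a keystore path that does not exist on the server, or a curly quote pasted in from a document that makes JBoss reject the whole file. The checker below is an added example, not BMC's own code; it reads a standalone.xml (or just the web subsystem fragment) and reports those points. All XML in it is constructed for the demonstration, the password value is a placeholder, and the list of weak cipher-suite markers is a constructed list of well-known broken algorithms rather than anything from the page.

```python
"""Check a JBoss web-subsystem fragment against step 3 of the procedure.

Added example, not BMC's own code. Reports: http connector not disabled,
https connector missing or not secure, ssl protocol other than TLSv1.2,
missing cipher-suite or weak suites in it, keystore path not found,
key-alias missing, and XML that does not parse. Sample XML is constructed.
"""
import os
import xml.etree.ElementTree as ET

WEB_NS_PREFIX = "{urn:jboss:domain:web:"
# Constructed markers of suites that must never appear in cipher-suite.
WEAK_MARKERS = ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_MD5", "_EXPORT", "_anon_")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def https_port(xml_text):
    """Return the port of <socket-binding name="https"/> or None (step 3.3)."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "socket-binding" and el.get("name") == "https":
            return el.get("port")
    return None


def check_web_subsystem(xml_text, keystore_exists=os.path.isfile):
    """Return a list of findings; an empty list means the fragment matches
    step 3. keystore_exists is injectable so the check runs without the file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A curly quote (password=”secret") or an unclosed <connector> makes
        # JBoss reject the file as well, so it is reported as a finding.
        return [f"XML parse error: {exc}"]
    web = [el for el in root.iter()
           if _local(el.tag) == "subsystem" and el.tag.startswith(WEB_NS_PREFIX)]
    if not web:
        return ["no urn:jboss:domain:web subsystem found"]
    findings = []
    connectors = {c.get("name"): c for c in _children(web[0], "connector")}
    http = connectors.get("http")
    if http is not None and http.get("enabled", "true").lower() != "false":
        findings.append('http connector still enabled; add enabled="false"')
    https = connectors.get("https")
    if https is None:
        return findings + ["no https connector defined"]
    if https.get("scheme") != "https" or https.get("secure", "false").lower() != "true":
        findings.append('https connector needs scheme="https" and secure="true"')
    if https.get("socket-binding") != "https":
        findings.append('https connector should reference socket-binding="https"')
    ssl = _children(https, "ssl")
    if not ssl:
        return findings + ["https connector has no <ssl> element"]
    ssl = ssl[0]
    if ssl.get("protocol") != "TLSv1.2":
        findings.append(f"ssl protocol is {ssl.get('protocol')!r}; use TLSv1.2")
    suites = [s.strip() for s in (ssl.get("cipher-suite") or "").split(",") if s.strip()]
    if not suites:
        findings.append("cipher-suite attribute missing or empty")
    findings += [f"weak cipher suite listed: {s}"
                 for s in suites if any(m in s for m in WEAK_MARKERS)]
    keystore = ssl.get("certificate-key-file")
    if not keystore:
        findings.append("certificate-key-file not set")
    elif not keystore_exists(keystore):
        findings.append(f"keystore not found: {keystore}")
    if not ssl.get("key-alias"):
        findings.append("key-alias not set (must match the keytool -alias)")
    return findings


# Constructed samples modelled on the page's example -------------------------
SSL_ATTRS = ('certificate-key-file="/tmp/certs/brpm.keystore" key-alias="brpm_ssl" '
             'name="ssl" password="PLACEHOLDER_PASSWORD" verify-client="false"')


def make_subsystem(ssl_extra, http_enabled="false"):
    return (f'<subsystem xmlns="urn:jboss:domain:web:1.4" native="false">'
            f'<connector enabled="{http_enabled}" name="http" protocol="HTTP/1.1" '
            f'scheme="http" socket-binding="http"/>'
            f'<virtual-server name="default-host"><alias name="localhost"/></virtual-server>'
            f'<connector enable-lookups="false" name="https" protocol="HTTP/1.1" '
            f'scheme="https" secure="true" socket-binding="https">'
            f'<ssl {SSL_ATTRS} {ssl_extra}/></connector></subsystem>')


LEGACY = make_subsystem('protocol="TLSv1"')           # like the page's example
HARDENED = make_subsystem('protocol="TLSv1.2" cipher-suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,'
                          'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"')  # as step 3.2 asks
HTTP_LEFT_ON = make_subsystem('protocol="TLSv1.2" cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"',
                              http_enabled="true")
CURLY_QUOTE = LEGACY.replace('password="', 'password=\u201d')   # pasted from a word processor
FULL = ('<server xmlns="urn:jboss:domain:1.4"><profile>' + HARDENED + '</profile>'
        '<socket-binding-group name="standard-sockets">'
        '<socket-binding name="https" port="8443"/></socket-binding-group></server>')

if __name__ == "__main__":
    for label, doc in [("legacy", LEGACY), ("hardened", HARDENED),
                       ("http-left-on", HTTP_LEFT_ON), ("curly-quote", CURLY_QUOTE)]:
        print(f"{label}: {check_web_subsystem(doc, keystore_exists=lambda p: True) or 'OK'}")
    print("https port:", https_port(FULL))
```

Run it against the real file with check_web_subsystem(open(path).read()) and the default keystore_exists, so that the certificate-key-file path is verified on the host that will actually load it; the injectable check is only there so the constructed samples work without a keystore on disk.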
