Enabling HTTPS/SSL on existing instance
If you already have an existing BMC Release Process Management instance configured via HTTP and you want to switch to HTTPS/SSL, do the following:
To generate a keystore, run the following commands:
(Windows)
cd <RLM>/bin
setenv.bat
keytool -genkey -alias <ALIAS_NAME> -keyalg RSA -keystore <KEYSTORE_NAME>.keystore
(Linux/Oracle)
cd <RLM>/bin
../setenv.sh
keytool -genkey -alias <ALIAS_NAME> -keyalg RSA -keystore <KEYSTORE_NAME>.keystore
Answer the questions that appear at the command prompt.
The keystore file (brpm.keystore in this example) is written to the location specified in the command, which in our case is /tmp/certs/. You can move the file to the desired location.
To configure the BMC Release Process Management JBoss instance, first stop the BMC Release Process Management service, then do the following:
In the standalone.xml file (standalone-ha.xml for a cluster installation) located at RLMhome/server/jboss/standalone/configuration/, disable the HTTP connector by changing:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
to
<connector enabled="false" name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
After the virtual-server tag, add the following connector tag.
BMC Release Process Management 5.0.03 Patch 1 includes TLS 1.2 by default. You must specify the cipher_suites and the following information in the connector tag. For RPM Classic UI 5.0.03.001:
<connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
  <ssl certificate-key-file="C:\Program Files\BMC Software\RLM\server\jboss\standalone\configuration\.keystore" cipher-suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" key-alias="brpm_ssl" name="ssl" password="ynakon" protocol="TLSv1.2" verify-client="false"/>
</connector>
In the ssl tag, certificate-key-file is the path to the keystore you generated, key-alias is the <ALIAS_NAME> you used with keytool, and password is the keystore password you entered when generating it; replace the example values with your own.
Under the socket-binding element, check the HTTPS port:
<socket-binding name="https" port="8443"/>
Start BMC Release Process Management and access it with the HTTPS port.
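Before starting the service, it helps to verify that the edited standalone.xml actually matches the steps above (HTTP connector disabled, HTTPS connector with its ssl child, port bound). The following check is an added example, not BMC code; the sample XML, the keystore path, alias and password in it are constructed placeholders, and the forward-secrecy note on TLS_RSA_* suites is an extra review hint that goes beyond the page's list.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the shape this page edits (trimmed, simplified namespaces);
# the path, alias and password below are placeholders, not values from the page.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.4">
  <subsystem xmlns="urn:jboss:domain:web:1.4">
    <connector enabled="false" name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host"/>
    <connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https"
               secure="true" socket-binding="https">
      <ssl certificate-key-file="/opt/rlm/conf/brpm.keystore" key-alias="brpm_ssl" name="ssl"
           cipher-suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA"
           password="KEYSTORE_PASSWORD_PLACEHOLDER" protocol="TLSv1.2" verify-client="false"/>
    </connector>
  </subsystem>
  <socket-binding-group name="standard-sockets">
    <socket-binding name="https" port="8443"/>
  </socket-binding-group>
</server>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag name

def check_https_config(xml_text):
    # Returns a list of findings; an empty list means the setup matches the steps on this page.
    root, findings = ET.fromstring(xml_text), []
    connectors = {e.get("name"): e for e in root.iter() if _local(e.tag) == "connector"}
    ports = {e.get("name"): e.get("port") for e in root.iter() if _local(e.tag) == "socket-binding"}
    http = connectors.get("http")
    if http is not None and http.get("enabled", "true") != "false":
        findings.append('http connector still enabled: add enabled="false"')
    https = connectors.get("https")
    if https is None:
        return findings + ["no https connector defined"]
    if https.get("scheme") != "https" or https.get("secure") != "true":
        findings.append('https connector needs scheme="https" secure="true"')
    if not ports.get(https.get("socket-binding", "https")):
        findings.append("https socket-binding has no port (expected 8443 by default)")
    ssl = next((c for c in https if _local(c.tag) == "ssl"), None)
    if ssl is None:
        return findings + ["https connector has no <ssl> element"]
    for attr in ("certificate-key-file", "key-alias", "password", "cipher-suite"):
        if not ssl.get(attr):
            findings.append(f"<ssl> is missing {attr}")
    if ssl.get("protocol") != "TLSv1.2":
        findings.append('<ssl> protocol should be "TLSv1.2"')
    # Suites without ECDHE/DHE key exchange give no forward secrecy; flag them for review.
    suites = [s.strip() for s in ssl.get("cipher-suite", "").split(",") if s.strip()]
    findings += [f"cipher suite without forward secrecy: {s}" for s in suites
                 if not s.startswith(("TLS_ECDHE_", "TLS_DHE_"))]
    return findings
```

Run it against your real standalone.xml with `check_https_config(open(path).read())`; a non-empty list points at the step that still needs attention.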
(Optional) To generate the public certificate from the keystore, run the following command:
keytool -export -alias <ALIAS_NAME> -file <CERTIFICATE_NAME>.cer -keystore <KEYSTORE_NAME>.keystore
(Optional) To generate the certificate signing request (CSR), run the following command:
keytool -certreq -keyalg RSA -alias <ALIAS_NAME> -file <CERTIFICATE_NAME>.csr -keystore <KEYSTORE_NAME>.keystore
(Optional) Import the certification authority (CA) signed certificate into the keystore by doing the following:
To download chain or root certificates, go to the website of the CA from which you obtained your certificates.
Note
The requirements and usage of chain or root certificates can differ for every CA. Refer to the corresponding CA documentation for more details.
To import the chain or root certificate into the keystore, run the following command:
keytool -import -alias root -keystore <KEYSTORE_NAME> -trustcacerts -file <FILENAME_FOR_CHAIN_CERTIFICATE>
To import the new certificate, run the command:
keytool -import -alias <ALIAS_NAME> -keystore <KEYSTORE_NAME> -file <CERTIFICATE_RECEIVED_FROM_CA>
Note
The keytool commands must be adjusted to match your environment-specific values, such as paths, file names, and aliases.