Enabling TLS server certificate validation between the Remedy SSO Server and the Application Server

You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the Application Server and the Remedy Single Sign-On Server, which is an authentication component.

Complete the following steps to enable server certificate validation:

  1. Obtain the security certificates
  2. Install the certificates
  3. Configure the components to enable TLS

Important

If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.

I. Obtain the security certificates 

Obtain certificates that are signed by a certificate authority (CA) for the Remedy Single Sign-On Server and the Application ServerFor information about obtaining certificates, see the following topics:

II. Install the security certificates

The Application Server uses the cotruststore.ts truststore to communicate with other components. This truststore is bundled along with the server installation and is located in the <Application Server Installation Directory>/secure directory.

To install the certificates:

  1. Log on to the host computer where the Application Server is installed.

  2. Run the following command to add the directory path to the PATH environment variable. The default Application Server installation directory is /opt/bmc/BCO.

    # Linux

    export PATH=<Application Server Installation Directory>/jre/bin:$PATH

  3. Navigate to the directory where the cotruststore.ts truststore file is located.
    <Application Server Installation Directory>/secure

    Note

    Take a backup of the secure folder and save it in a location that is not in the Application Server installation path. If you need to reinstall the Application Server in case it stops processing, you can restore this backed-up folder.

  4. Copy the RootCA.cerintermediateCA.cer, TSCO.cer, and RemedySSO.cer certificates to this directory.

  5. Copy cotruststore.ts truststore file and rename it as cotruststore-update.ts.

  6. Run the following command to list all the keys in the cotruststore-update.ts truststore file:

    keytool -list -keystore <Application Server Installation Directory>/secure/cotruststore.ts -storepass changeit -storetype JKS

    Note

    changeit is the default password for the cotruststore-update.ts truststore.

  7. Run the following command to delete the existing certificate alias, dummy, if any:

    keytool -delete -alias dummy -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit

    Parameter description

    dummy: Alias name for the root certificate. If the alias name of the root certificate is different, then use the relevant name in the preceding command.

  8. Run the list command again to verify that the aliases are deleted:

    keytool -list -keystore cotruststore-update.ts -storepass changeit

  9. Run the following command to import the Application Server certificates into the cotruststore-update.ts truststore:

    keytool -importcert -trustcacerts -alias root -keystore cotruststore-update.ts -storepass changeit -file RootCA.cer

    #When you are prompted with the Trust this certificate question, type Yes.

    keytool -importcert -trustcacerts -alias intermediateCA -keystore cotruststore-update.ts -storepass changeit -file intermediateCA.cer

    #When you are prompted with the Trust this certificate question, type Yes

    keytool -v -importcert -alias coserver -keystore cotruststore-update.ts -storepass changeit -storetype JKS -file TSCO.cer -trustcacerts

    #When you are prompted with the Trust this certificate question, type Yes

  10. Run the following command to import the Remedy SSO Server certificate into the truststore of the Application Server:

    keytool -import -alias remedysso -file RemedySSO.cer -keystore cotruststore-update.ts -storepass changeit

    • remedysso: Remedy Single Sign-On Server certificate alias name. If the Remedy Single Sign-On Server certificate alias name is different, use the relevant alias name in the command.
    • RemedySSO.cer: Name of the CA-signed certificate obtained for the Remedy Single Sign-On Server. If this name is different, use the relevant file name and path in the command.

    • cotruststore-update.ts: Name of the Application Server truststore.
    • changeit: The default password for the cotruststore-update.ts truststore.
  11. Navigate to the directory where the cotruststore.ts truststore is located.
    <Application Server Installation Directory>/secure
  12. Rename the cotruststore.ts truststore file as cotruststore.ts.orig.

  13. Copy cotruststore-update.ts truststore file and rename it as cotruststore.ts.

  14. Restart the Application Server.

III. Configure the components to enable TLS

Complete the following configuration steps on the Application Server to enable TLS:

  1.  Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

    #Example
    perl switchTLSmode.pl -on -tspwd -flow auth

     Click here for switchTLSmode.pl command details

    #Syntax 
    switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]

    Parameter reference
    -h or --help: Prints the help for the command.

    -on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.

    -dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)

    -tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.

    -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.

    internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

    auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Remedy Single Sign-On Server or LDAP server) and Application Server.

    codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.

    externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.

    all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.


  2. When you are prompted, enter the password to access the truststore.

TLS 1.2 with server certificate validation is enabled between the Remedy Single Sign-On Server and the Application Server. 

Where to go from here

Import the TrueSight Presentation Server certificate into the truststore of Application Server. For more information, see Enabling TLS server certificate validation between the Presentation Server and the Application Server.

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Stefan Antelmann

    The examples under point 9 are wrong. IN step 8 we are working on the cotruststore-update.ts file, but in the first 2 examples under point 9 we refer to loginvault-update.ks as the truststore file which is wrong.

    Nov 12, 2018 04:45