Installing a CA-signed certificate into the embedded web server
When you install TrueSight Capacity Optimization, an Apache web server is automatically installed, and a private key with a self-signed certificate is generated during installation. The Apache Web Server is a part of all Application Server installations.
To prevent certificate-related warnings when you access TrueSight Capacity Optimization from a browser, you must install a certificate that is signed by a Certification Authority (CA) into the web server. The certificate can be signed by an enterprise CA or a third-party CA.
After you install the CA-signed certificate, a trusted TLS communication is established between the browser and the web server.
Before you begin
Ensure that you have the CA-signed certificates and the private key. These files must be saved to the server directory where all the certificate and key files are available.
If you receive the domain-specific certificate (for example, myserver.crt) and the intermediate certificate chain (for example, intermediate.crt) from a CA, append intermediate.crt to myserver.crt so that the server certificate comes first in the file, followed by the intermediate chain. For example, use the following command on a Linux system for concatenating certificates:
cat intermediate.crt >> myserver.crt
For more information about concatenating certificates, see the SSLCertificateFile directive at the website.
$BCO_HOME represents the TrueSight Capacity Optimization Installation Directory.
To install the signed certificate
- Log in to the host where the Application Server is installed.
In the $BCO_HOME/secure directory, create a new 'httpd/keys' subdirectory:
cd $BCO_HOME/secure
mkdir -p httpd/keys
- Copy the new certificate and key files to this directory: $BCO_HOME/secure/httpd/keys
- To configure the TrueSight Capacity Optimization embedded Apache web server to read the certificates in the $BCO_HOME/secure/httpd/keys directory:
- Create the following directory: $BCO_HOME/secure/httpd/conf
- Create a file named custom_ssl.conf in the directory: $BCO_HOME/secure/httpd/conf
In the custom_ssl.conf file, specify the location of the site-signed certificate file and key:
certificate.cer indicates the name of the certificate file and
certkey.key indicates the name of the key file.
The file location path is relative to the Apache web server working directory so '../../secure/httpd/keys' is the $BCO_HOME/secure/httpd/keys directory.
- Modify the $BCO_HOME/3rd_party/apache2/conf/bco-vhost.conf file to include a call to load the custom_ssl.conf file.
At the beginning of the file, find the following section:
<IfModule !mod_ssl.c>
    #load SSL configuration only if file exists
    IncludeOptional conf/ssl.con[f]
</IfModule>
Add the line IncludeOptional ../../secure/httpd/conf/custom_ssl.conf as follows:
<IfModule !mod_ssl.c>
    #load SSL configuration only if file exists
    IncludeOptional conf/ssl.con[f]
    IncludeOptional ../../secure/httpd/conf/custom_ssl.conf
</IfModule>
Run the following command to restart the Apache web server.
./cpit restart httpd
These changes allow the Apache httpd server to read the custom_ssl.conf file, which contains the SSLCertificateFile and SSLCertificateKeyFile properties that point to your site-signed SSL certificate and key.
The new URL to connect to TrueSight Capacity Optimization will be https://<host_name>.<domain.com>:<port>/console.
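A preflight check for the procedure above, as an added example that is not part of the product documentation: it confirms that custom_ssl.conf names a readable PEM certificate and key, that the private key is not accessible to group or others, and that bco-vhost.conf actually includes the file. It assumes the Apache working directory is $BCO_HOME/3rd_party/apache2 (which is what makes ../../secure/httpd/keys resolve to $BCO_HOME/secure/httpd/keys); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): preflight check to run before restarting httpd.
# Assumptions: httpd's working directory is $BCO_HOME/3rd_party/apache2, and
# custom_ssl.conf holds the two directives named on this page, for example:
#   SSLCertificateFile    ../../secure/httpd/keys/certificate.cer
#   SSLCertificateKeyFile ../../secure/httpd/keys/certkey.key

# Print the argument of directive $1 in file $2 (last uncommented occurrence).
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); print v }' "$2"
}

# Resolve path $2 against directory $1 unless it is already absolute.
resolve() {
    case $2 in /*) printf '%s\n' "$2" ;; *) printf '%s\n' "$1/$2" ;; esac
}

# Number of PEM certificates in file $1 (1 = leaf only, 2+ = leaf plus chain).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_custom_ssl BCO_HOME: print one line per problem; return 1 if any found.
check_custom_ssl() {
    root="$1/3rd_party/apache2"
    conf="$1/secure/httpd/conf/custom_ssl.conf"
    rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }
    cert=$(directive_value SSLCertificateFile "$conf")
    key=$(directive_value SSLCertificateKeyFile "$conf")
    [ -n "$cert" ] && cert=$(resolve "$root" "$cert")
    [ -n "$key" ] && key=$(resolve "$root" "$key")

    if [ ! -r "$cert" ] || [ "$(pem_cert_count "$cert")" -lt 1 ]; then
        echo "FAIL: SSLCertificateFile is not a readable PEM certificate: $cert"; rc=1
    fi
    if [ ! -r "$key" ] || ! grep -q -- 'PRIVATE KEY-----' "$key"; then
        echo "FAIL: SSLCertificateKeyFile is not a readable PEM key: $key"; rc=1
    elif [ "$(ls -lLd "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: private key is accessible to group or others: $key"; rc=1
    fi
    # The include must be active (not commented out) in bco-vhost.conf.
    grep -Eq '^[[:space:]]*IncludeOptional[[:space:]]+\.\./\.\./secure/httpd/conf/custom_ssl\.conf' \
        "$root/conf/bco-vhost.conf" 2>/dev/null ||
        { echo "FAIL: bco-vhost.conf does not include custom_ssl.conf"; rc=1; }
    return $rc
}
```

Call it as check_custom_ssl "$BCO_HOME" after editing the files and before restarting httpd; no output and a zero exit status mean every check passed.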
To validate a trusted connection
To verify that a trusted connection is established with the web server, complete the following steps:
- Close all browser windows.
Open a new browser window, and type the URL to access the TrueSight Capacity Optimization console.
If the certificate is correctly applied, the secure symbol is displayed beside the https:// URL.
If the browser still shows a warning about an insecure connection, verify that the trusted root certificate from the CA is available in the certificate store or the keystore of your browser.