Installing a CA-signed certificate into the embedded web server


When you install TrueSight Capacity Optimization, an Apache web server is automatically installed, and a private key with a self-signed certificate is generated during installation. The Apache Web Server is a part of all Application Server installations.

To prevent certificate-related warnings while accessing the TrueSight Capacity Optimization from a browser,  you must install a certificate that is signed by a Certification Authority (CA) into the web server. The certificate can be signed by an enterprise CA or a third-party CA.

After you install the CA-signed certificate, a trusted TLS communication is established between the browser and the web server.

Before you begin

Ensure that you have the CA-signed certificates and the private key. These files must be saved to the server directory where all the certificate and key files are available.

If you receive the domain-specific certificate (for example, myserver.crt) and intermediate certificate chain (for example, intermediate.crt) from a CA, concatenate the intermediate.crt  to myserver.crt. For example, use the following command on a Linux system for concatenating certificates:

cat intermediate.crt  >> myserver.crt

For more information about concatenating certificates, see the SSLCertificateFile directive at the  Apache website.

$BCO_HOME represents the TrueSight Capacity Optimization Installation Directory.

To install the signed certificate

  1. Log in to the host where the Application Server is installed.
  2. In the $BCO_HOME/secure directory, create a new 'httpd/keys' subdirectory:

    cd $BCO_HOME/secure
    mkdir -p httpd/keys
  3. Copy the new certificate and key files to this directory: $BCO_HOME/secure/httpd/keys
  4. To configure the TrueSight Capacity Optimization embedded Apache web server to read the certificates in the $BCO_HOME/secure/httpd/keys directory:
    1. Create the following directory: $BCO_HOME/secure/httpd/conf
    2. Create a file named custom_ssl.conf in the directory: $BCO_HOME/secure/httpd/conf
    3. In the custom_ssl.conf file, specify the location of the site-signed certificate file and key:

      For example, 

      SSLCertificateFile ../../secure/httpd/keys/certificate.cer
      SSLCertificateKeyFile ../../secure/httpd/keys/certkey.key
      where, certificate.cer indicates the name of the certificate file and certkey.key indicates the name of the key file

      The file location path is relative to the Apache web server working directory so '../../secure/httpd/keys' is the $BCO_HOME/secure/httpd/keys directory.

    When you upgrade TrueSight Capacity Optimization, these customized settings are retained.
  5. Modify the $BCO_HOME/3rd_party/apache2/conf/bco-vhost.conf file to include a call to load the custom_ssl.conf file. 
    1. At the beginning of the file, find the following section: 

      <IfModule !mod_ssl.c>
        #load SSL configuration only if file exists
        IncludeOptional conf/ssl.con[f]
      </IfModule>
    2. Add the line: IncludeOptional ../../secure/httpd/conf/custom_ssl.conf as follows:

      <IfModule !mod_ssl.c> 
        #load SSL configuration only if file exists 
        IncludeOptional conf/ssl.con[f] 
        IncludeOptional ../../secure/httpd/conf/custom_ssl.conf 
      </IfModule>
  6. Run the following command to restart the Apache web server. 

    ./cpit restart httpd

    The changes allows the Apache httpd server to read the custom_ssl.conf file, which contains the SSLCertificateFile and SSLCertificateKeyFile properties that point to your site-signed SSL certificate and key. 

The new URL to connect to TrueSight Capacity Optimization will be https://<host_name>.<domain.com>:<port>/console.

To validate a trusted connection

To verify that a trusted connection is established with the web server, complete the following steps:

  1. Close all browser windows.
  2. Open a new browser window, and type the URL to access the TrueSight Capacity Optimization console.
    If the certificate is correctly applied, the secure symbol is displayed besides the https:// URL as shown in the following image:



    If the browser still shows a warning about an insecure connection, verify that the trusted root certificate from CA is available in the certificate store or the keystore of your browser.

Was this page helpful? Yes No Submitting... Thank you

Comments