Enabling TLS server certificate validation between the Gateway Server and the Application Server
The Gateway Server communicates with the Application Server component of TrueSight Capacity Optimization.
Gateway Server supports only self-signed certificates. So, there is no need for a new certificate to communicate with the Application Server. Only the Application Server and the ETL Engine are needed to be signed.
When you install the Gateway Server, a self-signed certificate is also installed. However, it is recommended to install a security certificate that is issued by a competent public certificate authority (CA).
Complete the following tasks to configure the Application Server to use TLS:
Before you begin
- Ensure that you use the operating systems that support TLS. For more information, see TLS considerations for TrueSight Capacity Optimization.
- Ensure that you configure the Application Server in HTTPS mode.
If the Application Server is configured in HTTP mode and you want to switch to HTTPS mode, you must reinstall the Application Server. For more information, see Installing Application Server.
Obtaining a signed security certificate for the Application Server
You must obtain a certificate that is signed by a CA. Usually, the security department of your organization can provide you this certificate or you can request for it from the CA that your organization recommends. For information about requesting for a signed certificate, see Creating a request for a CA-signed certificate.
Installing the signed certificates into the truststore of Application Server
The Application Server uses the cotruststore.ts truststore to communicate with other components. This truststore is bundled along with the Server installation and is located in the <Server Installation Directory>/secure directory.
Log on to the host computer where the Application Server is installed.
The keytool utility that is used to generate and import the certificates is present in the <Application Server Installation Directory>/jre/bin directory. The default <Application Server Installation Directory> is /opt/bmc/BCO.
Add this directory path to the PATH environment variable by running the following command:
Navigate to the directory where the cotruststore.ts truststore file is located.
Windows: <Application Server Installation Directory>\secure
Linux: <Application Server Installation Directory>/secure
Take a backup of the \secure folder and save it in a location that is not in the Application Server install path. If you need to reinstall the Application Server in case it stops processing, you can restore this backed up folder.
- Copy cotruststore.ts truststore file and rename it as cotruststore-update.ts.
List all the keys in the cotruststore-update.ts truststore file by running the following command:
changeit is the default password for the cotruststore-update.ts truststore.
Delete the existing certificate alias, dummy, if it exists, by running the following command:
dummy: Alias name for the root certificate. If the alias name of the root certificate is different, then use the relevant name in the preceding command.
Run the list command again to verify that the aliases are deleted:
Copy the RootCA.cer, intermediateCA.cer, and TSCO.cer to the current directory, and import these certificates into the cotruststore-update.ts truststore by running the following command:
Navigate to the directory where the cotruststore.ts truststore is located.
Windows: <Application Server Installation Directory>\conf\secure
Linux: <Application Server Installation Directory>/conf/secure
Rename the cotruststore.ts truststore file as cotruststore.ts.orig.
Copy cotruststore-update.ts truststore file and rename it as cotruststore.ts.
Restart the Application Server.
Configuring the Application Server to use TLS
Complete the following steps on all the computers where the Application Server components and ETL Engine Server are installed:
Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.
#Example switchTLSmode.pl -on -tspwd -flow internalClick here for switchTLSmode.pl command details
#Syntax switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]
-h or --help: Prints the help for the command.
-on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.
-dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)
-tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.
-flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.
internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.
auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Remedy Single Sign-On Server or LDAP server) and Application Server.
codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.
externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.
all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.
- When you are prompted, enter the password to access the truststore.
The communication channels between the Application Server and the Gateway Server are now TLS 1.2 enabled with server certificate validation.