×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC TrueSight Capacity Optimization 20.02 ... Administering Securing communication between product components

Enabling TLS server certificate validation between the Gateway Server and the Application Server

The Gateway Server communicates with the Application Server component of TrueSight Capacity Optimization. 

Gateway Server supports only self-signed certificates. So, there is no need for a new certificate to communicate with the Application Server. Only the Application Server and the ETL Engine are needed to be signed.

When you install the Gateway Server, a self-signed certificate is also installed. However, it is recommended to install a security certificate that is issued by a competent public certificate authority (CA). 

Complete the following tasks to configure the Application Server to use TLS:

  1. Obtain a signed security certificate for the Application Server
  2. Install the signed certificates into the truststore of Application Server
  3. Configure the Application Server to use TLS

Before you begin

Obtaining a signed security certificate for the Application Server

You must obtain a certificate that is signed by a CA. Usually, the security department of your organization can provide you this certificate or you can request for it from the CA that your organization recommends. For information about requesting for a signed certificate, see Creating a request for a CA-signed certificate.

Installing the signed certificates into the truststore of Application Server

If you are switching the Application Server to a new machine, you must reinstall the product to point the installation to the new Application server. For more information, see Installing Application Server.

The Application Server uses the cotruststore.ts truststore to communicate with other components. This truststore is bundled along with the Server installation and is located in the <Server Installation Directory>/secure directory.

  1. Log on to the host computer where the Application Server is installed.

  2. The keytool utility that is used to generate and import the certificates is present in the <Application Server Installation Directory>/jre/bin directory. The default <Application Server Installation Directory> is /opt/bmc/BCO.

    Add this directory path to the PATH environment variable by running the following command:

    # Linux

    export PATH=<Application Server Installation Directory>/jre/bin:$PATH

  3. Navigate to the directory where the cotruststore.ts truststore file is located.

    Windows: <Application Server Installation Directory>\secure

    Linux: <Application Server Installation Directory>/secure

    Note

    Take a backup of the \secure folder and save it in a location that is not in the Application Server install path. If you need to reinstall the Application Server in case it stops processing, you can restore this backed up folder.


  4. Copy cotruststore.ts truststore file and rename it as cotruststore-update.ts.

  5. List all the keys in the cotruststore-update.ts truststore file by running the following command:

    keytool -list -keystore <Application Server Installation Directory>/secure/cotruststore.ts -storepass changeit -storetype JKS

    Note

    changeit is the default password for the cotruststore-update.ts truststore.

  6. Delete the existing certificate alias, dummy, if it exists, by running the following command:

    keytool -delete -alias dummy -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit

    Parameter description

    dummy: Alias name for the root certificate. If the alias name of the root certificate is different, then use the relevant name in the preceding command.

  7. Run the list command again to verify that the aliases are deleted:

    keytool -list -keystore cotruststore-update.ts -storepass changeit

  8. Copy the RootCA.cer, intermediateCA.cer, and TSCO.cer to the current directory, and import these certificates into the cotruststore-update.ts truststore by running the following command:

    keytool -importcert -trustcacerts -alias root -keystore loginvault-update.ks -storepass changeit -file RootCA.cer

    You are prompted with the Trust this certificate question, type Yes

    keytool -importcert -trustcacerts -alias intermediateCA -keystore loginvault-update.ks -storepass changeit -file intermediateCA.cer

    You are prompted with the Trust this certificate question, type Yes

    keytool -v -importcert -alias coserver -keystore <Application Server Installation directory>/secure/ cotruststore-update.ts -storepass changeit -storetype JKS -file TSCO.cer -trustcacerts

    You are prompted with the Trust this certificate question, type Yes

  9. Navigate to the directory where the cotruststore.ts truststore is located.

    Windows: <Application Server Installation Directory>\conf\secure

    Linux: <Application Server Installation Directory>/conf/secure

  10. Rename the cotruststore.ts truststore file as cotruststore.ts.orig.

  11. Copy cotruststore-update.ts truststore file and rename it as cotruststore.ts.

  12. Restart the Application Server.

Configuring the Application Server to use TLS

Complete the following steps on all the computers where the Application Server components and ETL Engine Server are installed:

  1.  Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

    #Example
switchTLSmode.pl -on -tspwd -flow internal

    The page .Enabling TLS server certificate validation among the internal product components v11.0 was not found  -- Please check/update the page name used in the MultiExcerpt-Include macro

  2. When you are prompted, enter the password to access the truststore.

    The communication channels between the Application Server and the Gateway Server are now TLS 1.2 enabled with server certificate validation.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Bharati Poddar on Nov 11, 2020
tls12 tls certificate_authority gateway_server application_server task

Comments

  1. Dima Seliverstov

    • 1. It’s not specified how to put the new certificate on the GW server apache • 2. It’s not specified how to import the GW server certificate into TSCO AS truststore

    The documentation is missing instructions on how to replace the self-signed SSL certificate the installer creates with a site-signed version.

    Only self signed certificates are supported for the GWS.

    Sep 16, 2020 10:35
    1. Bharati Poddar

      Thanks for the feedback, Dima.

      As per our email discussion, I have updated the topic.

      Oct 27, 2020 01:16

Log in or register to comment.

Enabling TLS server certificate validation among the internal product components
Disabling TLS
© Copyright 2014 - 2020 BMC Software, Inc. © Copyright 2014 - 2020 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.