Enabling TLS server certificate validation between the Presentation Server and the Application Server

The Capacity Optimization plugin in the TrueSight Presentation Server communicates with the Application Server (Datahub) component of TrueSight Capacity Optimization. You can use Transport Layer Security (TLS) authentication to secure the connection between the TrueSight Presentation Server and the Application Server, so that the TrueSight Presentation Server sends encrypted data only to the trusted Application Server.

To enable TLS 1.2 with server certificate validation, complete the following steps:

  1. Obtain a signed certificate for the Presentation Server.
  2. Install the Presentation Server certificate into the truststore of the Application Server.
  3. Configure the TrueSight Presentation Server to use TLS.

Before you begin

Make sure that the following tasks are completed:

  • Use the operating systems that support TLS. For details, see TLS considerations for TrueSight Capacity Optimization.
  • Configure the Application Server in the HTTPS mode. For details, see Installing Application Server.
  • Import the Application Server and the Remedy Single Sign-On Server certificates into the truststore of Application Server. For details, see Enabling TLS server certificate validation between the Remedy SSO Server and the Application Server.
  • Add the Remedy Single Sign-On Server and TrueSight Capacity Optimization certificates to the truststore of the Presentation Server. For details, see Implementing private certificates in the Remedy Single Sign-On Server and Implementing private certificates in the TrueSight Presentation Server.
    The Remedy Single Sign-On Server and the Presentation Server require a proper certificate chain to be installed when they use the HTTPS protocol. The certificates from the remote listener must be imported into the truststore file of the products, that is, the default cacerts file. For details, see Implementing private certificates in TrueSight Operations Management. The default security configuration of TrueSight Capacity Optimization does not require certificates from the remote TLS listener until the TLS 1.2 protocol version is enabled.

I. Obtain a signed security certificate for the Presentation Server

Obtain a certificate that is signed by a certificate authority (CA) for the Presentation Server. For information, see Implementing private certificates in the TrueSight Presentation Server.

II. Install the Presentation Server certificate into the truststore of Application Server

The Application Server uses the cotruststore.ts truststore to store the public certificates for the communication with remote listeners. This truststore is bundled with the Server installation and is stored in the <Server Installation Directory>/secure directory.

To install the Presentation Server certificate:

  1. Log on to the host computer where the Application Server is installed.

  2. Run the following command to add the directory path to the PATH environment variable. The default installation directory of the Application Server is /opt/bmc/BCO.

    # Linux

    export PATH=<Application Server Installation Directory>/jre/bin:$PATH

  3. Navigate to the directory where the cotruststore.ts truststore file is located.

    <Application Server Installation Directory>/secure

    Note

    Take a backup of the secure folder and save it in a location that is not in the Application Server install path. If you need to reinstall the Application Server in case it stops processing, you can restore this backed-up folder.


  4. Copy the TrueSight Presentation Server certificate to this directory.
  5. Copy cotruststore.ts truststore file and rename it as cotruststore-update.ts.
  6. Run the following command to list all the keys in the cotruststore-update.ts truststore file:

    keytool -list -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit -storetype JKS

    Note

    changeit is the default password for the cotruststore-update.ts truststore.

    If you have not imported the certificate before, the truststore file is empty. So, you can skip steps 7 and 8. 

  7. Run the following command to delete the existing certificate alias, dummy, if any:

    keytool -delete -alias dummy -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit

    Parameter description

    dummy: Alias name for the root certificate. If the alias name of the root certificate is different, then use the relevant name in the preceding command.

  8. Run the list command again to verify that the aliases are deleted:

    keytool -list -keystore cotruststore-update.ts -storepass changeit

  9. Run the following command to import the Presentation Server certificate:

    #Import the TrueSight Presentation Server certificate

    keytool -import -alias truesightserver -keystore cotruststore-update.ts -file truesightPS.cer -storetype JKS -storepass changeit

    #When you are prompted with the Trust this certificate question, type Yes

    Parameter description:

    • truesightserver: Name of the Presentation Server alias.
    • truesightPS.cer: Name of the Presentation Server certificate.
    • cotruststore-update.ts: Name of the Application Server truststore.
  10. Navigate to the directory where the cotruststore.ts truststore is located.

    <Application Server Installation Directory>/secure

  11. Rename the cotruststore.ts truststore file as cotruststore.ts.orig.

  12. Copy cotruststore-update.ts truststore file and rename it as cotruststore.ts.

  13. Restart the Application Server.
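
The verification that steps 6 to 12 rely on, as an added example (not part of the BMC procedure or tooling): a POSIX shell check that reads `keytool -list` output and confirms that the truesightserver alias is a trusted certificate entry, that the dummy alias is gone, and that the recorded fingerprint matches the certificate you intended to import. The function names, the sample listing and its shortened fingerprint are constructed for illustration, and the parsing assumes keytool's default English listing layout.

```shell
#!/bin/sh
# Added example: check a `keytool -list` listing of cotruststore-update.ts
# before it replaces cotruststore.ts. Reads the listing on stdin.

# Print the fingerprint recorded for alias $1 when that alias is a
# trustedCertEntry; return 1 when the alias is absent.
fingerprint_for_alias() {
    awk -v want="$1" '
        found && /^Certificate fingerprint/ {
            sub(/^[^:]*: */, "")     # drop the "Certificate fingerprint (...): " label
            sub(/[ \t\r]+$/, "")     # drop trailing whitespace
            print; ok = 1; exit
        }
        { found = 0 }
        index($0, want ",") == 1 && /, trustedCertEntry,/ { found = 1 }
        END { exit !ok }
    '
}

# check_listing EXPECTED_FINGERPRINT
# 0 = safe to swap, 2 = old alias "dummy" still present,
# 3 = alias truesightserver missing, 4 = fingerprint differs.
check_listing() {
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -q '^dummy,'; then
        echo "alias dummy is still in the truststore" >&2; return 2
    fi
    got=$(printf '%s\n' "$listing" | fingerprint_for_alias truesightserver) || {
        echo "alias truesightserver not found" >&2; return 3; }
    [ "$got" = "$1" ] || { echo "fingerprint mismatch: $got" >&2; return 4; }
}

# Constructed sample listing (fingerprint shortened, not a real certificate).
SAMPLE_FP='11:22:33:44:55:66'
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

truesightserver, May 21, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66'

printf '%s\n' "$SAMPLE_LISTING" | check_listing "$SAMPLE_FP" && echo "listing OK"

# On the Application Server host, feed it the real listing instead:
#   keytool -list -keystore cotruststore-update.ts -storepass changeit |
#       check_listing "<fingerprint shown by: keytool -printcert -file truesightPS.cer>"
```

Take the expected fingerprint from the certificate file itself, using the same digest algorithm that the listing reports, and rename cotruststore-update.ts into place only when the check returns 0.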

III. Configure the TrueSight Presentation Server to use TLS

  1. Run the following command to ensure that the TrueSight Presentation Server is running:

    #Microsoft Windows 
    tssh server status

    #Unix 
    ./tssh server status
  2. (Required only if other certificate validation between the components was not enabled previously): Import the TrueSight Capacity Optimization Datahub AS Web Server certificate into the cotruststore.ts file.

  3. Copy the cotruststore.ts file to the following directory on the Presentation Server:

    • (Windows) <TrueSight Presentation Server Installation Directory>\truesightpserver\conf\secure
    • (UNIX) <TrueSight Presentation Server Installation Directory>/truesightpserver/conf/secure
  4. If the tsps.co.conntype property is not already set to tls, run the following command to set the property in the Presentation Server:

    #Microsoft Windows 
    tssh properties set tsps.co.conntype tls
    #Unix 
    ./tssh properties set tsps.co.conntype tls

    In case of any issue, you might want to disable TLS by using this command:

    #Microsoft Windows 
    tssh properties set tsps.co.conntype ssl
    #Unix 
    ./tssh properties set tsps.co.conntype ssl
  5. Restart the Presentation Server.

    #Microsoft Windows 
    tssh server stop
    tssh server start
    #Unix 

    ./tssh server stop

    nohup sh tssh server start & 

The TrueSight Presentation Server is configured to communicate with the Application Server by using the TLS 1.2 protocol. 


Comments

  1. David Deaderick

    Default password is incorrect for cotruststore.ts, ships as: changeit

    May 21, 2020 10:34
    1. Bharati Poddar

      The password is updated to changeit in Step 9. Thanks, David.

      Jul 17, 2020 07:22
  2. David Deaderick

    Why are you copying the cotruststore.ts to the Presentation server? There is a /truesightpserver/conf/secure/tspstruststore.ts that is referenced by the property tsps.client.cell.keystore.filename, which by the way does use the storepass: get2net

    Instead, I would think we would import our Certificate Authority's Root (and possibly Intermediate) CA Certificates, so we can trust any client they have signed.

    May 21, 2020 10:52
    1. Bharati Poddar

      Hi David,

      I checked with the team to validate the steps. They confirmed that the steps are correct and it is not required to import the CA-signed certificates as they are already imported to cotruststore.

      Thanks,

      Bharati

      Oct 23, 2020 06:00