Enabling TLS server certificate validation between the Presentation Server and the Application Server
The Capacity Optimization plugin in the TrueSight Presentation Server communicates with the Application Server (Datahub) component of TrueSight Capacity Optimization. You can use Transport Layer Security (TLS) authentication to secure the connection between the TrueSight Presentation Server and the Application Server, so that the TrueSight Presentation Server sends encrypted data only to the trusted Application Server.
To enable TLS 1.2 with server certificate validation, complete the following steps:
- Obtain a signed certificate for the Presentation Server.
- Install the Presentation Server certificate into the truststore of the Application Server.
- Configure the TrueSight Presentation Server to use TLS.
Before you begin
Make sure that the following tasks are completed:
- Use the operating systems that support TLS. For details, see TLS considerations for TrueSight Capacity Optimization.
- Configure the Application Server in the HTTPS mode. For details, see Installing Application Server.
- Import the Application Server and the Remedy Single Sign-On Server certificates into the truststore of Application Server. For details, see Enabling TLS server certificate validation between the Remedy SSO Server and the Application Server.
- Add the Remedy Single Sign-On Server and TrueSight Capacity Optimization certificates to the truststore of the Presentation Server. For details, see Implementing private certificates in the Remedy Single Sign-On Server and Implementing private certificates in the TrueSight Presentation Server.
The Remedy Single Sign-On Server and the Presentation Server require a proper certificate chain to be set up at installation when the HTTPS protocol is used. The certificates from the remote listener must be imported into the truststore file of the products, which by default is the cacerts file. For details, see Implementing private certificates in TrueSight Operations Management. The default security configuration of TrueSight Capacity Optimization does not require certificates from the remote TLS listener until the TLS 1.2 protocol version is enabled.
I. Obtain a signed security certificate for the Presentation Server
Obtain a certificate that is signed by a certificate authority (CA) for the Presentation Server. For information, see Implementing private certificates in the TrueSight Presentation Server.
II. Install the Presentation Server certificate into the truststore of Application Server
The Application Server uses the cotruststore.ts truststore to store the public certificates used for communication with remote listeners. This truststore is bundled with the Application Server installation and is stored in the <Server Installation Directory>/secure directory.
To install the Presentation Server certificate:
1. Log on to the host computer where the Application Server is installed.
2. Run the following command to add the JRE directory to the PATH environment variable. The default installation directory of the Application Server is /opt/bmc/BCO.
# Linux
export PATH=<Application Server Installation Directory>/jre/bin:$PATH
3. Navigate to the directory where the cotruststore.ts truststore file is located:
<Application Server Installation Directory>/secure
Note
Take a backup of the secure folder and save it in a location that is not in the Application Server install path. If the Application Server stops processing and you need to reinstall it, you can restore this backed-up folder.
4. Copy the TrueSight Presentation Server certificate to this directory.
5. Copy the cotruststore.ts truststore file and rename the copy cotruststore-update.ts.
6. Run the following command to list all the keys in the cotruststore-update.ts truststore file:
keytool -list -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit -storetype JKS
Note
changeit is the default password for the cotruststore-update.ts truststore.
If you have not imported the certificate before, the truststore file is empty, so you can skip steps 7 and 8.
7. Run the following command to delete the existing certificate alias, dummy, if any:
keytool -delete -alias dummy -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit
Parameter description
- dummy: Alias name for the root certificate. If the alias name of the root certificate is different, use the relevant name in the preceding command.
8. Run the list command again to verify that the alias is deleted:
keytool -list -keystore cotruststore-update.ts -storepass changeit
9. Run the following command to import the Presentation Server certificate:
#Import the TrueSight Presentation Server certificate
keytool -import -alias truesightserver -keystore cotruststore-update.ts -file truesightPS.cer -storetype JKS -storepass changeit
#When you are prompted with the Trust this certificate question, type Yes
Parameter description:
- truesightserver: Name of the Presentation Server alias.
- truesightPS.cer: Name of the Presentation Server certificate.
- cotruststore-update.ts: Name of the Application Server truststore.
10. Navigate to the directory where the cotruststore.ts truststore is located:
<Application Server Installation Directory>/secure
11. Rename the cotruststore.ts truststore file as cotruststore.ts.orig.
12. Copy the cotruststore-update.ts truststore file and rename the copy cotruststore.ts.
13. Restart the Application Server.
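The staged truststore update from section II (working copy, removal of the dummy alias, import, verification, then swap-in), written as a POSIX shell script. This is an added example, not BMC's tooling or the page's own commands; it assumes keytool from the Application Server JRE is on PATH and the default store password changeit, and the function names are hypothetical.

```shell
#!/bin/sh
# Staged update of the Application Server truststore (cotruststore.ts), following
# section II. Assumptions: keytool from <AS install dir>/jre/bin is on PATH and the
# store password is the default "changeit". Helper names are hypothetical (not BMC's).
set -e

STOREPASS="${STOREPASS:-changeit}"

# Step 5: work on a copy so the live truststore is untouched until the import is verified.
stage_truststore() {   # $1 = <AS install dir>/secure
    cp "$1/cotruststore.ts" "$1/cotruststore-update.ts"
    [ -s "$1/cotruststore-update.ts" ]
}

# Check `keytool -list` output (read from stdin) for an alias. keytool stores aliases
# in lower case and prints them as "<alias>, <date>, <entry type>," so compare case-insensitively.
has_alias() {   # $1 = alias
    grep -qi "^$1,"
}

# Steps 7 to 9: drop the placeholder "dummy" alias if present, import the PS certificate,
# then confirm the new alias is actually listed before anything touches the live store.
import_ps_cert() {   # $1 = secure dir, $2 = certificate file, $3 = alias (default truesightserver)
    store="$1/cotruststore-update.ts"; alias="${3:-truesightserver}"
    if keytool -list -keystore "$store" -storepass "$STOREPASS" -storetype JKS | has_alias dummy; then
        keytool -delete -alias dummy -keystore "$store" -storepass "$STOREPASS"
    fi
    # -noprompt answers the "Trust this certificate?" question non-interactively.
    keytool -import -noprompt -alias "$alias" -keystore "$store" -file "$2" \
        -storetype JKS -storepass "$STOREPASS"
    keytool -list -keystore "$store" -storepass "$STOREPASS" -storetype JKS | has_alias "$alias"
}

# Steps 11 and 12: keep the original as cotruststore.ts.orig and promote the updated copy.
finalize_truststore() {   # $1 = secure dir
    mv "$1/cotruststore.ts" "$1/cotruststore.ts.orig"
    cp "$1/cotruststore-update.ts" "$1/cotruststore.ts"
    [ -f "$1/cotruststore.ts.orig" ] && [ -s "$1/cotruststore.ts" ]
}

# Runs the whole procedure only when invoked with arguments, for example:
#   sh update_truststore.sh /opt/bmc/BCO/secure truesightPS.cer
if [ "$#" -ge 2 ]; then
    stage_truststore "$1"
    import_ps_cert "$1" "$2" "${3:-truesightserver}"
    finalize_truststore "$1"
    echo "Imported $2 into $1/cotruststore.ts; restart the Application Server (step 13)."
fi
```

Because `set -e` is active, a failed import or a missing alias aborts before finalize_truststore runs, so the live cotruststore.ts is only replaced by a copy that has been verified to contain the Presentation Server alias.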
III. Configure the TrueSight Presentation Server to use TLS
1. Run the following command to ensure that the TrueSight Presentation Server is running:
#Microsoft Windows
tssh server status
#Unix
./tssh server status
2. (Required only if certificate validation between the components has not been enabled previously) Import the TrueSight Capacity Optimization Datahub AS Web Server certificate into the cotruststore.ts file.
3. Copy the cotruststore.ts file to the following directory on the Presentation Server:
- (Windows) <TrueSight Presentation Server Installation Directory>\truesightpserver\conf\secure
- (UNIX) <TrueSight Presentation Server Installation Directory>/truesightpserver/conf/secure
4. If the tssh property tsps.co.conntype is not already set to tls, run the following command to set the property on the Presentation Server:
#Microsoft Windows
tssh properties set tsps.co.conntype tls
#Unix
./tssh properties set tsps.co.conntype tls
In case of any issue, you can disable TLS by using this command:
#Microsoft Windows
tssh properties set tsps.co.conntype ssl
#Unix
./tssh properties set tsps.co.conntype ssl
This reverts to the default connection mode, in which the certificate from the remote TLS listener is not required (see the note under Before you begin), so re-enable tls once the issue is resolved.
5. Restart the Presentation Server.
#Microsoft Windows
tssh server stop
tssh server start
#Unix
./tssh server stop
nohup sh tssh server start &
The TrueSight Presentation Server is configured to communicate with the Application Server by using the TLS 1.2 protocol.
Comments
Default password is incorrect for cotruststore.ts, ships as: changeit
The password is updated to changeit in Step 9. Thanks, David.
Why are you copying the cotruststore.ts to the Presentation server? There is a /truesightpserver/conf/secure/tspstruststore.ts that is referenced by the property tsps.client.cell.keystore.filename, which by the way does use the storepass: get2net
Instead, I would think we would import our Certificate Authority's Root (and possibly Intermediate) CA Certificates, so we can trust any client they have signed.
Hi David,
I checked with the team to validate the steps. They confirmed that the steps are correct and it is not required to import the CA-signed certificates as they are already imported to cotruststore.
Thanks,
Bharati