Enabling TLS server certificate validation between the Presentation Server and the Application Server


The Capacity Optimization plugin in the TrueSight Presentation Server communicates with the Application Server (Datahub) component of TrueSight Capacity Optimization. You can use Transport Layer Security (TLS) authentication to secure the connection between the TrueSight Presentation Server and the Application Server, so that the TrueSight Presentation Server sends encrypted data only to the trusted Application Server.

To enable TLS 1.2 with server certificate validation, complete the following steps:

  1. Obtain a signed certificate for the Presentation Server.
  2. Install the Presentation Server certificate into the truststore of the Application Server.
  3. Configure the TrueSight Presentation Server to use TLS.

Before you begin

Make sure that the following tasks are completed:

I. Obtain a signed security certificate for the Presentation Server

Obtain a certificate that is signed by a certificate authority (CA) for the Presentation Server. For information, see Implementing private certificates in the TrueSight Presentation Server.

II. Install the Presentation Server certificate into the truststore of Application Server

The Application Server uses the cotruststore.ts truststore to store the public certificates for communication with remote listeners. This truststore is bundled with the Server installation and is stored in the <Server Installation Directory>/secure directory.

To install the Presentation Server certificate:

  1. Log on to the host computer where the Application Server is installed.
  2. Run the following command to add the JRE bin directory of the Application Server to the PATH environment variable. The default installation directory of the Application Server is /opt/bmc/BCO.

    # Linux

    export PATH=<Application Server Installation Directory>/jre/bin:$PATH
  3. Navigate to the directory where the cotruststore.ts truststore file is located.

    <Application Server Installation Directory>/secure

    Note

    Take a backup of the secure folder and save it in a location that is not in the Application Server install path. If you need to reinstall the Application Server in case it stops processing, you can restore this backed-up folder.


  4. Copy the TrueSight Presentation Server certificate to this directory.
  5. Copy the cotruststore.ts truststore file and rename the copy as cotruststore-update.ts.
  6. Run the following command to list all the keys in the cotruststore-update.ts truststore file:

    keytool -list -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit -storetype JKS

    Note

    changeit is the default password for the cotruststore-update.ts truststore.

    If you have not imported the certificate before, the truststore file is empty. So, you can skip steps 7 and 8. 

  7. Run the following command to delete the existing certificate alias, dummy, if any:

    keytool -delete -alias dummy -keystore <Application Server Installation Directory>/secure/cotruststore-update.ts -storepass changeit

    Parameter description

    dummy: Alias name for the root certificate. If the alias name of the root certificate is different, then use the relevant name in the preceding command.

  8. Run the list command again to verify that the aliases are deleted:

    keytool -list -keystore cotruststore-update.ts -storepass changeit
  9. Run the following command to import the Presentation Server certificate:

    #Import the TrueSight Presentation Server certificate
    keytool -import -alias truesightserver -keystore cotruststore-update.ts -file truesightPS.cer -storetype JKS -storepass changeit
    #When you are prompted with the Trust this certificate question, type Yes

    Parameter description:

    • truesightserver: Name of the Presentation Server alias.
    • truesightPS.cer: Name of the Presentation Server certificate.
    • cotruststore-update.ts: Name of the Application Server truststore.
  10. Navigate to the directory where the cotruststore.ts truststore is located.

    <Application Server Installation Directory>/secure

  11. Rename the cotruststore.ts truststore file as cotruststore.ts.orig.
  12. Copy the cotruststore-update.ts truststore file and rename the copy as cotruststore.ts.
  13. Restart the Application Server.
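
A check that can run between steps 9 and 11, added here as an example and not part of the product documentation: it confirms that the staged cotruststore-update.ts holds the truesightserver alias with the fingerprint you expect before the live truststore is replaced. The function names, the constructed sample listing, and an expected fingerprint obtained out of band from the certificate owner are assumptions.

```shell
#!/bin/sh
# Added example: verify the staged truststore before swapping it in.
# Assumes keytool from the Application Server JRE is on PATH (step 2).

# Constructed sample of `keytool -list` output (fingerprints shortened).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

dummy, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44
truesightserver, Jan 9, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AB:CD:EF:01'

# Print the fingerprint listed for alias $1; `keytool -list` output on stdin.
alias_fingerprint() {
    awk -v want="$1" '
        found && /fingerprint/ { sub(/^.*\): */, ""); print; exit }
        { found = 0 }
        index($0, want ",") == 1 { found = 1 }
    '
}

# Strip separators and upper-case the hex so formats compare equal.
normalize_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Succeed only if alias $1 is listed with exactly fingerprint $2.
check_listing() {
    got=$(alias_fingerprint "$1")
    [ -n "$got" ] && [ "$(normalize_fp "$got")" = "$(normalize_fp "$2")" ]
}

# Steps 11-12, gated on the check. $1 = secure directory, $2 = expected fingerprint.
promote_truststore() {
    keytool -list -keystore "$1/cotruststore-update.ts" -storetype JKS \
        -storepass changeit | check_listing truesightserver "$2" || {
        echo "alias or fingerprint mismatch; cotruststore.ts left untouched" >&2
        return 1
    }
    mv "$1/cotruststore.ts" "$1/cotruststore.ts.orig" &&
    cp "$1/cotruststore-update.ts" "$1/cotruststore.ts"
}

# Demonstration on the constructed listing only; no truststore is touched.
printf '%s\n' "$SAMPLE_LISTING" | check_listing truesightserver ab:cd:ef:01 && echo "sample listing OK"
```

Call promote_truststore with the secure directory and the expected fingerprint after step 9; a failed keytool call produces an empty listing and is treated as a mismatch.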

III. Configure the TrueSight Presentation Server to use TLS

  1. Run the following command to ensure that the TrueSight Presentation Server is running:

    #Microsoft Windows 

    tssh server status

    #Unix
    ./tssh server status

  2. (Required only if no other certificate validation between the components was enabled previously): Import the TrueSight Capacity Optimization Datahub AS Web Server certificate into the cotruststore.ts file.
  3. Copy the cotruststore.ts file to the following directory on the Presentation Server:
    • (Windows) <TrueSight Presentation Server Installation Directory>\truesightpserver\conf\secure
    • (UNIX) <TrueSight Presentation Server Installation Directory>/truesightpserver/conf/secure
  4. If the tsps.co.conntype property is not already set to tls, run the following tssh command to set the property in the Presentation Server:

    #Microsoft Windows
    tssh properties set tsps.co.conntype tls

    #Unix
    ./tssh properties set tsps.co.conntype tls

    In case of any issue, you might want to disable TLS by using this command:

    #Microsoft Windows
    tssh properties set tsps.co.conntype ssl

    #Unix
    ./tssh properties set tsps.co.conntype ssl

  5. Restart the Presentation Server.

    #Microsoft Windows
    tssh server stop
    tssh server start

    #Unix 

    ./tssh server stop

    nohup sh tssh server start & 

The TrueSight Presentation Server is configured to communicate with the Application Server by using the TLS 1.2 protocol. 

 
