Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Enabling SSL

This topic describes how to enable SSL for all the BMC Cloud Lifecycle Management components. It also provides detailed configuration steps to make the secured communication between the components. 

Before you begin

Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes! 

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic.  But most customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Verisign.

To create a Root CA certificate using OpenSSL

  1. Download and install OpenSSL1.0.1g on its own host.
    For example, review the download and install topic on the VMware documentation portal. 
  2. Create Keys, Certificates, and CSR folders.
    These categories are for placing keys, certificates files, and so on.
  3. Open a command prompt and navigate to the OpenSSL folder. 
  4. Generate the key pair for root CA.
    Store this key pair in the Keys/RootCA.key file.

    C:\OpenSSL-Win64\bin>openssl genrsa -out C:Keys\RootCA.key 1024
    Loading 'screen' into random state - done
    Generating RSA private key, 1024 bit long modulus
    ...............++++++
    ....................................................++++++
    e is 65537 (0x10001)

  5. Generate a self signed certificate for CA.
    This CA certificate is used across all cloud products as a common certificate. Store the certificate in the RootCA.crt file.

    1. Enter the following command:

      C:\OpenSSL-Win64\bin>openssl req -config Cn:\OpenSSL-Win64\bin\openSSL.conf -new -x509 -days 365 -key C:\Keys\RootCA.key
      -out Certificates\RootCA.crt

    2. Create a Distinguished Name (DN)..
      Make sure that you enter all required information. Many fields contain defaults. Some settings you can leave blank. If you enter a period, the field will be left blank. 

      Country Name []:IN
      State Name []:MAHA
      Locality []:PUN
      Organization Name []:BMC
      Organizational Unit Name []:CDL
      Common Name []:CLM
      Email Address []:clm.bmc.com
    3. Press Enter to create the certificate.

To configure the Mid Tier SSL

  1. On the Mid Tier host, create KeysCertificates, and CSR folders. 
  2. Stop the Mid Tier Tomcat server.
  3. Open a command prompt and navigate to the JRE folder. 
  4. Create a keypair using the keytool utility.
    If the Mid Tier is behind a load balancer, use CN as the load balancer name.  But here it is MT

    C:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks

  5. At the prompts, enter the required information to create the keypair, and then press Enter
  6. Create the Certificate Signing Request (CSR) from Mid Tier primary to retrieve the certificate from CA (i.e. CLM).

    C:\Program Files\Java\jre7\bin>keytool.exe -certreq -keyalg RSA -alias tomcat -file C:\CSR\mt.csr -keystore C:\Keys\keystore.jks


    At the prompt, enter changeit as the password.

  7. Copy the mt.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate, and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\mt.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\mt_server.crt

  8. After the certificate is generated (mt_server.crt) in the Certificates folder, copy mt_server.crt and RootCA.crt to the Mid Tier primary and secondary computers into their Certificates folder.

  9. On the Mid Tier primary and secondary computers, import the Root CA certificate:

    C:\Program Files\Java\jre7\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt
    1. At the prompt, enter changeit as the password.

    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore.  
  10. Import the mt_server.crt certificate:

    C:\Program Files\Java\jre7\bin>keytool.exe -import -alias tomcat -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\mt_server.crt

    At the prompt, enter changeit as the password.

    Your certificate reply is installed in the keystore.  

  11. Open the server.xml file (in Windows, the default location is C:\Program Files\Apache Software Foundation\Tomcat6.0\conf\server.xml) in a text editor and uncomment the SSL related sections.
    1. Search for the following text and uncomment out the Connector port section:

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
               This connector uses the JSSE configuration, when using APR, the 
               connector should be using the OpenSSL style configuration
               described in the APR documentation -->
          <!--
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />
          -->

       

    2. Modify the Connector port information as follows:

      <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS" 
                 keystoreFile="C:\Keys\keystore.jks"
      />

       Here you change the connector port to 9443 and add the keyStore file location. 

    3. Save the server.xml .

       

  12. Start the Tomcat server.
  13. Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URL:
    https://<MidTier>:9443/arsys (where 9443 is SSL port)
    https://<LoadBalancer>:9443/arsys
  14. Add and confirm any security restrictions in your browser (as shown with Internet Explorer).
     
  15. When you access the Mid Tier the first time, review the certificate details, as shown with Internet Explorer.
    1. Review who the certificate is issued to (for example, MT) and who the certificate was issued by (for example, bmc.com).
    2. Review the certificate path or hierarchy.

To integrate the Mid Tier with Platform Manager

  1. Open the CMF:PluginConfiguration form in the E-AR server.
    1. Edit the CallBackURL from http to https.
    2. Edit the port to 9443.
    3. Save the record.
  2. Open the BMC.CLOUD:BMC_Callout form in the C-AR server. 

    Note

    The callout URI is generated only if CLM data exists. If you have no data, skip this step.

    1. Edit the callout URI from http to https.
    2. Edit the port to 9443.
    3. Save the record.
  3. Copy the RootCA.crt certificate from the Mid Tier computer to the Platform Manager computer (for example, to a Certificates folder).
  4. Open a command window, change directories to C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin (by default), and then import the certificate:

    C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin>keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\lib\security\cacerts" -trustcacerts -file "C:\Certificates\RootCA.crt"
  5. At the prompt, enter changeit as the password.
  6. When you see the Trust this certificate prompt, enter yes
    Your certificate is added to the keystore.  
     
  7. Restart the computers in the following order – C-AR server, Platform Manager, and then the E-AR server.

To configure Atrium Web Services SSL

  1. On the primary Atrium Core Web Services Registry host, create KeysCertificates, and CSR folders. 
  2. Stop the Atrium Tomcat server.
  3. Open a command prompt and navigate to the JRE folder. 
  4. Create a keypair using the keytool utility. 
    If the Atrium Web Services are behind a load balancer, you can use CN as the load-balancer name.  But here it is AWS.

    C:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks

  5. At the prompts, enter the required information to create the keypair, and then press Enter
  6. Create the Certificate Signing Request (CSR) from Atrium Web Services primary to retrieve the certificate from CA (that is, CLM).

    C:\Program Files\Java\jre7\bin>keytool.exe -certreq -keyalg RSA -alias tomcat -file C:\CSR\aws.csr -keystore C:\Keys\keystore.jks

     
    At the prompt, enter changeit as the password.

  7. Copy the aws.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (aws_server.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\aws.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\aws_server.crt

     

  8. After the certificate is generated (aws_server.crt) in the Certificates folder, copy aws_server.crt and RootCA.crt to the AWS primary and secondary hosts into their Certificates folder.

  9. On the AWS primary and secondary hosts, import the Root CA certificate:

    C:\Program Files\Java\jre7\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt

     

    1. At the prompt, enter changeit as the password.

    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 

  10. Import the aws_server.crt certificate:

    C:\Program Files\Java\jre7\bin>keytool.exe -import -alias tomcat -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\aws_server.crt


    Your certificate reply is installed in the keystore.  

  11. Open the server.xml file (in Windows, the default location is C:\Program Files\BMC Software\Atrium Web Registry\shared\tomcat\conf\server.xml) in a text editor and uncomment the SSL related sections.
    1. Search for the following text and uncomment out the Connector port section: 

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
               This connector uses the JSSE configuration, when using APR, the 
               connector should be using the OpenSSL style configuration
               described in the APR documentation -->
          <!--
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />
          -->

       

    2. Modify the Connector port information as follows:

      <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS" 
                 keystoreFile="C:\Keys\keystore.jks"
      />

       

      Here you change the connector port to 9443 and add the keyStore file location. 

    3. Save the server.xml .

  12. Start the AWS Tomcat server.
  13. Verify your changes to the AWS or AWS Load Balancer by accessing the following URL:
    https://<AWS>:9443/uddi (where 9443 is SSL port)
    https://<LoadBalancer>:9443/uddi
  14. Add and confirm any security restrictions in your browser.

  15. When you access AWS UDDI the first time, review the certificate details.
  16. Review who the certificate is issued to (for example, AWS) and who the certificate was issued by (for example, bmc.com).
  17. Review the certificate path or hierarchy.

To integrate Atrium Web Services with BMC Network Automation

  1. Log on to the Mid Tier to access the E-AR and C-AR servers.
    You can use https://<MidTier>:9443/arsys to access these servers. 
  2. Open the Server Information form for the E-AR and C-AR servers.
  3. Click the Advanced tab and modify the default web path URL with the updated https and port. For example:
     
    Make sure that you modify the default web path for both servers. 
  4. Restart the E-AR and C-AR servers.
  5. Log on to BMC Network Automation.
  6. Navigate to Admin > System Admin > System Parameters.
  7. Scroll down to the bottom of the page and modify the Web Services Base URL with the with the updated https and port 9443.
    For example:
     
    You can also modify the Enable CMDB Integration URL if it exists. 
  8. When you finish, verify that physical location is accessed by BMC Network Automation during POD creation through the Atrium Web Services.

    If you have successfully integrated Atrium Web service and BNA SSL communication, go to BMC Network Automation and try to create a POD. The physical location created in the AR System server should be visible in the list during POD creation.

To configure SSL with BMC Server Automation

  1. On the BMC Server Automation host, create KeysCertificates, and CSR folders. 
  2. Stop the BladeLogic Application Server.
  3. Back up the bladelogic.keystore files from each of the deployments server folders.
    For example, there is a bladelogic.keystore located in _template, _launcher, config_deployment, job_deployment, and so on. By default, these server folders are located in C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments
  4. Open a command prompt and navigate to the BladeLogic JRE folder (for example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin). 
  5. On the BMC Server Automation primary host, create a keypair using the keytool utility. 
    If BMC Server Automation is behind a load balancer, you can use CN as the load-balancer name.  But here it is clm-hou-bbsa.

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe -genkey -alias blade -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments\_template\bladelogic.keystore"

  6. At the prompts, enter the required information to create the keypair, and then press Enter
  7. Create the Certificate Signing Request (CSR) from BMC Server Automation primary to retrieve the certificate from CA (that is, CLM).

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe -certreq -keyalg RSA -alias blade -file C:\CSR\blade.csr -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments\_template\bladelogic.keystore"


    At the prompt, enter changeit as the password.

  8. Copy the blade.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (blade.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\blade.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\blade.crt

     

  9. After the certificate is generated (blade.crt) in the Certificates folder, copy blade.crt and RootCA.crt to the BMC Server Automation primary host into its Certificates folder.

  10. On the BMC Server Automation primary host, import the Root CA certificate:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments\_template\bladelogic.keystore" -trustcacerts -file C:\Certificates\RootCA.crt

     

    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 

  11. Import the blade.crt certificate:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe -import -alias blade -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments\_template\bladelogic.keystore" -trustcacerts -file C:\Certificates\blade.crt


    Your certificate reply is installed in the keystore.  

  12. Copy the bladelogic.keystore file you just created from the _template folder to each of the deployments server folders.
  13. Use blasadmin to change the deployment servers passwords. But use the following variations:
    1. For _template:

      C:\Program Files\BMC Software\BladeLogic\NSH\bin>blasadmin.exe -s _template
      blasadmin now running against deployment: _template
      Bladelogic Admin Utility; Version 8.3.00.115.
      Copyright (c) 2001-2012 BladeLogic, Inc. All rights reserved.
      Type 'help' for Bladmin help.
      bladmin:_template>set appserver CertPasswd changeit
      bladmin:_template>
    2. For _launcher:

      C:\Program Files\BMC Software\BladeLogic\NSH\bin>blasadmin.exe -s _launcher
      blasadmin now running against deployment: _launcher
      Bladelogic Admin Utility; Version 8.3.00.115.
      Copyright (c) 2001-2012 BladeLogic, Inc. All rights reserved.
      Type 'help' for Bladmin help.
      bladmin:_launcher>set appserverlauncher KeyStorePassword changeit
    3. For config_deployment:

      C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments>"C:\Program Files\BM
      C Software\BladeLogic\NSH\bin\blasadmin.exe" -s config_deployment_clm-hou-008414
       
      blasadmin now running against deployment: config_deployment_clm-hou-008414
      Bladelogic Admin Utility; Version 8.3.00.115.
      Copyright (c) 2001-2012 BladeLogic, Inc. All rights reserved.
      Type 'help' for Bladmin help.
      bladmin:config_deployment_clm-hou-008414>set appserver CertPasswd changeit
      bladmin:config_deployment_clm-hou-008414>
    4. For job_deployment1 and job_deployment2:

      C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments>"C:\Program Files\BM
      C Software\BladeLogic\NSH\bin\blasadmin.exe" -s job_deployment_1_clm-hou-008414
      
      blasadmin now running against deployment: job_deployment_1_clm-hou-008414
      Bladelogic Admin Utility; Version 8.3.00.115.
      Copyright (c) 2001-2012 BladeLogic, Inc. All rights reserved.
      Type 'help' for Bladmin help.
      bladmin:job_deployment_1_clm-hou-008414>set appserver CertPasswd changeit
      bladmin:job_deployment_1_clm-hou-008414>quit
      
      C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments>"C:\Program Files\BM
      C Software\BladeLogic\NSH\bin\blasadmin.exe" -s job_deployment_2_clm-hou-008414
      
      blasadmin now running against deployment: job_deployment_2_clm-hou-008414
      Bladelogic Admin Utility; Version 8.3.00.115.
      Copyright (c) 2001-2012 BladeLogic, Inc. All rights reserved.
      Type 'help' for Bladmin help.
      bladmin:job_deployment_2_clm-hou-008414>set appserver CertPasswd changeit
      bladmin:job_deployment_2_clm-hou-008414>
  14. To specify that a socket connection use SSL, use blasadmin to set the UseSSLSockets parameter to true for _template server:

    C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments>"C:\Program Files\BMC Software\BladeLogic\NSH\bin\blasadmin.exe" -s _template
    blasadmin now running against deployment: _template
    Bladelogic Admin Utility; Version 8.3.00.115.
    Copyright (c) 2001-2012 BladeLogic, Inc. All rights reserved.
    Type 'help' for Bladmin help.
    bladmin:_template>show appserver UseSSLSockets
    UseSSLSockets:false
    bladmin:_template>set appserver UseSSLSockets true
    bladmin:_template>


  15. Start the BladeLogic Application Server.
  16. Verify your changes to the BMC Server Automation URL by accessing the following link:
    https://<BladeLogic>:10843 (where 10843 is the SSL port)
  17. When you access BMC Server Automation URL the first time, review the certificate details, as shown with Internet Explorer.
     
  18. Log on to the BladeLogic Application Server.through BMC Server Automation Console.
    In the login screen, click Options > Certificates > View to view the certificate. This screen displays the certificate details like issued to clm-hou-bbsa and Issued by CA (for example, CLM).
     
  19. For BMC Server Automation secondary, follows steps 1 > 2 > 3 > 12 > 13 >14 >15 >16 >17 in order.

To configure SSL with BMC Server Automation and Platform Manager

  1. On the Platform Manager host, open the providers.json file.
  2. Change the protocol and the SSL port in the providers.json file for the BBSA_SERVER_PORT attribute value.

    For example:

      "name" : "BBSA_SERVER_PORT"
        },
        "attributeValue" : "10843",
        "description" : "BBSA Webservices Port",
        "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
        "name" : "BBSA_SERVER_PORT"
      }, {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
        "accessAttribute" : {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
          "datatype" : "STRING",
          "description" : "BBSA Server Protocol",
          "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
          "isOptional" : false,
          "isPassword" : false,
          "modifiableWithoutRestart" : false,
          "name" : "BBSA_SERVER_PROTOCOL"
        },
        "attributeValue" : "https",
        "description" : "BBSA Server Protocol",
  3. Save your changes and restart the Platform Manager.

To configure BMC Network Automation with SSL

  1. On the BMC Network Automation host, create KeysCertificates, and CSR folders. 
  2. Stop the BCA-Networks Web Server.
  3. Back up the .keytool file (by default, located at C:\BCA-Networks-Data) .
  4. On the primary BMC Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin). 
  5. Create a keypair using the keytool utility. 
    If BMC Network Automation is behind a load balancer, you can use CN as the load-balancer name.  But here it is clm-bna. Use the following syntax so that keytool works properly:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe -genkey -alias clm-bna -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore "C:\BCA-Networks-Data\.keystore"
    What is your first and last name?
      [Unknown]:  clm-bna
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  SAN JOSE
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=clm-bna, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  6. At the prompts, enter the required information to create the keypair, and then press Enter
  7. Create the Certificate Signing Request (CSR) from BMC Network Automation primary to retrieve the certificate from CA (that is, CLM).

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe -certreq -keyalg RSA -alias clm-bna -file C:\CSR\clm-bna.csr -keystore "C:\BCA-Networks-Data\.keystore"


    At the prompt, enter changeit as the password.

  8. Copy the blm-bna.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (clm-bna.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl>openssl x509 -req -days 365 -in C:\CSR\clm-bna.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 04 -out C:\Certificates\clm-bna.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=clm-bna
    Getting CA Private Key

     

  9. After the certificate is generated (clm-bna.crt) in the Certificates folder, copy clm-bna.crt and RootCA.crt to the BMC Network Automation primary and secondary hosts into their Certificates folder.

  10. On the BMC Network Automation primary and secondary computers, import the first Root CA certificate into the C:\BCA-Networks-Data\.keystore file that we generated:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe -import -alias root -keystore "C:\BCA-Networks-Data\.keystore" -trustcacerts -file C:\Certificates\RootCA.crt
    
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=C
    A, C=US
    Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=
    CA, C=US
    Serial number: 802aae2101b14487
    Valid from: Thu Apr 10 13:52:46 PDT 2014 until: Fri Apr 10 13:52:46 PDT 2015
    Certificate fingerprints:
             MD5:  15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
             SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
             SHA256: A5:AC:79:D0:E3:21:BA:88:E7:78:77:CD:E8:18:88:14:96:CC:64:64:FD:
    D6:12:76:CE:BF:70:BB:28:82:30:D9
             Signature algorithm name: SHA1withRSA
             Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    #2: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    #3: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 

    3. If you have a secondary BMC Network Automation computer, import only the RootCA certificate in the java\cacerts file.
  11. Import Root CA into the C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts file:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe -import -alias root -keystore "c:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts" -trustcacerts -file c:\certificates\RootCA.crt
    
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=C
    A, C=US
    Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=
    CA, C=US
    Serial number: 802aae2101b14487
    Valid from: Thu Apr 10 13:52:46 PDT 2014 until: Fri Apr 10 13:52:46 PDT 2015
    Certificate fingerprints:
             MD5:  15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
             SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
             SHA256: A5:AC:79:D0:E3:21:BA:88:E7:78:77:CD:E8:18:88:14:96:CC:64:64:FD:
    D6:12:76:CE:BF:70:BB:28:82:30:D9
             Signature algorithm name: SHA1withRSA
             Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    #2: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    #3: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

     

  12. Import the blm-bna.crt certificate:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe -import -alias clm-bna -keystore C:\BCA-Networks-Data\.keystore -trustcacerts -file C:\Certificates\clm-bna.crt
    Enter keystore password:
    Certificate reply was installed in keystore


    Your certificate reply is installed in the keystore.  

  13. Open the BNA maintenance utility (by default, installed in C:\Program Files\BMC Software\BCA-Networks\utility).

    1. Click the encrypt tab and then enter and confirm the changeit password.

    2. Click Encrypt to generate the encryption string for changeit

    3. Use the generated string for the keyStorePassword  parameter in the server.xml file (by default, located at C:\Program Files\BMC Software\BCA-Networks\tomcat\conf).

  14. Start the BCA-Networks Web Server.

  15. Verify the BNA link by accessing https://<BNA-LB>:9443 where 9443 is SSL port.
  16. If you have a load balancer, failover the BNA service and verify that you can able to access the link with Cluster name and with the same certificate it displays.
  17. When you access the BMC Network Automation URL the first time, review the certificate details, and so on.

Note

No integration level changes are required for BMC Network Automation. In the provider.json file, the BNA section is already populated with the https protocol and SSL port. This SSL port should be same on which you configured BMC Network Automation.

To integrate Platform Manager with SSL

If you are running HA, you only need to run the following commands on the primary host. SSL-level certification is not required on the secondary HA host. 

  1. Make sure the CSM service is running on the primary Platform Manager host. 
  2. On the primary Platform Manager host, create KeysCertificates, and CSR folders. 
  3. Back up the keystore file (by default, located at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security).
  4. Open a command prompt and navigate to the JRE folder (for example, C:\Program Files\java\jre7\bin). 
  5. Create a keypair using the keytool utility and store it at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security

    C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin>keytool.exe -genkey -alias PM -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security\keystore"
    What is your first and last name?
      [Unknown]:  clm-hou-pm
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  San Jose
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=clm-hou-pm, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
      [no]:  yes


    At the prompts, enter the required information to create the keypair, and then press Enter
    For example, use clm-hou-pm as the cluster name. 

  6. Create the Certificate Signing Request (PM.csr) to retrieve the certificate from Root CA.

    C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin>keytool.exe -certreq -keyalg RSA -alias PM -file C:\CSR\PM.csr -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security\keystore"
    Enter keystore password:

     At the prompt, enter changeit as the password.

  7. Copy the PM.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (PM.crt), and then run the following command on the OpenSSL host:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\PM.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\pm.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=clm-hou-pm
    Getting CA Private Key
  8. After the certificate is generated (PM.crt) in the Certificates folder, copy PM.crt and RootCA.crt to the Platform Manager primary host into the Certificates folder.

  9. On the Platform Manager primary host, import the Root CA certificate:

    C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin>keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security\keystore" -trustcacerts -file C:\Certificates\RootCA.crt
    Enter keystore password:
    Certificate already exists in system-wide CA keystore under alias <root>
    Do you still want to add it to your own keystore? [no]:  yes
    Certificate was added to keystore
    1. At the prompt, enter changeit as the password.
    2. If you are prompted that the certificate already exists, enter yes anyway; 
      Your certificate is added to the keystore. 

  10. Import the Root CA certificate into the Platform Manager JVM cacerts file.

    C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin>keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\lib\security\cacerts" -trustcacerts -file c:\Certificates\RootCA.crt
    Enter keystore password:
    Certificate was added to keystore
  11. Import the PM.crt certificate:

    C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.6.0_31\bin>keytool.exe -import -alias PM1 -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security\keystore" -trustcacerts -file c:\Certificates\PM.crt
    Enter keystore password:
    Certificate was added to keystore

     

  12. Update the config.ini file (by default, located at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\configuration) with the following parameters:

    org.osgi.service.http.port=9443
    jetty.port=9443
    jetty.ssl.password=changeit
    jetty.ssl.keypassword=changeit

    Make sure to save the config.ini file.

  13. Update the the configuration in the ..\Platform_Manager\csm-bootstrap.properties file with the following changes:

    PersistenceNodeProtocol=https
    NodeProtocol=https
    NodePort=9443
    PersistenceNodePort=9443

    Make sure to save the csm-bootstrap.properties file.

  14. Update the configuration in the ..\Platform_Manager\configuration\cloudservices.json file with the following changes:
    1. Set the secureJetty attribute value to true

      {
        "cloudClass" : "com.bmc.cloud.model.beans.CloudService",
        "accessValues" : [ {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
          "accessAttribute" : {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "Boolean",
            "description" : "Use HTTPS",
            "guid" : "b15fc770-4119-4cd6-bea6-1efdc5ecc768",
            "isOptional" : false,
            "isPassword" : false,
            "length" : 255,
            "modifiableWithoutRestart" : false,
            "name" : "secureJetty"
          },
          "attributeValue" : "true",
          "description" : "Use HTTPS",
          "guid" : "2aacb37d-0b0c-48f2-b85f-e010e3705f49",
          "name" : "secureJetty"
        }
    2. Set the attribute value of Jetty portCSM Local Port, and CSM Global Registry URL to 9443.

      {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
          "accessAttribute" : {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "Integer",
            "description" : "Jetty Port",
            "guid" : "f1f036cc-7050-4a08-9e00-2a38cedaeef9",
            "isOptional" : false,
            "isPassword" : false,
            "length" : 255,
            "modifiableWithoutRestart" : false,
            "name" : "jettyPort"
          },
          "attributeValue" : "9443",
          "description" : "Jetty Port",
          "guid" : "e2513a26-1c6c-4fd1-9267-d3ff3d00b94a",
          "name" : "jettyPort"
       }
      {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
          "accessAttribute" : {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "Integer",
            "description" : "CSM Local Port",
            "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
            "isOptional" : false,
            "isPassword" : false,
            "length" : 255,
            "modifiableWithoutRestart" : false,
            "name" : "csm.local.port"
          },
          "attributeValue" : "9443",
          "description" : "CSM Local Port",
          "guid" : "b86fb3c3-d5c8-46dc-8d7d-5be05a392aff",
          "name" : "csm.local.port"
        }
       
      },{
        "cloudClass" : "com.bmc.cloud.model.beans.CloudService",
        "accessValues" : [ {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
          "accessAttribute" : {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "String",
            "description" : "CSM Global Registry URL",
            "guid" : "5f49c658-e3fb-4ace-95aa-d5c13636a82e",
            "isOptional" : false,
            "isPassword" : false,
            "length" : 255,
            "modifiableWithoutRestart" : false,
            "name" : "csm.global.url"
          },
          "attributeValue" : "localhost:9443",
          "description" : "CSM Global Registry URL",
          "guid" : "45cb9fc3-ac7e-49de-88d4-4d1042c48061",
          "name" : "csm.global.url"
        }, {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
          "accessAttribute" : {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "Integer",
            "description" : "CSM Local Port",
            "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
            "isOptional" : false,
            "isPassword" : false,
            "length" : 255,
            "modifiableWithoutRestart" : false,
            "name" : "csm.local.port"
          },
          "attributeValue" : 9443,
          "description" : "CSM Local Port",
          "guid" : "80e5622d-4dbc-49de-9ca6-deef7627e7f5",
          "name" : "csm.local.port"
        } ],
        "cloudServiceDefinition" : "/cloudservicedefinition/4bc19dbb-22e5-4a3d-a294-c3749e2b2947",
        "cloudServiceDefinitionObject" : {
          "cloudClass" : "com.bmc.cloud.model.beans.CloudServiceDefinition",
          "accessAttributes" : [ {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "String",
            "description" : "CSM Global Registry URL",
            "guid" : "5f49c658-e3fb-4ace-95aa-d5c13636a82e",
            "hasValueObject" : [ {
              "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
              "attributeValue" : "localhost:9443",
              "guid" : "79c5b890-1b4e-4514-8e28-ddd216551b3c",
              "name" : "csm.global.url"
            } ],
            "isOptional" : false,
            "isPassword" : false,
            "length" : 255,
            "modifiableWithoutRestart" : false,
            "name" : "csm.global.url"
          }, {
            "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
            "datatype" : "Integer",
            "description" : "CSM Local Port",
            "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
            "hasValueObject" : [ {
              "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
              "attributeValue" : "9443",
              "guid" : "de64d5ff-ff11-4e2d-b1e0-941072b4ae95",
              "name" : "csm.local.port"

      Make sure to save the cloudservices.json file.

  15. Restart the Enterprise-AR server and Platform Manager.

  16. Use RESTClient to verify the Platform Manager SSL connection by using the SSL link.

To modify the Platform Manager integration with SSL

The following procedure applies if you are running multiple IT Service Management servers. 

  1. In Enterprise-AR ITSM, open the CMF:PluginConfiguration form and change the Root URL from http to https and update the SSL port to 9443.
  2. In both ITSM hosts, import the RootCA certificate. 
    1. Copy the RootCA.crt certificate to both hosts in its own folder (for example, C:\Certificates).
    2. Import the certificate by entering following command.

      C:\Program Files\Java\jre7\bin>keytool -import -alias root -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
      Enter keystore password:
      Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=C
      A, C=US
      Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=
      CA, C=US
      Serial number: 802aae2101b14487
      Valid from: Thu Apr 10 13:52:46 PDT 2014 until: Fri Apr 10 13:52:46 PDT 2015
      Certificate fingerprints:
               MD5:  15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
               SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
               SHA256: A5:AC:79:D0:E3:21:BA:88:E7:78:77:CD:E8:18:88:14:96:CC:64:64:FD:
      D6:12:76:CE:BF:70:BB:28:82:30:D9
               Signature algorithm name: SHA1withRSA
               Version: 3
      Extensions:
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
      0010: 0D 6C 58 51                                        .lXQ
      ]
      ]
      #2: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
      0010: 0D 6C 58 51                                        .lXQ
      ]
      ]
      #3: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
        CA:true
        PathLen:2147483647
      ]
      Trust this certificate? [no]:  yes
      Certificate was added to keystore


      You do not need to import RootCA into the C:\ProgramFile\Java\Jre\bin path. 

  3. Restart the Platform Manager and AR System servers.

  4. Verify your changes by putting the RESTClient on the ITSM host and connecting to the Platform Manager host with SSL URL and the trustcacerts path of Cloud Java (as above).

To configure BMC Capacity Optimization with SSL

This is a two-step process:

To generate a certificate and key to use with Apache

  1. Install the following packages on the host if they are not already present.

    • crypto-utils

    • mod_ssl

  2. After installing these packages, generate a new key and a new SSL certificate using the genkey $hostname command. 
    Here $hostname is the fully qualified domain name of your BMC Capacity Optimization application server machine.

  3. To create a certificate request, select the appropriate option.
    Enter the certificate fields with your information (Name, Firm, Country, and so on). If you do not want to manually insert a password every time you restart the Apache Httpd server (for

    example, if you are in an automatic HA environment), clear the encrypt key option.

  4. During key generation, review the following output on the console:

    [root@clm-bco ~]# genkey csm-bco
    /usr/bin/keyutil -c genreq -g 1024 -s "CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN" -v 24 -a -o /etc/pki/tls/certs/csm-bco.0.csr -k /etc/pki/tls/private/csm-bco.key -z /etc/pki/tls/.rand.24660
    cmdstr: genreq
    cmd_CertReq
    command:  genreq
    keysize = 1024 bits
    subject = CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    valid for 24 months
    output will be written to /etc/pki/tls/certs/csm-bco.0.csr
    output key written to /etc/pki/tls/private/csm-bco.key
    random seed from /etc/pki/tls/.rand.24660
    Generating key. This may take a few moments...
    Made a key
    Opened /etc/pki/tls/certs/csm-bco.0.csr for writing
    Wrote the CSR to /etc/pki/tls/certs/csm-bco.0.csr
    Wrote 882 bytes of encoded data to /etc/pki/tls/private/csm-bco.key
    Wrote the key to:
    /etc/pki/tls/private/csm-bco.key
    /usr/bin/keyutil -c makecert -g 1024 -s "CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN" -v 1 -a -z /etc/pki/tls/.rand.24660 -o /etc/pki/tls/certs/csm-bco.crt -k /etc/pki/tls/private/csm-bco.key
    cmdstr: makecert
    cmd_CreateNewCert
    command:  makecert
    keysize = 1024 bits
    subject = CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    valid for 1 months
    random seed from /etc/pki/tls/.rand.24660
    output will be written to /etc/pki/tls/certs/csm-bco.crt
    output key written to /etc/pki/tls/private/csm-bco.key

    The Certificate Signing Request (csm-bco.0.csr) file is generated at the /etc/pki/tls/certs location.

  5. Copy the csm-bco-0.csr file where you have CA or generate the CA certificate.
    Or send this csr file to CA to get certificate.

  6. On the OpenSSL host, generate the certifcate, using the csm-bco-0.csr file. 

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\csm-bco.0.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 878 -out C:\Certificates\csm-bco.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=IN/ST=MAHA/L=PUN/O=BMC/OU=CDL/CN=csm-bco
    Getting CA Private Key

     

  7. When you finish generating the key, you have the following results:

    • $hostname.crt certificate file in /etc/pki/tls/certs/
    • $hostname.key key file in /etc/pki/tls/private/
  8. Create /pki/tls/certs and /pki/tls/private folders at $CPITBASE/3rd_party/apache2/etc.
  9. Copy /etc/pki/tls/certs/$hostname.crt to $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.cert.
  10. Copy /etc/pki/tls/private/$hostname.key to $CPITBASE/3rd_party/apache2/etc/pki/tls/ private/<hostname>.key.
  11. Change the owner of both the copied files and the created folders to the owner using BMC Capacity Optimization.

To enable HTTPS in Apache

Note

  • Make sure that the ssl.conf file is present under $CPITBASE/3rd_party/apache2/etc/httpd/conf.d. If not, then create it with following SSL contents.
  • Make sure that the mod_ssl.so file is present under $CPITBASE/3rd_party/apache2/etc/httpd/modules. If not, then copy it from the /etc/httpd/modules path.

To enable HTTPS in your BMC Capacity Optimization installation, perform the following steps:

  1. Modify the caplan.conf configuration file located at $CPITBASE/3rd_party/apache2/etc/httpd/conf.d, by adding the following information:

    SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt
    SSLCertificateKeyFile  $CPITBASE/3rd_party/apache2 /etc/pki/tls/private/<hostname>.key
  2. Create the ssl.conf file in $CPITBASE/3rd_party/apache2/etc/httpd/conf.d and add the following content.

    LoadModule ssl_module modules/mod_ssl.so
    Listen 8443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin


    Make sure that you change the required SSL port.

  3. Restart Httpd using the $CPITBASE/cpit restart httpd command.
    The new URL to connect to BCO will be https://$hostname:8443/console
  4. Import the certificate into /gfs/cpit/jre/lib/security/cacerts for the trusted CA certificate.

    [root@clm-bco bin]# ./keytool -import -alias root -keystore /gfs/cpit/jre/lib/security/cacerts -trustcacerts -file /etc/pki/tls/certs/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Issuer: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Serial number: bfae9d478d3085c1
    Valid from: Fri Apr 26 14:32:23 IST 2013 until: Sat Apr 26 14:32:23 IST 2014
    Certificate fingerprints:
             MD5:  E7:87:3D:B3:33:82:9F:17:0B:F6:78:D1:0D:64:EB:F5
             SHA1: 47:85:B7:4E:46:C4:8F:21:31:29:86:47:C5:7A:3C:7F:65:B6:36:27
             Signature algorithm name: SHA1withRSA
             Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  5. When you access the BCO URL, review the following certificate:
     

To integrate BMC Capacity Optimization and Platform Manager changes into SSL

  1. On the Platform Manager host, change the BCO section in the provider.json file for the protocol and ports as follows:

    attributeValue" : "8443",
        "guid" : "708d7696-1ba5-4be7-ab5f-d58cb3e07abb",
        "name" : "BCO_CONSOLE_SERVER_PORT"
    ……
    attributeValue" : "https",
        "guid" : "53e9bd82-cab8-4233-94fa-25d0d69fa466",
        "name" : "BCO_CONSOLE_SERVER_PROTOCOL

     

  2. Restart the Platform Manager service.
    You also can un-register BMC Capacity Optimization and register it again.  

To configure BMC Atrium Orchestrator with SSL

A HA environment typically has the following components installed.

  • Host A (Primary): AM and CDP installed
  • Host B (Secondary): AM and HACDP installed
  • Host C: AO Repository
  • Host D: SQL DB for AM and Repo
  1. On the main AO hosts (for example, Host A, B, and C), create KeysCertificates, and CSR folders.
  2. Stop the Access Manager, Configuration Distribution Peer (CDP), and Repository servers.

  3. Open a command prompt and navigate to the JRE folder (for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin). 
  4. On primary Host A, create a keypair using the keytool utility. 
    If Atrium Orchestrator is behind a load balancer, use CN as the load balancer name.  But here it is clm-hou-ao.  
    At the prompts, enter the required information to create the keypair, and then press Enter

    C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin>keytool.exe -genkey -alias AO -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks
    What is your first and last name?
      [Unknown]:  clm-hou-ao
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  SAN JOSE
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=clm-hou-ao, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
      [no]:  yes
  5. Create the Certificate Signing Request (ao.csr) from AO primary to retrieve the certificate from CA (i.e. CLM).

    At the prompt, enter changeit as the password.

    C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin>keytool.exe -certreq -keyalg RSA -alias AO -file C:\CSR\ao.csr -keystore C:\Keys\keystore.jks
    Enter keystore password:
  6. Copy the ao.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate, and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\ao.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 999 -out C:\Certificates\ao.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=clm-hou-ao
    Getting CA Private Key
  7. After the certificate is generated (ao.crt) in the Certificates folder, copy ao.crt andRootCA.crt to the AO primary, AO secondary, and AO Repo computers into their Certificates folder.

To configure Access Manager to work with SSL

  1. On the AO primary and AO secondary hosts, import the Root CA certificate.
    At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.  

    C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=C
    A, C=US
    Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=
    CA, C=US
    Serial number: 802aae2101b14487
    Valid from: Thu Apr 10 15:52:46 CDT 2014 until: Fri Apr 10 15:52:46 CDT 2015
    Certificate fingerprints:
             MD5:  15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
             SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
             Signature algorithm name: SHA1withRSA
             Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  2. Import the ao.crt certificate into the AO JVM security folder.
    At the prompt, enter changeit as the password.
    Your certificate reply is installed in the keystore.  

    C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin>keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=C
    A, C=US
    Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=
    CA, C=US
    Serial number: 802aae2101b14487
    Valid from: Thu Apr 10 15:52:46 CDT 2014 until: Fri Apr 10 15:52:46 CDT 2015
    Certificate fingerprints:
             MD5:  15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
             SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
             Signature algorithm name: SHA1withRSA
             Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
    0010: 0D 6C 58 51                                        .lXQ
    ]
    ]
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  3. Import the ao.crt certificate into keystore.jks (for example, C:\Keys\keystore.jks):

    C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin>keytool.exe -import -alias AO -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\ao.crt
    Enter keystore password:
    Certificate reply was installed in keystore
  4. Open the Access Manager server.xml file (in Windows, for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\tomcat\conf\server.xml) in a text editor and uncomment the SSL related sections. 

    1. Search for the following text and uncomment out the Connector port section:

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
               This connector uses the JSSE configuration, when using APR, the 
               connector should be using the OpenSSL style configuration
               described in the APR documentation -->
          <!--
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />
          -->
    2. Modify the Connector port information as follows.
      Uncomment the following section and update the required port (for example, 8443) and add the keystoreFile path for keystore
      Make sure that you save the file.

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" 
      			   keystoreFile="C:\Keys\keystore.jks"
      />

       

  5. Update the Login page entry in the context.xml file (for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\tomcat\conf\context.xml) as follows:

    <Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" type="java.lang.String" value="https://clm-hou-007778:8443/baoam/login.jsf"/>
  6. Start the Access Manager server and verify the URL.
    For example:
    https://<AMPrimaryHost>:8443/baoam

  7. Add and confirm any security restrictions in your browser.
    The certificate should display Issued by: bmc.com and Issued to: clm-hou-ao
  8. Make the same changes to the secondary Access Manager server.
    1. Copy the keystore file.
    2. Update the server.xml and context.xml files.
    3. Import the Root CA certificate.
    4. Start the secondary Access Manager server. 
    5. Verify the URL.

To configure AO Repository to work with SSL

  1. Copy the keystore.jks file from AM primary (for example, C:\Keys folder) to the Repository host (under the C:\Keys folder).
  2. Copy the RootCA.crt file from primary AM to the C:\Certificates folder on the Repository host.
  3. Import the Root CA certificate.
    At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.  

    C:\Program Files\BMC Software\AO\REPO\jvm\bin>keytool.exe -import -alias root -keystore " C:\Program Files\BMC Software\AO\REPO\jvm\lib\security\cacerts" -trustcacerts -file c:\certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Issuer: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Serial number: bfae9d478d3085c1
    Valid from: Fri Apr 26 02:02:23 PDT 2013 until: Sat Apr 26 02:02:23 PDT 2014
    Certificate fingerprints:
             MD5:  E7:87:3D:B3:33:82:9F:17:0B:F6:78:D1:0D:64:EB:F5
             SHA1: 47:85:B7:4E:46:C4:8F:21:31:29:86:47:C5:7A:3C:7F:65:B6:36:27
             Signature algorithm name: SHA1withRSA
             Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

     

  4. Modify the server.xml file (for example, C:\Program Files\BMC Software\AO\REPO\tomcat\conf\server.xml) as follows:
    Uncomment the following section and update the required port (for example, 9443) and add the keystoreFile path for keystore.

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Keys\keystore.jks"/>

     

  5. Modify the context.xml file (for example, C:\Program Files\BMC Software\AO\REPO\tomcat\conf\context.xmlin a text editor.
    Update the following entry with corrected port and https.

    <Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" type="java.lang.String" value="https://vw-hou-sln-qa18:9443/baoam/login.jsf"/>

     

  6. Start the Repository server and verify the URL.
    For example:
    https://<RepoHost>:9443/baoam

To configure primary and secondary CDP to work with SSL

Note

 For CDP, use the same RootCA.crt and keystore.jksfiles you previously generated. In addition, use the keystore.jks file from the C:\Keys\keystore.jks path.

  1. Modify the server.xml file (for example, C:\Program Files\BMC Software\AO\AM\CDP\tomcat\conf\server.xml) as follows.
    Uncomment the following section and update the required port (for example, 9443) and add the keystoreFile path for keystore.

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Keys\keystore.jks"/>

     

  2. Modify the context.xml file (for example, C:\Program Files\BMC Software\AO\AM\CDP\tomcat\conf\context.xml) in a text editor.
    Update the following entries with corrected port and https.

    <Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://vw-hou-sln-qa20:9443/baorepo/http"/>
    <Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://clm-hou-ao:9443/baocdp/ws/console"/>
  3. Import the ROOTCA.crt certificate into the primary CDP JVM security folder.
    At the prompt, enter changeit as the password.
    Your certificate reply is installed in the keystore.

    C:\Program Files\BMC Software\AO\AM\CDP\jvm\bin>keytool.exe -import -alias root -keystore "c:\Program Files\BMC Software\AO\AM\CDP\jvm\lib\security\cacerts" -trustcacerts -file c:\certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Issuer: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Serial number: bfae9d478d3085c1
    Valid from: Fri Apr 26 02:02:23 PDT 2013 until: Sat Apr 26 02:02:23 PDT 2014
    Certificate fingerprints:
             MD5:  E7:87:3D:B3:33:82:9F:17:0B:F6:78:D1:0D:64:EB:F5
             SHA1: 47:85:B7:4E:46:C4:8F:21:31:29:86:47:C5:7A:3C:7F:65:B6:36:27
             Signature algorithm name: SHA1withRSA
             Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  4. Import the ROOTCA.crt certificate into the secondary CDP JVM security folder.
  5. On the secondary CDP host, modify the context.xml file (for example, C:\Program Files\BMC Software\AO\AM\CDP\tomcat\conf\context.xml) in a text editor.
    Update the following entries with corrected port and https.

    Parameter name="com.bmc.ao.HACDP_CONFIGURATION" override="true" value="https://admin:admin123@vw-hou-sln-qa18:9443/baocdp/ws/install?grid=GRID1&amp;peer=HACDP"/>
      <Environment name="grid-name" override="true" type="java.lang.String" value="GRID1"/>
      <Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://vw-hou-sln-qa18:9443/baocdp/ws/console"/>
  6. Start the CDP server on both nodes and verify the URL.
    For example:
    https://<CDPHost>:9443/baocdp
  7. Add and confirm any security restrictions in your browser.
    The certificate should display Issued by: bmc.com and Issued to: clm-hou-ao.  

Note

When you access the BMC Server Automation application server from Atrium Orchestrator hosts, it should display the following certificate details.

To configure BMC Server Automation and Atrium Orchestrator with SSL

You already generated the keystore.jks file in C:\Keys\keystore.jks and the RootCA.crt file in C:\Certificates on both hosts.

  1. Import the RootCA.crt certificate into the Bladelogic java security file on both nodes as follows:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\jre\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
  2. Log into the BMC Server Automation server from both hosts with defaultProfile and verify the certificate obtained. 

To configure Atrium Orchestrator and Platform Manager with SSL

  1. On the Platform Manager server, update the Provider.json file for AO details like https and ports number wherever required.
    For example:

    [{
      "cloudClass" : "com.bmc.cloud.model.beans.Provider",
      "accessValues" : [ {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
        "accessAttribute" : {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
          "datatype" : "STRING",
          "guid" : "52461ff1-2ec4-11e0-91fa-0800200c9a66",
          "isOptional" : false,
          "isPassword" : false,
          "modifiableWithoutRestart" : false,
          "name" : "AO_SERVER_URL"
        },
        "attributeValue" : "https://clm-hou-007778:9443/baocdp/orca",
        "guid" : "78274c00-9d52-4b7a-bd07-7e7bfa413855",
        "name" : "AO_SERVER_URL"
      }
  2. Restart Platform Manager. 

To configure Atrium Orchestrator and ITSM with SSL

  1. On Enterprise-AR, open the CMF PluginConfiguration form and update Atrium Orchestrator details like FIELD_AO_PROTOCOL, the FIELD_AO_PORT, and so on. 
  2. Restart the AR System server. 

To configure the BPPM router with SSL

This is the Windows HA setup where BPPM is installed on a shared disk. The BPPM Router, BPPM Leaf, and DCH are installed.

  1. Set the following environmental variable on the primary and secondary servers. 

    OPENSSL_CONF= C:\Program Files\BMC Software\ProactiveNet\pw\ApacheGroup\Apache\conf\openssl.cnf

    Note

    Perform the following steps only on the primary node.

     

  2. Make sure that the Cluster is active on the primary node and that BPPM Services are running on the primary node
  3. Create KeysCertificates, and CSR folders on the primary node. 
  4. Stop the Apache httpd service
  5. Create a private keypair for the Apache server using the keytool utility. 
    For example:

    InstallationDirectory \pw\ApacheGroup\Apache\bin C:\Program Files\BMC Software\ProactiveNet\pw\ApacheGroup\Apache\bin>openssl.exe
    genrsa -des3 -out my-server.key 1024
    Loading 'screen' into random state - done
    Generating RSA private key, 1024 bit long modulus
    ...................................++++++
    ................++++++
    e is 65537 (0x10001)
    Enter pass phrase for my-server.key:
    Verifying - Enter pass phrase for my-server.key:.

     

  6. Copy the openssl.cnf file into Apache bin directory.
    For example, copy 
     \pw\ApacheGroup\Apache\conf\openssl.cnf into the <InstallationDirectory>\pw

    \ApacheGroup\Apache\bin directory.

  7.  Create the Certificate Signing Request (ao.csr) with the server RSA private key.

    C:\Program Files\BMC Software\ProactiveNet\pw\ApacheGroup\Apache\bin>openssl.exe
     req -new -key my-server.key -out my-server.csr -config ./openssl.cnf
    Enter pass phrase for my-server.key:
    Loading 'screen' into random state - done
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:MAHA
    Locality Name (eg, city) []:PUN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC
    Organizational Unit Name (eg, section) []:CDL
    Common Name (eg, YOUR name) []:hou-clust-07
    Email Address []:bppm.bmc.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

     

  8. Copy the csr file (my-server.csr) to the OpenSSL host or to CA to obtain certificate as follows:

    D:\GnuWin32\workspace>openssl x509 -req -days 365 -in C:\CSR\my-server.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -out C:\Certificates\my-server.cert -set_serial 777
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=IN/ST=MAHA/L=PUN/O=BMC/OU=CDL/CN=hou-clust-07/emailAddress=bppm.bmc.c
    om
    Getting CA Private Key
  9. Remove the pass phrase from the private key, and then copy the my-server.key to my-server.key.org

    C:\Program Files\BMC Software\ProactiveNet\pw\ApacheGroup\Apache\bin>openssl.exe
     rsa -in ..\conf\my-server.key.org -out ..\conf\my-server.key
    Enter pass phrase for ..\conf\my-server.key.org:
    writing RSA key
  10. Replace the dummy key and certificate files with the real key and certificate files that you have created at following path:

    C:\Program Files\BMC Software\ProactiveNet\pw\ApacheGroup\Apache\conf\

  11. Comment out port 80 in the httpd file, for example:
    C
    :\Program Files\BMC Software\ProactiveNet\pw\ApacheGroup\Apache\conf\httpd.

  12. Restart the Apache httpd service.

  13. Verify the BPPM URL (for example, https://<BPPM_hostname>:9443) and check the certificate. 

To configure the BMC ProactiveNet Agent Controller with SSL on the leaf server

To communicate the agent controller to the BMC ProactiveNet Agent on SSL, perform the following configuration on the Agent Controller on the leaf server.

  1. Create a private keypair for the Apache server using the keytool utility. 
    For example:

    C:\Program Files\BMC Software\ProactiveNet\pw\jre\bin>keytool.exe -genkey -alias agent_controller -keyalg RSA -validity 365 -keystore pnserver.ks
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  agent_controller
    What is the name of your organizational unit?
      [Unknown]:  CDL
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  PUN
    What is the name of your State or Province?
      [Unknown]:  MAHA
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=agent_controller, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN correct?
      [no]:  yes
    Enter key password for <agent_controller>
            (RETURN if same as keystore password): 

     

  2. Create the Certificate Signing Request with the server RSA private key.

    C:\Program
    Files\BMC Software\ProactiveNet\pw\jre\bin>keytool.exe -certreq -keyalg RSA -alias agent_controller -file C:\CSR\pnserver.csr -keystore pnserver.ks
    Enter keystore
    password:
  3. Copy the csr file (pnserver.csr) to the OpenSSL host to obtain certificate as follows:

    D:\GnuWin32\workspace>openssl x509 -req -days 365 -in C:\CSR\pnserver.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -out C:\Certificates\pnserver.crt -set_serial 343
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=IN/ST=MAHA/L=PUN/O=BMC/OU=CDL/CN=agent_controller
    Getting CA Private Key
  4. Generate the certificate by using pnserver.csr.

    D:\GnuWin32\workspace>openssl x509 -req -days 365 -in C:\CSR\pnserver.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -out C:\Certificates\pnserver.crt -set_serial 343
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=IN/ST=MAHA/L=PUN/O=BMC/OU=CDL/CN=agent_controller
    Getting CA Private Key
  5. Copy the certificate (pnserver.crt) and RootCA.crt to the BPPM leaf Server machine.
  6. Import the Agent Controller certificate:

    C:\Program Files\BMC Software\ProactiveNet\pw\jre\bin>keytool.exe -import -alias agent_controller -keystore pnserver.ks -trustcacerts -file C:\Certificates\pnserver.crt
    Enter keystore password:
    Certificate reply was installed in keystore

     

  7. Copy pnserver.ks to the respective pronto/conf directory of the agent computer.
  8. Change the following entry in the pronet.conf file of the remote agent computer.

     

    This parameter should be the correct file name as ..pnserver.ks

     

    pronet.apps.ipc.ssl.context.controller.keystore.filename

     

  9. Change the following entry in the .ks_pass file in the pronet/conf/ directory of the remote computer.
    Here the password is changeit (entered during the creation of pnserver.ks).

    pronet.apps.ipc.ssl.context.agent.keystore.passwd=changeit

     

  10. Restart the leaf server services and verify by logging into the BPPM Administrator console.

To configure SSL with the BMC ProactiveNet Agent on DCH

The DCH host contains the BPPM Agent and the Patrol Agent. You must configure SSL on the BPPM Agent level to communicate with the Agent Controller on the Leaf Server.

  1. Create a private keypair using the keytool utility. 
    For example:

    C:\Program Files\BMC Software\BPPMAgent\jre\bin>keytool.exe -genkey -alias agent -keyalg RSA -validity 365 -keystore pnagent.ks
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  BPPMAgent
    What is the name of your organizational unit?
      [Unknown]:  CDL
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  PUN
    What is the name of your State or Province?
      [Unknown]:  IN
    What is the two-letter country code for this unit?
      [Unknown]:  INC
    Is CN=BPPMAgent, OU=CDL, O=BMC, L=PUN, ST=IN, C=INC correct?
      [no]:  yes
    Enter key password for <agent>

     

    If you are prompted to enter a key password for the agent, click Enter if it is the same as the keystore password.

  2. Create the Certificate Signing Request.

    C:\Program Files\BMC Software\BPPMAgent\jre\bin>keytool.exe -certreq -keyalg RSA -alias agent -file c:\pnagent.csr -keystore pnagent.ks
    Enter keystore password:

     

  3. Copy the csr file (pnagent.csr) to the OpenSSL host or to CA to obtain certificate as follows:

    D:\GnuWin32\workspace>openssl x509 -req -days 365 -in C:\CSR\pnagent.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -out C:\Certificates\pnagent.crt -set_serial 543
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=INC/ST=IN/L=PUN/O=BMC/OU=CDL/CN=BPPMAgent
    Getting CA Private Key

     

  4. Copy the certificate (pnagent.crt) and RootCA.crt to the BPPM Server machine.
  5. Import first root CA certificate into the new keystore (pnagent.ks).

    C:\Program Files\BMC Software\BPPMAgent\jre\bin>keytool.exe -import -alias root
    -keystore pnagent.ks -trustcacerts -file C:\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Issuer: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Serial number: bfae9d478d3085c1
    Valid from: Fri Apr 26 02:02:23 PDT 2013 until: Sat Apr 26 02:02:23 PDT 2014
    Certificate fingerprints:
             MD5:  E7:87:3D:B3:33:82:9F:17:0B:F6:78:D1:0D:64:EB:F5
             SHA1: 47:85:B7:4E:46:C4:8F:21:31:29:86:47:C5:7A:3C:7F:65:B6:36:27
             Signature algorithm name: SHA1withRSA
             Version: 1
    Trust this certificate? [no]:  yes
  6. Import the Agent Controller certificate:

    C:\Program Files\BMC Software\BPPMAgent\jre\bin>keytool.exe -import -alias agent -keystore pnagent.ks -trustcacerts -file C:\pnagent.crt
    Enter keystore password:
    Certificate reply was installed in keystore
  7. Copy pnagent.ks to the respective pronto/conf directory of the agent computer.
  8. Verify the following entry in the pronet.conf file of the agent computer.

    pronet.apps.ipc.ssl.context.agent.keystore.filename=pronto/conf/pnagent.ks
  9. Change the following entry in the .ks_pass file present in the pronet/conf/ directory of the remote computer.
    Here the password is changeit (entered during the creation of pnserver.ks).

    pronet.apps.ipc.ssl.context.agent.keystore.passwd=changeit

     

  10. Restart the BPPM Agent service.
Was this page helpful? Yes No Submitting... Thank you

Comments