Using CLM applications with third-party Certification Authority certificates
You can use third-party certificates with BMC Cloud Lifecycle Management applications. A certificate authority, or certification authority (CA), is an entity that issues digital certificates. A digital certificate certifies that the named subject of the certificate owns a particular public key. This allows others (relying parties) to rely upon signatures or assertions made with the private key that corresponds to the certified public key.
Note
In general, perform the following steps to support third-party CA certificates:
- Use the JRE keytool to create a private key and a certificate signing request (CSR), and send the CSR to the signing authority. The signing authority returns the signed certificate, along with the CA certificate.
- Use the keystore during product installation (for example, when installing the Cloud Portal Web Application).
- Configure the BMC Cloud Lifecycle Management products with the supporting CA certificates.
Video series – Using third-party certificates with the BMC CLM Self-Check Monitor
The videos in this section provide detailed conceptual information and step-by-step instructions on how to use third-party certificates to install and configure the BMC CLM Self-Check Monitor. You use essentially the same steps with Platform Manager or the Cloud Portal Web Application.
Tip
For easier viewing, start the video and then expand it in YouTube.
The following video (13:43) shows how to create third-party certificates:
The following video (8:05) shows how to install BMC CLM Self-Check Monitor with a third-party certificate:
The following video (12:00) shows how to configure BMC CLM Self-Check Monitor with a third-party certificate:
To create keystores, private and public keys, and certificates
This section creates a third-party certificate to use with the Cloud Portal Web Application. You use essentially the same steps with any BMC Cloud Lifecycle Management product.
Note
- Back up your VM or your file system before you start. If you make a mistake, you can revert to a saved snapshot and try again.
- Copy and paste the SSL commands into a text editor like Notepad++ or TextPad, strip out the line breaks, and modify the syntax for your environment.
Before you begin, install 64-bit Oracle JRE 1.7 for version 4.5 on the product host.
- From the command prompt, navigate to the directory where keytool is located.
- Create the keystore and the private key (keystore.jks).
A keystore holds your private and public keys. When you create a Java keystore, you create the keystore.jks file, which at first contains only the private key. This example uses changeit as the password.
keytool -genkey -alias clmui -keyalg RSA -keystore C:\Keys\keystore.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  vw-aus-clmidd09.bmc.com
What is the name of your organizational unit?
  [Unknown]:  BMC Software
What is the name of your organization?
  [Unknown]:  IDD
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, O=IDD, L=San Jose, ST=California, C=US correct?
  [no]:  yes
Enter key password for <clmui>
	(RETURN if same as keystore password):
Re-enter new password:
- Create the certificate signing request (CSR).
This example uses changeit as the password.
keytool -certreq -alias clmui -file C:\CSR\clmui.csr -keystore C:\Keys\keystore.jks -sigalg SHA1withRSA
Enter keystore password:
- Send the CSR file to a CA for signing using one of the following methods. The CA returns a signed SSL certificate, for example, ssl_cert.cer.
  - Have the CSR signed by a commercial CA like Symantec. This process usually requires you to paste the CSR into a web form, pay for the signing, and await the signed SSL certificate. For more information about commercial CAs, see:
    - Symantec: http://digitalid.verisign.com/server
    - CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
    - Uptime Commerce Ltd: http://www.uptimecommerce.com
    - BelSign NV/SA: http://www.belsign.be
  - Use your own CA and have it sign the CSR.
- (Optional) Download and import the Root CA certificate (for example, RootCA.cer) into the browser.
Trial versions of the Root CA certificate must be installed in each browser where you will test it. This step is not necessary with production certificates. For more information, see the Symantec documentation on using root certificates.
- Download and import the Root CA certificate (for example, RootCA.cer) on the product host.
keytool -import -trustcacerts -alias root -keystore "C:\Keys\keystore.jks" -file "C:\Certificates\RootCA.cer"
- Download and import the Intermediate CA certificate (for example, intermediate.cer) on the product host.
Do not mismatch the Root and Intermediate CA certificates; select the appropriate Intermediate CA certificate for your SSL certificate type.
keytool -import -trustcacerts -alias Intermediate -keystore C:\Keys\keystore.jks -file C:\Certificates\intermediate.cer
For more information, see the Symantec documentation on using intermediate certificates.
- Install the SSL certificate (for example, ssl_cert.cer) on the product host.
The alias name in this command must be the same as the alias name used when generating the private key and CSR, for example, clmui.
keytool -import -alias clmui -keystore "C:\Keys\keystore.jks" -trustcacerts -file "C:\Certificates\ssl_cert.cer"
For more information, see the Symantec documentation on installing certificates on Tomcat.
- Verify the contents of the keystore to confirm that the SSL certificate was imported into the alias whose Entry Type is PrivateKeyEntry or KeyEntry.
For example:
keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
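A way to check that listing automatically, as an added example that is not BMC's code and not part of the original page: the script below parses the text that keytool -list -v writes and reports whether the clmui alias is a private key entry whose certificate chain runs from the host certificate through the intermediate to a self-signed root, which is what a correct import leaves behind. The two dumps embedded in it are constructed and abbreviated to the lines the check reads (fingerprints, dates and serial numbers omitted); the CA names in them are placeholders, and the host name and alias are the ones used in this procedure.

```python
import re

# Constructed sample: the clmui alias right after "keytool -genkey", before the
# CA reply is imported. keytool shows a self-signed placeholder, chain length 1.
BEFORE_IMPORT = """\
Your keystore contains 1 entry

Alias name: clmui
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, O=IDD, L=San Jose, ST=California, C=US
Issuer: CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, O=IDD, L=San Jose, ST=California, C=US
"""

# Constructed sample: the same keystore after the root, intermediate and CA
# reply were imported; keytool has rebuilt the chain up to the trusted root.
AFTER_IMPORT = """\
Your keystore contains 3 entries

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US

*******************************************

Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US

*******************************************

Alias name: clmui
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, O=IDD, L=San Jose, ST=California, C=US
Issuer: CN=Example Intermediate CA, O=Example CA Ltd, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US
"""


def parse_keytool_list(text):
    """Return {alias: {"entry_type": str, "chain": [[owner, issuer], ...]}}.

    keytool prints one "Alias name:" block per entry; inside a block every
    certificate appears as an Owner: line followed by its Issuer: line.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            current = {"entry_type": None, "chain": []}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            current["chain"].append([line.split(":", 1)[1].strip(), None])
        elif line.startswith("Issuer:"):
            current["chain"][-1][1] = line.split(":", 1)[1].strip()
    return entries


def common_name(dn):
    """Pull the CN attribute out of a distinguished-name string."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def check_server_alias(text, alias, expected_host):
    """Return a list of problems; an empty list means the alias is ready for Tomcat."""
    problems = []
    entry = parse_keytool_list(text).get(alias)
    if entry is None:
        return ["alias %r not found in keystore" % alias]
    if entry["entry_type"] not in ("PrivateKeyEntry", "KeyEntry"):
        problems.append("alias %r is %s, not a private key entry" % (alias, entry["entry_type"]))
    chain = entry["chain"]
    if not chain:
        return problems + ["no certificate found under alias %r" % alias]
    leaf_cn = common_name(chain[0][0])
    if leaf_cn != expected_host:
        problems.append("leaf CN %r does not match host %r" % (leaf_cn, expected_host))
    if len(chain) < 2:
        problems.append("chain length is 1: the CA reply has not been imported "
                        "(still the self-signed certificate from keytool -genkey)")
    # Each certificate must be issued by the next one up the chain.
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append("certificate %d issuer %r is not certificate %d owner %r"
                            % (i + 1, chain[i][1], i + 2, chain[i + 1][0]))
    if len(chain) >= 2 and chain[-1][0] != chain[-1][1]:
        problems.append("chain is not anchored in a self-signed root")
    return problems


if __name__ == "__main__":
    for label, dump in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT)):
        print(label + ":", check_server_alias(dump, "clmui", "vw-aus-clmidd09.bmc.com") or "OK")
```

Run against the real output_filename.txt by reading the file into a string and passing it to check_server_alias with your alias and FQDN. The "chain length is 1" finding is the one that matters most in practice: it is what you see when the signed certificate was imported under a different alias than the CSR, which leaves Tomcat serving the self-signed placeholder and produces the "server is not trusted" warning described later in this topic.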
To install products with third-party certificates
This section describes how to install Cloud Portal Web Application with a third-party certificate. You use essentially the same steps with Platform Manager or CLM Self-Check Monitor.
- Run the product installation (for example, the Platform Manager, CLM Self-Check Monitor, or Cloud Portal Web Application).
- At the Custom CA Certificate Configuration panel:
- Select YES.
- Enter the location of the third-party certificate and password.
- Continue with the installation.
To configure third-party certificates
This section describes how to configure a third-party certificate used with the Cloud Portal Web Application.
Note
After you install Platform Manager, Self-Check Monitor, or the Cloud Portal Web Application with the installer planner on HTTPS/SSL with Small or Medium deployments, configure the third-party certificates on the following products:
- Mid Tier
- Cloud Portal Web Application
- CLM Self-Check Monitor
- Cloud Portal and Database AR System server
- Atrium Orchestrator
- Copy the Platform Manager cacerts file to the product host.
- Import the Platform Manager cacerts file into the SSL certificate.
Make sure the entries are successfully imported.
keytool -importkeystore -srckeystore "C:\TEMP\cacerts" -destkeystore "C:\Keys\ssl_cert.cer" -srcstoretype JKS -deststoretype JKS -noprompt
- Import the keystore (cacerts) certificates into the application cacerts.
Make sure that you understand which JRE your application used during installation. This example imports the keystore certificates into the cacerts of the external JRE used by the installer.
keytool -importkeystore -srckeystore "C:\TEMP\cacerts" -destkeystore "C:\Program Files\Java\jre7\lib\security\cacerts" -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt
By contrast, this example imports the keystore certificates into the cacerts of the bundled JRE used by the Cloud Portal Web Application (clmui).
keytool -importkeystore -srckeystore "C:\TEMP\cacerts" -destkeystore "C:\Program Files\BMC Software\CloudPortalWebApplication\jre\lib\security\cacerts" -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt
- Configure the server.xml file (for example, in C:\Program Files\BMC Software\CloudPortalWebApplication\tomcat\conf on the Cloud Portal Web Application host) to enable SSL in Tomcat by replacing the default keystore file (clmuiSslCertificate.cert) with the location of your third-party keystore file.
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" keystoreFile="C:\Keys\keystore.jks" keystorePass="changeit" maxThreads="150" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
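As an added example (not BMC's code and not part of the original page), the following script audits that Connector after the edit: it parses server.xml, finds the SSL-enabled connector, and reports whether it still points at the default clmuiSslCertificate.cert, whether scheme, secure and the port are what the page expects, and whether the keystore password is still the well-known changeit default. It assumes the attribute names shown in the Connector above; the two server.xml fragments inside it are constructed, one with the shipped default keystore and one with the third-party keystore substituted.

```python
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "clmuiSslCertificate.cert"   # shipped placeholder keystore, per this topic
DEFAULT_PASSWORD = "changeit"                   # Java's well-known default keystore password

# Constructed: a minimal server.xml whose SSL connector still uses the default keystore.
SERVER_XML_DEFAULT = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000"
               keystoreFile="clmuiSslCertificate.cert" keystorePass="changeit"
               maxThreads="150" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed: the same file after keystoreFile was replaced with the
# third-party keystore created earlier in this topic.
SERVER_XML_UPDATED = SERVER_XML_DEFAULT.replace(
    'keystoreFile="clmuiSslCertificate.cert"', r'keystoreFile="C:\Keys\keystore.jks"')


def ssl_connectors(xml_text):
    """Return the attribute dict of every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [c.attrib for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit_ssl_connector(xml_text, expected_port="8443"):
    """Return (severity, message) findings; no "error" findings means the edit is complete."""
    findings = []
    connectors = ssl_connectors(xml_text)
    if len(connectors) != 1:
        return [("error", "expected exactly one SSL-enabled Connector, found %d" % len(connectors))]
    c = connectors[0]
    if c.get("port") != expected_port:
        findings.append(("error", "SSL Connector is on port %s, expected %s"
                         % (c.get("port"), expected_port)))
    for attr, want in (("scheme", "https"), ("secure", "true")):
        if c.get(attr, "").lower() != want:
            findings.append(("error", '%s should be "%s", found %r' % (attr, want, c.get(attr))))
    keystore = c.get("keystoreFile")
    if not keystore:
        findings.append(("error", "keystoreFile is not set"))
    elif keystore.replace("\\", "/").rsplit("/", 1)[-1] == DEFAULT_KEYSTORE:
        findings.append(("error", "keystoreFile still points at the default %s" % DEFAULT_KEYSTORE))
    if "keystorePass" not in c:
        findings.append(("error", "keystorePass is not set; Tomcat cannot open the keystore"))
    elif c["keystorePass"] == DEFAULT_PASSWORD:
        findings.append(("warning", "keystorePass is the well-known default %r" % DEFAULT_PASSWORD))
    if not c.get("sslProtocol"):
        findings.append(("warning", "sslProtocol is not set"))
    return findings


def errors(findings):
    """Only the findings that block a working HTTPS connector."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for label, xml_text in (("default", SERVER_XML_DEFAULT), ("updated", SERVER_XML_UPDATED)):
        for sev, msg in audit_ssl_connector(xml_text):
            print("%s: %s: %s" % (label, sev, msg))
```

To audit the real file, read server.xml from the tomcat\conf directory into a string and pass it to audit_ssl_connector. The changeit warning is deliberate: the keystore password sits in clear text in server.xml, so the file deserves the same filesystem permissions as the keystore itself, and using a non-default password for a production keystore is the usual hardening step.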
- Restart the product service, for example, BMC CSM Portal.
- Download and install the SSL certificate into each browser that you use to test your SSL certificate.
For more information, see the Symantec documentation on browser certificates.
Tip
This example uses Google Chrome, because Chrome includes network tools (press F12) to troubleshoot connection problems with HTTPS.
  - Import the SSL certificate into the Trusted Root Certification Authorities store of your browser.
  - When you are prompted to add the certificate to the root store, click Yes.
  - Enter the HTTPS URL of your product host. Use the FQDN, for example:
    https://<FQDNproductHost>:8443
  - Click the HTTPS lock (it should be green, not red) and review the SSL certificate.
- To verify that your HTTPS configuration was successful, open the following URL in a browser:
https://<FQDNproductHost>:<port>/clmui
For example: https://vw-aus-clmidd09.bmc.com:8443/clmui
Note
If you are warned that your server is not trusted, this is a serious error and you must troubleshoot the root cause. You likely made one or more crucial mistakes when you installed or configured the chain of certificates.
- Log on as a CLM user.
If you correctly configured the third-party SSL certificate, you should not see any server errors (for example, error 500, where the server cannot find a valid certification path to the requested target), and the application window should appear. The following screenshot also displays the Google Chrome diagnostic tools for networking.
Related topic
Using certificates to secure communication between clients and Application Servers (in the BMC Server Automation 8.6 documentation)