Enabling SSL HTTPS on core Linux CLM applications that currently use HTTP

Most core CLM applications already use SSL HTTPS mode (Hyper Text Transfer Protocol Secure) by default, for example, Platform Manager. This topic describes how to enable SSL HTTPS for the remaining Linux BMC Cloud Lifecycle Management applications that are currently in HTTP mode, for example, Mid Tier or Atrium Orchestrator. This topic provides detailed configuration steps to make the secured communication between the components.

Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

Tip

Copy and paste the SSL commands into a text editor, strip out the line breaks, and modify the syntax for your environment.

Core CLM applications that support HTTPS on SSL during installation

The following table lists the core CLM applications that support HTTPS on SSL during installation:

Product	Self-sign certificate?	Notes on integration path
Platform Manager	Yes	Import the Platform Manager cacerts file into the JRE of the following products: Mid Tier AR Portal Java Cloud Portal Web Application (EUP) CLM Self-Check Monitor Cloud Portal and Database AR System server Atrium Orchestrator
Cloud Portal Web Application	Yes	Import Self-Checker certificate to display the Dashboard Data.
CLM Self-Check Monitor	Yes
BMC Server Automation (BBSA)	Yes
BMC Network Automation (BBNA)	Yes
Atrium Core Web Services	Yes	Default HTTPS port is 7776. If you use port 7776, update information in the BMC Network Automation console.
Mid Tier	No
BMC Atrium Orchestrator	No

Before you begin

Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes!
When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host.
If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL HTTPS.

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic. But most customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Symantec.

To create a Root CA certificate using OpenSSL

Note

You need the RootCA.key when you configure the Mid Tier, Atrium Core Web Services, and BMC Atrium Orchestrator with HTTPS on SSL.

Download and install the 32-bit and 64-bit OpenSSL packages (openssl-1.0.0-20.el6_2.5.i686.rpm and openssl-1.0.0-20.el6_2.5.x86_64.rpm) on its own host.
For more information, see System requirements for Linux.
Create Keys, Certificates, and CSR folders.
These categories are for placing keys, certificates files, and so on.
Open a command prompt and navigate to openssl (for example, /usr/bin/openssl).

Generate the key pair for root CA.
Store this key pair in the Keys/RootCA.key file.

[root@vl-aus-csm-dv01 bin]# ./openssl genrsa -out /data1/Keys/RootCA.key 1024
Generating RSA private key, 1024 bit long modulus
.................................++++++
...........++++++
e is 65537 (0x10001)

Generate a self signed certificate for CA.
This CA certificate is used across all cloud products as a common certificate. Store the certificate in the RootCA.crt file.

Enter the following command:

./openssl req -config /opt/bmc/rscd/NSH/share/openssl.cnf -new -x509 
-days 365 -key /data1/Keys/RootCA.key -out /data1/Certificates/RootCA.crt

Create a Distinguished Name (DN)..
Make sure that you enter all required information. Many fields contain defaults. Some settings you can leave blank. If you enter a period, the field will be left blank.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC
Organizational Unit Name (eg, section) []:IDD
Common Name (eg, YOUR name) []:John Stamps
Email Address []:jstamps@bmc.com

Press Enter to create the certificate.

Configuring SSL for new 4.6 installations

When you are performing new installations, you must import SSL certificates for all deployment types (for example, Compact, Small, and Medium).

Note

For Compact deployment, you do not need to import the cacerts file since all the product components are on a single host.

Note

In version 4.6, only Compact, Small, and Medium deployments are supported.

To import Self-Signed certificates

The following CLM products already have HTTPS/SSL enabled by default:

Platform Manager
Self-Check Monitor
Cloud Portal Web Application
BMC Network Automation
BMC Server Automation
BMC Capacity Optimization (if you assigned HTTPS/8443 over SSL during installation)

If you installed Platform Manager with the installer planner on HTTPS/SSL with Small or Medium deployments, you still must import the cacerts file from the Platform Manager into the JRE on the following products:

Mid Tier
Cloud Portal Web Application
CLM Self-Check Monitor
Cloud Portal and Database AR System server
Atrium Orchestrator

Copy the cacerts file on the Platform Manager to the product host.
For version 4.6, copy the cacerts file from the installed Oracle 64-bit 1.8 JVM (for example, /opt/bmc/BMCCloudLifeCycleManagement/JVM_1.8.0_60/lib/security) to a folder on the target VM (for example, /data1).
Open a command window on the product host.
Change directories to the JRE bin directory.
For version 4.6, change directories to the Oracle 64-bit 1.8 JRE bin directory.

Use cacerts to import the keystore certificate.
Make sure that you understand which JRE your application used during installation.
For example:

[root@clm-aus-005119 ~]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-importkeystore -srckeystore /data1/cacerts 
-destkeystore /usr/java/jdk1.7.0_75/jre/bin/cacerts 
-srcstoretype JKS -deststoretype JKS -srcstorepass changeit 
-deststorepass changeit -noprompt
Entry for alias digicertassuredidrootca successfully imported.
...
Entry for alias verisignclass1g2ca successfully imported.
Import command completed:  81 entries successfully imported, 
0 entries failed or cancelled
[root@clm-aus-005119 ~]#

To monitor Dashboard data, import the CLM Self-Check Monitor certificate (selfcheckSslCertificate.cert) with the JRE used by the Cloud Portal Web Application (whether installed on the Platform Manager or on a separate host) during installation. The default location of selfcheckSslCertificate.cert is /opt/bmc/selfchecker/selfchecker/Certificates.
Restart the application service.
For example, restart the BMC CSM Portal service.
Clear the Mid Tier Plugins Cache.
Flush the browser cache.
Log on to the application, add and confirm the site exception, and so on.

To configure SSL HTTPS with the Mid Tier

On the Mid Tier host, create Keys, Certificates, and CSR folders.
Copy RootCA.key to /data1/Keys/.
Copy RootCA.crt to /data1/Certificates/.
Stop the Mid Tier Tomcat server.
For example:
```
/opt/apache/tomcat6.0/bin/shutdown.sh
```
Open a command prompt and navigate to the jre/bin folder.
For version 4.6, change directories to the Oracle 64-bit 1.8 JRE jre/bin directory.
Create a keypair using the keytool utility.
If the Mid Tier is behind a load balancer, use CN as the load balancer name. But here it is MT.
```
./keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 
-keypass "changeit" -storepass "changeit" -keystore /data1/Keys/keystore.jks
```

At the prompts, enter the required information to create the keypair, and then press Enter.

What is your first and last name?
  [Unknown]:  MT
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=MT, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
  [no]:  yes

Create the Certificate Signing Request (CSR) from Mid Tier primary to retrieve the certificate from CA (that is, CLM).
```
./keytool -certreq -keyalg RSA -alias tomcat 
-file /data1/CSR/mt.csr -keystore /data1/Keys/keystore.jks
```
At the prompt, enter changeit as the password.

Use the following openssl command (for example, /usr/bin/openssl)to generate a Mid Tier server certificate (mt_server.crt):

./openssl x509 -req -days 365 -in /data1/CSR/mt.csr 
-CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
-set_serial 01 -out /data1/Certificates/mt_server.crt

(HA only) After the certificate is generated (mt_server.crt) in the Certificates folder, copy mt_server.crt and RootCA.crt to the Mid Tier primary and secondary computers into their Certificates folder.

On the Mid Tier primary and secondary computers, import the Root CA certificate:

/usr/java/jdk1.7.0_75/jre/bin/keytool -import 
-alias root -keystore /data1/Keys/keystore.jks -trustcacerts 
-file /data1/Certificates/RootCA.crt

At the prompt, enter changeit as the password.

[root@clm-aus-005120 Certificates]# cd /usr/java/jdk1.7.0_75/jre/bin/
[root@clm-aus-005120 bin]# ./keytool -import -alias root 
-keystore /data1/Keys/keystore.jks -trustcacerts 
-file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005120 bin]#

When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.

Import the mt_server.crt certificate:

./keytool -import -alias tomcat -keystore /data1/Keys/keystore.jks 
-trustcacerts -file /data1/Certificates/mt_server.crt

At the prompt, enter changeit as the password.

[root@clm-aus-005120 bin]# ./keytool -import -alias tomcat 
-keystore /data1/Keys/keystore.jks -trustcacerts 
-file /data1/Certificates/mt_server.crt
Enter keystore password:
Certificate reply was installed in keystore

Your certificate reply is installed in the keystore.

Open the server.xml file (in Linux, the default location is /opt/apache/tomcat6.0/conf/server.xml) in a text editor and uncomment the SSL related sections.

Search for the following text and uncomment out the Connector port section:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Modify the Connector port information as follows:

<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           keystoreFile="/data1/Keys/keystore.jks"
		   keystorePass="<passwordMustEqualYourKeystorePassword>"
/>

Here you change the connector port to 9443 and add the keystore file location and keystore password.

Note

If you do not add the correct keystore password, the Tomcat server does not start properly.

Save server.xml .

Start the Tomcat server.
```
/opt/apache/tomcat6.0/bin/startup.sh
```
Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URL:
https://<MidTier>:9443/arsys (where 9443 is SSL port)
https://<LoadBalancer>:9443/arsys
Add and confirm any security restrictions in your browser (as shown with Firefox).
When you access the Mid Tier the first time, review the certificate details, as shown with Internet Explorer.
1. Review the General tab and verify who the certificate is issued to (for example, MT) and who it was issued by (for example, bmc.com).
2. Click the Details tab and, review the certificate path or hierarchy.
3. Confirm the security exception and open the Mid Tier.

To integrate the Mid Tier with Platform Manager

Open the CMF:PluginConfiguration form in the Cloud Portal and Database AR System server.
1. Edit the CallBackURL from http to https.
2. Edit the port to 9443.
3. Save the record.
Copy the RootCA.crt certificate from the Mid Tier server to the Platform Manager server (for example, to a Certificates folder).

Open a command window, change directories to /usr/java/jdk1.7.0_75/jre/bin/ (by default), and then import the certificate:

./keytool -import -alias root 
-keystore "/usr/java/jdk1.7.0_75/jre7/lib/security/cacerts" 
-trustcacerts -file "/data1/Certificates/RootCA.crt"

At the prompt, enter changeit as the password.

When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.

[root@clm-aus-005121 Certificates]# cd /usr/java/jdk1.7.0_75/jre/bin/
[root@clm-aus-005121 bin]# ./keytool -import -alias root 
-keystore "/usr/java/jdk1.7.0_75/jre7/lib/security/cacerts" 
-trustcacerts -file "/data1/Certificates/RootCA.crt"
Enter keystore password:
Re-enter new password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

Restart the server in the following order – first Platform Manager and second the Cloud Portal and Database AR System server.

To configure Atrium Web Services SSL HTTPS

The following instructions apply only to Small or Medium deployments.

Note

In Compact Deployment, Atrium Web Services are not available as a separate component. Instead, they are installed as part of the Mid Tier. As a result, you do not need to configure SSL separately for Compact Deployment.

On the primary Atrium Core Web Services Registry host, create Keys, Certificates, and CSR folders.
Copy RootCA.key to /data1/Keys/.
Copy RootCA.crt to /data1/Certificates/.

Stop the Atrium Tomcat server.
For example:

/opt/bmc/AtriumWebRegistry/shared/tomcat/bin/shutdown.sh

Open a command prompt and navigate to the jre/bin folder (for example, /usr/java/jdk1.7.0_75/jre/).
Create a keypair using the keytool utility.
If the Atrium Web Services are behind a load balancer, you can use CN as the load-balancer name. But here it is AWS.
```
./keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 
-keypass "changeit" -storepass "changeit" -keystore /data1/Keys/keystore.jks
```

At the prompts, enter the required information to create the keypair, and then press Enter.

[root@clm-aus-005118 bin]# ./keytool -genkey -alias tomcat 
-keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" 
-keystore /data1/Keys/keystore.jks
What is your first and last name?
  [Unknown]:  AWS
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=AWS, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
  [no]:  yes

Create the Certificate Signing Request (CSR) from Atrium Web Services primary to retrieve the certificate from CA (that is, CLM).
```
[root@clm-aus-005118 bin]# ./keytool -certreq -keyalg RSA 
-alias tomcat -file /data1/CSR/aws.csr -keystore /data1/Keys/keystore.jks
Enter keystore password:
```
At the prompt, enter changeit as the password.

Use the following openssl command (for example, /usr/bin/openssl)to generate an Atrium Core Web Server certificate (aws_server.crt):

./openssl x509 -req -days 365 -in /data1/CSR/aws.csr 
-CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
-set_serial 01 -out /data1/Certificates/aws_server.crt
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=AWS
Getting CA Private Key

After the certificate is generated (aws_server.crt) in the Certificates folder, copy aws_server.crt and RootCA.crt to the AWS primary and secondary hosts into their Certificates folder.

On the AWS primary and secondary hosts, import the Root CA certificate:

[root@clm-aus-005118 bin]# ./keytool -import -alias root 
-keystore /data1/Keys/keystore.jks -trustcacerts 
-file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005118 bin]#

At the prompt, enter changeit as the password.
When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.

Import the aws_server.crt certificate:

[root@clm-aus-005118 bin]# ./keytool -import -alias tomcat 
-keystore /data1/Keys/keystore.jks -trustcacerts 
-file /data1/Certificates/aws_server.crt
Enter keystore password:k
Certificate reply was installed in keystore

At the prompt, enter changeit as the password.
Your certificate reply is installed in the keystore.

Open the server.xml file (in Linux, the default location is /opt/bmc/AtriumWebRegistry/shared/tomcat/conf/server.xml) in a text editor and uncomment the SSL related sections.

Search for the following text and uncomment out the Connector port section:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Modify the Connector port information as follows:

<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           keystoreFile="/data1/Keys/keystore.jks"
/>

Here you change the connector port to 9443 and add the keyStore file location.

Save the server.xml .

Start the AWS Tomcat server.
For example:

/opt/bmc/AtriumWebRegistry/shared/tomcat/bin/startup.sh

Verify your changes to the AWS or AWS Load Balancer by accessing the following URL:
https://<AWS>:9443 (where 9443 is SSL port)
https://<LoadBalancer>:9443
Add and confirm any security restrictions in your browser.
When you access AWS the first time, review the certificate details.
Review who the certificate is issued to (for example, AWS) and who the certificate was issued by (for example, bmc.com).
Review the certificate path or hierarchy.

To integrate Atrium Web Services running on HTTPS with BMC Network Automation

The following instructions apply only to Small or Medium deployments.

Note

In Compact Deployment, Atrium Web Services are not available as a separate component. Instead, they are installed as part of the Mid Tier. As a result, you do not need to configure SSL separately for Compact Deployment.

Log on to the Mid Tier to access the Cloud Portal and Database AR System server.
You can use https://<MidTier>:9443/arsys to access the Cloud Portal and Database AR System server.
Note

If you are running a dual AR System server environment, modify the default web path for the Enterprise-AR and Cloud-AR servers.
Open the Server Information form for the Cloud Portal and Database AR System server.
Click the Advanced tab, and modify the URL in the Default Web Path field with the updated https and port (for example, 9443).Click the Advanced tab and modify the default web path URL with the updated https and port.
For example, you might enter https://vw-san-clmidd:9443/arsys/.
Restart the Cloud Portal and Database AR System server.
Log on to BMC Network Automation.
Click the Admin tab, and navigate to System Admin > System Parameters.
In the Enable CMDB Integration section, modify the Web Service Endpoint URL field with the updated https and port 9443 URL (for example, https://bnaServer:9443/cmdbws/server/cmdbws.wsdl).
Click Save.
The BMC Network Automation console verifies your changes.
When you finish, verify that physical location is accessed by BMC Network Automation during POD creation through the Atrium Web Services.
If you have successfully integrated Atrium Web service and BNA SSL communication, go to BMC Network Automation and try to create a POD. The physical location created in the AR System server should be visible in the list during POD creation.

To configure BMC Atrium Orchestrator with SSL HTTPS

An HA environment typically has the following components installed.

Host A Primary: AMREPO (Access Manager and Repository) and CDP installed
Host B Secondary: AMREPO and HACDP installed
Host C: SQL DB for AMREPO

In non-HA environments, BMC Atrium Orchestrator Access Manager and Repository are installed on a single server.Installing Small Deployment Linux for version 4.7

On the main AO hosts (for example, Host A and B), create Keys, Certificates, and CSR folders.
Copy RootCA.key to /data1/Keys/.
Copy RootCA.crt to /data1/Certificates/.
Stop the Access Manager, Configuration Distribution Peer (CDP), and Repository servers.
For example:
```
/opt/bmc/ao-platform/amrepo/bin/bao.sh stop
/opt/bmc/ao-platform/cdp/bin/bao.sh stop
```
Open a command prompt and navigate to the JRE folder (for example, /opt/bmc/ao-platform/amrepo/jvm/bin).

On primary Host A, create a keypair using the keytool utility.
If Atrium Orchestrator is behind a load balancer, use CN as the load balancer name. At the prompts, enter the required information to create the keypair, and then press Enter.

[root@clm-aus-005119 bin]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-genkey -alias AO -keyalg RSA -keysize 1024 -keypass "changeit" 
-storepass "changeit" -keystore /data1/Keys/keystore.jks
What is your first and last name?
  [Unknown]:  John Stamps
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, 
ST=CA, C=US correct?
  [no]:  yes
[root@clm-aus-005119 bin]#

Create the Certificate Signing Request (ao.csr) from AO primary to retrieve the certificate from CA (that is, CLM).
At the prompt, enter changeit as the password.

[root@clm-aus-005119 bin]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-certreq -keyalg RSA -alias AO -file /data1/CSR/ao.csr 
-keystore /data1/Keys/keystore.jks
Enter keystore password:
[root@clm-aus-005119 bin]#

Use the following openssl command (for example, /usr/bin/openssl) to generate an Atrium Orchestrator certificate (ao.crt) in the Certificates folder.:

[root@clm-aus-005119 CSR]# /usr/bin/openssl x509 -req 
-days 365 -in /data1/CSR/ao.csr -CA /data1/Certificates/RootCA.crt 
-CAkey /data1/Keys/RootCA.key -set_serial 999 
-out /data1/Certificates/ao.crt
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
Getting CA Private Key
[root@clm-aus-005119 CSR]#

After the certificate is generated (ao.crt) in the Certificates folder, copy ao.crt and RootCA.crt to the AO primary, AO secondary, and AO Repo computers into their Certificates folder.

To configure AMREPO to work with SSL HTTPS

On the AO primary and AO secondary hosts, import the Root CA certificate.
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.

[root@clm-aus-005119 Certificates]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-import -alias root -keystore /data1/Keys/keystore.jks -trustcacerts 
-file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005119 Certificates]#

Import the ao.crt certificate into the AO jvm security folder.
At the prompt, enter changeit as the password.
Your certificate reply is installed in the keystore.

[root@clm-aus-005119 security]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-import -alias root 
-keystore /opt/bmc/ao-platform/amrepo/jvm/lib/security/cacerts 
-trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
O=BMC, L=San Jose, ST=CA, C=US
... 
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005119 security]#

Import the ao.crt certificate into keystore.jks (for example, /data1/Keys/keystore.jks):

[root@clm-aus-005119 security]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-import -alias AO -keystore /data1/Keys/keystore.jks 
-trustcacerts -file /data1/Certificates/ao.crt
Enter keystore password:
Certificate reply was installed in keystore
[root@clm-aus-005119 security]#

Open the Access Manager server.xml file (in Windows, for example, /opt/bmc/ao-platform/amrepo/tomcat/conf/server.xml) in a text editor and uncomment the SSL related sections.

Search for the following text and uncomment out the Connector port section:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Modify the Connector port information as follows.
Uncomment the following section and update the required port (for example, 8443) and add the keystoreFile path for keystore.
Make sure that you save the file.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
			   keystoreFile="/data1/Keys/keystore.jks"
/>

Update the Login page entry in the context.xml file (for example, /opt/bmc/ao-platform/amrepo/tomcat/conf/context.xml) as follows:

<Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" 
type="java.lang.String" value="https://clm-aus-995119:8443/baoam/login.jsf"/>

Start the Access Manager server.
For example:

/opt/bmc/ao-platform/amrepo/bin/bao.sh start
/opt/bmc/ao-platform/cdp/bin/bao.sh start

Verify the URL.
For example:
https://<AMPrimaryHost>:8443/baoam
Add and confirm any security restrictions in your browser.
The default login is admin/admin123.
The certificate should display who you issued to and who it is issued by. For example:
Make the same changes to the secondary Access Manager server.
1. Copy the keystore file.
2. Update the server.xml and context.xml files.
3. Import the Root CA certificate.
4. Start the secondary Access Manager server.
5. Verify the URL.

To configure primary and secondary CDP to work with SSL HTTPS

Note

For CDP, use the same RootCA.crt and keystore.jks files you previously generated. In addition, use the keystore.jks file from the /data1/Keys/keystore.jks path.

Modify the server.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/conf/server.xml) as follows.
Uncomment the following section and update the required port (for example, 9443) and add the keystoreFile path for keystore.
```
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS" 
 keystoreFile="/data1/Keys/keystore.jks"/>
```
Modify the context.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/context.xml) in a text editor.
Update the following entry with corrected port and https.
```
<Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" 
value="https://clm-aus-005119:9443/baorepo/http"/>
```

Import the ROOTCA.crt certificate into the primary CDP JVM security folder.
At the prompt, enter changeit as the password.
Your certificate reply is installed in the keystore.

/opt/bmc/ao-platform/amrepo/jvm/bin/keytool -import -alias root 
-keystore /opt/bmc/ao-platform/cdp/jvm/lib/security/cacerts 
-trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

Import the ROOTCA.crt certificate into the secondary CDP JVM security folder.

On the secondary CDP host, modify the context.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/conf/context.xml) in a text editor.
Update the following entries with corrected port and https.

Parameter name="com.bmc.ao.HACDP_CONFIGURATION" override="true" 
value="https://admin:admin123@vw-hou-sln-qa18:9443/baocdp/ws/install?
grid=GRID1&amp;peer=HACDP"/>
  <Environment name="grid-name" override="true" type="java.lang.String" 
   value="GRID1"/>
  <Environment name="peer-endpoint-urls" override="true" 
   type="java.lang.String" 
   value="https://vw-hou-sln-qa18:9443/baocdp/ws/console"/>

Start the CDP server on both nodes.
For example:
```
/opt/bmc/ao-platform/cdp/bin/bao.sh start
```
Verify the URL and then add and confirm any security restrictions in your browser.
The certificate should display who you issued to and who it is issued by.
For example:
https://<CDPHost>:9443/baocdp

Note

When you access the BMC Server Automation application server from Atrium Orchestrator hosts, it should display the following certificate details.

To configure BMC Server Automation and Atrium Orchestrator with SSL HTTPS

You already generated the bladelogic.keystore file for BMC Server Automation, the keystore file in /data1/Keys/keystore.jks for Atrium Orchestrator, and the RootCA.crt files in /data1/Certificates on both hosts.

Import the RootCA.crt certificate into the Bladelogic java security file on the BMC Server Automation node:

clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias root 
-keystore /opt/bmc/bladelogic/NSH/jre/lib/security/cacerts -trustcacerts 
-file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
clm-aus-005115#

Import the RootCA.crt certificate into the Bladelogic java security file on the Atrium Orchestrator node:

[root@clm-aus-005119 /]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
-import -alias root -keystore /opt/bmc/bladelogic/NSH/jre/lib/security/cacerts 
-trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <root>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005119 /]#

Log into the BMC Server Automation server from both hosts with defaultProfile and verify the certificate obtained.

To configure Atrium Orchestrator and Platform Manager with SSL HTTPS

On the Platform Manager server, update the providers.json file for BAO details like https and port numbers wherever required.
For example:

[{
  "cloudClass" : "com.bmc.cloud.model.beans.Provider",
  "accessValues" : [ {
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "STRING",
      "guid" : "52461ff1-2ec4-11e0-91fa-0800200c9a66",
      "isOptional" : false,
      "isPassword" : false,
      "modifiableWithoutRestart" : false,
      "name" : "AO_SERVER_URL"
    },
    "attributeValue" : "https://clm-aus-005119:9443/baocdp/orca",
    "guid" : "78274c00-9d52-4b7a-bd07-7e7bfa413855",
    "name" : "AO_SERVER_URL"
  }

Stop and restart Platform Manager.
For example:

/etc/init.d/bmccsm stop
/etc/init.d/bmccsm start

To configure Atrium Orchestrator and ITSM with SSL HTTPS

On the Cloud Portal and Database server, open the CMF:PluginConfiguration form and update Atrium Orchestrator details like FIELD_AO_PROTOCOL, the FIELD_AO_PORT, and so on.

Stop and restart the AR System server.
For example:

/data1/bmc/ARSystem/bin/arsystem stop
/data1/bmc/ARSystem/bin/arsystem start

To modify the Platform Manager to use HTTPS with multiple ITSM servers

The following procedure applies if you are running multiple IT Service Management servers.

In Cloud Portal and Database ITSM, open the CMF:PluginConfiguration form and change the Root URL from http to https and update the SSL port to 9443.

In both ITSM hosts, import the RootCA certificate.

Copy the RootCA.crt certificate to both hosts in its own folder (for example, /data1/Certificates).

Import the certificate by entering following command.

/usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias root 
-keystore 
/opt/bmc/BMCCloudLifeCycleManagement/JVM_1.7.0_55/lib/security/cacerts 
-trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, 
OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

You do not need to import RootCA into the /usr/java/jdk1.7.0_75/jre/bin path.

Restart the Platform Manager and AR System servers.
Verify your changes by putting the RESTClient on the ITSM host and connecting to the Platform Manager host with SSL URL and the trustcacerts path of Cloud Java (as above).

Enabling SSL HTTPS on core Linux CLM applications that currently use HTTP

Core CLM applications that support HTTPS on SSL during installation

Before you begin

To create a Root CA certificate using OpenSSL

Configuring SSL for new 4.6 installations

To import Self-Signed certificates

To configure SSL HTTPS with the Mid Tier

To integrate the Mid Tier with Platform Manager

To configure Atrium Web Services SSL HTTPS

To integrate Atrium Web Services running on HTTPS with BMC Network Automation

To configure BMC Atrium Orchestrator with SSL HTTPS

To configure AMREPO to work with SSL HTTPS

To configure primary and secondary CDP to work with SSL HTTPS

To configure BMC Server Automation and Atrium Orchestrator with SSL HTTPS

To configure Atrium Orchestrator and Platform Manager with SSL HTTPS

To configure Atrium Orchestrator and ITSM with SSL HTTPS

To modify the Platform Manager to use HTTPS with multiple ITSM servers

Related topic

Comments