Enabling SSL HTTPS on Linux non-CLM applications
This topic describes how to enable SSL HTTPS on Linux non-CLM applications, for example, BMC Capacity Optimization. It provides detailed configuration steps to make the secured communication between the components.
Copy and paste the SSL commands into a text editor, strip out the line breaks, and modify the syntax for your environment.
Before you begin
- Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes!
- When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host.
- If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL HTTPS.
- For detailed steps on creating Root CA certificates or importing self-signed certificates, see Enabling SSL HTTPS on core Windows CLM applications that currently use HTTP.
To configure BMC Capacity Optimization with SSL
This is a two-step process:
- Generating a certificate and key to use with Apache
- Enabling Apache to use HTTPS for BMC Capacity Optimization
To generate a certificate and key to use with Apache
Install the following packages on the host if they are not already present.
After installing these packages, generate a new key and a new SSL certificate using the genkey $hostname command.
Here $hostname is the fully qualified domain name of your BMC Capacity Optimization application server machine.
To create a certificate request, select the appropriate option.
Enter the certificate fields with your information (Name, Firm, Country, and so on). If you do not want to manually insert a password every time you restart the Apache Httpd server (for example, if you are in an automatic HA environment), clear the encrypt key option.
During key generation, review the following output on the console:
[root@clm-bco ~]# genkey csm-bco /usr/bin/keyutil -c genreq -g 1024 -s "CN=csm-bco, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US" -v 24 -a -o /etc/pki/tls/certs/csm-bco.0.csr -k /etc/pki/tls/private/csm-bco.key -z /etc/pki/tls/.rand.24660 cmdstr: genreq cmd_CertReq command: genreq ... subject = CN=csm-bco, OU=IDD, O=BMC, L=PUN, ST=SAN JOSE, C=US valid for 1 months random seed from /etc/pki/tls/.rand.24660 output will be written to /etc/pki/tls/certs/csm-bco.crt output key written to /etc/pki/tls/private/csm-bco.key
The Certificate Signing Request (csm-bco.0.csr) file is generated at the /etc/pki/tls/certs location.
Copy the csm-bco-0.csr file where you have CA or generate the CA certificate.
Or send this csr file to CA to get certificate.
Generate the certifcate, using the csm-bco-0.csr file.
/usr/bin/openssl x509 -req -days 365 -in /data1/CSR/csm-bco.0.csr -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key -set_serial 878 -out /data1/Certificates/csm-bco.crt Loading 'screen' into random state - done Signature ok subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=csm-bco Getting CA Private Key
When you finish generating the key, you have the following results:
- $hostname.crt certificate file in /etc/pki/tls/certs/
- $hostname.key key file in /etc/pki/tls/private/
- Create /pki/tls/certs and /pki/tls/private folders at $CPITBASE/3rd_party/apache2/etc.
- Copy /etc/pki/tls/certs/$hostname.crt to $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.cert.
- Copy /etc/pki/tls/private/$hostname.key to $CPITBASE/3rd_party/apache2/etc/pki/tls/ private/<hostname>.key.
- Change the owner of both the copied files and the created folders to the owner using BMC Capacity Optimization.
To enable HTTPS in Apache
- Make sure that the ssl.conf file is present under $CPITBASE/3rd_party/apache2/etc/httpd/conf.d. If not, then create it with following SSL contents.
- Make sure that the mod_ssl.so file is present under $CPITBASE/3rd_party/apache2/etc/httpd/modules. If not, then copy it from the /etc/httpd/modules path.
To enable HTTPS in your BMC Capacity Optimization installation, perform the following steps:
Modify the caplan.conf configuration file located at $CPITBASE/3rd_party/apache2/etc/httpd/conf.d, by adding the following information:
SSLEngine on SSLProxyEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt SSLCertificateKeyFile $CPITBASE/3rd_party/apache2 /etc/pki/tls/private/<hostname>.key
Create the ssl.conf file in $CPITBASE/3rd_party/apache2/etc/httpd/conf.d and add the following content.
LoadModule ssl_module modules/mod_ssl.so Listen 8443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin
Make sure that you change the required SSL port.
- Restart Httpd using the $CPITBASE/cpit restart httpd command.
The new URL to connect to BCO will be https://$hostname:8443/console.
Import the certificate into /gfs/cpit/jre/lib/security/cacerts for the trusted CA certificate.
[root@clm-bco bin]# ./keytool -import -alias root -keystore /gfs/cpit/jre/lib/security/cacerts -trustcacerts -file /etc/pki/tls/certs/RootCA.crt Enter keystore password: Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US ... Trust this certificate? [no]: yes Certificate was added to keystore
- When you access the BCO URL, review the following certificate:
To integrate BMC Capacity Optimization and Platform Manager changes into SSL