Enabling SSL HTTPS on Linux non-CLM applications

This topic describes how to enable SSL HTTPS on Linux non-CLM applications, for example, BMC Capacity Optimization. It provides the configuration steps needed to secure the communication between the components.

Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

Tip

Copy and paste the SSL commands into a text editor, strip out the line breaks, and modify the syntax for your environment.

Before you begin

  • Take a snapshot of your VMs or back up your servers, so that you can roll back your changes if you make a mistake. 
  • When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host. 
  • If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL HTTPS.

Note

BMC tests SSL with OpenSSL-generated certificates, as shown in this topic. Most customers, however, use root certificates issued by trusted certificate authorities (CAs), for example, Symantec, in their production environments.

To configure BMC Capacity Optimization with SSL

Warning

If you installed BMC Capacity Optimization with HTTPS (SSL) already enabled, these instructions do not apply to you. Do not complete these steps if SSL is already enabled on the host; otherwise, you run the risk of breaking functionality that is already working properly. 

This is a two-step process:

To generate a certificate and key to use with Apache

  1. Install the following packages on the host if they are not already present.

    • crypto-utils

    • mod_ssl

  2. After installing these packages, generate a new key and a new SSL certificate using the genkey $hostname command, 
    where $hostname is the fully qualified domain name of your BMC Capacity Optimization application server machine.

  3. To create a certificate request, select the appropriate option.
    Enter the certificate fields with your information (Name, Firm, Country, and so on). If you do not want to manually insert a password every time you restart the Apache Httpd server (for example, if you are in an automatic HA environment), clear the encrypt key option.

  4. During key generation, review the following output on the console:

    [root@clm-bco ~]# genkey csm-bco
    /usr/bin/keyutil -c genreq -g 1024 
    -s "CN=csm-bco, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US" -v 24 -a 
    -o /etc/pki/tls/certs/csm-bco.0.csr 
    -k /etc/pki/tls/private/csm-bco.key -z /etc/pki/tls/.rand.24660
    cmdstr: genreq
    cmd_CertReq
    command:  genreq
    ...
    subject = CN=csm-bco, OU=IDD, O=BMC, L=PUN, ST=SAN JOSE, C=US
    valid for 1 months
    random seed from /etc/pki/tls/.rand.24660
    output will be written to /etc/pki/tls/certs/csm-bco.crt
    output key written to /etc/pki/tls/private/csm-bco.key

    The Certificate Signing Request (csm-bco.0.csr) file is generated at the /etc/pki/tls/certs location.

  5. Copy the csm-bco.0.csr file to the host where your CA is located (or where you generate the CA certificate), 
    or send the CSR file to your CA to obtain a certificate.

  6. Generate the certificate by signing the csm-bco.0.csr file with the CA: 

    /usr/bin/openssl x509 -req -days 365 -in /data1/CSR/csm-bco.0.csr \
    -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key \
    -set_serial 878 -out /data1/Certificates/csm-bco.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=csm-bco
    Getting CA Private Key

  7. When you finish generating the key, you have the following results:

    • $hostname.crt certificate file in /etc/pki/tls/certs/
    • $hostname.key key file in /etc/pki/tls/private/
  8. Create the pki/tls/certs and pki/tls/private folders under $CPITBASE/3rd_party/apache2/etc.
  9. Copy /etc/pki/tls/certs/$hostname.crt to $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt.
  10. Copy /etc/pki/tls/private/$hostname.key to $CPITBASE/3rd_party/apache2/etc/pki/tls/private/<hostname>.key.
  11. Change the owner of both copied files and of the created folders to the user that runs BMC Capacity Optimization.

To enable HTTPS in Apache

Note

  • Make sure that the ssl.conf file is present under $CPITBASE/3rd_party/apache2/etc/httpd/conf.d. If not, create it with the SSL content shown in the steps that follow.
  • Make sure that the mod_ssl.so file is present under $CPITBASE/3rd_party/apache2/etc/httpd/modules. If not, then copy it from the /etc/httpd/modules path.

To enable HTTPS in your BMC Capacity Optimization installation, perform the following steps:

  1. Modify the caplan.conf configuration file located at $CPITBASE/3rd_party/apache2/etc/httpd/conf.d by adding the following directives (each directive and its value on a single line):

    SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt
    SSLCertificateKeyFile $CPITBASE/3rd_party/apache2/etc/pki/tls/private/<hostname>.key
  2. Create the ssl.conf file in $CPITBASE/3rd_party/apache2/etc/httpd/conf.d and add the following content.

    LoadModule ssl_module modules/mod_ssl.so
    Listen 8443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    Change the Listen port (8443 here) to the SSL port you want to use, if different.

  3. Restart Httpd using the $CPITBASE/cpit restart httpd command.
    The new URL for connecting to BCO is https://$hostname:8443/console
  4. Import the CA certificate into the /gfs/cpit/jre/lib/security/cacerts truststore so that the JRE trusts it:

    [root@clm-bco bin]# ./keytool -import -alias root \
    -keystore /gfs/cpit/jre/lib/security/cacerts -trustcacerts \
    -file /etc/pki/tls/certs/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=IDD, 
    O=BMC, L=SAN JOSE, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  5. When you access the BCO URL, review the certificate that the browser presents and confirm that it is the one you generated.
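Before restarting httpd, it is worth checking the directives from steps 1 and 2 above, and the key-file permissions set in step 11 of the previous procedure, with a small script. The following audit is an added example and is not part of the BMC documentation or product. It parses the SSL directives, flags protocols and cipher classes that are weak (SSLv3, RC4, LOW, EXPORT and similar), detects certificate or key paths that were accidentally split across lines, and checks that a private key is not readable by group or others. The directive names are standard Apache mod_ssl; the /opt/bco path standing in for $CPITBASE, the sample configurations, and the hardened cipher string are assumptions made for the example.

```python
import os
import stat
import tempfile

# Constructed sample in the shape of caplan.conf from the procedure above
# (hypothetical /opt/bco stands in for $CPITBASE).
SAMPLE_CONF = """\
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /opt/bco/3rd_party/apache2/etc/pki/tls/certs/csm-bco.crt
SSLCertificateKeyFile /opt/bco/3rd_party/apache2/etc/pki/tls/private/csm-bco.key
"""

# The same directives with SSLv3, RC4 and LOW-strength ciphers disabled (assumed hardened form).
HARDENED_CONF = """\
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
SSLCertificateFile /opt/bco/3rd_party/apache2/etc/pki/tls/certs/csm-bco.crt
SSLCertificateKeyFile /opt/bco/3rd_party/apache2/etc/pki/tls/private/csm-bco.key
"""

# OpenSSL cipher-string components that should not be enabled on a server.
WEAK_CIPHER_CLASSES = {"RC4", "LOW", "EXPORT", "NULL", "aNULL", "eNULL", "MD5", "DES"}


def parse_directives(text):
    """Map each directive name to its (last) value; comments and blank lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def audit_ssl_config(text):
    """Return a list of findings for the SSL directives in text (an empty list means clean)."""
    d = parse_directives(text)
    findings = []

    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not 'on'")

    # Apache's default for SSLProtocol is 'all', which still includes SSLv3.
    proto = d.get("SSLProtocol", "all")
    tokens = [t.lower() for t in proto.split()]
    for legacy in ("SSLv2", "SSLv3"):
        low = legacy.lower()
        if "all" in tokens and ("-" + low) not in tokens:
            findings.append("SSLProtocol '%s' still permits %s" % (proto, legacy))
        elif low in tokens or ("+" + low) in tokens:
            findings.append("SSLProtocol '%s' explicitly enables %s" % (proto, legacy))

    # Cipher string: '!X' removes X permanently; any other token enables its components.
    excluded = set()
    enabled = []
    for token in d.get("SSLCipherSuite", "").split(":"):
        if not token:
            continue
        if token.startswith("!"):
            excluded.add(token[1:])
        else:
            enabled.extend(token.lstrip("+-").split("+"))
    for cls in enabled:
        if cls in WEAK_CIPHER_CLASSES and cls not in excluded:
            findings.append("SSLCipherSuite enables weak cipher class %s" % cls)

    # Certificate and key paths must be present and must be single unbroken tokens.
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        value = d.get(name)
        if value is None:
            findings.append("%s is missing" % name)
        elif len(value.split()) != 1:
            findings.append("%s path contains whitespace: %r" % (name, value))
    return findings


def private_key_mode_ok(path):
    """True when the key file grants no permission bits to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_key_permissions():
    """Create a throwaway key file and run the permission check at 0644 and again at 0600."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = private_key_mode_ok(path)
        os.chmod(path, 0o600)
        after = private_key_mode_ok(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", audit_ssl_config(conf) or "no findings")
    print("key readable by others ok / mode 0600 ok:", demo_key_permissions())
```

Run the script on a copy of your caplan.conf (pass the file contents to audit_ssl_config) and on the copied <hostname>.key (pass its path to private_key_mode_ok); an empty findings list and a True result mean the configuration matches what the restart in step 3 expects, without the server having to fail to start first.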

To integrate BMC Capacity Optimization and Platform Manager changes into SSL

Note

If you are integrating BMC Capacity Optimization in HTTPS mode with Platform Manager, you do not need to perform any manual steps. The integration itself takes care of all the required steps. 

Related topic

Using CLM applications with third-party Certification Authority certificates

