Enabling SSL HTTPS on Windows non-CLM applications

This topic describes how to enable SSL HTTPS on Windows non-CLM applications, for example, BMC MyIT. It provides detailed configuration steps to make the secured communication between the components.

Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

Tip

Copy and paste the SSL commands into a text editor like Notepad++ or TextPad, strip out the line breaks, and modify the syntax for your environment. 

Before you begin

  • Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes! 
  • When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host. 
  • If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL.

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic. But many customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Verisign.

To configure BMC Capacity Optimization with SSL

Warning

If you installed BMC Capacity Optimization with HTTPS on SSL, these instructions do not apply to you. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

This is a two-step process:

To generate a certificate and key to use with Apache

  1. Install the following packages on the host if they are not already present.

    • crypto-utils

    • mod_ssl

  2. After installing these packages, generate a new key and a new SSL certificate using the genkey $hostname command. 
    Here $hostname is the fully qualified domain name of your BMC Capacity Optimization application server machine.

  3. To create a certificate request, select the appropriate option.
    Enter the certificate fields with your information (Name, Firm, Country, and so on). If you do not want to manually insert a password every time you restart the Apache Httpd server (for

    example, if you are in an automatic HA environment), clear the encrypt key option.

  4. During key generation, review the following output on the console:

    [root@clm-bco ~]# genkey csm-bco
    /usr/bin/keyutil -c genreq -g 2048 -s "CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN" -v 24 -a -o /etc/pki/tls/certs/csm-bco.0.csr -k /etc/pki/tls/private/csm-bco.key -z /etc/pki/tls/.rand.24660
    cmdstr: genreq
    cmd_CertReq
    command:  genreq
    keysize = 2048 bits
    subject = CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    valid for 24 months
    output will be written to /etc/pki/tls/certs/csm-bco.0.csr
    output key written to /etc/pki/tls/private/csm-bco.key
    random seed from /etc/pki/tls/.rand.24660
    Generating key. This may take a few moments...
    Made a key
    Opened /etc/pki/tls/certs/csm-bco.0.csr for writing
    Wrote the CSR to /etc/pki/tls/certs/csm-bco.0.csr
    Wrote 882 bytes of encoded data to /etc/pki/tls/private/csm-bco.key
    Wrote the key to:
    /etc/pki/tls/private/csm-bco.key
    /usr/bin/keyutil -c makecert -g 2048 -s "CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN" -v 1 -a -z /etc/pki/tls/.rand.24660 -o /etc/pki/tls/certs/csm-bco.crt -k /etc/pki/tls/private/csm-bco.key
    cmdstr: makecert
    cmd_CreateNewCert
    command:  makecert
    keysize = 2048 bits
    subject = CN=csm-bco, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    valid for 1 months
    random seed from /etc/pki/tls/.rand.24660
    output will be written to /etc/pki/tls/certs/csm-bco.crt
    output key written to /etc/pki/tls/private/csm-bco.key

    The Certificate Signing Request (csm-bco.0.csr) file is generated at the /etc/pki/tls/certs location.

  5. Copy the csm-bco-0.csr file where you have CA or generate the CA certificate.
    Or send this csr file to CA to get certificate.

  6. On the OpenSSL host, generate the certifcate, using the csm-bco-0.csr file. 

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\csm-bco.0.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 878 -out C:\Certificates\csm-bco.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=IN/ST=MAHA/L=PUN/O=BMC/OU=CDL/CN=csm-bco
    Getting CA Private Key

     

  7. When you finish generating the key, you have the following results:

    • $hostname.crt certificate file in /etc/pki/tls/certs/
    • $hostname.key key file in /etc/pki/tls/private/
  8. Create /pki/tls/certs and /pki/tls/private folders at $CPITBASE/3rd_party/apache2/etc.
  9. Copy /etc/pki/tls/certs/$hostname.crt to $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.cert.
  10. Copy /etc/pki/tls/private/$hostname.key to $CPITBASE/3rd_party/apache2/etc/pki/tls/ private/<hostname>.key.
  11. Change the owner of both the copied files and the created folders to the owner using BMC Capacity Optimization.

To enable HTTPS in Apache

Note

  • Make sure that the ssl.conf file is present under $CPITBASE/3rd_party/apache2/etc/httpd/conf.d. If not, then create it with following SSL contents.
  • Make sure that the mod_ssl.so file is present under $CPITBASE/3rd_party/apache2/etc/httpd/modules. If not, then copy it from the /etc/httpd/modules path.

To enable HTTPS in your BMC Capacity Optimization installation, perform the following steps:

  1. Modify the caplan.conf configuration file located at $CPITBASE/3rd_party/apache2/etc/httpd/conf.d, by adding the following information:

    SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt
    SSLCertificateKeyFile  $CPITBASE/3rd_party/apache2 /etc/pki/tls/private/<hostname>.key
  2. Create the ssl.conf file in $CPITBASE/3rd_party/apache2/etc/httpd/conf.d and add the following content.

    LoadModule ssl_module modules/mod_ssl.so
    Listen 8443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin


    Make sure that you change the required SSL port.

  3. Restart Httpd using the $CPITBASE/cpit restart httpd command.
    The new URL to connect to BCO will be https://$hostname:8443/console
  4. Import the certificate into /gfs/cpit/jre/lib/security/cacerts for the trusted CA certificate.

    [root@clm-bco bin]# ./keytool -import -alias root -keystore /gfs/cpit/jre/lib/security/cacerts -trustcacerts -file /etc/pki/tls/certs/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Issuer: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=CDL, O=BMC, L=PUN, ST=MAHA, C=IN
    Serial number: bfae9d478d3085c1
    Valid from: Fri Apr 26 14:32:23 IST 2013 until: Sat Apr 26 14:32:23 IST 2014
    Certificate fingerprints:
             MD5:  E7:87:3D:B3:33:82:9F:17:0B:F6:78:D1:0D:64:EB:F5
             SHA1: 47:85:B7:4E:46:C4:8F:21:31:29:86:47:C5:7A:3C:7F:65:B6:36:27
             Signature algorithm name: SHA1withRSA
             Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  5. When you access the BCO URL, review the following certificate:
     

To integrate BMC Capacity Optimization and Platform Manager changes into SSL

Note

If you are integrating BMC Capacity Optimization with HTTPS mode with PM, you do not need to perform any manual steps. The integration itself take care of all the required steps.

To configure BMC MyIT from HTTP to HTTPS with a Self-Signed Certificate

Warning

Do not complete these steps if SSL is already enabled with BMC MyIT. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 
  1. Generate a certificate.
    For example:

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA 
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  clm-aus-011540,bmc.com
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC Software
    What is the name of your City or Locality?
      [Unknown]:  San Jose
    What is the name of your State or Province?
      [Unknown]:  California
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN="clm-aus-011540,bmc.com", OU=IDD, O=BMC Software, L=San Jose, ST=Californi
    a, C=US correct?
      [no]:  yes
    Enter key password for <tomcat>
            (RETURN if same as keystore password):

    .keystore file is generated in %USERPROFILE% (Windows) or $HOME (Linux), and the file is protected with a password.

  2. Place the generated file in the CATALINA_BASE/external-conf folder (for example, C:\Program Files\Apache Software Foundation\Tomcat8.0\external-conf).
  3. Update CATALINA_BASE/conf/server.xml to enable HTTPS Connector.

    Note

    This section also includes the ciphers that fix the weak ephemeral Diffie-Hellman key error that you see with Google Chrome browsers. 


    Uncomment the following section, and update the section as follows (for example, add the keystoreFile path for keystore), and so on.

        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, 
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384, 
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256, 
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521, 
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384, 
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384, 
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521, TLS_RSA_WITH_NULL_SHA256, 
                    TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    				keystoreFile="${catalina.base}/external-conf/.keystore" 
                   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
  4. Restart the Tomcat server (SmartIT/MyIT Application).

  5. To check the configuration, open https://localhost:8443/ or https://localhost:8443/ux/myitapp in a browser.
    Upon initial access, a warning about an non-trusted certificate appears (because this is a self-signed certificate, not generated by a trusted CA).

  6. Click OK to continue.
    You should successfully be logged on to the MyIT application using SSL. 


Related topic

Using CLM applications with third-party Certification Authority certificates

Was this page helpful? Yes No Submitting... Thank you

Comments