Reconfiguring Linux CLM applications to use SSL HTTPS
Warning
This topic includes two main sets of highly unusual tasks that BMC customers might use to secure communication between specific Cloud Lifecycle Management applications.
- How to reconfigure SSL HTTPS on applications like BMC Server Automation or BMC Network Automation if necessary.
- How to reconfigure the Linux versions of Cloud Portal Web Application and CLM Self-Checker to use HTTPS if you installed them originally with HTTP.
Tip
Copy and paste the SSL commands into a text editor, strip out the line breaks, and modify the syntax for your environment.
Before you begin
- Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes!
- When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host.
- If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL HTTPS.
Note
- For detailed steps on creating Root CA certificates or importing self-signed certificates, see Enabling SSL HTTPS on core Windows CLM applications that currently use HTTP.
To configure SSL with BMC Server Automation
Warning
For more information on using a CA-issued certificate or certificate chain rather than the default self-signed certificate, see Securing communication with CA certificates in the BMC Server Automation documentation.
- On the BMC Server Automation host, create Keys, Certificates, and CSR folders.
- Copy RootCA.key to /data1/Keys/.
- Copy RootCA.crt to /data1/Certificates/.
- Stop the BladeLogic Application Server.
For example:
/etc/init.d/blappserv stop
- Back up the bladelogic.keystore file and then delete the old file. This procedure creates a new bladelogic.keystore file.
By default, this file is located in /opt/bmc/bladelogic/NSH/br/deployments.
- Open a command prompt and navigate to the jre/bin folder (for example, /usr/java/jdk1.7.0_75/jre/bin).
- On the BMC Server Automation primary host, create a new keystore using the keytool utility.
If BMC Server Automation is behind a load balancer, you can use the load-balancer name as the CN.
clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -genkey -alias blade -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore
What is your first and last name?
  [Unknown]:  John Stamps
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
  [no]:  yes
clm-aus-005115# pwd
/opt/bmc/bladelogic/NSH/br/deployments
clm-aus-005115# ls -l bl*
-rw-r--r-- 1 root    root    1373 May 28 13:32 bladelogic.keystore
-rw-r--r-- 1 bladmin bladmin 2040 May 19 06:43 bladelogic.keystore.bak
- Create the Certificate Signing Request (CSR) on the BMC Server Automation primary host to obtain the certificate from the CA (that is, CLM).
clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -certreq -keyalg RSA -alias blade -file /data1/CSR/blade.csr -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore
Enter keystore password:
clm-aus-005115#
- At the prompt, enter changeit as the password.
- Use the following openssl command (for example, /usr/bin/openssl) to generate a BladeLogic server certificate (blade.crt) in the Certificates folder on the BMC Server Automation primary host:
clm-aus-005115# /usr/bin/openssl x509 -req -days 365 -in /data1/CSR/blade.csr -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key -set_serial 01 -out /data1/Certificates/blade.crt
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
Getting CA Private Key
- On the BMC Server Automation primary host, import the Root CA certificate:
clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias blade -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore -trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
clm-aus-005115#
- At the prompt, enter changeit as the password.
When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.
- Import the blade.crt certificate:
clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias blade -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore -trustcacerts -file /data1/Certificates/blade.crt
Enter keystore password:
Certificate reply was installed in keystore
Your certificate reply is installed in the keystore.
- Copy the bladelogic.keystore file you just created to each of the deployments server folders (for example, /opt/bmc/bladelogic/NSH/br/deployments/_launcher).
- Start the BladeLogic Application Server.
For example:
/etc/init.d/blappserv start
- Verify your changes by accessing the BMC Server Automation URL:
https://<BladeLogic>:10843 (where 10843 is the SSL port)
- When you access the BMC Server Automation URL for the first time, review the certificate details.
- Log on to the BladeLogic Application Server through the BMC Server Automation Console.
In the login screen, click Options > Certificates > View to view the certificate. This screen displays the certificate details, such as Issued to clm-hou-bbsa and Issued by CA (for example, CLM).
- For the BMC Server Automation secondary host, follow steps 1 > 2 > 3 > 12 > 13 > 14 > 15 > 16 > 17 in order.
To configure SSL with BMC Server Automation and Platform Manager
- On the Platform Manager host, open the providers.json file (for example, /opt/bmc/BMCCloudLifeCycleManagement/Platform_Manager/configuration/providers.json).
In the providers.json file, set the BBSA_SERVER_PROTOCOL attribute value to https and the BBSA_SERVER_PORT attribute value to the SSL port.
For example:
        "name" : "BBSA_SERVER_PORT"
      },
      "attributeValue" : "10843",
      "description" : "BBSA Webservices Port",
      "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
      "name" : "BBSA_SERVER_PORT"
    }, {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
      "accessAttribute" : {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
        "datatype" : "STRING",
        "description" : "BBSA Server Protocol",
        "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
        "isOptional" : false,
        "isPassword" : false,
        "modifiableWithoutRestart" : false,
        "name" : "BBSA_SERVER_PROTOCOL"
      },
      "attributeValue" : "https",
      "description" : "BBSA Server Protocol",
- Save your changes and restart the Platform Manager.
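The port and protocol entries above only work as a pair, so a file edited by hand is easy to leave half done. The following is an added example (not BMC's code, and not from the original page) that finds the two BBSA AccessAttributeValue entries wherever they sit in a parsed providers.json, reports whether they already form the https/10843 pair, and updates both or neither. The sample fragment is constructed; its "http"/"9843" values are made up.

```python
import json
# Constructed fragment (example data, not a real providers.json): the two BBSA entries
# in the AccessAttributeValue shape shown above; the "http"/"9843" values are made up.
SAMPLE_PROVIDERS_JSON = """[
  {"cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
   "accessAttribute": {"name": "BBSA_SERVER_PORT"}, "attributeValue": "9843"},
  {"cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
   "accessAttribute": {"name": "BBSA_SERVER_PROTOCOL"}, "attributeValue": "http"}
]"""
# The pair that must change together: "https" is only useful on the SSL port.
SSL_VALUES = {"BBSA_SERVER_PORT": "10843", "BBSA_SERVER_PROTOCOL": "https"}

def sample_doc():  # fresh parsed copy of the constructed fragment
    return json.loads(SAMPLE_PROVIDERS_JSON)

def walk(node):  # yield every dict anywhere in the parsed document, whatever the nesting
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)

def bbsa_entries(doc):
    """Map attribute name -> the AccessAttributeValue dict that carries it."""
    found = {}
    for entry in walk(doc):
        attr = entry.get("accessAttribute")
        if isinstance(attr, dict) and attr.get("name") in SSL_VALUES:
            found[attr["name"]] = entry
    return found

def bbsa_ssl_consistent(doc):
    """True only when both entries hold the https/10843 pair, not just one of them."""
    found = bbsa_entries(doc)
    return all(name in found and found[name].get("attributeValue") == value
               for name, value in SSL_VALUES.items())

def set_bbsa_ssl(doc):
    """Update in place and return the names that changed; raise if one is absent."""
    found = bbsa_entries(doc)
    missing = sorted(set(SSL_VALUES) - set(found))
    if missing:
        raise ValueError("providers.json is missing " + ", ".join(missing))
    changed = []
    for name, value in SSL_VALUES.items():
        if found[name].get("attributeValue") != value:
            found[name]["attributeValue"] = value
            changed.append(name)
    return changed
```

Load the real file with json.load, pass the result to set_bbsa_ssl, and write it back only when the call returns without raising.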
To configure BMC Network Automation with SSL
- On the BMC Network Automation host, create Keys, Certificates, and CSR folders.
- Copy RootCA.key to /data1/Keys/.
- Copy RootCA.crt to /data1/Certificates/.
- Stop the BCA-Networks Web Server.
For example:
/etc/init.d/enatomcat stop
/etc/init.d/xinetd stop
- Back up the .keystore file (by default, located at /var/bca-networks-data) and then delete the old file. This procedure creates a new .keystore file.
- On the primary BMC Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, /usr/java/jdk1.7.0_75/jre/bin).
- Create a new keystore using the keytool utility.
If BMC Network Automation is behind a load balancer, you can use the load-balancer name as the CN. Use the following syntax so that keytool works properly:
[root@clm-aus-005116 bca-networks-data]# /usr/java/jdk1.7.0_75/jre/bin/keytool -genkey -alias clm-bna -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" -keystore /var/bca-networks-data/.keystore
What is your first and last name?
  [Unknown]:  John Stamps
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
  [no]:  yes
[root@clm-aus-005116 bca-networks-data]#
- At the prompts, enter the required information to create the keystore, and then press Enter.
- Create the Certificate Signing Request (CSR) on the BMC Network Automation primary host to obtain the certificate from the CA (that is, CLM).
[root@clm-aus-005116 ~]# /usr/java/jdk1.7.0_75/jre/bin/keytool -certreq -keyalg RSA -alias clm-bna -file /data1/CSR/clm-bna.csr -keystore /var/bca-networks-data/.keystore
Enter keystore password:
[root@clm-aus-005116 ~]#
At the prompt, enter changeit as the password.
- Use the following openssl command (for example, /usr/bin/openssl) to generate the BBNA server certificate (clm-bna.crt):
[root@clm-aus-005116 ~]# /usr/bin/openssl x509 -req -days 365 -in /data1/CSR/clm-bna.csr -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key -set_serial 04 -out /data1/Certificates/clm-bna.crt
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
Getting CA Private Key
- After the certificate (clm-bna.crt) is generated in the Certificates folder, copy clm-bna.crt and RootCA.crt to the Certificates folder on the BMC Network Automation primary and secondary hosts.
- On the BMC Network Automation primary and secondary computers, first import the Root CA certificate into the generated /var/bca-networks-data/.keystore file:
[root@clm-aus-005116 ~]# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias root -keystore /var/bca-networks-data/.keystore -trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005116 ~]#
- At the prompt, enter changeit as the password.
When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.
- If you have a secondary BMC Network Automation computer, import only the RootCA certificate into the java/cacerts file.
- Import the Root CA into the /opt/bmc/bca-networks/java/lib/security/cacerts file:
[root@clm-aus-005116 /]# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias root -keystore /opt/bmc/bca-networks/java/lib/security/cacerts -trustcacerts -file /data1/Certificates/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@clm-aus-005116 /]#
- Import the clm-bna.crt certificate:
[root@clm-aus-005116 /]# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias clm-bna -keystore /var/bca-networks-data/.keystore -trustcacerts -file /data1/Certificates/clm-bna.crt
Enter keystore password:
Certificate reply was installed in keystore
[root@clm-aus-005116 /]#
Your certificate reply is installed in the keystore.
Generate the encryption string for changeit.
Open the BNA maintenance utility (by default, installed in /opt/bmc/bca-networks/utility).
Click the Encrypt tab.
Enter and confirm the changeit password.
Click Encrypt to generate the encryption string for changeit.
Use the generated string for the keystorePassword parameter in the server.xml file (by default, located at /opt/bmc/bca-networks/tomcat/conf).
- Start the BCA-Networks Web Server.
For example:
/etc/init.d/enatomcat start
/etc/init.d/xinetd start
- Verify the BNA link by accessing https://<BNA-LB>:11443/bca-networks, where 11443 is the SSL port.
The default login is sysadmin/sysadmin.
- If you have a load balancer, fail over the BNA service and verify that you can access the link with the cluster name and that it presents the same certificate.
When you access the BMC Network Automation URL for the first time, review the certificate details.
To configure Cloud Portal Web Application from HTTP to HTTPS with a Self-Signed Certificate
Warning
Use the following steps to configure HTTP to HTTPS using a Self-Signed Certificate on the Cloud Portal Web Application host.
- Generate a certificate (if the certificate does not exist).
For example:
[root@clm-aus-005289 data1]# /opt/bmc/CloudPortalWebApplication/jre/bin/keytool -genkey -alias clmui -keyalg RSA -keystore /data1/Certificates/clmuiSslCertificate.cert -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=SAN JOSE,s=CA,c=US" -keypass "changeit" -storepass "changeit" -validity 36500
[root@clm-aus-005289 data1]#
- Copy the certificate to the required location.
For example:
/opt/bmc/CloudPortalWebApplication/clmui/Certificates
- Update /opt/bmc/CloudPortalWebApplication/tomcat/conf/server.xml.
Replace the Connector entry:
<Connector connectionTimeout="20000" port="9070" protocol="HTTP/1.1" redirectPort="9443"/>
With the following information (note that there must be no space in the keystoreFile path):
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" keystoreFile="/opt/bmc/CloudPortalWebApplication/clmui/Certificates/clmuiSslCertificate.cert" keystorePass="changeit" maxThreads="150" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
- Stop and restart the Cloud Portal Web Application service.
For example:
/opt/bmc/CloudPortalWebApplication/tomcat/bin/shutdown.sh
/opt/bmc/CloudPortalWebApplication/tomcat/bin/startup.sh
To configure CLM Self-Checker from HTTP to HTTPS with a Self-Signed Certificate
Warning
Use the following steps to configure HTTP to HTTPS using a Self-Signed Certificate.
- Generate a certificate (if the certificate does not exist).
For example:
[root@clm-aus-005282 ~]# /opt/bmc/selfchecker/jre/bin/keytool -genkey -alias clmselfchecker -keyalg RSA -keystore /data1/Certificates/selfcheckerSslCertificate.cert -dname "cn=clm-aus-005282,ou=IDD,o=BMC,l=San Jose,s=CA,c=US" -keypass "changeit" -storepass "changeit" -validity 36500
[root@clm-aus-005282 ~]#
- Copy the certificate to the required location.
For example:
/opt/bmc/selfchecker/selfchecker/Certificates/selfcheckerSslCertificate.cert
- Update /opt/bmc/selfchecker/tomcat/conf/server.xml.
Replace the Connector entry:
<Connector connectionTimeout="20000" port="8090" protocol="HTTP/1.1" redirectPort="8443"/>
With the following information (the keystoreFile value must match the file name copied in the previous step, with no space in the path):
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" keystoreFile="/opt/bmc/selfchecker/selfchecker/Certificates/selfcheckerSslCertificate.cert" keystorePass="changeit" maxThreads="150" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
- Stop and restart the Self Checker service.
For example:
/opt/bmc/selfchecker/tomcat/bin/shutdown.sh
/opt/bmc/selfchecker/tomcat/bin/startup.sh
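The Connector swap for the Self-Checker and the identical one for the Cloud Portal Web Application are easy to get subtly wrong: a leftover HTTP Connector keeps the plain-text port open, and any whitespace inside keystoreFile becomes part of the path Tomcat tries to open. The following is an added check (example code written for this page, not BMC's code) that parses a server.xml fragment and reports such problems. The sample fragment is constructed and deliberately contains both mistakes.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (example data, not a real CLM file): the HTTP
# connector from the Cloud Portal Web Application step left in place next to an HTTPS
# connector whose keystoreFile contains a stray space before the file name.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector connectionTimeout="20000" port="9070" protocol="HTTP/1.1" redirectPort="9443"/>
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000"
 keystoreFile="/opt/bmc/CloudPortalWebApplication/clmui/Certificates /clmuiSslCertificate.cert"
 keystorePass="changeit" maxThreads="150" port="8443" scheme="https" secure="true"
 sslProtocol="TLS"/>
</Service></Server>"""

# The same fragment with the HTTP connector removed and the keystore path fixed.
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    '<Connector connectionTimeout="20000" port="9070" protocol="HTTP/1.1" redirectPort="9443"/>\n', ""
).replace("Certificates /", "Certificates/")

def audit_connectors(xml_text):
    """Return (port, problem) pairs for every Connector; an empty list means the
    HTTPS-only configuration described above is in place."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        a = conn.attrib
        port = a.get("port", "?")
        if a.get("SSLEnabled", "false").lower() != "true":
            # The procedure replaces the HTTP connector; one still configured means
            # the old plain-text port remains reachable after the restart.
            findings.append((port, "plain HTTP connector still present"))
            continue
        for key, want in (("scheme", "https"), ("secure", "true")):
            if a.get(key) != want:
                findings.append((port, f'{key} should be "{want}"'))
        keystore = a.get("keystoreFile", "")
        if not keystore:
            findings.append((port, "keystoreFile is missing"))
        elif keystore != keystore.strip() or " /" in keystore or "/ " in keystore:
            # Tomcat takes the attribute literally, so the space becomes part of the path.
            findings.append((port, "keystoreFile contains whitespace around a path separator"))
    return findings
```

Run audit_connectors on the contents of the real server.xml after editing it and before restarting Tomcat; an empty result is the expected state.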
Related topic
Using CLM applications with third-party Certification Authority certificates