Reconfiguring Windows CLM applications to use SSL HTTPS

Warning

Most BMC customers should not need to use these steps in their Cloud Lifecycle Management environment. For example, if you installed BMC Server Automation with the default settings, HTTPS on SSL is already enabled. You should not need to complete these steps if SSL is already enabled. You run the risk of accidentally breaking functionality that is already working properly.

This topic includes two main sets of highly unusual tasks that BMC customers might use to secure communication between specific Cloud Lifecycle Management applications.

  • How to reconfigure Cloud Portal Web Application and CLM Self-Checker to use HTTPS if you installed them originally with HTTP.
  • How to reconfigure SSL HTTPS on applications like BMC Server Automation or BMC Network Automation if necessary. 


Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

Tip

Copy and paste the SSL commands into a text editor like Notepad++ or TextPad, strip out the line breaks, and modify the syntax for your environment. 

Before you begin

  • Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes! 
  • When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host. 
  • If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL.

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic. But many customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Symantec.

To reconfigure Cloud Portal Web Application from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed Cloud Portal Web Application with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Use the following steps to reconfigure HTTP to HTTPS using a Self-Signed Certificate. 

  1. Generate a certificate.
    For example:

    keytool -genkey -alias tomcat -keyalg RSA 
    -keystore "C:\clmuiSslCertificate.cert" 
    -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=PUN,s=MH,c=IN" 
    -keypass "changeit" -storepass "changeit" -validity 36500
  2. Copy the certificate to the required location.
    For example:  
    C:\Program Files\BMC Software\CloudPortalWebApplication\clmui\Certificates\clmuiSslCertificate.cert 
  3. Update C:\Program Files\BMC Software\CloudPortalWebApplication\tomcat\conf\server.xml.
    1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="9070" 
      protocol="HTTP/1.1" redirectPort="9443"/>

       

    2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
      keystoreFile="C:\Program Files\BMC Software\CloudPortalWebApplication\
      clmui\Certificates\clmuiSslCertificate.cert" keystorePass="changeit" 
      maxThreads="150" port="9443" scheme="https" secure="true" sslProtocol="TLS"/>

       

  4. Restart Cloud Portal Web Application service.

To reconfigure CLM Self-Checker from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed CLM Self-Checker with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Use the following steps to reconfigure HTTP to HTTPS using a Self-Signed Certificate. 

  1. Generate a certificate.
    For example:

    C:\Program Files\Java\jre1.7.0_55\bin>keytool -genkey 
    -alias tomcat -keyalg RSA 
    -keystore "C:\ selfcheckerSslCertificate.cert" 
    -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=PUN,s=MH,c=IN" 
    -keypass "changeit" -storepass "changeit" -validity 36500
  2. Copy the certificate to the required location.
    For example:  
    C:\Program Files\BMC Software\SelfChecker\selfchecker\Certificates\selfcheckerSslCertificate.cert 
  3. Update C:\Program Files\BMC Software\SelfChecker\tomcat\conf\server.xml .
    1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="8090" 
      protocol="HTTP/1.1" redirectPort="8443"/>
    2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" 
      connectionTimeout="20000" 
      keystoreFile=" C:\Program Files\BMC Software\SelfChecker\selfchecker\
      Certificates\selfcheckerSslCertificate.cert" keystorePass="changeit" 
      maxThreads="150" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
  4. Restart the Self Checker service.

To configure SSL with BMC Server Automation

Warning

If you installed BMC Server Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

For more information on using a CA-issued certificate or certificate chain rather than the default self-signed certificate, see Securing communication with CA certificates in the BMC Server Automation documentation. 

  1. On the BMC Server Automation host, create KeysCertificates, and CSR folders. 
  2. Stop the BladeLogic Application Server.
  3. Back up the bladelogic.keystore file, located at C:\Program Files\BMC Software\BladeLogic\appserver\br\deployments or C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments and then delete the original. 

  4. Open a command prompt and navigate to the BladeLogic JRE folder (for example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin). 
  5. On the BMC Server Automation primary host, create a keypair using the keytool utility. 
    If BMC Server Automation is behind a load balancer, you can use CN as the load-balancer name. 

    Note

    In the keytool syntax, use the password you created when you installed BMC Server Automation, not changeit
    keytool.exe -genkey -alias blade -keyalg RSA -keysize 2048 
    -keypass "<password>" -storepass "<password>" 
    -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\
    deployments\_template\bladelogic.keystore"
    What is your first and last name?What is your first and last name?
      [Unknown]:  JOHN STAMPS
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  SAN JOSE
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=JOHN STAMPS, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
      [no]:  yes
  6. At the prompts, enter the required information to create the keypair, and then press Enter
  7. Create the Certificate Signing Request (CSR) from BMC Server Automation primary to retrieve the certificate from CA (that is, CLM).

    keytool.exe -certreq -keyalg RSA -alias blade 
    -file C:\CSR\blade.csr -keystore "C:\Program Files\BMC Software\
    BladeLogic\NSH\br\deployments\_template\bladelogic.keystore"
    Enter keystore password:


    At the prompt, enter the BMC Server Automation password, not changeit

  8. Copy the blade.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (blade.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 
    -in C:\CSR\blade.csr -CA C:\Certificates\RootCA.crt 
    -CAkey C:\Keys\RootCA.key -set_serial 01 
    -out C:\Certificates\blade.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=JOHN STAMPS
    Getting CA Private Key
  9. After the certificate is generated (blade.crt) in the Certificates folder, copy blade.crt and RootCA.crt to the BMC Server Automation primary host into its Certificates folder.

  10. On the BMC Server Automation primary host, import the Root CA certificate:

    keytool.exe -import -alias blade 
    -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\
    br\deployments\_template\bladelogic.keystore" 
    -trustcacerts -file C:\Certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, 
    O=BMC, L=SJ, ST=CA, C=US
    Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, 
    OU=IDD, O=BMC, L=SJ, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

    1. At the prompt, enter the BMC Server Automation password, not changeit
    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 

  11. Import the blade.crt certificate:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe 
    -import -alias blade 
    -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\
    br\deployments\_template\bladelogic.keystore" 
    -trustcacerts -file C:\Certificates\blade.crt
    Enter keystore password:
    Certificate reply was installed in keystore


    Your certificate reply is installed in the keystore.  

  12. Copy the bladelogic.keystore file you just created from the _template folder to each of the deployments server folders.
  13. Start the BladeLogic Application Server.
  14. Verify your changes to the BMC Server Automation URL by accessing the following link:
    https://<BladeLogic>:10843 (where 10843 is the SSL port) 
  15. When you access BMC Server Automation URL the first time, review the certificate details. 
  16. Log on to the BladeLogic Application Server.through BMC Server Automation Console. 
    In the login screen, click Options > Certificates > View to view the certificate. This screen displays the certificate details like issued to clm-hou-bbsa and Issued by CA (for example, CLM).
  17. For BMC Server Automation secondary, follows the relevant steps (typically 1 > 2 > 3 > 12 > 13 >14 >15 >16 >17 in order).

To configure SSL with BMC Server Automation and Platform Manager

  1. On the Platform Manager host, open the providers.json file.
  2. Change the protocol and the SSL port in the providers.json file for the BBSA_SERVER_PORT attribute value.

    For example:

      "name" : "BBSA_SERVER_PORT"
        },
        "attributeValue" : "10843",
        "description" : "BBSA Webservices Port",
        "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
        "name" : "BBSA_SERVER_PORT"
      }, {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
        "accessAttribute" : {
          "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
          "datatype" : "STRING",
          "description" : "BBSA Server Protocol",
          "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
          "isOptional" : false,
          "isPassword" : false,
          "modifiableWithoutRestart" : false,
          "name" : "BBSA_SERVER_PROTOCOL"
        },
        "attributeValue" : "https",
        "description" : "BBSA Server Protocol",
  3. Save your changes and restart the Platform Manager.

To configure BMC Network Automation with SSL

Warning

If you installed BMC Network Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Note

The BMC Network Automation CLI might not use the default JVM bundled with BNA (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin). In this case, you must import the root (and any intermediate) certificates into the keystore of the native JVM of the OS (in Windows, for example, C:\Program Files\Jave\jre7\lib\security\cacert).

  1. On the BMC Network Automation host, create KeysCertificates, and CSR folders. 
  2. Stop the BCA-Networks Web Server.
  3. Back up the .keystore file (by default, located at C:\BCA-Networks-Data) and then delete the original.
  4. On the primary BMC Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin). 
  5. Create a keypair using the keytool utility. 
    If BMC Network Automation is behind a load balancer, you can use CN as the load-balancer name.  Use the following syntax so that keytool works properly:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe 
    -genkey -alias clm-bna -keyalg RSA -keysize 2048 -keypass "changeit" 
    -storepass "changeit" -keystore "C:\BCA-Networks-Data\.keystore"
    What is your first and last name?
      [Unknown]:  JOHN STAMPS
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  SAN JOSE
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=JOHN STAMPS, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
      [no]:  yes
  6. At the prompts, enter the required information to create the keypair, and then press Enter
  7. Create the Certificate Signing Request (CSR) from BMC Network Automation primary to retrieve the certificate from CA (that is, CLM).

    keytool.exe -certreq -keyalg RSA -alias clm-bna 
    -file C:\CSR\clm-bna.csr -keystore "C:\BCA-Networks-Data\.keystore"
    Enter keystore password:


    At the prompt, enter changeit as the password.

  8. Copy the clm-bna.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (clm-bna.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl>openssl x509 -req -days 365 
    -in C:\CSR\clm-bna.csr -CA C:\Certificates\RootCA.crt 
    -CAkey C:\Keys\RootCA.key -set_serial 04 
    -out C:\Certificates\clm-bna.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=clm-bna
    Getting CA Private Key
  9. After the certificate is generated (clm-bna.crt) in the Certificates folder, copy clm-bna.crt and RootCA.crt to the BMC Network Automation primary and secondary hosts into their Certificates folder.

  10. On the BMC Network Automation primary and secondary computers, import the first Root CA certificate into the C:\BCA-Networks-Data\.keystore file that we generated:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe 
    -import -alias root -keystore "C:\BCA-Networks-Data\.keystore" 
    -trustcacerts -file C:\Certificates\RootCA.crt
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 

    3. If you have a secondary BMC Network Automation computer, import only the RootCA certificate in the java\cacerts file.
  11. Import Root CA into the C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts file:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe 
    -import -alias root 
    -keystore "C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts" 
    -trustcacerts -file C:\certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, 
    O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

     

  12. Import the blm-bna.crt certificate:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe 
    -import -alias clm-bna -keystore C:\BCA-Networks-Data\.keystore 
    -trustcacerts -file C:\Certificates\clm-bna.crt
    Enter keystore password:
    Certificate reply was installed in keystore


    Your certificate reply is installed in the keystore.  

  13. Generate the encryption string for changeit.

    1. Open the BNA maintenance utility (by default, installed in C:\Program Files\BMC Software\BCA-Networks\utility).

    2. Click the Encrypt tab.

    3. Enter and confirm the changeit password.

    4. Click Encrypt to generate the encryption string for changeit

    5. Use the generated string for the keystorePassword  parameter in the server.xml file (by default, located at C:\Program Files\BMC Software\BCA-Networks\tomcat\conf).

  14. Start the BCA-Networks Web Server.

  15. Verify the BNA link by accessing https://<BNA-LB>:443 where 443 is SSL port.
  16. If you have a load balancer, failover the BNA service and verify that you can able to access the link with Cluster name and with the same certificate it displays.
  17. When you access the BMC Network Automation URL the first time, review the certificate details, and so on.

Note

No integration level changes are required for BMC Network Automation. In the providers.json file on the Platform Manager host, the BNA section is already populated with the https protocol and SSL port. This SSL port should be same on which you configured BMC Network Automation.

Related topic

Using CLM applications with third-party Certification Authority certificates

Was this page helpful? Yes No Submitting... Thank you

Comments