Reconfiguring Windows Platform Manager, Windows Cloud Portal, and Self-Checker to use HTTP instead of HTTPS

Warning

Most BMC customers should not need to use these steps in a normal Cloud Lifecycle Management environment. You would only reconfigure the Platform Manager to use HTTP in highly-unusual circumstances.

This topic describes how to reconfigure the Windows versions of Platform Manager, Windows Cloud Portal, and Self-Checker to use HTTP instead of the default HTTPS. It provides detailed configuration steps to make the secured communication between the components.

Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

Tip

Copy and paste the SSL commands into a text editor like Notepad++ or TextPad, strip out the line breaks, and modify the syntax for your environment.

Before you begin

Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes!
When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host.
If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL.

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic. But many customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Symantec.

For detailed steps on creating Root CA certificates or importing self-signed certificates, see Enabling SSL HTTPS on Windows CLM applications that currently use HTTP.

To reconfigure Platform Manager from HTTPS to HTTP with a Self-Signed Certificate

Use the following steps to configure HTTPS to HTTP using a Self-Signed Certificate. If you are running HA, you only need to run the following commands on the primary host. SSL-level certification is not required on the secondary HA host.

Make sure the CSM service is running on the primary Platform Manager host.
On the primary Platform Manager host, create Keys, Certificates, and CSR folders.
Back up the keystore file (by default, located at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security).
Open a command prompt and navigate to the JRE folder (for example, C:\Program Files\java\jre7\bin).

Create a keypair using the keytool utility and store it at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security.

keytool.exe -genkey -alias PM -keyalg RSA -keysize 1024 
-keypass "changeit" -storepass "changeit" 
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore"
What is your first and last name?
  [Unknown]:  clm-hou-pm
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=clm-hou-pm, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
  [no]:  yes

At the prompts, enter the required information to create the keypair, and then press Enter. For example, use clm-hou-pm as the cluster name.

Create the Certificate Signing Request (PM.csr) to retrieve the certificate from Root CA.

keytool.exe -certreq -keyalg RSA -alias PM 
-file C:\CSR\PM.csr 
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore"
Enter keystore password:

At the prompt, enter changeit as the password.

Copy the PM.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (PM.crt), and then run the following command on the OpenSSL host:

 C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 
-in C:\CSR\PM.csr -CA C:\Certificates\RootCA.crt 
-CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\pm.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=clm-hou-pm
Getting CA Private Key

After the certificate is generated (PM.crt) in the Certificates folder, copy PM.crt and RootCA.crt to the Platform Manager primary host into the Certificates folder.

On the Platform Manager primary host, import the Root CA certificate:

 keytool.exe -import -alias root 
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore" 
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <root>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

At the prompt, enter changeit as the password.
If you are prompted that the certificate already exists, enter yes anyway;
Your certificate is added to the keystore.

Import the Root CA certificate into the Platform Manager JVM cacerts file.

keytool.exe -import -alias root 
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
JVM_1.6.0_31\lib\security\cacerts" 
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Certificate was added to keystore

Import the PM.crt certificate:

keytool.exe -import -alias PM1 
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore" 
-trustcacerts -file C:\Certificates\PM.crt
Enter keystore password:
Certificate was added to keystore

Update the config.ini file (by default, located at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\configuration) with the following parameters:
```
org.osgi.service.http.port=7070
jetty.port=7070
jetty.ssl.password=changeit
jetty.ssl.keypassword=changeit
```
Make sure to save the config.ini file.
Update the the configuration in the ..\Platform_Manager\csm-bootstrap.properties file with the following changes:
```
PersistenceNodeProtocol=http
NodeProtocol=http
NodePort=7070
PersistenceNodePort=7070
```
Make sure to save the csm-bootstrap.properties file.

Update the configuration in the ..\Platform_Manager\configuration\cloudservices.json file with the following changes:

Set the secureJetty attribute value to false and the description to Use HTTP.

 {
  "cloudClass" : "com.bmc.cloud.model.beans.CloudService",
  "accessValues" : [ {
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "Boolean",
      "description" : "Use HTTP",
      "guid" : "b15fc770-4119-4cd6-bea6-1efdc5ecc768",
      "isOptional" : false,
      "isPassword" : false,
      "length" : 255,
      "modifiableWithoutRestart" : false,
      "name" : "secureJetty"
    },
    "attributeValue" : "false",
    "description" : "Use HTTP",
    "guid" : "2aacb37d-0b0c-48f2-b85f-e010e3705f49",
    "name" : "secureJetty"
  }

Set the attribute value of Jetty port, CSM Local Port, and CSM Global Registry URL to 7070.
Make sure that you also set the localhost attribute value to "localhost:7070".

{
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "Integer",
      "description" : "Jetty Port",
      "guid" : "f1f036cc-7050-4a08-9e00-2a38cedaeef9",
      "isOptional" : false,
      "isPassword" : false,
      "length" : 255,
      "modifiableWithoutRestart" : false,
      "name" : "jettyPort"
    },
    "attributeValue" : "7070",
    "description" : "Jetty Port",
    "guid" : "e2513a26-1c6c-4fd1-9267-d3ff3d00b94a",
    "name" : "jettyPort"
 }
{
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "Integer",
      "description" : "CSM Local Port",
      "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
      "isOptional" : false,
      "isPassword" : false,
      "length" : 255,
      "modifiableWithoutRestart" : false,
      "name" : "csm.local.port"
    },
    "attributeValue" : "7070",
    "description" : "CSM Local Port",
    "guid" : "b86fb3c3-d5c8-46dc-8d7d-5be05a392aff",
    "name" : "csm.local.port"
  }
 
},{
  "cloudClass" : "com.bmc.cloud.model.beans.CloudService",
  "accessValues" : [ {
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "String",
      "description" : "CSM Global Registry URL",
      "guid" : "5f49c658-e3fb-4ace-95aa-d5c13636a82e",
      "isOptional" : false,
      "isPassword" : false,
      "length" : 255,
      "modifiableWithoutRestart" : false,
      "name" : "csm.global.url"
    },
    "attributeValue" : "localhost:7070",
    "description" : "CSM Global Registry URL",
    "guid" : "45cb9fc3-ac7e-49de-88d4-4d1042c48061",
    "name" : "csm.global.url"
  }, {
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "Integer",
      "description" : "CSM Local Port",
      "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
      "isOptional" : false,
      "isPassword" : false,
      "length" : 255,
      "modifiableWithoutRestart" : false,
      "name" : "csm.local.port"
    },
    "attributeValue" : 7070,
    "description" : "CSM Local Port",
    "guid" : "80e5622d-4dbc-49de-9ca6-deef7627e7f5",
    "name" : "csm.local.port"
  } ],
  "cloudServiceDefinition" : "/cloudservicedefinition/4bc19dbb-22e5
-4a3d-a294-c3749e2b2947",
  "cloudServiceDefinitionObject" : {
    "cloudClass" : "com.bmc.cloud.model.beans.CloudServiceDefinition",
    "accessAttributes" : [ {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "String",
      "description" : "CSM Global Registry URL",
      "guid" : "5f49c658-e3fb-4ace-95aa-d5c13636a82e",
      "hasValueObject" : [ {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
        "attributeValue" : "localhost:7070",
        "guid" : "79c5b890-1b4e-4514-8e28-ddd216551b3c",
        "name" : "csm.global.url"
      } ],
      "isOptional" : false,
      "isPassword" : false,
      "length" : 255,
      "modifiableWithoutRestart" : false,
      "name" : "csm.global.url"
    }, {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "Integer",
      "description" : "CSM Local Port",
      "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
      "hasValueObject" : [ {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
        "attributeValue" : "7070",
        "guid" : "de64d5ff-ff11-4e2d-

Make sure to save the cloudservices.json file.

Set the value parameter in the ..\Platform_Manager\configuration\PreferenceGroup.json file to http and 7070.
Note

If you plan to have Self-Check Monitor and Cloud Portal Web Application (installed on separate hosts) also on HTTP, make sure the protocol and port values related to these products are updated accordingly.
```
 {
      "cloudClass": "com.bmc.cloud.model.beans.PreferenceGroupNameValuePair",
      "guid": "98d27d82-44fc-41c8-bde0-007f0fa8fc2f",
      "name": "clmui base URL",
      "value": "http://clm-aus-005121/clmui"
  },{
```
Stop the CSM service and then perform the following actions:
1. Back up the cache and data folders in .\Platform_Manager.
2. Back up the org.eclipse.* folders in .\Platform_Manager\configuration.
3. Delete the cache, data, and org.eclipse.* folders.
Update the Platform Manager Root URL in the CMF:PluginConfiguration form on the Cloud Portal and Database AR System server to http and 7070.
Start the CSM service.
Restart the Cloud Portal and Database AR System service.
Use RESTClient to verify the Platform Manager SSL connection by using the SSL link.

To reconfigure Cloud Portal Web Application from HTTPS to HTTP

Use the following steps to configure HTTPS to HTTP.

Update C:\Program Files\BMC Software\CloudPortalWebApplication\tomcat\conf\server.xml.

Replace the Connector entry:

<Connector SSLEnabled="true" clientAuth="false" 
connectionTimeout="20000" keystoreFile="C:\Program Files\BMC Software\
CloudPortalWebApplication\clmui\Certificates\clmuiSslCertificate.cert" 
keystorePass="changeit" maxThreads="150" port="9443" scheme="https" 
secure="true" sslProtocol="TLS"/>

With the following information:

<Connector connectionTimeout="20000" port="9070" 
protocol="HTTP/1.1" redirectPort="9443"/>

Restart Cloud Portal Web Application service.

To reconfigure CLM Self-Checker from HTTPS to HTTP

Use the following steps to configure HTTPS to HTTP.

Update C:\Program Files\BMC Software\SelfChecker\tomcat\conf\server.xml.

Replace the Connector entry:

<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
keystoreFile="C:\Program Files\BMC Software\SelfChecker\
selfchecker\Certificates\selfcheckerSslCertificate.cert" 
keystorePass="changeit" maxThreads="150" port="8443"
scheme="https" secure="true" sslProtocol="TLS"/>

With the following information:

<Connector connectionTimeout="20000" port="8090" 
protocol="HTTP/1.1" redirectPort="8443"/>

Restart the Self Checker service.

Reconfiguring Windows Platform Manager, Windows Cloud Portal, and Self-Checker to use HTTP instead of HTTPS

Before you begin

To reconfigure Platform Manager from HTTPS to HTTP with a Self-Signed Certificate

To reconfigure Cloud Portal Web Application from HTTPS to HTTP

To reconfigure CLM Self-Checker from HTTPS to HTTP

Related topic

Comments