Configuring data encryption
This topic provides an overview of data encryption and instructions for provisioning the report server with a trust store.
How encryption works between reports client and reports server
For traffic between the reports client and the reports server, BMC Server Automation relies on the HTTPS protocol (HTTP over TLS) to secure communication between the web browser and the reports server. Users authenticate themselves to the reports server over the HTTPS session.
The TLS communication protocol automatically negotiates an encryption algorithm to secure data. Server-side certificates are used during the TLS handshake to establish session keys for encrypting traffic between the web browser and the reports server. By default the reports server uses a self-signed certificate, but you can replace it with a custom certificate. To generate a new certificate, you can use a tool such as OpenSSL.
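The replacement of the default self-signed certificate described above, as an added shell example (not BMC's procedure or code): it uses OpenSSL to create a private key and a certificate signing request for the reports server host name, and to check whether a given certificate is self-signed. The host name, file names, and function names are assumptions, and installing the signed certificate into the product is outside what this example covers.

```shell
#!/bin/sh
# Added example, not BMC code. Host name, file names and function names are
# constructed for illustration.

# make_csr HOST OUTDIR: write OUTDIR/server.key and OUTDIR/server.csr.
# Runs in a subshell so umask and variables do not leak to the caller.
make_csr() (
    host=$1; out=$2
    umask 077    # the key is written unencrypted (-nodes): owner-only access
    mkdir -p "$out"
    # Minimal request config, so the run does not rely on a system openssl.cnf.
    cat > "$out/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$out/req.cnf" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
)

# csr_cn CSR: print the common name carried in the request subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' -e 's/^CN=//'
}

# is_self_signed CERT: succeed when issuer equals subject and the signature
# verifies with the certificate's own key.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh thisfile.sh reports.example.test ./out
if [ "$#" -eq 2 ]; then make_csr "$1" "$2" && csr_cn "$2/server.csr"; fi
```

A certificate returned by a certificate authority for this request should make `is_self_signed` fail, which distinguishes it from the default certificate.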
A default installation of BMC Decision Support for Server Automation sets up a BMC Server Automation Authentication Service, called BMC SARA Authentication (Windows) and blauthservice (UNIX). The reports server accesses this Authentication Service to authenticate a user and acquire single sign-on (SSO) credentials in the name of the authenticating user.
By default, the mkcertstore utility extracts and uses the SSL certificate that was created during the BMC Decision Support for Server Automation installation. During installation, a default certificate password, password, is generated.
The installation program then runs the following command on Microsoft Windows:
<BDSSAInstallationDirectory>\bin\mkcertstore.exe "CN=<hostName>" "<BDSSAInstallationDirectory>\br\deployments\_template\bladelogic.keystore" "<certificatePassword>"
The installation program then runs the following command on UNIX:
<BDSSAInstallationDirectory>/br/mkcertstore "CN=<hostName>" "<BDSSAInstallationDirectory>/br/deployments/_template/bladelogic.keystore" "<certificatePassword>"
In these commands:
<hostName> stands for the host name of the reports server computer.
<certificatePassword> stands for the certificate password.
If the trust certificate is not generated after installing BMC Decision Support for Server Automation, you can use the preceding commands to manually generate a certificate. While running the command, provide password as the value of certificatePassword. After generating the certificate, you need to provision the reports server with a PKCS#12 trust store, as described in the following procedure.
Provisioning the reports server with a PKCS#12 trust store
- On the reports server, use the mkpkcs12 utility to generate a PKCS#12 trust store, as follows:
(Windows) Enter the following command from the BDSSAInstallationDirectory\bin directory:
(UNIX) Enter the following command from the BDSSAInstallationDirectory/br directory:
The mkpkcs12 utility generates a file called client_keystore.pkcs12 at the location you have specified.
- Copy the client_keystore.pkcs12 file to the following location on the reports server:
- (Windows) BDSSAInstallationDirectory\portal\configuration
- (UNIX) BDSSAInstallationDirectory/portal/configuration
- Restart the Cognos service.