Using third-party Certification Authority certificates
Using third-party CA certificates involves the following steps:
- Create a new KeyStore.
- Create a certificate signing request (CSR) using OpenSSL and send the CSR to a CA. The CA returns the signed certificate along with its own CA certificate.
- Import the CA signed certificate for Apache Tomcat.
- Configure Apache Web Server to support CA certificates.
- Configure IBM Cognos to support CA certificates.
Note: Deployment notes for Linux
Before you begin
Backup the following files or directories:
- (Windows)
- <bdssaInstallDir>\tomcat\conf\bdsSslCertificate.cert
- <bdssaInstallDir>\webserver\conf\bmcsareports.key
- <bdssaInstallDir>\webserver\conf\bmcsareports.cert
- <bdssaInstallDir>\tomcat\conf\server.xml
- <bdssaInstallDir>\portal\configuration
- (Linux)
- <bdssaInstallDir>/tomcat/conf/bdsSslCertificate.cert
- <bdssaInstallDir>/webserver/conf/bmcsareports.key
- <bdssaInstallDir>/webserver/conf/bmcsareports.cert
- <bdssaInstallDir>/tomcat/conf/server.xml
- <bdssaInstallDir>/portal/configuration
To create a new KeyStore
- Log in to a computer where BMC Decision Support for Server Automation is installed.
- Open the command prompt and navigate to the following directory:
- (Windows) <bdssaInstallDir>\webserver\conf
- (Linux) <bdssaInstallDir>/webserver/conf
- Run the following command:
(Windows)
<bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
For example:
<bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore bdssa-keystore.jks -storepass password -dname "CN=bdssa89.example.com,OU=MyOu,O=MyOrg,L=Houston,ST=Texas,C=US" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
(Linux)
<bdssaInstallDir>/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
To create a CSR request
- Log in to a computer where BMC Decision Support for Server Automation is installed.
- Open the command prompt and navigate to the following directory:
- (Windows) <bdssaInstallDir>\webserver\bin
- (Linux) <bdssaInstallDir>/webserver/bin
- Create a certificate signing request (CSR). Run the following command:
<bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore <nameKeystoreFile> -storepass <keystorePassword> -keypass <keystorePassword> -file <nameCSRFile>
For example:
<bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore bdssa-keystore.jks -storepass password -keypass password -file bdssa-csr.csr
This command creates the CSR file in the directory from which you run the command.
- Send the CSR file to a Certificate Authority (CA) for signing. Use one of the following options:
- Send the CSR to a commercial CA.
- Use your own CA and get the CSR signed by this CA.
The CA returns the following files:
- CA certificate chain
- Application certificate
For example, ca-chain.cert.pem and bmcsareports.pem.
- If the CA returns the signed certificate in a format other than p7b, create a p7b file that contains the signed certificate together with the CA chain. Run the following command:
openssl crl2pkcs7 -nocrl -certfile <signedCertOtherFormat> -out <certs_p7b> -certfile <caCert> -certfile <intermediate cert> [ … -certfile …]
For example:
openssl crl2pkcs7 -nocrl -certfile bmcsareports.pem -out bmcsareports.p7b -certfile ca-chain.cert.pem
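The following script is an added example and is not part of the BMC documentation or product. It builds the p7b bundle with the same crl2pkcs7 command as above and checks it before the Tomcat import: it counts the certificates in the bundle, lists their subjects, and confirms with openssl verify that the application certificate really chains to the CA certificate it is bundled with. A throw-away CA is constructed in place of a real CA, so every file name, subject and password below is a placeholder. The optional keytool_roundtrip function runs the page's keytool steps (genkey, certreq, p7b import) end to end and assumes a keytool on PATH; it returns 2 and is skipped when none is found.

```shell
#!/bin/sh
# Added example, not from the BMC page: build the p7b bundle that the Tomcat
# import step expects and check it before touching the keystore. A throw-away CA
# is constructed here in place of the real CA, so every name below is a
# placeholder; keytool is assumed to be on PATH when the optional round trip runs.
set -eu

# make_test_material DIR: constructed CA, a CSR for the BDSSA host, and the
# CA-signed "application certificate" that a real CA would return
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Constructed Test CA/O=Example" \
    -keyout "$1/ca.key" -out "$1/ca-chain.cert.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=bdssa89.example.com/OU=MyOu/O=MyOrg/L=Houston/ST=Texas/C=US" \
    -keyout "$1/server.key" -out "$1/bdssa-csr.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$1/bdssa-csr.csr" \
    -CA "$1/ca-chain.cert.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/bmcsareports.pem" >/dev/null 2>&1
}

# build_p7b OUT LEAF CA: the page's crl2pkcs7 command; the signed certificate
# goes first, then the CA chain (add one more -certfile per intermediate)
build_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$2" -certfile "$3" -out "$1"
}

# count_p7b_certs P7B: how many certificates the bundle holds
count_p7b_certs() {
  openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

# p7b_subjects P7B: subject line of every certificate in the bundle
p7b_subjects() {
  openssl pkcs7 -in "$1" -print_certs -noout | grep '^subject'
}

# leaf_chains_to_ca LEAF CA: 0 only if CA really signed LEAF
leaf_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# keytool_roundtrip DIR CA_PEM CA_KEY PASSWORD: the page's keytool steps end to
# end (genkey, certreq, p7b import) against the test CA; returns 2 when no
# keytool is on PATH so callers can skip it. 2048-bit key to keep it quick.
keytool_roundtrip() {
  command -v keytool >/dev/null 2>&1 || return 2
  ks=$1/bdssa-keystore.jks
  keytool -genkey -alias tomcat -keyalg RSA -keystore "$ks" -storepass "$4" \
    -keypass "$4" -dname "CN=bdssa89.example.com,O=MyOrg,C=US" -validity 3650 \
    -keysize 2048 -sigalg SHA256withRSA -storetype jks >/dev/null 2>&1
  keytool -certreq -alias tomcat -keystore "$ks" -storepass "$4" -keypass "$4" \
    -file "$1/kt.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$1/kt.csr" -CA "$2" -CAkey "$3" \
    -CAcreateserial -out "$1/kt.pem" >/dev/null 2>&1
  build_p7b "$1/kt.p7b" "$1/kt.pem" "$2"
  keytool -importcert -keystore "$ks" -file "$1/kt.p7b" -storepass "$4" \
    -keypass "$4" -alias tomcat -storetype jks -trustcacerts -noprompt >/dev/null 2>&1
  # the alias must now carry the full 2-certificate chain, not a lone leaf
  keytool -list -v -keystore "$ks" -storepass "$4" -alias tomcat 2>/dev/null |
    grep -q 'Certificate chain length: 2'
}

WORK=$(mktemp -d)
make_test_material "$WORK"
build_p7b "$WORK/bmcsareports.p7b" "$WORK/bmcsareports.pem" "$WORK/ca-chain.cert.pem"
echo "certificates in bundle: $(count_p7b_certs "$WORK/bmcsareports.p7b")"
p7b_subjects "$WORK/bmcsareports.p7b"
if leaf_chains_to_ca "$WORK/bmcsareports.pem" "$WORK/ca-chain.cert.pem"; then
  echo "application certificate chains to the CA"
fi
rc=0; keytool_roundtrip "$WORK" "$WORK/ca-chain.cert.pem" "$WORK/ca.key" password || rc=$?
if [ "$rc" -eq 2 ]; then echo "keytool not on PATH, round trip skipped"
elif [ "$rc" -eq 0 ]; then echo "keytool round trip OK: chain length 2"; fi
rm -rf "$WORK"
```

Run it on a real reply by calling build_p7b with the certificate the CA returned and its chain file, then leaf_chains_to_ca on the same two files; a bundle that passes both checks imports cleanly with the -trustcacerts command in the next section, while a missing intermediate shows up here as a chain count lower than expected or a failed verify rather than as a Tomcat start-up error.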
To import CA certificates for Apache Tomcat
- Import the certificate into the KeyStore. Run the following command:
<bdssaInstallDir>/jre/bin/keytool -importcert -keystore <nameKeystoreFile> -file <certs_p7b> -storepass <keystorePassword> -keypass <keystorePassword> -alias tomcat -storetype jks -trustcacerts
For example:
<bdssaInstallDir>/jre/bin/keytool -importcert -keystore bdssa-keystore.jks -file bmcsareports.p7b -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
- Copy the KeyStore file (bdssa-keystore.jks) to the <bdssaInstallDir>/tomcat/conf directory.
- Navigate to the <bdssaInstallDir>/tomcat/conf directory.
- Update the server.xml file with the keystore file name and password in the <Connector port="9443" ...> element:
(Windows)
keystoreFile="C:\Program Files\BMC Software\BDSSA\tomcat\conf\bdssa-keystore.jks" keystorePass="password"
(Linux)
keystoreFile="/opt/bmc/BDSSA/tomcat/conf/bdssa-keystore.jks" keystorePass="password"
- Restart the BMC Decision Support for Server Automation service.
- (Windows)
sc restart bdstomcat
- (Linux)
service bltomcat stop; service bltomcat start
- Confirm that you can open the BMC Decision Support for Server Automation login page by using the following URL:
https://<bdssa host name>:9443/bds
To configure Apache Web Server to support CA certificates
- Convert the keystore to the PKCS12 format so that the private key and certificate can be extracted. Run the following command:
<bdssaInstallDir>/jre/bin/keytool -importkeystore -srckeystore <nameKeystoreFile> -destkeystore <newp12KeystoreFile> -deststoretype PKCS12 -srcalias tomcat -deststorepass <keystorePassword> -destkeypass <keystorePassword> -srcstorepass <keystorePassword>
For example:
<bdssaInstallDir>/jre/bin/keytool -importkeystore -srckeystore bdssa-keystore.jks -destkeystore bdssa-keystore-p12.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass password -destkeypass password -srcstorepass password
- Use openssl to extract the private key. Run the following command:
(Windows)
<bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.key -passin pass:<keystorePassword>
(Linux)
openssl pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.key -passin pass:<keystorePassword>
- Use openssl to extract the certificate. Run the following command:
(Windows)
<bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nokeys -clcerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.cert -passin pass:<keystorePassword>
(Linux)
openssl pkcs12 -in <newp12KeystoreFile> -nokeys -clcerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.cert -passin pass:<keystorePassword>
- Navigate to the <bdssaInstallDir>\webserver\conf\extra directory.
- Open the httpd-ssl.conf file, and do the following:
- Search for SSLCertificateKeyFile and specify the full path of the private key file extracted above. For example:
SSLCertificateKeyFile "<bdssaInstallDir>/webserver/conf/bmcsareports.key"
- Search for SSLCertificateFile, uncomment the line containing this entry, and specify the full path of the signed certificate file. For example:
SSLCertificateFile "<bdssaInstallDir>/webserver/conf/bmcsareports.cert"
- If the CA certificate is available, search for SSLCACertificateFile, uncomment the line containing this entry, and specify the full path of the CA certificate file. For example:
SSLCACertificateFile "<bdssaInstallDir>/webserver/conf/ca-chain.cert.pem"
- Restart the Apache server. Run the following command:
- (Windows)
sc restart Apache2
- (Linux)
<bdssaInstallDir>/webserver/bin/apachectl restart
- Confirm that you can use the following URL to open the BMC Decision Support for Server Automation login page:
https://<bdssa host name>:9443/bds
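The following script is an added example, not code from the BMC documentation or product. It carries the Apache steps above through on a constructed PKCS12 keystore: it extracts the private key with -nodes -nocerts and the certificate with -nokeys -clcerts exactly as the commands above do, then performs the two checks worth making before restarting Apache: that the extracted key and certificate belong together (same public key), and that the uncommented SSLCertificateKeyFile and SSLCertificateFile lines in httpd-ssl.conf point at readable files that match. The keystore, the password and the httpd-ssl.conf fragment are constructed here; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the BMC page: extract the key and certificate from
# a PKCS12 keystore the way the Apache steps do, then check the result before
# pointing httpd-ssl.conf at the files. The keystore is constructed here from a
# self-signed certificate; all paths and the password are placeholders.
set -eu

# make_test_p12 DIR PASSWORD: constructed self-signed key and cert packed into a
# PKCS12 file under the alias the page uses (tomcat)
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=bdssa89.example.com/O=Example" \
    -keyout "$1/tmp.key" -out "$1/tmp.cert" >/dev/null 2>&1
  openssl pkcs12 -export -in "$1/tmp.cert" -inkey "$1/tmp.key" -name tomcat \
    -out "$1/bdssa-keystore-p12.p12" -passout "pass:$2"
}

# extract_key P12 PASSWORD OUT: private key only, written unencrypted (-nodes),
# so the file is created readable by its owner alone (umask in a subshell)
extract_key() {
  ( umask 077
    openssl pkcs12 -in "$1" -nodes -nocerts -out "$3" -passin "pass:$2" >/dev/null 2>&1 )
}

# extract_cert P12 PASSWORD OUT: the server certificate only (-nokeys -clcerts),
# which is what SSLCertificateFile expects; -nocerts here would give no certificate
extract_cert() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -out "$3" -passin "pass:$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: 0 when CERT carries the public half of KEY
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# conf_path CONF DIRECTIVE: quoted path of the first uncommented DIRECTIVE line
conf_path() {
  grep -E "^[[:space:]]*$2[[:space:]]+\"" "$1" | head -n 1 |
    sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# check_httpd_ssl_conf CONF: 0 when SSLCertificateKeyFile and SSLCertificateFile
# are both set, readable and belong together
check_httpd_ssl_conf() {
  key=$(conf_path "$1" SSLCertificateKeyFile)
  cert=$(conf_path "$1" SSLCertificateFile)
  [ -n "$key" ] && [ -n "$cert" ] && [ -r "$key" ] && [ -r "$cert" ] &&
    key_matches_cert "$key" "$cert"
}

# write_sample_conf DIR: constructed httpd-ssl.conf fragment; the commented
# SSLCertificateFile line stands in for the default that must be uncommented
write_sample_conf() {
  cat > "$1/httpd-ssl.conf" <<EOF
#SSLCertificateFile "$1/old-server.crt"
SSLCertificateFile "$1/bmcsareports.cert"
SSLCertificateKeyFile "$1/bmcsareports.key"
EOF
}

WORK=$(mktemp -d)
make_test_p12 "$WORK" password
extract_key "$WORK/bdssa-keystore-p12.p12" password "$WORK/bmcsareports.key"
extract_cert "$WORK/bdssa-keystore-p12.p12" password "$WORK/bmcsareports.cert"
write_sample_conf "$WORK"
if check_httpd_ssl_conf "$WORK/httpd-ssl.conf"; then
  echo "httpd-ssl.conf: key and certificate are present and match"
else
  echo "httpd-ssl.conf: key/certificate missing or mismatched" >&2
fi
rm -rf "$WORK"
```

On a real install, point check_httpd_ssl_conf at <bdssaInstallDir>/webserver/conf/extra/httpd-ssl.conf after editing it; a mismatch between the key and the certificate is the usual reason Apache refuses to start after a certificate renewal, and it is cheaper to catch here than in the Apache error log. The page passes the keystore password with -passin pass:, which the script keeps; in automation, -passin file: or env: keeps the password out of the process list.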
To configure Cognos to support CA certificates
Create certificate signing request (CSR) files for the signing keys and encryption keys from the IBM® Cognos® keystores. Do the following:
Generate the SignRequest.csr and encryptRequest.csr files. Use the following commands:
(Windows)
<bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword>
<bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword>
(Linux)
<bdssaInstallDir>/portal/bin/ThirdPartyCertificateTool.sh -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword>
<bdssaInstallDir>/portal/bin/ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword>
The default password is NoPassWordSet. If you do not want to change the password, use the default password in the above commands instead of <newPassword>. Otherwise, use a new password. For information about the ThirdPartyCertificateTool used in this step, see ThirdPartyCertificateTool commands.
Send the SignRequest.csr and encryptRequest.csr files to a CA for signing.
Ensure that the CA returns the following signed certificate files in the PEM (Base-64 encoded ASCII) format:
- Signing key certificate (for SignRequest.csr)
- Encryption key certificate (for encryptRequest.csr)
- CA certificate
- Import the CA certificates into IBM Cognos components. For information about the steps, see Import the CA certificates into IBM Cognos components.
- Configure IBM Cognos BI Components to use certificates generated by your CA. For information about the steps, see Configure IBM Cognos BI Components to use certificates generated by your CA.
- To verify that the configuration was successful, log in to the reports portal and ensure that it is populated with data.
Reference documentation
For information about using certificates for Authentication Services, see Using certificates to secure communication between clients and Application Servers in the TrueSight Server Automation documentation.
Comments
Steps to create a self-signed certificate:
2) C:\Program Files\BMC Software\BDSSA\webserver\bin>openssl.exe req -newkey rsa:2048 -nodes -keyout bmcsareports.key -x509 -days 365 -out bmcsareports.cert
This generates the following two files:
bmcsareports.key
bmcsareports.cert
3) Take a backup of the current certificate, which is about to expire or has expired, to a temporary location, and place the one created above under C:\Program Files\BMC Software\BDSSA\webserver\conf
4) Restarted the web server (Tomcat), then browsed the Cognos URL, and the created and expiry dates were extended.
Hi Ankur, created a defect for verifying the steps: https://jira.bmc.com/browse/DRBSP-14807. Added you as a watcher to keep you posted about the changes.
We went through this process and were unable to get it to work. In order to get the cert to work we did the following:
Private Key - SSLCertificateKeyFile "D:/PROGRA~1/BMCSOF~1/BDSSA/webserver/conf/bmcsareports_new.key"
Issued Cert - SSLCertificateFile "D:/Program Files/BMC Software/BDSSA/webserver/conf/bdssareports.pem"
Hi Kyle, Have created an internal defect (https://jira.bmc.com/browse/DRBSP-14807) to add the correct steps.
The command mentioned in the document doesn't work. Why are there two paths in the command, the CA cert file and the keystore? Also, I am not sure which keystore to use, as the jCAKeystore file doesn't exist in the mentioned path. When I ran this command it failed with the error CAM-CRP-1201 Unexpected text: '/opt/SP/bmc/BDSSA/portal/bin/ca_chain.pem':
./ThirdPartyCertificateTool.sh -T -i -r -t /portal/configuration/certs/jCAKeystore -p NoPassWordSet
So in order to make it work, I modified the command:
./ThirdPartyCertificateTool.sh -i -T -r /opt/SP/bmc/BDSSA/portal/bin/ca_chain.pem -p changeit
Is this correct? Also, as per the procedure below, the encryption key password needs to be changed from cogconfig, but it's not visible.
"The ThirdPartyCertificateTool command used in this step imports the CA certificate with the key store (jCAKeystore in this case) password if you specify the password. If -p is not included, NoPassWordSet is used as a default password. If you want to specify a different password, perform the following steps before executing this command: 1. From the IBM Cognos Configuration, change the Signing key store password, the Encryption key store password, and the Certificate Authority key store password. 2. Navigate to the BDSSAInstallationDirectory/portal/configuration directory, open the cogstartup_oracle.xml.tmpl or cogstartup_sqlserver.xml.tmpl file (depending on the database), and edit the passwords in the following directives: certificateAuthorityKeyFilePassword, signKeyFilePassword, and encryptKeyFilePassword."
We are experiencing the same issue as Atul Barthwal. Any news on the resolution of this problem?