Using third-party Certification Authority certificates

Using third-party CA certificates involves the following steps:

Create a new KeyStore.
Create a certificate signing request (CSR) using OpenSSL and send the CSR to CA. CA returns the signed certificate along with its own CA certificate.
Import the CA signed certificate for Apache Tomcat.
Configure Apache Web Server to support CA certificates.
Configure IBM Cognos to support CA certificates.

Note: Deployment notes for Linux

The Linux instructions are applicable only for deployments with an Oracle database.

Before you begin

Backup the following files or directories:

(Windows)
- <bdssaInstallDir>\tomcat\conf\bdsSslCertificate.cert
- <bdssaInstallDir>\webserver\conf\bmcsareports.key
- <bdssaInstallDir>\webserver\conf\bmcsareports.cert
- <bdssaInstallDir>\tomcat\conf\server.xml
- <bdssaInstallDir>\portal\configuration
(Linux)
- <bdssaInstallDir>/tomcat/conf/bdsSslCertificate.cert
- <bdssaInstallDir>/webserver/conf/bmcsareports.key
- <bdssaInstallDir>/webserver/conf/bmcsareports.cert
- <bdssaInstallDir>/tomcat/conf/server.xml
- <bdssaInstallDir>/portal/configuration

To create a new KeyStore

Log in to a computer where BMC Decision Support for Server Automation is installed.
Open the command prompt and navigate to the following directory:
- (Windows) <bdssaInstallDir>\webserver\conf
- (Linux) <bdssaInstallDir>/webserver/conf
Run the following command:

- (Windows)
  <bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
  
  For example,
  <bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore bdssa-keystore.jks -storepass password -dname "CN=bdssa89.example.com,OU=MyOu,O=MyOrg,L=Houston,ST=Texas,C=US" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
- (Linux)
  <bdssaInstallDir>/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks

To create a CSR request

Log in to a computer where BMC Decision Support for Server Automation is installed.
Open the command prompt and navigate to the following directory:
- (Windows) <bdssaInstallDir>\webserver\bin
- (Linux) <bdssaInstallDir>/webserver/bin
Create a certificate signing request (CSR) . Run the following command:
<bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore <nameKeystoreFile> -storepass <keystorePassword> -keypass <keystorePassword> -file <nameCSRFile>

For example,
<bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore bdssa-keystore.jks -storepass password -keypass password -file bdssa-csr.csr
This command creates the CSR in the directory from where you run the command.
Send the CSR file to a Certificate Authority (CA) for signing. Use one of the following options:
- Send the CSR to a commercial CA.
- Use your own CA and get the CSR signed by this CA.
CA returns the following signed certificate files that can be used for Apache and Cognos:
- CA certificate chain
- Application certificate.
  For example, ca-chain.cert.pem and bmcsareports.pem.
If the CA returns the signed key in a format other than p7b, create a signed key in the p7b format. Run the following command:
openssl crl2pkcs7 -nocrl -certfile <signedCertOtherFormat> -out <certs_p7b> -certfile <caCert> -certfile <intermediate cert> [ … -certfile …]
For example,
openssl crl2pkcs7 -nocrl -certfile bmcsareports.pem -out bmcsareports.p7b -certfile ca-chain.cert.pem

To import CA certificates for Apache Tomcat

Import the certificate into the KeyStore. Run the following command:

<bdssaInstallDir>/jre/bin/keytool -importcert -keystore <nameKeystoreFile> -file <certs_p7b> -storepass <keystorePassword> -keypass <keystorePassword> -alias tomcat -storetype jks -trustcacerts

For example,
<bdssaInstallDir>/jre/bin/keytool -importcert -keystore bdssa-keystore.jks -file bmcsareports.p7b -storepass password -keypass password -alias tomcat
-storetype jks -trustcacerts
Copy the KeyStore file (bdssa-keystore.jks) to the <bdssaInstallDir>/tomcat/conf directory.
Navigate to the <bdssaInstallDir>/tomcat/conf directory.
Update the server.xml file with the keystore file name and password in the ‘<Connector port="9443"’ section:
- (Windows)
  keystoreFile="C:\Program Files\BMC Software\BDSSA\tomcat\conf\bdssa-keystore.jks"
  keystorePass="password"
- (Linux)
  keystoreFile="/opt/bmc/BDSSA/tomcat/conf/bdssa-keystore.jks"
  keystorePass="password"
Restart the BMC Decision Support for Server Automation service.
- (Windows) sc restart bdstomcat
- (Linux) service bltomcat stop; service bltomcat start
Confirm that you can open the BMC Decision Support for Server Automation login page by using the following URL:
https://<bdssa host name>:9443/bds

To configure Apache Web Server to support CA certificates

Convert the keystore to the PKCS12 format so the key and certificate can be extracted. Run the following command:
<bdssaInstallDir>jre/bin/keytool -importkeystore -srckeystore <nameKeystoreFile> -destkeystore <newp12KeystoreFile> -deststoretype PKCS12 -srcalias tomcat -deststorepass <keystorePassword> -destkeypass <keystorePassword> -srcstorepass <keystorePassword>
For example,
<bdssaInstallDir>jre/bin/keytool -importkeystore -srckeystore bdssa-keystore.jks -destkeystore bdssa-keystore-p12.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass password -destkeypass password -srcstorepass password
Use openssl to extract the private key. Run the following command:
- (Windows)
  <bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.key -passin pass:<keystore password>
- (Linux)
  openssl -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.key -passin pass:<keystore password>
Use openssl to extract the certificate. Run the following command:
- (Windows)
  <bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> nokeys -clcertserts -out <bdssaInstallDir>\webserver\conf\bmcsareports.cert -passin pass:<keystore password>
- (Linux)
  openssl -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.cert -passin pass:<keystore password>
Navigate to the <bdssaInstallDir>\webserver\conf\extra directory.
Open the httpd-ssl.conf file, and do the following:
1. Search for SSLCertificateKeyFile and specify the full path of the certificate private key file. For example,SSLCertificateKeyFile "<bdssaInstallDir>/webserver/conf/bdssaPrivateKey.key".
2. Search for SSLCertificateFile and uncomment the line containing this entry, and specify the full path of the signed certificate file. For example,{{code language="none"}}
  
  {{/code}}SSLCertificateFile "<bdssaInstallDir>/webserver/conf/bmcsareports.cert".
3. If the CA certificate is available, search for SSLCACertificateFile and uncomment the line containing this entry, and specify the full path of the CA certificate file. For example,SSLCACertificateFile "<bdssaInstallDir>/webserver/conf/ca-chain.cert.pem".
Restart the Apache server. Run the following command:
- (Windows) sc restart Apache2
- (Linux) <bdssaInstallDir>/webserver/bin/apachectl restart
Confirm that you can use the following URL to open the BMC Decision Support for Server Automation login page:
https://<bdssa host name>:9443/bds

To configure Cognos to support CA certificates

Create certificate signing request (CSR) files for the signing keys and encryption keys from the IBM® Cognos® keystores. Do the following:
1. Generate the SignRequest.csr and encryptRequest.csr files. Use the following commands:
  - (Windows)
    <bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword>
    <bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword>
  - (Linux)
    <bdssaInstallDir>/portal/bin/./ThirdPartyCertificateTool.sh -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword>
    <bdssaInstallDir>/portal/bin/./ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword>
    The default password is NoPassWordSet. If you do not want to change the password, then use the default password in the above commands instead of <newpassword>. Otherwise, use a new password. For information about the ThirdPartyCertificateTool used in this step, see ThirdPartyCertificateTool commands.
2. Send the signRequest.csr and encryptRequest.csr files to a CA for signing.
3. Ensure that the CA returns the following signed certificate files in the PEM (Base-64 encoded ASCII) format:
  - signRequest.csr signing key certificate
  - encryptRequest.csr encryption key certificate
  - CA certificate
  For more information about the steps, see Create certificate signing request files.
Import the CA certificates into IBM Cognos components. For information about the steps, see Import the CA certificates into IBM Cognos components.
Configure IBM Cognos BI Components to use certificates generated by your CA. For information about the steps, see Configure IBM Cognos BI Components to use certificates generated by your CA
.
To verify that the configuration was successful, log in to the reports portal and ensure that it is populated with data.

Reference documentation

For information about using certificates for Authentication Services, see Using certificates to secure communication between clients and Application Servers in the TrueSight Server Automation documentation.