Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Using third-party Certification Authority certificates

Using third-party CA certificates involves the following steps:

  1. Create a new KeyStore.
  2. Create a certificate signing request (CSR) using OpenSSL and send the CSR to the CA. The CA returns the signed certificate along with its own CA certificate.
  3. Import the CA signed certificate for Apache Tomcat.
  4. Configure Apache Web Server to support CA certificates. 
  5. Configure IBM Cognos to support CA certificates.

Note: Deployment notes for Linux

The Linux instructions are applicable only for deployments with an Oracle database.

Before you begin

Back up the following files or directories:

  • (Windows)
    • <bdssaInstallDir>\tomcat\conf\bdsSslCertificate.cert
    • <bdssaInstallDir>\webserver\conf\bmcsareports.key
    • <bdssaInstallDir>\webserver\conf\bmcsareports.cert
    • <bdssaInstallDir>\tomcat\conf\server.xml
    • <bdssaInstallDir>\portal\configuration
  • (Linux)
    • <bdssaInstallDir>/tomcat/conf/bdsSslCertificate.cert
    • <bdssaInstallDir>/webserver/conf/bmcsareports.key
    • <bdssaInstallDir>/webserver/conf/bmcsareports.cert
    • <bdssaInstallDir>/tomcat/conf/server.xml
    • <bdssaInstallDir>/portal/configuration

To create a new KeyStore

  1. Log in to a computer where BMC Decision Support for Server Automation is installed.
  2. Open the command prompt and navigate to the following directory:
    • (Windows) <bdssaInstallDir>\webserver\conf
    • (Linux) <bdssaInstallDir>/webserver/conf
  3. Run the following command:
    • (Windows)

      <bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
      
      For example,
      <bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore bdssa-keystore.jks -storepass password -dname "CN=bdssa89.example.com,OU=MyOu,O=MyOrg,L=Houston,ST=Texas,C=US" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
    • (Linux)

      <bdssaInstallDir>/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks 

To create a CSR request

  1. Log in to a computer where BMC Decision Support for Server Automation is installed.
  2. Open the command prompt and navigate to the following directory:
    • (Windows) <bdssaInstallDir>\webserver\bin
    • (Linux) <bdssaInstallDir>/webserver/bin
  3. Create a certificate signing request (CSR). Run the following command:

    <bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore <nameKeystoreFile> -storepass <keystorePassword> -keypass <keystorePassword> -file <nameCSRFile>
    
    For example, 
    <bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore bdssa-keystore.jks -storepass password -keypass password -file bdssa-csr.csr

    This command creates the CSR in the directory from where you run the command.

  4. Send the CSR file to a Certificate Authority (CA) for signing. Use one of the following options:
    • Send the CSR to a commercial CA.
    • Use your own CA and get the CSR signed by this CA.
    The CA returns the following signed certificate files that can be used for Apache and Cognos:
    • CA certificate chain
    • Application certificate
      For example, ca-chain.cert.pem and bmcsareports.pem.
  5. If the CA returns the signed certificate in a format other than p7b, create a copy of the signed certificate in the p7b format. Run the following command:

    openssl crl2pkcs7 -nocrl -certfile <signedCertOtherFormat> -out <certs_p7b> -certfile <caCert> -certfile <intermediate cert> [ … -certfile …]
    For example, 
    openssl crl2pkcs7 -nocrl -certfile bmcsareports.pem -out bmcsareports.p7b -certfile ca-chain.cert.pem

To import CA certificates for Apache Tomcat

  1. Import the certificate into the KeyStore. Run the following command:

    <bdssaInstallDir>/jre/bin/keytool -importcert -keystore <nameKeystoreFile> -file <certs_p7b> -storepass <keystorePassword> -keypass <keystorePassword> -alias tomcat -storetype jks -trustcacerts
    
    For example,
    <bdssaInstallDir>/jre/bin/keytool -importcert -keystore bdssa-keystore.jks -file bmcsareports.p7b -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
  2. Copy the KeyStore file (bdssa-keystore.jks) to the <bdssaInstallDir>/tomcat/conf directory.
  3. Navigate to the <bdssaInstallDir>/tomcat/conf directory.
  4. Update the server.xml file with the keystore file name and password in the ‘<Connector port="9443"’ section:
    • (Windows)

      keystoreFile="C:\Program Files\BMC Software\BDSSA\tomcat\conf\bdssa-keystore.jks"
      keystorePass="password"
    • (Linux)

      keystoreFile="/opt/bmc/BDSSA/tomcat/conf/bdssa-keystore.jks"
      keystorePass="password"
  5. Restart the BMC Decision Support for Server Automation service.
    • (Windows) sc restart bdstomcat
    • (Linux) service bltomcat stop; service bltomcat start
  6. Confirm that you can open the BMC Decision Support for Server Automation login page by using the following URL:
    https://<bdssa host name>:9443/bds

To configure Apache Web Server to support CA certificates

  1. Convert the keystore to the PKCS12 format so the key and certificate can be extracted. Run the following command:

    <bdssaInstallDir>/jre/bin/keytool -importkeystore -srckeystore <nameKeystoreFile> -destkeystore <newp12KeystoreFile> -deststoretype PKCS12 -srcalias tomcat -deststorepass <keystorePassword> -destkeypass <keystorePassword> -srcstorepass <keystorePassword>

    For example,
    <bdssaInstallDir>/jre/bin/keytool -importkeystore -srckeystore bdssa-keystore.jks -destkeystore bdssa-keystore-p12.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass password -destkeypass password -srcstorepass password
  2. Use openssl to extract the private key. Run the following command:
    • (Windows)

      <bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.key -passin pass:<keystore password>
    • (Linux)

      openssl pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.key -passin pass:<keystore password>
  3. Use openssl to extract the certificate. Run the following command:
    • (Windows)

      <bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nokeys -clcerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.cert -passin pass:<keystore password>
    • (Linux)

      openssl pkcs12 -in <newp12KeystoreFile> -nokeys -clcerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.cert -passin pass:<keystore password>
  4. Navigate to the <bdssaInstallDir>\webserver\conf\extra directory.
  5. Open the httpd-ssl.conf file, and do the following:
    1. Search for SSLCertificateKeyFile and specify the full path of the certificate private key file. For example,
      SSLCertificateKeyFile "<bdssaInstallDir>/webserver/conf/bdssaPrivateKey.key"
    2. Search for SSLCertificateFile, uncomment the line containing this entry, and specify the full path of the signed certificate file. For example,
      SSLCertificateFile "<bdssaInstallDir>/webserver/conf/bmcsareports.cert"
    3. If the CA certificate is available, search for SSLCACertificateFile, uncomment the line containing this entry, and specify the full path of the CA certificate file. For example,
      SSLCACertificateFile "<bdssaInstallDir>/webserver/conf/ca-chain.cert.pem"
  6. Restart the Apache server. Run the following command:
    • (Windows) sc restart Apache2
    • (Linux) <bdssaInstallDir>/webserver/bin/apachectl restart
  7. Confirm that you can use the following URL to open the BMC Decision Support for Server Automation login page:
    https://<bdssa host name>:9443/bds
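
As an added example (not part of the original documentation), the following POSIX shell script checks the files produced in steps 2 and 3 before Apache is restarted: the private key matches the certificate, the certificate verifies against the CA chain, and the unencrypted key file is closed to group and others. The function names and the throwaway CA built by make_fixture are constructed for illustration; the file names follow the examples on this page.

```shell
#!/bin/sh
# Added example: pre-restart checks for the files named in httpd-ssl.conf.

# True when the certificate carries the public key of this private key.
key_matches_cert() {   # <key> <cert>
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True when the certificate verifies (signature and validity dates) against
# the CA chain. The output is matched because some older OpenSSL releases
# exit 0 even when verification fails.
cert_chains_to_ca() {  # <ca-chain> <cert>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when group and others have no permissions on the key file, which
# matters because "pkcs12 -nodes" writes the private key unencrypted.
key_is_owner_only() {  # <key>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_apache_pair() {  # <key> <cert> <ca-chain>
    rc=0
    key_matches_cert "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_chains_to_ca "$3" "$2" || { echo "FAIL: certificate does not verify against CA chain"; rc=1; }
    key_is_owner_only "$1"      || { echo "FAIL: key file is accessible to group or others"; rc=1; }
    return "$rc"
}

# Constructed sample input: a throwaway CA and one certificate it signs,
# written to directory $1 under the file names used in the examples above.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed CA" \
        -keyout "$1/ca.key" -out "$1/ca-chain.cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bdssa89.example.com" \
        -keyout "$1/bmcsareports.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/ca-chain.cert.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/bmcsareports.cert" 2>/dev/null &&
    chmod 600 "$1/bmcsareports.key"
}

# With three arguments, check real files: <key> <cert> <ca-chain>.
if [ "$#" -eq 3 ]; then check_apache_pair "$@"; fi
```

The permission check applies to Linux deployments only; on Windows, review the ACL of bmcsareports.key instead.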

To configure Cognos to support CA certificates

  1. Create certificate signing request (CSR) files for the signing keys and encryption keys from the IBM® Cognos® keystores. Do the following:

    1. Generate the SignRequest.csr and encryptRequest.csr files. Use the following commands:

      • (Windows)

        <bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword> 
        <bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword> 
      • (Linux)

        <bdssaInstallDir>/portal/bin/./ThirdPartyCertificateTool.sh -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword> 
        <bdssaInstallDir>/portal/bin/./ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword> 

        The default password is NoPassWordSet. If you do not want to change the password, use the default password in the above commands instead of <newPassword>. Otherwise, use a new password. For information about the ThirdPartyCertificateTool used in this step, see ThirdPartyCertificateTool commands.

    2. Send the signRequest.csr and encryptRequest.csr files to a CA for signing.

    3. Ensure that the CA returns the following signed certificate files in the PEM (Base-64 encoded ASCII) format:

      • signRequest.csr signing key certificate
      • encryptRequest.csr encryption key certificate 
      • CA certificate 
      For more information about the steps, see Create certificate signing request files.
  2. Import the CA certificates into IBM Cognos components. For information about the steps, see Import the CA certificates into IBM Cognos components.

  3. Configure IBM Cognos BI Components to use certificates generated by your CA. For information about the steps, see Configure IBM Cognos BI Components to use certificates generated by your CA.
  4. To verify that the configuration was successful, log in to the reports portal and ensure that it is populated with data.

Reference documentation

For information about using certificates for Authentication Services, see Using certificates to secure communication between clients and Application Servers in the TrueSight Server Automation documentation.


Comments

  1. Ankur Maloo

    Steps to create self-signed certificate:

     1) C:\Program Files\BMC Software\BDSSA\webserver\bin>set OPENSSL_CONF=c:\Program Files\BMC Software\BDSSA\webserver\conf\openssl.cnf

    2) C:\Program Files\BMC Software\BDSSA\webserver\bin>openssl.exe req -newkey rsa:2048 -nodes -keyout bmcsareports.key -x509 -days 365 -out bmcsareports.cert

     This generates following two files:

     bmcsareports.key

    bmcsareports.cert

     3) Take backup of current certificate which is about to expire or expired to a temporary location and place the one created above under C:\Program Files\BMC Software\BDSSA\webserver\conf

     4) Restarted the webserver tomcat and then browsed the cognos url and the date created and expired extended

    Jun 06, 2017 04:09
    1. Ranu Ganguly

      Hi Ankur, created a defect for verifying the steps: https://jira.bmc.com/browse/DRBSP-14807. Added you as a watcher to keep you posted about the changes.

      Mar 18, 2019 08:25
  2. Kyle Sorg

    We went through this process and were unable to get it to work. In order to get the cert to work we did the following

    Private Key - SSLCertificateKeyFile "D:/PROGRA~1/BMCSOF~1/BDSSA/webserver/conf/bmcsareports_new.key"

    Issues Cert - SSLCertificateFile "D:/Program Files/BMC Software/BDSSA/webserver/conf/bdssareports.pem"

    Nov 21, 2017 02:28
    1. Ranu Ganguly

      Hi Kyle, Have created an internal defect (https://jira.bmc.com/browse/DRBSP-14807) to add the correct steps. 

      Mar 18, 2019 08:27
  3. Atul Barthwal

    Command mentioned in the document doesn’t work. Why are there two paths in the command, CA cert file and keystore? Also not sure which keystore to use, as the jCAKeystore file doesn’t exist in the mentioned path. When I ran this command it failed with error CAM-CRP-1201 Unexpected text: '/opt/SP/bmc/BDSSA/portal/bin/ca_chain.pem'.

    ./ThirdPartyCertificateTool.sh -T -i -r -t /portal/configuration/certs/jCAKeystore -p NoPassWordSet

    So in order to make it work, I modified the command:

    ./ThirdPartyCertificateTool.sh -i -T -r /opt/SP/bmc/BDSSA/portal/bin/ca_chain.pem -p changeit

    Is this correct? Also, as per the procedure below, the encryption key password needs to be changed from cogconfig, but it’s not visible.

    "The ThirdPartyCertificateTool command used in this step imports the CA certificate with the key store (jCAKeystore in this case) password if you specify the password. If -p is not included, NoPassWordSet is used as a default password. If you want to specify a different password, perform the following steps before executing this command: 1. From the IBM Cognos Configuration, change the Signing key store password, the Encryption key store password, and the Certificate Authority key store password. 2. Navigate to the BDSSAInstallationDirectory/portal/configuration directory, open the cogstartup_oracle.xml.tmpl or cogstartup_sqlserver.xml.tmpl file (depending on the database), and edit the passwords in the following directives: certificateAuthorityKeyFilePassword, signKeyFilePassword, and encryptKeyFilePassword."

    May 17, 2019 05:50
  4. Sofie Gypen

    We are experiencing the same issue as Atul Barthwal. Any news on the resolution of this problem?

    Jul 22, 2019 06:29