Using third-party Certification Authority certificates
Using third-party CA certificates involves the following steps:
- Create a new KeyStore.
- Create a certificate signing request (CSR) with keytool and send the CSR to the CA. The CA returns the signed certificate along with its own CA certificate chain.
- Import the CA signed certificate for Apache Tomcat.
- Configure Apache Web Server to support CA certificates.
- Configure IBM Cognos to support CA certificates.
Before you begin
Back up the following files or directories:
- (Windows)
- <bdssaInstallDir>\tomcat\conf\bdsSslCertificate.cert
- <bdssaInstallDir>\webserver\conf\bmcsareports.key
- <bdssaInstallDir>\webserver\conf\bmcsareports.cert
- <bdssaInstallDir>\tomcat\conf\server.xml
- <bdssaInstallDir>\portal\configuration
- (Linux)
- <bdssaInstallDir>/tomcat/conf/bdsSslCertificate.cert
- <bdssaInstallDir>/webserver/conf/bmcsareports.key
- <bdssaInstallDir>/webserver/conf/bmcsareports.cert
- <bdssaInstallDir>/tomcat/conf/server.xml
- <bdssaInstallDir>/portal/configuration
To create a new KeyStore
- Log in to a computer where BMC Decision Support for Server Automation is installed.
- Open the command prompt and navigate to the following directory:
- (Windows) <bdssaInstallDir>\webserver\conf
- (Linux) <bdssaInstallDir>/webserver/conf
- Run the following command:
(Windows)
<bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
For example,
<bdssaInstallDir>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore bdssa-keystore.jks -storepass password -dname "CN=bdssa89.example.com,OU=MyOu,O=MyOrg,L=Houston,ST=Texas,C=US" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
(Linux)
<bdssaInstallDir>/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <nameKeystoreFile> -storepass <keystorePassword> -dname <distinguishedNameBdssaUrl> -keypass <keystorePassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
The CN in -dname must be the host name that users enter in the browser. Current browsers ignore the CN and require that name in a subjectAltName extension, so either add -ext SAN=dns:<bdssa host name> to this command and to the -certreq command in the next procedure (keytool accepts -ext on both) or ask the CA to include it in the signed certificate. Replace password with a strong KeyStore password; a password given on the command line is visible to other users of the computer in the process list and is written to the shell history.
To create a CSR
- Log in to a computer where BMC Decision Support for Server Automation is installed.
- Open the command prompt and navigate to the following directory:
- (Windows) <bdssaInstallDir>\webserver\bin
- (Linux) <bdssaInstallDir>/webserver/bin
- Create a certificate signing request (CSR). Run the following command, giving -keystore the path of the KeyStore created in the previous procedure (it is in <bdssaInstallDir>/webserver/conf unless you created it elsewhere):
<bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore <nameKeystoreFile> -storepass <keystorePassword> -keypass <keystorePassword> -file <nameCSRFile>
For example,
<bdssaInstallDir>/jre/bin/keytool -certreq -alias tomcat -keystore bdssa-keystore.jks -storepass password -keypass password -file bdssa-csr.csr
This command creates the CSR in the directory from which you run the command.
Send the CSR file to a Certificate Authority (CA) for signing. Use one of the following options:
- Send the CSR to a commercial CA.
- Use your own CA and get the CSR signed by this CA.
The CA returns the following signed certificate files; the same files are used later for Apache and Cognos:
- CA certificate chain
- Application certificate
For example, ca-chain.cert.pem and bmcsareports.pem.
If the CA returns the signed certificate in a format other than PKCS#7 (.p7b), bundle the application certificate and the CA chain into one .p7b file so that keytool can import the whole chain in a single step. Run the following command:
openssl crl2pkcs7 -nocrl -certfile <signedCertOtherFormat> -out <certs_p7b> -certfile <caCert> -certfile <intermediate cert> [ … -certfile …]
For example,
openssl crl2pkcs7 -nocrl -certfile bmcsareports.pem -out bmcsareports.p7b -certfile ca-chain.cert.pem
To import CA certificates for Apache Tomcat
- Import the certificate reply into the KeyStore, under the same alias as the key pair. Run the following command:
<bdssaInstallDir>/jre/bin/keytool -importcert -keystore <nameKeystoreFile> -file <certs_p7b> -storepass <keystorePassword> -keypass <keystorePassword> -alias tomcat -storetype jks -trustcacerts
For example,
<bdssaInstallDir>/jre/bin/keytool -importcert -keystore bdssa-keystore.jks -file bmcsareports.p7b -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
With -trustcacerts, keytool checks the reply chain against the CA certificates in the JRE cacerts file. If your own CA signed the request, its root is not in cacerts and keytool reports that the top-level certificate in the reply is not trusted; in that case import the CA root certificate into the KeyStore first, under a separate alias, and then import the reply.
- Copy the KeyStore file (bdssa-keystore.jks) to the <bdssaInstallDir>/tomcat/conf directory.
- Navigate to the <bdssaInstallDir>/tomcat/conf directory.
- Update the server.xml file with the KeyStore file name and password in the <Connector port="9443" section. keystorePass is stored in clear text in server.xml, so restrict read access to server.xml and to the KeyStore file to the account that runs the Tomcat service:
(Windows)
keystoreFile="C:\Program Files\BMC Software\BDSSA\tomcat\conf\bdssa-keystore.jks"
keystorePass="password"
(Linux)
keystoreFile="/opt/bmc/BDSSA/tomcat/conf/bdssa-keystore.jks"
keystorePass="password"
- Restart the BMC Decision Support for Server Automation service.
- (Windows) sc stop bdstomcat, wait until sc query bdstomcat reports STOPPED, then sc start bdstomcat (sc.exe has no restart command)
- (Linux) service bltomcat stop; service bltomcat start
- Confirm that you can open the BMC Decision Support for Server Automation login page by using the following URL:
https://<bdssa host name>:9443/bds
To configure Apache Web Server to support CA certificates
- Convert the KeyStore to the PKCS12 format so that the key and certificate can be extracted. Run the following command:
<bdssaInstallDir>/jre/bin/keytool -importkeystore -srckeystore <nameKeystoreFile> -destkeystore <newp12KeystoreFile> -deststoretype PKCS12 -srcalias tomcat -deststorepass <keystorePassword> -destkeypass <keystorePassword> -srcstorepass <keystorePassword>
For example,
<bdssaInstallDir>/jre/bin/keytool -importkeystore -srckeystore bdssa-keystore.jks -destkeystore bdssa-keystore-p12.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass password -destkeypass password -srcstorepass password
- Use openssl to extract the private key. Run the following command:
(Windows)
<bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.key -passin pass:<keystore password>
(Linux)
openssl pkcs12 -in <newp12KeystoreFile> -nodes -nocerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.key -passin pass:<keystore password>
Because of -nodes, the private key is written unencrypted (Apache needs it that way to start unattended), so restrict read access to bmcsareports.key to the account that runs Apache. If OpenSSL 3 reports an unsupported algorithm while reading the PKCS12 file, the JRE protected it with an older cipher such as RC2; repeat the command with the -legacy option.
- Use openssl to extract the certificate. Run the following command:
(Windows)
<bdssaInstallDir>\webserver\bin\openssl.exe pkcs12 -in <newp12KeystoreFile> -nokeys -clcerts -out <bdssaInstallDir>\webserver\conf\bmcsareports.cert -passin pass:<keystore password>
(Linux)
openssl pkcs12 -in <newp12KeystoreFile> -nokeys -clcerts -out <bdssaInstallDir>/webserver/conf/bmcsareports.cert -passin pass:<keystore password>
- Navigate to the <bdssaInstallDir>\webserver\conf\extra directory.
- Open the httpd-ssl.conf file, and do the following:
- Search for SSLCertificateKeyFile and specify the full path of the private key file extracted in the previous step. For example, SSLCertificateKeyFile "<bdssaInstallDir>/webserver/conf/bmcsareports.key".
- Search for SSLCertificateFile, uncomment the line containing this entry, and specify the full path of the signed certificate file. For example, SSLCertificateFile "<bdssaInstallDir>/webserver/conf/bmcsareports.cert".
- If the CA certificate is available, search for SSLCACertificateFile, uncomment the line containing this entry, and specify the full path of the CA certificate file. For example, SSLCACertificateFile "<bdssaInstallDir>/webserver/conf/ca-chain.cert.pem". Note that SSLCACertificateFile is primarily the trust store mod_ssl uses to verify client certificates; to be sure that intermediate certificates are sent to browsers, either append them to the file named by SSLCertificateFile (Apache 2.4.8 and later) or list them in SSLCertificateChainFile.
- Restart the Apache server. Run the following command:
- (Windows) sc stop Apache2, wait until sc query Apache2 reports STOPPED, then sc start Apache2 (sc.exe has no restart command)
- (Linux) <bdssaInstallDir>/webserver/bin/apachectl restart
- Confirm that you can use the following URL to open the BMC Decision Support for Server Automation login page:
https://<bdssa host name>:9443/bds
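The Tomcat and Apache procedures above, rehearsed end to end against a throwaway local CA. This is an added example for this page, not a BMC script: it stands in for the CA with a self-signed root created by openssl, and everything it names (the work directory, the Rehearsal Root CA, the host bdssa89.example.com, the alias rehearsal-ca, the password) is constructed for the rehearsal. It goes beyond the page in four places a practitioner usually needs: it puts the host name in a subjectAltName, it imports the private CA's root before the reply so that keytool can validate the chain, it retries the PKCS12 extraction with -legacy for OpenSSL 3, and it checks that the extracted key and certificate belong together before anything is restarted. It needs keytool and openssl on the PATH, or their full paths in KEYTOOL and OPENSSL (on a BDSSA host, <bdssaInstallDir>/jre/bin/keytool and, on Windows, <bdssaInstallDir>\webserver\bin\openssl.exe).

```shell
#!/bin/sh
# Rehearsal of this page's Tomcat and Apache certificate flow against a throwaway local CA:
# KeyStore -> CSR -> signed reply -> import -> PKCS12 -> PEM key and certificate -> checks.
# Added example for this page, not BMC's or the product's own script. Constructed/assumed:
# the work directory, the "Rehearsal Root CA", the host name, the alias and the passwords.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-bdssa89.example.com}"            # the name users type into the browser
STOREPASS="${STOREPASS:-Rehearsal-Pass-2024}"  # constructed; never the literal "password"
KEYTOOL="${KEYTOOL:-keytool}"                  # on BDSSA: <bdssaInstallDir>/jre/bin/keytool
OPENSSL="${OPENSSL:-openssl}"                  # on BDSSA Windows: <bdssaInstallDir>\webserver\bin\openssl.exe
JKS="$WORK/bdssa-keystore.jks"
P12="$WORK/bdssa-keystore-p12.p12"

have_tools() { command -v "$KEYTOOL" >/dev/null 2>&1 && command -v "$OPENSSL" >/dev/null 2>&1; }

# Stand-in for the commercial or internal CA (test only): self-signed root plus a signing helper.
make_test_ca() {
    $OPENSSL req -x509 -newkey rsa:3072 -nodes -sha256 -days 30 -subj "/CN=Rehearsal Root CA/O=Example" \
        -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$WORK/ca.key" -out "$WORK/ca-chain.cert.pem" 2>/dev/null
}
sign_csr() {  # $1 CSR, $2 output PEM. The CA adds the SAN browsers require; a CN alone is ignored.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$HOST" >"$WORK/server.ext"
    $OPENSSL x509 -req -in "$1" -CA "$WORK/ca-chain.cert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/server.ext" -out "$2" 2>/dev/null
}

# Page steps: key pair and CSR, reply bundled as PKCS#7, reply imported under the same alias.
build_keystore() {
    $KEYTOOL -genkeypair -alias tomcat -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 3650 \
        -dname "CN=$HOST,OU=MyOu,O=MyOrg,L=Houston,ST=Texas,C=US" -ext "SAN=dns:$HOST" \
        -keystore "$JKS" -storetype jks -storepass "$STOREPASS" -keypass "$STOREPASS"
    $KEYTOOL -certreq -alias tomcat -ext "SAN=dns:$HOST" -file "$WORK/bdssa-csr.csr" \
        -keystore "$JKS" -storepass "$STOREPASS" -keypass "$STOREPASS"
    sign_csr "$WORK/bdssa-csr.csr" "$WORK/bmcsareports.pem"
    $OPENSSL crl2pkcs7 -nocrl -certfile "$WORK/bmcsareports.pem" -certfile "$WORK/ca-chain.cert.pem" \
        -out "$WORK/bmcsareports.p7b"
    # A private CA's root is not in the JRE cacerts, so trust it explicitly before the reply is
    # imported; with a commercial CA, -trustcacerts alone finds the root in cacerts.
    $KEYTOOL -importcert -noprompt -alias rehearsal-ca -file "$WORK/ca-chain.cert.pem" \
        -keystore "$JKS" -storepass "$STOREPASS"
    $KEYTOOL -importcert -noprompt -trustcacerts -alias tomcat -file "$WORK/bmcsareports.p7b" \
        -keystore "$JKS" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Apache step: JKS -> PKCS12 -> PEM private key and certificate for httpd-ssl.conf.
p12_extract() {  # $1 output file, then the openssl pkcs12 selectors
    out="$1"; shift
    # OpenSSL 3 rejects the RC2/3DES PBE an older JRE may use inside the PKCS12; retry with -legacy.
    $OPENSSL pkcs12 -in "$P12" -passin "pass:$STOREPASS" "$@" -out "$out" 2>/dev/null \
        || $OPENSSL pkcs12 -legacy -in "$P12" -passin "pass:$STOREPASS" "$@" -out "$out"
}
export_for_apache() {
    $KEYTOOL -importkeystore -srckeystore "$JKS" -srcstorepass "$STOREPASS" -srcalias tomcat \
        -destkeystore "$P12" -deststoretype PKCS12 -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    p12_extract "$WORK/bmcsareports.key" -nodes -nocerts    # -nodes: the key is written unencrypted
    p12_extract "$WORK/bmcsareports.cert" -nokeys -clcerts  # certificate only, no key material
    chmod 600 "$WORK/bmcsareports.key"
}

# Checks worth running before the Tomcat and Apache restarts.
key_matches_cert() {   # identical public keys => key file and certificate belong together
    k=$($OPENSSL pkey -in "$WORK/bmcsareports.key" -pubout -outform DER | $OPENSSL dgst -sha256)
    c=$($OPENSSL x509 -in "$WORK/bmcsareports.cert" -noout -pubkey \
        | $OPENSSL pkey -pubin -pubout -outform DER | $OPENSSL dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
chain_verifies() {     # certificate chains to the CA and names the host in a SAN
    $OPENSSL verify -CAfile "$WORK/ca-chain.cert.pem" "$WORK/bmcsareports.cert" >/dev/null \
        && $OPENSSL x509 -in "$WORK/bmcsareports.cert" -noout -text | grep -q "DNS:$HOST"
}
keystore_has_chain() { # keytool stored the reply as a chain, not as a lone certificate
    $KEYTOOL -list -v -alias tomcat -keystore "$JKS" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "Certificate chain length: 2"
}
live_check() {         # $1 host, $2 port: after the restart, does the listener present a verifiable chain?
    $OPENSSL s_client -connect "$1:$2" -servername "$1" -CAfile "$WORK/ca-chain.cert.pem" \
        </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

rehearse() { make_test_ca && build_keystore && export_for_apache \
             && key_matches_cert && chain_verifies && keystore_has_chain; }

if have_tools; then
    rehearse
    echo "rehearsal OK: KeyStore, PKCS12, key and certificate are in $WORK"
else
    echo "keytool and/or openssl not found; set KEYTOOL and OPENSSL to their full paths" >&2
fi
```

Run it with sh on a scratch machine; it leaves the KeyStore, the PKCS12 file, the key and the certificate in the work directory it prints, so each file can be compared with what the real procedure produces. After the real restart, copy your CA's chain to $WORK/ca-chain.cert.pem and run live_check <bdssa host name> 9443 to confirm that the listener presents a chain that verifies against that CA.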
To configure Cognos to support CA certificates
- Create certificate signing request (CSR) files for the signing keys and encryption keys from the IBM® Cognos® keystores. Do the following:
- Generate the SignRequest.csr and encryptRequest.csr files. Use the following commands:
(Windows)
<bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword>
<bdssaInstallDir>\portal\bin\ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword>
(Linux)
<bdssaInstallDir>/portal/bin/ThirdPartyCertificateTool.sh -c -s -d "CN=SignCert,O=BMC SOFTWARE,C=CA" -r SignRequest.csr -p <newPassword>
<bdssaInstallDir>/portal/bin/ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=BMC SOFTWARE,C=CA" -r encryptRequest.csr -p <newPassword>
The default password of the IBM Cognos keystores is NoPassWordSet. If you do not want to change it, use that default in the above commands instead of <newPassword>; because the default is publicly documented, choosing a new password is recommended. For information about the ThirdPartyCertificateTool used in this step, see ThirdPartyCertificateTool commands.
- Send the SignRequest.csr and encryptRequest.csr files to a CA for signing.
Ensure that the CA returns the following signed certificate files in the PEM (Base-64 encoded ASCII) format:
- the signing-key certificate issued for SignRequest.csr
- the encryption-key certificate issued for encryptRequest.csr
- the CA certificate
For more information about the steps, see Create certificate signing request files.
- Import the CA certificates into IBM Cognos components. For information about the steps, see Import the CA certificates into IBM Cognos components.
- Configure IBM Cognos BI Components to use certificates generated by your CA. For information about the steps, see Configure IBM Cognos BI Components to use certificates generated by your CA.
- To verify that the configuration was successful, log in to the reports portal and ensure that it is populated with data.
Reference documentation
For information about using certificates for Authentication Services, see Using certificates to secure communication between clients and Application Servers in the TrueSight Server Automation documentation.