Configuring access to the BMC Digital Workplace Catalog server over SSL

To improve the security of your BMC Digital Workplace Catalog network communications, you can configure server authentication and encryption via the secure socket layer (SSL). Before you implement any security method, you should consult your organization's IT security team to select the required level of encryption to suit your business.

Before you begin

For a high availability deployment, first perform the tasks described in Configuring-BMC-Digital-Workplace-Catalog-for-high-availability.

SSL configuration options

Use one of the following methods to enable SSL encryption for BMC Digital Workplace Catalog access:

Method	Description	Reference
Configure SSL at the load balancer	When configuring SSL at the load balancer, only the network traffic to the load balancer is encrypted. The load balancer handles all communication to and fromBMC Digital Workplace without encryption. Network traffic to and from the load balancer are sent using the https protocol, and traffic from the load balancer the application servers is sent using the unencrypted http protocol. This method assumes that all communication after the load balancer is behind a firewall, so encryption is not necessary. Note: If this is a high availability deployment, you should offload the SSL configuration to the load balancer layer, instead of configuring SSL on individual nodes.	To configure SSL at the load balancer
Configure applications to encrypt using native SSL	When configuring SSL natively on all application servers, you must adapt the settings on each server to allow, and even enforce, encrypted https connections throughout the entire chain.	To modify web servers to use native SSL

To configure SSL at the load balancer

Configuring SSL at the load balancer requires the following steps:

To create the virtual server and SSL certificate
To establish a trust relationship between BMC Digital Workplace and
To test over HTTPS/SSL
To test the BMC Digital Workplace connection to over HTTPS/SSL

To create the virtual server and SSL certificate

Using a load balancer such as F5, create a virtual server, and configure it to use HTTPS.
You will set up access to the BMC Digital Workplace Catalog through the virtual server.
In a web browser, open the BMC Digital Workplace Catalog URL using the HTTPS protocol.
In the left side of the browser location bar, click the HTTPS alert.
Click View Certificate.
Click Export.
Save the certificate locally.

To establish a trust relationship between BMC Digital Workplace and BMC Digital Workplace Catalog

Copy the certificate to a location on the BMC Digital Workplace server.
Import the certificate using the Java keytool.exe.
For example, if you saved the certificate as c:\SBCertforMyIT.crt, enter the following on the command line of the BMC Digital Workplace server:
Windows command line
C:\Program Files\Java\jre1.8.0_91\bin>keytool.exe -importcert -alias sbcert -keystore "C:\Program Files\Java\jre1.8.0_91\lib\security\cacerts" -file c:\SBCertforMyIT.crt
Note: The default keystore password is changeit.
By importing the BMC Digital Workplace Catalog certificate into the BMC Digital Workplace server, you establish trust between BMC Digital Workplace and BMC Digital Workplace Catalog over SSL.
Log in to the BMC Digital Workplace Admin.
Go to More > Configuration > Enhanced Catalog.
Change to the SSL version of the BMC Digital Workplace Catalog URL.
For example, replace http://dwpcatalog-example.com:8008/api/myit-sb/ with https://dwpcatalog-example.com:8008/api/myit-sb/

To test BMC Digital Workplace Catalog over HTTPS/SSL

Log in to the BMC Digital Workplace Catalog using the HTTPS URL.
Windows command line
https://<dwp_server.com:8008>/myitsbe/
Perform common actions to test that BMC Digital Workplace Catalog works as expected, such as create and publish a new service.

To test the BMC Digital Workplace connection to BMC Digital Workplace Catalog over HTTPS/SSL

Log into the BMC Digital Workplace Admin. The administrator account must also have the permissions to manage the BMC Digital Workplace Catalog.
Go to Service Requests > Catalog > Catalog Sections.
Add a new catalog section.
Under Item categories, you should be able to see a folder of BMC Digital Workplace Catalog items that contains the services you published.

To modify web servers to use native SSL

To modify web servers to use native SSL, perform the following steps:

To import the SSL certificate into the Java keystore
To secure the keystore
To configure native SSL on the server

To import the SSL certificate into the Java keystore

Note

In both of the following examples, the alias must be named jetty.

If you have an existing Java keystore, import the signed primary certificate into the Java keystore:
keytool -import -trustcacerts -alias jetty -file mydomain.crt -keystore keystore

If you do not have a certificate, create a new keystore by using a new password to secure the certificate:
keytool -keystore keystore -alias jetty -genkey -keyalg RSA

To secure the keystore

After the keystore has been created, you must provide six parameters that form a distinguished name for a certificate associated with the key:
- CN—Common Name of the certificate owner (usually the name of the host)
- OU—Organizational Unit of the certificate owner
- O—Organization to which the certificate owner belongs
- L—Locality name of the certificate owner
- ST—State or province of the certificate owner
- C—Country of the certificate owner
Note: The keystore file is created in the current directory of the command window.
Obfuscate the SSL connector keystore password to enforce security.
For more information, see Obfuscating the password.
Update the <installLocation>/jetty/etc/jetty-http.xml file with the sslContextFactory configurations. Remove the comment from the following configuration blocks if they are present in the file.
<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
   <Call name="addCustomizer">
       <Arg>
           <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
       </Arg>
   </Call>
</New>

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
   <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
   <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
   <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
   <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
   <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
   <Set name="IncludeCipherSuites">
       <Array type="String">
           <Item>TLS_DHE_RSA.*</Item>
           <Item>TLS_ECDHE.*</Item>
       </Array>
   </Set>
   <Set name="ExcludeCipherSuites">
       <Array type="String">
           <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
           <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
           <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
           <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
           <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
           <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
           <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
           <Item>.*NULL.*</Item>
           <Item>.*RC4.*</Item>
           <Item>.*MD5.*</Item>
           <Item>.*DES.*</Item>
           <Item>.*DSS.*</Item>
           <Item>.*_DHE_RSA_.*</Item>
       </Array>
   </Set>
   <Set name="ExcludeProtocols">
       <Array type="java.lang.String">
           <Item>SSL</Item>
           <Item>SSLv2</Item>
           <Item>SSLv2Hello</Item>
           <Item>SSLv3</Item>
       </Array>
   </Set>
</New>
<New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
   <Arg name="sslContextFactory">
       <Ref refid="sslContextFactory" />
   </Arg>
   <Arg name="next">http/1.1</Arg>
</New>
<New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
   <Arg name="server"><Ref refid="Server" /></Arg>
   <Arg name="factories">
       <Array type="org.eclipse.jetty.server.ConnectionFactory">
           <Item><Ref refid="sslConnectionFactory" /></Item>
           <Item>
               <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                   <Arg name="config"><Ref refid="httpsConfig" /></Arg>
               </New>
           </Item>
       </Array>
   </Arg>
   <Set name="port">8443</Set>
</New>
<Call name="setConnectors">
   <Arg>
       <Array type="org.eclipse.jetty.server.ServerConnector">
           <Item>
               <Ref refid="sslConnector" />
           </Item>
       </Array>
   </Arg>
</Call>
Validate the xml file by running the following command:
xmllint --noout jetty-http.xml
If there are xml errors, they will be highlighted. If the xml file is valid, no output will be returned.

To configure native SSL on the BMC Digital Workplace Catalog server

On the BMC Digital Workplace Catalog server, open <installLocation>/sb/env/set_script_variables.sh
Change the following parameters to reflect the https url and port.
Replace the <DWP-server> references with your server specific entries:
export UISERVICE_URL=https://<DWP-server-name>:8443/api/myit-sb/ui
export RX_SERVER=https://<DWP-server-fqdn.com>:8443
Add the following parameters
export CONNECTOR_BASE_URL=https://<DWP-server-name>:8443
export CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true
Open <installLocation>/sb/rxscripts/bin/setenv.sh
Change the parameters in the following block:
export rx_host=localhost
export rx_url_scheme=http
export rx_port=8008
export rx_trace="--trace-ascii ./trace.log"
to the following:
export rx_host=clm-aus-013781.bmc.com
# enter the actual server name here

export rx_url_scheme=https
export rx_port=8443
export rx_trace="-k --trace-ascii ./trace.log"
# unset rx_trace
Note
The unset rx_trace parameter must be commented out.
Restart the BMC Digital Workplace Catalog server as in Starting-and-stopping-the-BMC-Digital-Workplace-Catalog-server.

Troubleshooting SSL issues

If after making changes to move to SSL, there are issues with the SLL configuration, there will be the following error on startup:

"Your login failed. Please check your username and password."

To troubleshoot SSL issues

Add the following line to /bin/arserverd.conf:
#jvm.option

jvm.option.XX=-Djavax.net.debug=ssl
#XX is the "+1" value to an existing jvm.option with the biggest number. and place it after that line.
Restart the BMC Digital Workplace Catalogserver.
Review the arerror.log for any SLL issues.

To fix user synchronization issues

If you encounter any user sync errors in the arerror.log, perform the following steps:

Open to edit the following script:/artools/user_group_sync.sh
Replace the following line:
/usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/"-Dtenant_admin_user="$sb_user"-Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled"
With the following line:
/usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/" -Dtenant_admin_user="$sb_user" -Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled" -Djavax.net.ssl.trustStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=password com.bmc.myservice.tools.etl.Main
Save the changes.

Where to go from here

Complete the remaining procedures in Configuring-after-installation-of-BMC-Digital-Workplace-Catalog that are required for your deployment scenario.