This documentation supports the 18.02 version of BMC Digital Workplace. To view the latest version, select the version from the Product version menu.

Configuring access to the BMC Digital Workplace Catalog server over SSL

To improve the security of your BMC Digital Workplace Catalog network communications, you can configure server authentication and encryption via the Secure Sockets Layer (SSL). Before you implement any security method, consult your organization's IT security team to select the level of encryption required for your business.

Before you begin

For a high availability deployment, first perform the tasks described in Configuring BMC Digital Workplace Catalog for high availability.

SSL configuration options

Use one of the following methods to enable SSL encryption for BMC Digital Workplace Catalog access:

Method: Configure SSL at the load balancer
Description: When configuring SSL at the load balancer, only the network traffic to the load balancer is encrypted. The load balancer handles all communication to and from BMC Digital Workplace without encryption. Network traffic to and from the load balancer is sent using the https protocol, and traffic from the load balancer to the application servers is sent using the unencrypted http protocol. This method assumes that all communication after the load balancer is behind a firewall, so encryption is not necessary.
  Note: If this is a high availability deployment, you should offload the SSL configuration to the load balancer layer instead of configuring SSL on individual nodes.
Reference: To configure SSL at the load balancer

Method: Configure applications to encrypt using native SSL
Description: When configuring SSL natively on all application servers, you must adapt the settings on each server to allow, and even enforce, encrypted https connections throughout the entire chain.
Reference: To modify web servers to use native SSL

To configure SSL at the load balancer

Configuring SSL at the load balancer requires the following steps:

To create the virtual server and SSL certificate

  1. Using a load balancer such as F5, create a virtual server, and configure it to use HTTPS.
    You will set up access to the BMC Digital Workplace Catalog through the virtual server.
  2. In a web browser, open the BMC Digital Workplace Catalog URL using the HTTPS protocol.
  3. In the left side of the browser location bar, click the HTTPS alert.
  4. Click View Certificate.
  5. Click Export.
  6. Save the certificate locally.

To establish a trust relationship between BMC Digital Workplace and BMC Digital Workplace Catalog

  1. Copy the certificate to a location on the BMC Digital Workplace server.
  2. Import the certificate using the Java keytool.exe.

    For example, if you saved the certificate as c:\SBCertforMyIT.crt, enter the following on the command line of the BMC Digital Workplace server:

    Windows command line
    C:\Program Files\Java\jre1.8.0_91\bin>keytool.exe -importcert -alias sbcert -keystore "C:\Program Files\Java\jre1.8.0_91\lib\security\cacerts" -file c:\SBCertforMyIT.crt

    Note: The default keystore password is changeit.

    By importing the BMC Digital Workplace Catalog certificate into the BMC Digital Workplace server, you establish trust between BMC Digital Workplace and BMC Digital Workplace Catalog over SSL.

  3. Log in to the BMC Digital Workplace Admin.
  4. Go to More > Configuration > Enhanced Catalog.
  5. Change to the SSL version of the BMC Digital Workplace Catalog URL.

    For example, replace http://dwpcatalog-example.com:8008/api/myit-sb/ with https://dwpcatalog-example.com:8008/api/myit-sb/

To test BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Catalog using the HTTPS URL.

    https://<dwp_server.com:8008>/myitsbe/
  2. Perform common actions to test that BMC Digital Workplace Catalog works as expected, such as create and publish a new service.

To test the BMC Digital Workplace connection to BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Admin. The administrator account must also have the permissions to manage the BMC Digital Workplace Catalog.

  2. Go to Service Requests > Catalog > Catalog Sections.
  3. Add a new catalog section.
  4. Under Item categories, you should be able to see a folder of BMC Digital Workplace Catalog items that contains the services you published.

To modify web servers to use native SSL

To modify web servers to use native SSL, perform the following steps:

To import the SSL certificate into the Java keystore

Note

In both of the following examples, the alias must be named jetty.

  • If you have an existing Java keystore, import the signed primary certificate into the Java keystore:

    keytool -import -trustcacerts -alias jetty -file mydomain.crt -keystore keystore
  • If you do not have a certificate, create a new keystore by using a new password to secure the certificate:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

To secure the keystore

  1. When keytool creates the keystore, it prompts you for six parameters that form the distinguished name of the certificate associated with the key:

    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner
    Note: The keystore file is created in the current directory of the command window.
  2. Obfuscate the SSL connector keystore password so that it is not stored in clear text in the configuration file.
    For more information, see Obfuscating the password .
  3. Update the <installLocation>/jetty/etc/jetty-http.xml file with the sslContextFactory configurations. Remove the comment from the following configuration blocks if they are present in the file.

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
            </Arg>
        </Call>
    </New>
     
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
        <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
        <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="IncludeCipherSuites">
            <Array type="String">
                <Item>TLS_DHE_RSA.*</Item>
                <Item>TLS_ECDHE.*</Item>
            </Array>
        </Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>.*NULL.*</Item>
                <Item>.*RC4.*</Item>
                <Item>.*MD5.*</Item>
                <Item>.*DES.*</Item>
                <Item>.*DSS.*</Item>
                <Item>.*_DHE_RSA_.*</Item>
            </Array>
        </Set>
        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSL</Item>
                <Item>SSLv2</Item>
                <Item>SSLv2Hello</Item>
                <Item>SSLv3</Item>
            </Array>
        </Set>
    </New>
    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="sslContextFactory">
            <Ref refid="sslContextFactory" />
        </Arg>
        <Arg name="next">http/1.1</Arg>
    </New>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item><Ref refid="sslConnectionFactory" /></Item>
                <Item>
                    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                        <Arg name="config"><Ref refid="httpsConfig" /></Arg>
                    </New>
                </Item>
            </Array>
        </Arg>
        <Set name="port">8443</Set>
    </New>
    <Call name="setConnectors">
        <Arg>
            <Array type="org.eclipse.jetty.server.ServerConnector">
                <Item>
                    <Ref refid="sslConnector" />
                </Item>
            </Array>
        </Arg>
    </Call>
  4. Validate the XML file by running the following command:

    xmllint --noout jetty-http.xml

    If there are XML errors, xmllint reports them. If the file is valid, the command returns no output.
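
Step 2 above obfuscates the keystore password, and the sslContextFactory block stores the result as OBF: values. The following is an added example, not BMC's or Jetty's own code: a Python re-implementation of Jetty's OBF: encoding (after org.eclipse.jetty.util.security.Password) plus a small audit of a jetty-http.xml fragment. It shows that OBF: is reversible without any key, so the file permissions on jetty-http.xml are what actually protect the password; the sample OBF: value on this page decodes to "password".

```python
# Added example (not BMC's or Jetty's code): Jetty's OBF: password encoding, after
# org.eclipse.jetty.util.security.Password. OBF: is keyless and reversible, so it
# hides the password from a casual glance, not from anyone who can read the file.
import xml.etree.ElementTree as ET

def _base36(n: int) -> str:
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"

def obfuscate(password: str) -> str:
    """Produce the OBF: string for a password (same output as Jetty's tool)."""
    b = password.encode("utf-8")
    out = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]          # each byte is mixed with its mirror
        if b1 >= 0x80 or b2 >= 0x80:      # non-ASCII: 'U' + 4 base-36 digits
            x = _base36(b1 * 256 + b2)
            out.append("U0000"[: 5 - len(x)] + x)
        else:                             # ASCII: (127+sum)*256 + (127+diff)
            x = _base36((127 + b1 + b2) * 256 + (127 + b1 - b2))
            out.append("000"[: 4 - len(x)] + x)
    return "".join(out)

def deobfuscate(obf: str) -> str:
    """Invert obfuscate(); no key is needed, which is the caveat."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":                   # non-ASCII chunk, 5 chars wide
            i += 1
            raw.append(int(s[i:i + 4], 36) >> 8)
        else:                             # ASCII chunk, 4 chars wide
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)
        i += 4
    return raw.decode("utf-8")

def audit_jetty_passwords(fragment: str) -> dict:
    """Map every <Set name="...Password"> in a jetty-http.xml fragment to
    'obfuscated' or 'plaintext'; the fragment is wrapped in a dummy root
    because the snippet has several top-level <New> elements."""
    root = ET.fromstring("<root>" + fragment + "</root>")
    return {el.get("name"): ("obfuscated" if (el.text or "").strip().startswith("OBF:")
                             else "plaintext")
            for el in root.iter("Set") if el.get("name", "").endswith("Password")}
```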

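The IncludeCipherSuites and ExcludeCipherSuites lists in the sslContextFactory block interact: Jetty applies the include patterns first, then the exclude patterns, and matches every pattern against the whole suite name. The following is an added example, not BMC's or Jetty's code, that reproduces that selection in Python over a constructed list of JDK suite names. It shows that the ".*_DHE_RSA_.*" exclude cancels the "TLS_DHE_RSA.*" include and that ".*DES.*" also removes 3DES suites, so only ECDHE suites survive this configuration.

```python
# Added example (not BMC's or Jetty's code): applies Jetty's SslContextFactory
# selection rules to a constructed list of suite names so the effect of the
# IncludeCipherSuites / ExcludeCipherSuites blocks can be checked offline.
# Rules as Jetty applies them: patterns are full-match regexes, a non-empty
# include list selects from the JVM's supported suites in pattern order, and
# excludes run afterwards, so an exclude pattern always beats an include.
import re

INCLUDE = ["TLS_DHE_RSA.*", "TLS_ECDHE.*"]           # from jetty-http.xml above
EXCLUDE = [
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    ".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*", ".*_DHE_RSA_.*",
]

# Constructed sample standing in for the JVM's supported suite list.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]

def excluded_by(suite, exclude=EXCLUDE):
    """Return the first exclude pattern that matches the suite, or None."""
    return next((p for p in exclude if re.fullmatch(p, suite)), None)

def select_cipher_suites(supported=SUPPORTED, include=INCLUDE, exclude=EXCLUDE):
    """Return the suites Jetty would enable, in include-pattern order."""
    if include:
        selected = []
        for pat in include:
            selected += [s for s in supported
                         if re.fullmatch(pat, s) and s not in selected]
    else:
        selected = list(supported)
    return [s for s in selected if excluded_by(s, exclude) is None]

def dropped_after_include(supported=SUPPORTED, include=INCLUDE, exclude=EXCLUDE):
    """Suites an include pattern admitted but an exclude then removed, with
    the responsible pattern: the DHE_RSA include is cancelled this way."""
    admitted = select_cipher_suites(supported, include, [])
    return {s: excluded_by(s, exclude) for s in admitted if excluded_by(s, exclude)}
```
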
To configure native SSL on the BMC Digital Workplace Catalog server

  1. On the BMC Digital Workplace Catalog server, open <installLocation>/sb/env/set_script_variables.sh.
  2. Change the following parameters to reflect the HTTPS URL and port.
    Replace the <DWP-server> references with your server-specific entries:

    export UISERVICE_URL=https://<DWP-server-name>:8443/api/myit-sb/ui
    export RX_SERVER=https://<DWP-server-fqdn.com>:8443
  3. Add the following parameters:

    export CONNECTOR_BASE_URL=https://<DWP-server-name>:8443
    export CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true
  4. Open <installLocation>/sb/rxscripts/bin/setenv.sh
  5. Change the parameters in the following block:

    export rx_host=localhost
    export rx_url_scheme=http
    export rx_port=8008
    export rx_trace="--trace-ascii ./trace.log"

    to the following:

    export rx_host=clm-aus-013781.bmc.com
    # enter the actual server name here
    export rx_url_scheme=https
    export rx_port=8443
    export rx_trace="-k --trace-ascii ./trace.log"
    # unset rx_trace

    Note

    The unset rx_trace parameter must be commented out.

  6. Restart the BMC Digital Workplace Catalog server as in Starting and stopping the BMC Digital Workplace Catalog server.

Troubleshooting SSL issues

If there are problems with the SSL configuration after you move to SSL, the following error appears on startup:

"Your login failed. Please check your username and password."

To troubleshoot SSL issues

  1. Add the following line to /bin/arserverd.conf:

    jvm.option.XX=-Djavax.net.debug=ssl

    Here XX is one more than the number of the existing jvm.option entry with the highest number; place the new line directly after that entry.
  2. Restart the BMC Digital Workplace Catalog server.

  3. Review the arerror.log for any SSL issues.

To fix user synchronization issues

If you encounter any user sync errors in the arerror.log, perform the following steps:

  1. Open the following script for editing: /artools/user_group_sync.sh
  2. Replace the following line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/"-Dtenant_admin_user="$sb_user"-Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled"

    With the following line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/" -Dtenant_admin_user="$sb_user" -Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled" -Djavax.net.ssl.trustStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=password com.bmc.myservice.tools.etl.Main
  3. Save the changes.

Where to go from here

Complete the remaining procedures in Configuring after installation of BMC Digital Workplace Catalog that are required for your deployment scenario.


Comments

  1. Foued Ben hadj ali

    Hi, Is SSL offloading supported in case MyIT is integrated with RSSO ? Thanks

    Nov 05, 2018 03:05
    1. Olga Kutetska

      Hello!

      The subject matter expert confirmed that SSL offloading is supported.

      Nov 06, 2018 03:05
  2. Olga Kutetska

    Hello!

    I have readdressed this question to a subject matter expert who can help answering this question. I will keep you updated.

    Nov 05, 2018 08:47
  3. Stefan Telley

    Be careful if you have to use Port 443 as SSL Port. By default this Port is only available for the root User on Linux Environments!!!

    You can install authbind to make the Port available for non-root Users. But after that you have to start the Catalog with this command:

    /usr/bin/authbind --deep /opt/bmc/digitalworkplace/dwpcontroller start -u dwpadmin -p

    Sure there are other possibilities, but this works well for us on RedHat and CentOS.

    Apr 02, 2019 02:55
  4. Stefan Telley

    Hi … what you mean with "even enforce, encrypted https connections throughout the entire chain"?? Is it meaning, that if you enable SSL, then you can only communicate with SSL ? I mean if you enable the second part in Jetty-http.xml file, then http Port 8008 is not available anymore!!

    Means … either you communicate with all the Components which sit on the Jetty Server with SSL or NOT... Mixing is not possible.... What about Gibraltar? I know in this Version Gibraltar is not active… but what about if SSL is enable? Could we just ignore Gibraltar?

    Apr 15, 2019 06:48
    1. Ravee Panjwani

      Thanks for your comment, Stefan.

      Your assumption on the first point is correct: if you enable SSL, then you can only communicate with SSL.

      And yes, please ignore Gibraltar. We have an internal defect (DRMY1-15237) to remove the same.

      Thanks,
      Ravee

      Apr 17, 2019 06:39
  5. Hellyson Lima

    Hello... I didn't understand why "jetty-http.xml" set "KeyStorePath" and "TrustStorePath" as the digitalworkplace path. The "TrustStorePath" should not point to the cacerts folder of java while the KeyStorePath point to the jks file?

    Jun 25, 2019 02:07
    1. Lisa Greene

      I checked with our Dev and QA folks, and the reason the sample xml script uses the installer path is because the keystore file resides in that directory (/opt/bmc/digitalworkplace/certs/keystore). Ideally, wherever the keystore file is located, it should point to that directory. Additionally, the keystore path and truststore path should point to the same keystore file.

      Jun 27, 2019 05:32
      1. Hellyson Lima

        I'm still a little bit confused. In the step to import the certificate, there is the procedure to create the keystore; when I ran the command in my environment, it created the file "keystore", without the extension ".jks". I ran this command in a specific server folder (/opt/bmc/digitalworkplace/custom). After creating it, I imported the certificate into the same folder, but it generated another file "keystore", but with the extension ".jks". In this case, what would you put in the "KeyStorePath" tag in jetty-http.xml: Option 1: /opt/bmc/digitalworkplace/custom/keystore Option 2: /opt/bmc/digitalworkplace/custom/keystore.jks Option 3: /opt/bmc/digitalworkplace/custom

        Another point, about "TrustStorePath": it was not clear what I need to do. Is it to create another keystore and import the same certificate?

        Jul 16, 2019 07:47
        1. Lisa Greene

          Hello Hellyson,

          I'm checking with my subject-matter experts. I'll respond as soon as I have an answer. Thanks for your patience!

          Lisa

          Jul 16, 2019 02:01
        1. Lisa Greene

          Hello Hellyson. 

          Only one of the commands needs to be run, depending on whether you have an existing keystore. Running both commands might have confused things.

          The reason the command created a .jks file during the certificate import is because the command includes keystore.jks. Since the keystore.jks is updated with the certificate, use the keystore.jks in jetty-http.xml.

          To try to avoid this confusion, I removed .jks from the first command, so it is now as follows:

          keytool -import -trustcacerts -alias jetty -file mydomain.crt -keystore keystore

          I hope this helps.

          Lisa

          Jul 18, 2019 11:47