
Configuring access to the BMC Digital Workplace Catalog server over SSL


To improve the security of your BMC Digital Workplace Catalog network communications, you can configure server authentication and encryption via the secure socket layer (SSL). Before you implement any security method, you should consult your organization's IT security team to select the required level of encryption to suit your business.

Before you begin

For a high availability deployment, first perform the tasks described in Configuring-BMC-Digital-Workplace-Catalog-for-high-availability.

SSL configuration options

Use one of the following methods to enable SSL encryption for BMC Digital Workplace Catalog access:

Method: Configure SSL at the load balancer

Description: When configuring SSL at the load balancer, only the network traffic to the load balancer is encrypted. The load balancer handles all communication to and from BMC Digital Workplace without encryption. Network traffic to and from the load balancer is sent using the HTTPS protocol, and traffic from the load balancer to the application servers is sent using the unencrypted HTTP protocol. This method assumes that all communication after the load balancer is behind a firewall, so encryption is not necessary.

Note: If this is a high availability deployment, you should offload the SSL configuration to the load balancer layer, instead of configuring SSL on individual nodes.

Reference: To configure SSL at the load balancer (below)

Method: Configure applications to encrypt using native SSL

Description: When configuring SSL natively on all application servers, you must adapt the settings on each server to allow, and even enforce, encrypted HTTPS connections throughout the entire chain.

Reference: To modify web servers to use native SSL (below)

To configure SSL at the load balancer

Configuring SSL at the load balancer requires the following steps:

To create the virtual server and SSL certificate

  1. Using a load balancer such as F5, create a virtual server, and configure it to use HTTPS.
    You will set up access to the BMC Digital Workplace Catalog through the virtual server.
  2. In a web browser, open the BMC Digital Workplace Catalog URL using the HTTPS protocol.
  3. In the left side of the browser location bar, click the HTTPS alert.
  4. Click View Certificate.
  5. Click Export.
  6. Save the certificate locally.

To establish a trust relationship between BMC Digital Workplace and BMC Digital Workplace Catalog

  1. Copy the certificate to a location on the BMC Digital Workplace server.
  2. Import the certificate using the Java keytool.exe.

    For example, if you saved the certificate as c:\SBCertforMyIT.crt, enter the following on the command line of the BMC Digital Workplace server:

    Windows command line
    C:\Program Files\Java\jre1.8.0_91\bin>keytool.exe -importcert -alias sbcert -keystore "C:\Program Files\Java\jre1.8.0_91\lib\security\cacerts" -file c:\SBCertforMyIT.crt

    Note: The default keystore password is changeit.

    By importing the BMC Digital Workplace Catalog certificate into the BMC Digital Workplace server, you establish trust between BMC Digital Workplace and BMC Digital Workplace Catalog over SSL.

  3. Log in to the BMC Digital Workplace Admin.
  4. Go to More > Configuration > Enhanced Catalog.
  5. Change to the SSL version of the BMC Digital Workplace Catalog URL.

    For example, replace http://dwpcatalog-example.com:8008/api/myit-sb/ with https://dwpcatalog-example.com:8008/api/myit-sb/

To test BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Catalog using the HTTPS URL.

    URL
    https://<dwp_server.com>:8008/myitsbe/
  2. Perform common actions to test that BMC Digital Workplace Catalog works as expected, such as creating and publishing a new service.

To test the BMC Digital Workplace connection to BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Admin. The administrator account must also have the permissions to manage the BMC Digital Workplace Catalog.
  2. Go to Service Requests > Catalog > Catalog Sections.
  3. Add a new catalog section.
  4. Under Item categories, you should be able to see a folder of BMC Digital Workplace Catalog items that contains the services you published.

To modify web servers to use native SSL

To modify web servers to use native SSL, perform the following steps:

To import the SSL certificate into the Java keystore

Note: In both of the following examples, the alias must be named jetty.

  • If you have an existing Java keystore, import the signed primary certificate into the Java keystore:

    keytool -import -trustcacerts -alias jetty -file mydomain.crt -keystore keystore
  • If you do not have a certificate, create a new keystore by using a new password to secure the certificate:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

To secure the keystore

  1. When the keystore is created, keytool prompts you for six values that together form the distinguished name of the certificate associated with the key:

    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner

    Note: The keystore file is created in the current directory of the command window.

  2. Obfuscate the SSL connector keystore password to enforce security.
    For more information, see Obfuscating the password.

  3. Update the <installLocation>/jetty/etc/jetty-http.xml file with the sslContextFactory configuration. If the following configuration blocks are present in the file but commented out, remove the comment markers around them.

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
       <Call name="addCustomizer">
           <Arg>
               <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
           </Arg>
       </Call>
    </New>

    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
       <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
       <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
       <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
       <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
       <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
       <Set name="IncludeCipherSuites">
           <Array type="String">
               <Item>TLS_DHE_RSA.*</Item>
               <Item>TLS_ECDHE.*</Item>
           </Array>
       </Set>
       <Set name="ExcludeCipherSuites">
           <Array type="String">
               <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
               <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
               <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
               <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
               <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
               <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
               <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
               <Item>.*NULL.*</Item>
               <Item>.*RC4.*</Item>
               <Item>.*MD5.*</Item>
               <Item>.*DES.*</Item>
               <Item>.*DSS.*</Item>
               <Item>.*_DHE_RSA_.*</Item>
           </Array>
       </Set>
       <Set name="ExcludeProtocols">
           <Array type="java.lang.String">
               <Item>SSL</Item>
               <Item>SSLv2</Item>
               <Item>SSLv2Hello</Item>
               <Item>SSLv3</Item>
           </Array>
       </Set>
    </New>
    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
       <Arg name="sslContextFactory">
           <Ref refid="sslContextFactory" />
       </Arg>
       <Arg name="next">http/1.1</Arg>
    </New>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
       <Arg name="server"><Ref refid="Server" /></Arg>
       <Arg name="factories">
           <Array type="org.eclipse.jetty.server.ConnectionFactory">
               <Item><Ref refid="sslConnectionFactory" /></Item>
               <Item>
                   <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                       <Arg name="config"><Ref refid="httpsConfig" /></Arg>
                   </New>
               </Item>
           </Array>
       </Arg>
       <Set name="port">8443</Set>
    </New>
    <Call name="setConnectors">
       <Arg>
           <Array type="org.eclipse.jetty.server.ServerConnector">
               <Item>
                   <Ref refid="sslConnector" />
               </Item>
           </Array>
       </Arg>
    </Call>
  4. Validate the XML file by running the following command:

    xmllint --noout jetty-http.xml

    If the file contains XML errors, xmllint reports them. If the file is well-formed, the command returns no output.
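The xmllint check above only proves the file is well-formed; it says nothing about which cipher suites and protocols the sslContextFactory settings actually leave enabled. The following Python script is an added example (not BMC's or Jetty's code) that reads the sslContextFactory block, either from the whole jetty-http.xml file or from an excerpt, and models how Jetty's SslContextFactory applies the lists as I understand its behaviour: IncludeCipherSuites and ExcludeCipherSuites are Java regular expressions matched against the full suite name, IncludeProtocols and ExcludeProtocols are exact names, and the exclude list is applied after the include list, so an exclude always wins. The XML excerpt and the list of "supported" suite and protocol names below are constructed samples; run the script against your own file and the suite list your JVM reports. Note that with the settings on this page the exclude pattern `.*_DHE_RSA_.*` removes every suite that the include pattern `TLS_DHE_RSA.*` admits, so only the ECDHE suites remain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the sslContextFactory block (sample, not a full jetty-http.xml).
JETTY_SSL_XML = """<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
   <Set name="IncludeCipherSuites">
       <Array type="String">
           <Item>TLS_DHE_RSA.*</Item>
           <Item>TLS_ECDHE.*</Item>
       </Array>
   </Set>
   <Set name="ExcludeCipherSuites">
       <Array type="String">
           <Item>.*NULL.*</Item>
           <Item>.*RC4.*</Item>
           <Item>.*MD5.*</Item>
           <Item>.*DES.*</Item>
           <Item>.*DSS.*</Item>
           <Item>.*_DHE_RSA_.*</Item>
       </Array>
   </Set>
   <Set name="ExcludeProtocols">
       <Array type="java.lang.String">
           <Item>SSL</Item>
           <Item>SSLv2</Item>
           <Item>SSLv2Hello</Item>
           <Item>SSLv3</Item>
       </Array>
   </Set>
</New>"""

# Constructed sample of names a JVM might report; replace with the real list from your JVM.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
]
SUPPORTED_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def is_well_formed(xml_text):
    """Same question xmllint --noout answers: does the text parse as XML at all?"""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def read_list(factory, name):
    """Return the <Item> strings under <Set name="..."> of the factory, or [] if absent."""
    node = factory.find(f"./Set[@name='{name}']")
    if node is None:
        return []
    return [item.text.strip() for item in node.iter("Item") if item.text]


def matches(pattern, name, regex):
    # Cipher suite lists are regexes matched against the whole name; protocol lists are exact names.
    return bool(re.fullmatch(pattern, name)) if regex else pattern == name


def select(supported, include, exclude, regex):
    """Include list (if any) picks names in include-list order; exclude list then removes names."""
    if include:
        selected = []
        for pattern in include:
            selected.extend(s for s in supported if matches(pattern, s, regex) and s not in selected)
    else:
        selected = list(supported)
    for pattern in exclude:
        selected = [s for s in selected if not matches(pattern, s, regex)]
    return selected


def effective_config(xml_text, suites=SUPPORTED_SUITES, protocols=SUPPORTED_PROTOCOLS):
    """Compute what the sslContextFactory settings leave enabled, given the JVM's supported names."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML, like xmllint would fail
    factory = root if root.get("id") == "sslContextFactory" else root.find(".//New[@id='sslContextFactory']")
    if factory is None:
        raise ValueError("no <New id=\"sslContextFactory\"> element found")
    return {
        "cipher_suites": select(suites, read_list(factory, "IncludeCipherSuites"),
                                read_list(factory, "ExcludeCipherSuites"), regex=True),
        "protocols": select(protocols, read_list(factory, "IncludeProtocols"),
                            read_list(factory, "ExcludeProtocols"), regex=False),
    }


if __name__ == "__main__":
    for key, values in effective_config(JETTY_SSL_XML).items():
        print(key, values)
```

For the constructed sample the script reports only the two ECDHE suites and TLSv1 through TLSv1.2; if the result is empty, the connector would start with nothing it can negotiate, which is worth knowing before the restart in the next procedure.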

To configure native SSL on the BMC Digital Workplace Catalog server

  1. On the BMC Digital Workplace Catalog server, open <installLocation>/sb/env/set_script_variables.sh.
  2. Change the following parameters to reflect the HTTPS URL and port.
    Replace the <DWP-server> placeholders with the entries for your server:

    export UISERVICE_URL=https://<DWP-server-name>:8443/api/myit-sb/ui
    export RX_SERVER=https://<DWP-server-fqdn.com>:8443
  3. Add the following parameters:

    export CONNECTOR_BASE_URL=https://<DWP-server-name>:8443
    export CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true
  4. Open <installLocation>/sb/rxscripts/bin/setenv.sh
  5. Change the parameters in the following block:

    export rx_host=localhost
    export rx_url_scheme=http
    export rx_port=8008
    export rx_trace="--trace-ascii ./trace.log"

    to the following:

    export rx_host=clm-aus-013781.bmc.com
    # enter the actual server name here    

    export rx_url_scheme=https
    export rx_port=8443
    export rx_trace="-k --trace-ascii ./trace.log"
    # unset rx_trace 

    Note

    The unset rx_trace parameter must be commented out.

  6. Restart the BMC Digital Workplace Catalog server as in Starting-and-stopping-the-BMC-Digital-Workplace-Catalog-server.
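Two of the values set in this procedure deserve a second look before the restart: CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true makes the connector accept any server certificate, and the -k option in rx_trace makes curl skip certificate verification, so neither side is checking who it talks to over the new HTTPS links. The following Python script is an added example, not BMC's code, that parses the export lines of set_script_variables.sh and setenv.sh and reports the consistency problems that cause login failures after the move (an http scheme left behind, an un-replaced <DWP-server> placeholder, a port or host that differs between RX_SERVER and rx_port/rx_host, an uncommented unset rx_trace) together with warnings for the two settings that disable certificate checking. The two file contents are constructed samples; point it at your real files.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed samples of the two files after the edits in this procedure (not from a real install).
SET_SCRIPT_VARIABLES = """
export UISERVICE_URL=https://dwp.example.internal:8443/api/myit-sb/ui
export RX_SERVER=https://dwp.example.internal:8443
export CONNECTOR_BASE_URL=https://dwp.example.internal:8443
export CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true
"""

SETENV = """
export rx_host=dwp.example.internal
export rx_url_scheme=https
export rx_port=8443
export rx_trace="-k --trace-ascii ./trace.log"
# unset rx_trace
"""

EXPORT_RE = re.compile(r'^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
ACTIVE_UNSET_RE = re.compile(r'^\s*unset\s+rx_trace\b', re.MULTILINE)
URL_VARS = ("UISERVICE_URL", "RX_SERVER", "CONNECTOR_BASE_URL")


def parse_exports(text):
    """Collect export VAR=value lines into a dict; values are unquoted the way a shell would."""
    env = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            name, raw = m.groups()
            env[name] = " ".join(shlex.split(raw))
    return env


def audit(script_vars_text, setenv_text):
    """Return (level, message) findings; an empty list means the SSL settings look consistent."""
    sv = parse_exports(script_vars_text)
    se = parse_exports(setenv_text)
    findings = []
    for var in URL_VARS:
        url = sv.get(var)
        if url is None:
            findings.append(("error", f"{var} missing"))
        elif "<" in url or ">" in url:
            findings.append(("error", f"{var} still contains a <placeholder>"))
        elif urlparse(url).scheme != "https":
            findings.append(("error", f"{var} not https"))
    if se.get("rx_url_scheme") != "https":
        findings.append(("error", "rx_url_scheme not https"))
    rx_server = urlparse(sv.get("RX_SERVER", ""))
    if rx_server.port and str(rx_server.port) != se.get("rx_port"):
        findings.append(("error", "rx_port differs from RX_SERVER port"))
    if rx_server.hostname and rx_server.hostname != se.get("rx_host", "").lower():
        findings.append(("warning", "rx_host differs from RX_SERVER host"))
    # Settings that disable certificate verification: allowed by the procedure, but worth knowing about.
    if sv.get("CONNECTOR_TRUST_ALL_SSL_CERTIFICATES", "").lower() == "true":
        findings.append(("warning", "CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true: connector accepts any certificate"))
    if "-k" in shlex.split(se.get("rx_trace", "")):
        findings.append(("warning", "rx_trace passes -k: curl skips certificate verification"))
    if ACTIVE_UNSET_RE.search(setenv_text):
        findings.append(("error", "unset rx_trace is active; comment it out"))
    return findings


if __name__ == "__main__":
    for level, message in audit(SET_SCRIPT_VARIABLES, SETENV):
        print(f"{level}: {message}")
```

On the constructed sample the script reports no errors and the two warnings; if it reports errors, fix them before restarting the server, because these are the mismatches that surface only as the login failure described under Troubleshooting SSL issues.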

Troubleshooting SSL issues

If there are problems with the SSL configuration after you move to SSL, the following error appears on startup:

"Your login failed. Please check your username and password."

To troubleshoot SSL issues

  1. Add the following line to /bin/arserverd.conf:

    #jvm.option

    jvm.option.XX=-Djavax.net.debug=ssl
    # Replace XX with the number one greater than the highest existing jvm.option number, and place this line directly after that option.
  2. Restart the BMC Digital Workplace Catalog server.
  3. Review the arerror.log for any SSL issues.

To fix user synchronization issues

If you encounter any user sync errors in the arerror.log, perform the following steps:

  1. Open the following script for editing: /artools/user_group_sync.sh
  2. Replace the following line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/"-Dtenant_admin_user="$sb_user"-Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled"

    With the following line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/" -Dtenant_admin_user="$sb_user" -Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled" -Djavax.net.ssl.trustStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=password com.bmc.myservice.tools.etl.Main
  3. Save the changes.

Where to go from here

Complete the remaining procedures in Configuring-after-installation-of-BMC-Digital-Workplace-Catalog that are required for your deployment scenario.

 
