This documentation supports the 19.05 version of BMC Digital Workplace Advanced.


Configuring access to the BMC Digital Workplace Catalog server over SSL

To improve the security of your BMC Digital Workplace Catalog network communications, you can configure server authentication and encryption via the secure socket layer (SSL). Before you implement any security method, you should consult your organization's IT security team to select the required level of encryption to suit your business.

Before you begin

For a high availability deployment, first perform the tasks described in Configuring BMC Digital Workplace Catalog for high availability.

SSL configuration options

Use one of the following methods to enable SSL encryption for BMC Digital Workplace Catalog access:

Method: Configure SSL at the load balancer

Description: When configuring SSL at the load balancer, only the network traffic to the load balancer is encrypted. The load balancer handles all communication to and from BMC Digital Workplace without encryption. Network traffic to and from the load balancer is sent using the https protocol, and traffic from the load balancer to the application servers is sent using the unencrypted http protocol. This method assumes that all communication after the load balancer is behind a firewall, so encryption is not necessary.

Note: If this is a high availability deployment, you should offload the SSL configuration to the load balancer layer, instead of configuring SSL on individual nodes.

Reference: To configure SSL at the load balancer

Method: Configure applications to encrypt using native SSL

Description: When configuring SSL natively on all application servers, you must adapt the settings on each server to allow, and even enforce, encrypted https connections throughout the entire chain.

Reference: To modify web servers to use native SSL

To configure SSL at the load balancer

Configuring SSL at the load balancer requires three steps:

To create the virtual server and SSL certificate

  1. Using a load balancer such as F5, create a virtual server, and configure it to use HTTPS.
    You will set up access to BMC Digital Workplace Catalog through the virtual server.
  2. In a web browser, open the BMC Digital Workplace Catalog URL by using the HTTPS protocol.
  3. On the left side of the browser location bar, click the HTTPS alert.
  4. Click View Certificate.
  5. Click Export, and save the certificate locally.

To establish a trust relationship between BMC Digital Workplace and BMC Digital Workplace Catalog

  1. Copy the certificate to a location on the BMC Digital Workplace server.
  2. Import the certificate using the Java keytool.exe.

    For example, if you saved the BMC Digital Workplace Catalog certificate as c:\SBCertforMyIT.crt, enter the following command on the command line of the BMC Digital Workplace server:

    Windows command line
    C:\Program Files\Java\jre1.8.0_91\bin>keytool.exe -importcert -alias sbcert -keystore "C:\Program Files\Java\jre1.8.0_91\lib\security\cacerts" -file c:\SBCertforMyIT.crt

    Note

    The default keystore password is changeit.

    By importing the BMC Digital Workplace Catalog certificate into the BMC Digital Workplace server, you establish trust between BMC Digital Workplace and BMC Digital Workplace Catalog over SSL.

  3. Log in to the BMC Digital Workplace Admin console.
  4. Go to Configuration > Enhanced Catalog.
  5. In the URL field, change the BMC Digital Workplace Catalog URL to the SSL version.

    For example, replace http://dwpcatalog-example.com:8008/api/myit-sb/ with https://dwpcatalog-example.com:8008/api/myit-sb/.

To test BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Catalog using the HTTPS URL.

    Windows command line
    https://<dwp_server.com:8008>/myitsbe/
  2. Perform common actions, such as creating and publishing a new service, to test that BMC Digital Workplace Catalog works as expected.

To test the BMC Digital Workplace connection to BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Admin console.
    The administrator account must also have the permissions to manage the BMC Digital Workplace Catalog.

  2. Go to Service Requests > Catalog > Catalog Sections.
  3. Add a new catalog section.
    Under Item categories, you should see a folder of BMC Digital Workplace Catalog items that contains the services you published.

To modify web servers to use native SSL

Perform the following steps to configure web servers to use SSL:

To import the SSL certificate into the Java keystore

Note

In both of the following examples, the alias must be named jetty.

  • If you have an existing Java keystore, import the signed primary certificate into the Java keystore:

    keytool -import -trustcacerts -alias jetty -file mydomain.crt -keystore keystore.jks 
  • If you do not have a certificate, create a new keystore by using a new password to secure the certificate:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

To secure the keystore

  1. After the keystore has been created, provide six parameters that form a distinguished name for a certificate associated with the key:

    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner

    Note

    The keystore file is created in the current directory of the command window.

  2. Obfuscate the SSL connector keystore password so that it does not appear in clear text in the configuration file.
    For more information, see "Obfuscating the password" in Configuring the REST API by using SSL certificates.

  3. Update the installLocation/jetty/etc/jetty-http.xml file with the sslContextFactory configuration. If the following configuration blocks are already present in the file but commented out, uncomment them.

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
            </Arg>
        </Call>
    </New>
     
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
        <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
        <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="IncludeCipherSuites">
            <Array type="String">
                <Item>TLS_DHE_RSA.*</Item>
                <Item>TLS_ECDHE.*</Item>
            </Array>
        </Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>.*NULL.*</Item>
                <Item>.*RC4.*</Item>
                <Item>.*MD5.*</Item>
                <Item>.*DES.*</Item>
                <Item>.*DSS.*</Item>
                <Item>.*_DHE_RSA_.*</Item>
            </Array>
        </Set>
        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSL</Item>
                <Item>SSLv2</Item>
                <Item>SSLv2Hello</Item>
                <Item>SSLv3</Item>
            </Array>
        </Set>
    </New>
    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="sslContextFactory">
            <Ref refid="sslContextFactory" />
        </Arg>
        <Arg name="next">http/1.1</Arg>
    </New>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item><Ref refid="sslConnectionFactory" /></Item>
                <Item>
                    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                        <Arg name="config"><Ref refid="httpsConfig" /></Arg>
                    </New>
                </Item>
            </Array>
        </Arg>
        <Set name="port">8443</Set>
    </New>
    <Call name="setConnectors">
        <Arg>
            <Array type="org.eclipse.jetty.server.ServerConnector">
                <Item>
                    <Ref refid="sslConnector" />
                </Item>
            </Array>
        </Arg>
    </Call>
  4. Validate the XML file by running the following command:

    xmllint --noout jetty-http.xml

    Any XML errors are reported. If the XML file is valid, no output is returned.
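As an added check that is not part of the BMC documentation: xmllint in step 4 only confirms that the file is well-formed, so this Python script parses the sslContextFactory block from jetty-http.xml and verifies the settings step 3 calls for (keystore and truststore paths set, passwords obfuscated with the OBF: prefix, the legacy SSL protocols excluded, an explicit cipher suite include list). The sample XML is constructed from the block above, wrapped in the Configure root element a jetty-http.xml file has.

```python
# Added example (not BMC's code): validate the sslContextFactory block of a
# jetty-http.xml beyond what `xmllint --noout` (well-formedness only) checks.
import xml.etree.ElementTree as ET

# Protocols the documented block lists under ExcludeProtocols.
REQUIRED_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"}


def _setting(factory, name):
    """Return the <Set name="..."> child of the factory, or None."""
    return factory.find(f"./Set[@name='{name}']")


def _items(factory, name):
    """Return the <Item> texts under a <Set name="..."><Array> setting."""
    node = _setting(factory, name)
    return [] if node is None else [i.text or "" for i in node.iter("Item")]


def check_ssl_context_factory(xml_text):
    """Return a list of findings; an empty list means the block passes."""
    root = ET.fromstring(xml_text)
    factory = root.find(".//New[@id='sslContextFactory']")
    if factory is None:
        return ['no <New id="sslContextFactory"> block found']
    findings = []
    for name in ("KeyStorePath", "TrustStorePath"):
        if _setting(factory, name) is None:
            findings.append(f"{name} is not set")
    for name in ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword"):
        node = _setting(factory, name)
        if node is None or not (node.text or "").startswith("OBF:"):
            findings.append(f"{name} is missing or not obfuscated (no OBF: prefix)")
    missing = REQUIRED_EXCLUDED_PROTOCOLS - set(_items(factory, "ExcludeProtocols"))
    if missing:
        findings.append("ExcludeProtocols lacks " + ", ".join(sorted(missing)))
    if not _items(factory, "IncludeCipherSuites"):
        findings.append("IncludeCipherSuites is empty")
    return findings


# Constructed sample: the documented block under a minimal Configure root.
GOOD = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
  <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
  <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="IncludeCipherSuites"><Array type="String"><Item>TLS_ECDHE.*</Item></Array></Set>
  <Set name="ExcludeProtocols"><Array type="java.lang.String">
    <Item>SSL</Item><Item>SSLv2</Item><Item>SSLv2Hello</Item><Item>SSLv3</Item>
  </Array></Set>
</New>
</Configure>"""
# Constructed weak variant: clear-text keystore password, SSLv3 not excluded.
WEAK = GOOD.replace('KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v',
                    'KeyStorePassword">changeit').replace("<Item>SSLv3</Item>", "")
```

Run it against the real file with `check_ssl_context_factory(open("jetty-http.xml").read())`; a non-empty list is the set of settings to fix before restarting Jetty.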

To configure native SSL on the BMC Digital Workplace Catalog server

  1. On the BMC Digital Workplace Catalog server, open the installLocation/sb/env/set_script_variables.sh script.
  2. Change the following parameters to use the https scheme, the server URL, and the SSL port.
    Replace the <DWP-server> references with the entries for your server:

    export UISERVICE_URL=https://<DWP-server-name>:8443/api/myit-sb/ui
    export RX_SERVER=https://<DWP-server-fqdn.com>:8443
  3. Add the following parameters:

    export CONNECTOR_BASE_URL=https://<DWP-server-name>:8443
    export CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true
  4. Open the installLocation/sb/rxscripts/bin/setenv.sh script.
  5. Change the parameters in the following block from:

    export rx_host=localhost
    export rx_url_scheme=http
    export rx_port=8008

    to:

    # enter the actual server name 
    export rx_host=clm-aus-013667.bmc.com
    export rx_url_scheme=https
    export rx_port=8443

    Note

    Comment out the unset rx_trace parameter.

  6. Navigate to installLocation/sb and run ./post_install.sh enable_insecure_sessions to allow native SSL to work on the BMC Digital Workplace Catalog server.

  7. Restart the BMC Digital Workplace Catalog server as described in Starting and stopping the BMC Digital Workplace Catalog server.

Troubleshooting SSL issues

If there are problems with the SSL configuration after you move to SSL, the following error appears on startup:

"Your login failed. Please check your username and password."

To troubleshoot SSL issues

  1. Add the following line to /bin/arserverd.conf:

    #jvm.option

    jvm.option.XX=-Djavax.net.debug=ssl
    # Replace XX with the number one greater than the highest existing jvm.option number, and place this line after that entry.
  2. Restart the BMC Digital Workplace Catalog server.

  3. Review the arerror.log file for any SSL issues.

To fix user synchronization issues

If you encounter any user sync errors in the arerror.log file, perform the following steps:

  1. Open the /artools/user_group_sync.sh script.
  2. Replace the following line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/"-Dtenant_admin_user="$sb_user"-Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled"

    With this line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/" -Dtenant_admin_user="$sb_user" -Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled" -Djavax.net.ssl.trustStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=password com.bmc.myservice.tools.etl.Main
  3. Save the changes.

Where to go from here

Complete the remaining procedures in Configuring after installation of BMC Digital Workplace Catalog that are required for your deployment scenario.
