The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:
- Generating server keys and certificate signing requests
- Uploading and signing server certificates
- Upload a CA certificate bundle to the appliance, or download them from the appliance
- Enable and disable HTTP or HTTPS web access to the appliance
To access the HTTPS Configuration page, select HTTPS from the Security section of the Administration tab. The server key displays the private key for the appliance.
Generating a server key
To generate a server key, enter relevant information in the editable fields:
A read-only description of the current server key status. For example, this may contain information on the length and modification date of the key in use.
A read-only field containing the hostname of the appliance.
If the hostname has not already been configured on the appliance (for example, the hostname is displayed as localhost), you must login as the netadmin user and change the hostname. For more information, see netadmin user.
The two character country code for the country in which the appliance is located, for example GB.
State or Province
The state or province in which the appliance is located, for example Yorkshire.
The locality in which the appliance is located, for example York.
The company name, for example, BMC Software.
The department using the appliance. This field is optional.
The email contact for users of this appliance. This field is optional.
The values in the Server Key tab must match those used by the certificate authority.
- When you have entered the required information, click Generate New Server Key.
The new server key is saved as
$TIDEWAY/etc/https/server.keyonto the appliance's file system. A certificate signing request is also generated, it is called
server.csrand is saved in the same location.
When you have a key and a signing request, it must be signed before it can be used. You can do this using one of the following methods:
- Use a certificate authority: continue with this procedure.
- Sign the certificate yourself: see Self Signing a Server Certificate.
- To download the certificate signing request, click Download CSR. Use the download dialog to choose the location on your local filesystem in which to save the file.
- Send the certificate signing request file to your certificate signing authority for signing. When the certificate signing authority has approved the request, they will generate the corresponding certificate and return it as a .crt file.
Uploading a server certificate
- When your certificate signing authority has approved the request, they will return a certificate. Save this file on your local filesystem.
- On the HTTPS Configuration page, click the Server Certificate tab.
- Click Browse next to Certificate File: and select the server certificate you saved in Step 1 of this procedure.
- Click Upload New Certificate.
The new certificate is uploaded onto the appliance.
Self signing a server certificate
If you do not use a certificate authority, but still require https access to the appliance, you can use the self-signing feature.
To self sign a certificate:
- Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in Generating a Server Key.
- In the HTTPS Configuration page, click Server Certificate => Self Sign.
The server key that you created is signed and saved as a new certificate called server.crt.
- Enable HTTPS access. See Enabling or Disabling HTTP and HTTPS Access to the Appliance for more information.
When you access BMC Atrium Discovery using HTTPS, you will be prompted to accept the certificate once per eaach session.
Uploading or downloading a CA certificate bundle
The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted root certificates, or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should tell you whether to use the supplied bundle or will provide you with one supported by your organization.
If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.
The default CA bundle is stored on the appliance in the following directory:
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a
To replace the certificate bundle with one from a certificate authority used by your organization:
- On the HTTPS Configuration page, click CA Certificates.
- Click Browse next to CA Certificate Bundle File and select the server certificate you saved in Step 1 of this procedure.
- Click Upload New CA Certificate Bundle.
The new certificate bundle is uploaded.
To download the existing CA certificate bundle:
- Click Download CA Certificate Bundle.
- Use the download dialog to choose the location on your local filesystem in which to save the file.
Enabling or disabling HTTP and HTTPS access to the appliance
Use a two stage approach to enabling redirect to HTTPS. Configure the HTTPS and test that it is configured correctly and permits access to authenticated users. Only then should you enable redirect to HTTPS.
If HTTPS is not configured correctly, and you enable redirect to HTTPS, you could be locked out of the appliance.
By default users can access the BMC Atrium Discovery over HTTP. You can enable HTTPS connections on this page and specify that attempts to connect over HTTP should be redirected to HTTPS.
By default HTTP access is enabled and HTTPS access is disabled.
- On the HTTPS Configuration page, click HTTPS tab.
The following screen illustrates an example of HTTPS enabled and HTTP redirected to HTTPS:
- To enable HTTPS access, from the HTTPS list, select Enabled.
- To disable HTTPS access, from the HTTPS list, select Disabled.
- To enable HTTP access, from the HTTPS list, select Enabled.
- To redirect HTTP access attempts to HTTPS, from the HTTP list, select Redirect to HTTPS.