Configuring HTTPS settings
The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:
- Generating server keys and certificate signing requests
- Uploading and signing server certificates
- Upload a CA certificate bundle to the appliance, or download them from the appliance
- Upload a Certificate Revocation List to revoke access to the appliance
- Enable and disable HTTP or HTTPS web access to the appliance
To access the HTTPS Configuration page, select HTTPS from the Security section of the Administration tab. The server key displays the private key for the appliance.
If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace a default Certificate Authority (CA) bundle on BMC Discovery.
To generate a server key
On the Server Key tab of the HTTPS Configuration page, the existing key details are shown, or if no key exists, empty fields are displayed.
To generate a server key, enter relevant information in the editable fields:
A read-only description of the current server key status. For example, this might contain information on the length and modification date of the key in use.
An editable field automatically populated with the hostname of the standalone appliance. If the appliance is a cluster member, it is the cluster alias, or if an alias has not been set then the cluster name is used.
The two character country code for the country in which the appliance is located, for example GB.
State or Province
The state or province in which the appliance is located, for example Yorkshire.
The locality in which the appliance is located, for example York.
The company name, for example, BMC Software.
The department using the appliance. This field is optional.
The email contact for users of this appliance. This field is optional.
RSA key length
The RSA key length. Select one of the following from the drop down list: 1024, 2048, or 4096 bits.
The values in the Server Key tab must match those used by the certificate authority.
- When you have entered the required information, click Generate New Server Key.
The new server key is saved as
$TIDEWAY/etc/https/server.keyonto the appliance's file system. A certificate signing request is also generated; it is called
server.csrand is saved in the same location.
When you have a key and a signing request, it must be signed before it can be used. You can do this using one of the following methods:
- Use a certificate authority—Continue with this procedure.
- Sign the certificate yourself—See Self Signing a Server Certificate.
- To download the certificate signing request, click Download CSR and use the download dialog to choose the location on your local filesystem in which to save the file.
- Send the certificate signing request file to your certificate signing authority for signing.
When the certificate signing authority has approved the request, they will generate the corresponding certificate and return it as a .crt file.
Uploading a server certificate
- When your certificate signing authority has approved the request and returned a certificate, save the certificate file on your local filesystem.
- On the HTTPS Configuration page, click the Server Certificate tab.
- Click Browse next to Certificate File and select the server certificate you saved in Step 1 of this procedure.
- Click Upload New Certificate.
The new certificate is uploaded onto the appliance.
Self signing a server certificate
If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.
- Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in to generate a server key.
- In the HTTPS Configuration page, click Server Certificate > Self Sign.
The server key that you created is signed and saved as a new certificate called server.crt.
- Enable HTTPS access.
For more information, see Enabling or disabling HTTP and HTTPS access to the appliance.
When you access BMC Discovery using HTTPS, you will be prompted to accept the certificate once per session.
Uploading or downloading a CA certificate bundle
The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.
If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.
The default CA bundle is stored on the appliance in the following directory:
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a
To replace the certificate bundle with one from a certificate authority used by your organization
- On the HTTPS Configuration page, click CA Certificates.
- Click Browse next to CA Certificate Bundle File and select the server certificate you saved in Step 1 of this procedure.
- Click Upload New CA Certificate Bundle.
The new certificate bundle is uploaded.
To download the existing CA certificate bundle
- Click Download CA Certificate Bundle.
- Use the download dialog to choose the location on your local filesystem in which to save the file.
Using a Certificate Revocation List to revoke access to the appliance
You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL contains a list of certificates which have been revoked by the CA. You can also add compromised certificates to the CRL.
To apply a CRL
- On the HTTPS Configuration page, click Certificate Revocation List.
- Click Browse next to Certificate Revocation List and select the CRL to apply.
- Click Upload CRL.
The CRL is uploaded and applied.
Enabling or disabling HTTP and HTTPS access to the appliance
Use a two-stage approach to enabling redirect to HTTPS. Configure the HTTPS and test that it is configured correctly and permits access to authenticated users. Only then should you enable redirect to HTTPS.
If HTTPS is not configured correctly, and you enable redirect to HTTPS, you could be locked out of the appliance.
By default, users can access the BMC Discovery over HTTP. You can enable HTTPS connections on this page and specify that attempts to connect over HTTP should be redirected to HTTPS.
By default, HTTP access is enabled and HTTPS access is disabled.
- On the HTTPS Configuration page, click HTTPS tab.
This screen illustrates an example of HTTPS enabled and HTTP redirected to HTTPS:
- To enable HTTPS access, from the HTTPS list, select Enabled.
- To disable HTTPS access, from the HTTPS list, select Disabled.
- To enable HTTP access, from the HTTPS list, select Enabled.
- To redirect HTTP access attempts to HTTPS, from the HTTP list, select Redirect to HTTPS.