This documentation supports the 20.02 (12.0) version of BMC Discovery.

To view an earlier version of the product, select the version from the Product version menu.

Configuring HTTPS settings

The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:

  • Generating server keys and certificate signing requests
  • Uploading and signing server certificates
  • Uploading a CA certificate bundle to the appliance, or downloading them from the appliance
  • Uploading a Certificate Revocation List to revoke access to the appliance

If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace a default Certificate Authority (CA) bundle on BMC Discovery.  

Note

Starting with version 20.02 BMC Discovery enables HTTPS, by default. This is applicable whether you perform a new installation of version 20.02 or upgrade from version 11.x to 20.02. Further, your existing Windows proxies, if any, continue to function without the need for any additional HTTPS-specific configuration.

To generate a server key

  1. From the main menu, click the Administration icon .
    The Administration page is displayed.
  2. From the Security section, click HTTPS.
    The HTTPS Configuration page is displayed.



  3. Click Generate New Key.
    The Generate Key dialog is displayed.



  4. Enter relevant information in the editable fields:

    Field Name

    Details

    Server Name

    Enter the hostname of the appliance if it is standalone. If the appliance is a cluster member, enter the cluster alias, or if an alias has not been set then set its DNS entry.

    Country Code

    The two character country code for the country in which the appliance is located, for example GB.

    State or Province

    The state or province in which the appliance is located, for example Yorkshire.

    Locality

    The locality in which the appliance is located, for example York.

    Company Name

    The company name, for example, BMC Software.

    Department

    (Optional) The department using the appliance. This field is optional.

    Email Address

    (Optional) The email contact for users of this appliance.

    CSR SANs(Optional) The Subject Alternative Name (SAN) for your Certificate Signing Request (CSR) if you want to specific additional host names for a single SSL certificate.

    RSA key length

    The RSA key length, in bits, that you want to set for the key. Select one from the list: 1024, 2048, or 4096 bits.

    Note

    The values used in the Generate Key dialog must match those used by the certificate authority.

  5. When you have entered the required information, click Apply to generate the key.
    The dialog is dismissed and the new server key is saved as $TIDEWAY/etc/https/server.key onto the appliance's file system. A certificate signing request is also generated; it is called server.csr and is saved in the same location.
    When you have a key and a signing request, it must be signed before it can be used. You can do this using one of the following methods:

  6. To download the Certificate Signing Request (CSR), click Download CSR to save the file to your local file system.
  7. Send the certificate signing request file to your certificate signing authority for signing.
    When the certificate signing authority has approved the request, they will generate the corresponding certificate and return it as a .crt file.

To upload a server certificate

  1. When your certificate signing authority has approved the request and returned a certificate, save the certificate file on your local file system.
  2. On the HTTPS Configuration page, click Upload in the Server Certificate row.
  3. Click Choose File next to Certificate File and select the server certificate you saved in Step 1 of this procedure.
  4. Click Apply.
    The new certificate is uploaded onto the appliance.

To self-sign a server certificate

If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.

  1. Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in to generate a server key.
  2. On the HTTPS Configuration page, click Self Sign in the Server Certificate row.
    The server key that you created is signed and saved as a new certificate called server.crt.

To upload or download a CA certificate bundle

The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.

Note

If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.

The default CA bundle is stored on the appliance in the following directory:
/etc/pki/tls/certs/ca-bundle.crt
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a .crt file.

To replace the certificate bundle with one from a certificate authority used by your organization

  1. On the HTTPS Configuration page, click Upload in the CA Certificates row.
  2. Click Choose File next to CA Certificates File and select the certificate bundle returned by the certificate signing authority.
  3. Click Apply.
    The new certificate bundle is uploaded.

To download the existing CA certificate bundle

  • On the HTTPS Configuration page, click Download in the CA Certificates row.
    The CA certificate bundle is downloaded to you local file system.

To use a Certificate Revocation List to revoke access to the appliance

You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL contains a list of certificates which have been revoked by the CA. You can also add compromised certificates to the CRL.

  1. On the HTTPS Configuration page, click Upload in the Certificate Revocation List row.
  2. Click Choose File next to CRL and select the CRL to apply.
  3. Click Apply.
    The CRL is uploaded and applied.


Was this page helpful? Yes No Submitting... Thank you

Comments