Configuring HTTPS settings

The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:

  • Generating server keys and certificate signing requests
  • Uploading and signing server certificates
  • Uploading a CA certificate bundle to the appliance, or downloading the current bundle from the appliance
  • Uploading a Certificate Revocation List so that certificates revoked by the CA can no longer be used to access the appliance
  • Selecting the cipher suite to use for HTTPS communication

If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you must replace the default Certificate Authority (CA) bundle on BMC Discovery (see To upload or download a CA certificate bundle).

Note

Starting with version 20.02, BMC Discovery enables HTTPS by default. This applies whether you perform a new installation of version 20.02 or upgrade from version 11.x to 20.02. Existing Windows proxies, if any, continue to function without any additional HTTPS-specific configuration.

To generate a server key

  1. From the main menu, click the Administration icon.
    The Administration page is displayed.
  2. From the Security section, click HTTPS.
    The HTTPS Configuration page is displayed.



  3. Click Generate New Key.
    The Generate Key dialog is displayed.



  4. Enter relevant information in the editable fields:

    Server Name
      Enter the hostname of the appliance if it is standalone. If the appliance is a cluster member, enter the cluster alias or, if no alias has been set, the DNS name of the appliance.

    Country Code
      The two character country code for the country in which the appliance is located, for example GB.

    State or Province
      The state or province in which the appliance is located, for example Yorkshire.

    Locality
      The locality in which the appliance is located, for example York.

    Company Name
      The company name, for example, BMC Software.

    Department
      (Optional) The department using the appliance.

    Email Address
      (Optional) The email contact for users of this appliance.

    CSR SANs
      (Optional) Subject Alternative Names (SANs) for the Certificate Signing Request (CSR), if you want the certificate to cover additional hostnames. You can add multiple SANs as a space or comma separated list of hostnames. For a cluster, enter the hostname of the coordinator and of every cluster member.
      Browsers and most other TLS clients match the name they connected to against the SAN extension and ignore the Common Name when a SAN is present, so include the Server Name here as well as any aliases.

    RSA key length
      The RSA key length, in bits, that you want to set for the key. Select one of the available options. Longer keys are stronger but slower to use; public certificate authorities no longer sign RSA keys shorter than 2048 bits.

    Note

    Your certificate authority may require particular values in the request, for example the registered organization name. Use the values it expects, or it will reject the request.

  5. When you have entered the required information, click Apply to generate the key.
    The dialog is dismissed and the new server key is saved as $TIDEWAY/etc/https/server.key on the appliance's file system. A certificate signing request is also generated; it is called server.csr and is saved in the same location.
    The key cannot be used for HTTPS until the certificate signing request has been signed. You can either send the request to a certificate authority (the following steps, then To upload a server certificate) or sign it on the appliance (To self-sign a server certificate).

  6. To download the Certificate Signing Request (CSR), click Download CSR and save the file to your local file system.
  7. Send the certificate signing request file to your certificate authority for signing.
    When the certificate authority has approved the request, it generates the corresponding certificate and returns it as a .crt file.

To upload a server certificate

  1. When your certificate signing authority has approved the request and returned a certificate, save the certificate file on your local file system.
  2. On the HTTPS Configuration page, click Upload in the Server Certificate row.
  3. Click Choose File next to Certificate File and select the server certificate you saved in Step 1 of this procedure.
  4. Click Apply.
    The new certificate is uploaded onto the appliance.

To self-sign a server certificate

If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.

  1. Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in To generate a server key.
  2. On the HTTPS Configuration page, click Self Sign in the Server Certificate row.
    The certificate signing request is signed with the server key and saved as a new certificate called server.crt.
    A self-signed certificate is not trusted by browsers or other clients unless they are configured to trust it explicitly, so users see certificate warnings until the certificate is added to their trust stores.
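The key generation, CSR and self-signing steps above, reproduced with the openssl command line as an added example (this is not BMC's code and not what the appliance runs internally), together with the checks worth running on a server.csr or server.crt downloaded from the appliance: that the SANs you typed are really in the request and the certificate, that the certificate matches the key, and that a self-signed certificate is only trusted when a client is told to trust it. The hostnames, subject values and working directory are assumed.

```shell
#!/bin/sh
# Added example, not part of the BMC Discovery page or product. It mirrors the
# "Generate New Key" and "Self Sign" steps with openssl (1.1.1 or later) and shows
# the checks to run on a CSR or certificate downloaded from the appliance.
# Hostnames, subject values and paths below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Assumed values for the Generate Key dialog fields.
SERVER_NAME="discovery.example.com"   # Server Name (the cluster alias for a cluster)
SANS="discovery.example.com disco-node1.example.com disco-node2.example.com"
SUBJECT="/C=GB/ST=Yorkshire/L=York/O=BMC Software/OU=IT/CN=$SERVER_NAME"
RSA_BITS=2048

# Turn the dialog's space or comma separated SAN list into an openssl extension line.
san_ext() {
    out=""
    for h in $(printf '%s' "$1" | tr ',' ' '); do
        out="${out:+$out,}DNS:$h"
    done
    printf 'subjectAltName=%s\n' "$out"
}

# Step 1: private key plus CSR, the equivalent of server.key and server.csr.
generate_key_and_csr() {
    # Minimal req config so the run does not depend on the system openssl.cnf.
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$RSA_BITS" \
        -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"          # the private key never leaves the appliance
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/server.key" -subj "$SUBJECT" \
        -addext "$(san_ext "$SANS")" -out "$WORK/server.csr"
}

# Step 2a: the "Self Sign" button. `openssl x509 -req` does not copy the CSR's
# extensions, so the SAN list is supplied again through -extfile.
self_sign() {
    san_ext "$SANS" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 365 \
        -sha256 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Checks for a downloaded CSR or an uploaded certificate.
csr_sans() {    # prints "DNS:a,DNS:b,..." found in a CSR
    openssl req -config "$WORK/req.cnf" -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
cert_sans() {   # same, from a certificate
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
key_matches_cert() {   # returns 0 when the certificate carries the key file's public key
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)"
    c="$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)"
    [ "$k" = "$c" ]
}

generate_key_and_csr
self_sign
echo "CSR SANs:  $(csr_sans "$WORK/server.csr")"
echo "Cert SANs: $(cert_sans "$WORK/server.crt")"
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "key and certificate match"
# A self-signed certificate fails validation until the client is given it as a trust anchor.
openssl verify "$WORK/server.crt" >/dev/null 2>&1 || echo "not trusted by default (expected)"
openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt"
```

Run `csr_sans` against the CSR you download from the appliance before sending it to the CA: if a cluster member is missing from the SAN list, the CA will sign a certificate that browsers reject for that node, and the appliance has no way to add a name after the fact.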

To upload or download a CA certificate bundle

The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.

Note

If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.

The default CA bundle is stored on the appliance in the following directory:
/etc/pki/tls/certs/ca-bundle.crt
If you use a certificate authority run by your organization, ask it for its CA certificate bundle. The bundle is normally supplied as a .crt file containing the root certificate and any intermediate certificates.

To replace the certificate bundle with one from a certificate authority used by your organization

  1. On the HTTPS Configuration page, click Upload in the CA Certificates row.
  2. Click Choose File next to CA Certificates File and select the certificate bundle returned by the certificate signing authority.
  3. Click Apply.
    The new certificate bundle is uploaded.

To download the existing CA certificate bundle

  • On the HTTPS Configuration page, click Download in the CA Certificates row.
    The CA certificate bundle is downloaded to your local file system.

To use a Certificate Revocation List to revoke access to the appliance

You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL is a signed list, issued by the CA, of the certificates it has revoked; you cannot edit it yourself. If a certificate is compromised, have the CA revoke it and then upload the CA's updated CRL. CRLs carry a validity period, so upload a fresh one whenever the CA issues it.

  1. On the HTTPS Configuration page, click Upload in the Certificate Revocation List row.
  2. Click Choose File next to CRL and select the CRL to apply.
  3. Click Apply.
    The CRL is uploaded and applied.
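The CA bundle and CRL sections above, as an added example with a throwaway private CA built with the openssl command line (not BMC's code and not what the appliance does internally). It issues a certificate for the appliance, checks it against the CA certificate the way the appliance checks against its bundle, revokes it, and shows that the certificate is only rejected once the CA's CRL is applied to the check. The same `openssl verify` commands can be run on a bundle or CRL before uploading it. CA names, the appliance hostname and paths are assumed.

```shell
#!/bin/sh
# Added example, not part of the BMC Discovery page or product. Builds a private CA,
# issues and then revokes a server certificate, and verifies with and without the CRL.
# Needs openssl 1.1.1 or later. All names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"
SERVER_NAME="discovery.example.com"   # assumed appliance name

# One config for `openssl req` and `openssl ca`. index.txt, serial and crlnumber are
# the CA database that -revoke and -gencrl read and update.
write_ca_config() {
    mkdir -p "$CA/newcerts"
    : > "$CA/index.txt"
    echo 1000 > "$CA/serial"
    echo 01 > "$CA/crlnumber"
    cat > "$CA/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = example_ca
[ example_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
EOF
}

# Self-signed root CA. Its certificate (plus any intermediates) is what a CA bundle holds.
make_ca() {
    openssl req -x509 -config "$CA/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/C=GB/O=Example Corp/CN=Example Corp Root CA" \
        -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
}

# Server key and CSR (what Generate New Key produces), signed by the CA.
issue_server_cert() {
    openssl req -new -config "$CA/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=GB/O=Example Corp/CN=$SERVER_NAME" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl ca -config "$CA/ca.cnf" -extensions v3_server -batch -notext \
        -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# Publish the CA's current CRL (empty until something is revoked).
gen_crl() { openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null; }

# Mark the server certificate revoked in the CA database and publish a new CRL.
revoke_server_cert() {
    openssl ca -config "$CA/ca.cnf" -revoke "$WORK/server.crt" 2>/dev/null
    gen_crl
}

# 0 when the certificate chains to the CA certificate and is not listed in the CRL.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/ca.crl" "$1" >/dev/null 2>&1
}

write_ca_config
make_ca
issue_server_cert
gen_crl
verify_with_crl "$WORK/server.crt" && echo "before revocation: accepted"
revoke_server_cert
verify_with_crl "$WORK/server.crt" || echo "after revocation: rejected"
# Without -crl_check the revoked certificate still validates: a bundle alone is not enough.
openssl verify -CAfile "$CA/ca.crt" "$WORK/server.crt"
openssl crl -in "$CA/ca.crl" -noout -text | grep -E 'Serial Number|Next Update'
```

The last two commands make the operational point: a chain check against the bundle passes for a revoked certificate, so the CRL has to be uploaded and kept current, and the CRL's Next Update field tells you how long the one you uploaded remains valid.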

To select the cipher suite to use for HTTPS communication

You can choose between two cipher suites for HTTPS communication. Both exclude the same weak algorithms; they differ in which suites are enabled:

  • Default—the default cipher suite. It includes AEAD (GCM) suites with forward-secret ECDHE or DHE key exchange, CBC-mode suites with SHA-256 or SHA-1 MACs, and suites using RSA key exchange (no forward secrecy), so it interoperates with older clients.

    Enabled ciphers:
      ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256,
      ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384,
      DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384,
      ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256,
      ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA,
      ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384,
      ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA,
      DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA,
      DHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA,
      AES128-GCM-SHA256, AES256-GCM-SHA384,
      AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA

    Ciphers explicitly excluded from use:
      !aNULL, !EXPORT, !DES, !3DES, !RC4, !MD5, !PSK, !aECDH, !DSS, !CAMELLIA

  • Intermediate—a stricter cipher suite that keeps only AEAD ciphers (AES-GCM and ChaCha20-Poly1305) with forward-secret ECDHE or DHE key exchange. These suites are defined only for TLS 1.2 and later, so clients limited to TLS 1.0 or TLS 1.1 cannot connect.

    Enabled ciphers:
      ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
      ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
      ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
      DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384

    Ciphers explicitly excluded from use:
      !aNULL, !EXPORT, !DES, !3DES, !RC4, !MD5, !PSK, !aECDH, !DSS, !CAMELLIA

To select the cipher suite to use

  1. On the HTTPS Configuration page, select the cipher suite that you want to use.
  2. Click Apply.


