The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:
To access the HTTPS Configuration page, select HTTPS from the Security section of the Administration tab. The server key displays the private key for the appliance.
If BMC Atrium Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace the default Certificate Authority (CA) bundle on BMC Atrium Discovery.
On the Server Key tab of the HTTPS Configuration page, the existing key details are shown, or if no key exists, empty fields are displayed.
To generate a server key, enter relevant information in the editable fields:
Field Name | Details |
---|---|
Status | A read-only description of the current server key status. For example, this might contain information on the length and modification date of the key in use. |
Server Name | An editable field automatically populated with the hostname of the standalone appliance. If the appliance is a cluster member, it is the cluster alias, or if an alias has not been set, the cluster name is used. |
Country Code | The two-character country code for the country in which the appliance is located, for example GB. |
State or Province | The state or province in which the appliance is located, for example Yorkshire. |
Locality | The locality in which the appliance is located, for example York. |
Company Name | The company name, for example, BMC Software. |
Department | The department using the appliance. This field is optional. |
Email Address | The email contact for users of this appliance. This field is optional. |
RSA key length | The RSA key length. Select one of the following from the drop-down list: 1024, 2048, or 4096 bits. |
The values in the Server Key tab must match those used by the certificate authority.
$TIDEWAY/etc/https/server.key onto the appliance's file system. A certificate signing request is also generated; it is called server.csr and is saved in the same location.
If you do not use a certificate authority, but still require HTTPS access to the appliance, you can use the self-signing feature.
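Before server.csr is submitted to the certificate authority, the generated pair can be checked from the appliance's command line. The following shell script is an added example, not part of the BMC documentation or product; it assumes the openssl command is available and the key is an unencrypted RSA key, and the names check_pair, key_bits, pub_digest and MIN_BITS (with an assumed minimum of 2048 bits) are hypothetical.

```shell
#!/bin/sh
# Added example (not BMC code): check a server.key / server.csr pair
# before the CSR is sent to the certificate authority.
# Assumptions: openssl is installed, the key is an unencrypted RSA key,
# and MIN_BITS is a local policy value chosen for this example.
MIN_BITS=${MIN_BITS:-2048}

# Print the RSA key size in bits, or nothing if the key cannot be read.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Print a SHA-256 digest of the public key held in a key or a CSR, so the
# two can be compared without displaying any private material.
pub_digest() {  # $1 = key|csr, $2 = file
    case $1 in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   pem= ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the key is long enough, the CSR's self-signature
# verifies, and the CSR carries the public half of this key.
check_pair() {  # $1 = directory holding server.key and server.csr
    key=$1/server.key
    csr=$1/server.csr
    bits=$(key_bits "$key")
    [ -n "$bits" ] || { echo "FAIL: cannot read RSA key $key" >&2; return 1; }
    [ "$bits" -ge "$MIN_BITS" ] ||
        { echo "FAIL: $bits-bit key, policy minimum is $MIN_BITS" >&2; return 1; }
    # Match on the message; the exit status is not reliable across versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify" >&2; return 1; }
    k=$(pub_digest key "$key") || k=
    c=$(pub_digest csr "$csr") || c=
    [ -n "$k" ] && [ "$k" = "$c" ] ||
        { echo "FAIL: server.csr was not generated from server.key" >&2; return 1; }
    # Subject line to compare by eye with the values the CA expects.
    openssl req -in "$csr" -noout -subject
}

# Run as: sh check_csr.sh "$TIDEWAY/etc/https"
if [ "$#" -gt 0 ]; then check_pair "$1"; fi
```

Public certificate authorities no longer issue certificates for 1024-bit RSA keys, which is why the example's assumed minimum is 2048 bits.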
To self-sign a certificate:
The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as trusted root certificates or trusted intermediate certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you to use the supplied bundle or provide you with one supported by your organization.
If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.
The default CA bundle is stored on the appliance in the following directory:
/etc/pki/tls/certs/ca-bundle.crt
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a .crt file.
To replace the certificate bundle with one from a certificate authority used by your organization:
To download the existing CA certificate bundle:
You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL contains a list of certificates which have been revoked by the CA. You can also add compromised certificates to the CRL.
To apply a CRL:
Use a two-stage approach to enabling redirect to HTTPS. Configure HTTPS and test that it is configured correctly and permits access to authenticated users. Only then should you enable redirect to HTTPS.
If HTTPS is not configured correctly, and you enable redirect to HTTPS, you could be locked out of the appliance.
By default, users can access BMC Atrium Discovery over HTTP. You can enable HTTPS connections on this page and specify that attempts to connect over HTTP should be redirected to HTTPS.
By default HTTP access is enabled and HTTPS access is disabled.