The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:
To access the HTTPS Configuration page, select HTTPS from the Security section of the Administration tab.
If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace a default Certificate Authority (CA) bundle on BMC Discovery.
The following topics are provided in this section:
Enter relevant information in the editable fields:
Enter the hostname of the appliance if it is standalone. If the appliance is a cluster member, enter the cluster alias, or if an alias has not been set then set its DNS entry.
The two-character country code for the country in which the appliance is located, for example GB.
State or Province
The state or province in which the appliance is located, for example Yorkshire.
The locality in which the appliance is located, for example York.
The company name, for example, BMC Software.
The department using the appliance. This field is optional.
The email contact for users of this appliance. This field is optional.
RSA key length
The RSA key length. Select one of the following from the drop-down list: 1024, 2048, or 4096 bits.
The values used in the Generate Key dialog must match those used by the certificate authority.
When you have entered the required information, click Apply to generate the key.
The dialog is dismissed and the new server key is saved as $TIDEWAY/etc/https/server.key onto the appliance's file system. A certificate signing request is also generated; it is called server.csr and is saved in the same location.
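A check to run from the appliance's command line before sending server.csr for signing, given as an added example that is not part of BMC's documentation or tooling. The function name check_csr and the 2048-bit default minimum are assumptions of this example; it uses only standard openssl subcommands and assumes an unencrypted PEM private key.

```shell
#!/bin/sh
# Added example: sanity-check a key/CSR pair before the CSR goes to a CA.
# Assumptions: openssl is on PATH; the private key is unencrypted PEM.
# Usage: check_csr KEY CSR [MIN_BITS]   (MIN_BITS defaults to 2048)
check_csr() {
    key=$1; csr=$2; min_bits=${3:-2048}

    # 1. The CSR's self-signature must verify (catches truncated or edited
    #    files). Match on the message: older openssl exits 0 even on failure.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: CSR self-signature does not verify" >&2; return 1
    fi

    # 2. The public key in the CSR must be the one derived from the private
    #    key, otherwise the signed certificate will not work with server.key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || csr_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
        echo "FAIL: CSR was not generated from this private key" >&2; return 1
    fi

    # 3. Key length. The Generate Key dialog offers 1024 bits, but public CAs
    #    do not sign RSA keys shorter than 2048 bits, so that is the default.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: RSA key is ${bits:-unknown} bits, below $min_bits" >&2
        return 1
    fi

    # 4. Print the subject so it can be compared with what the CA expects.
    echo "OK: $bits-bit key matches CSR"
    openssl req -in "$csr" -noout -subject
}
```

Call it as check_csr "$TIDEWAY/etc/https/server.key" "$TIDEWAY/etc/https/server.csr"; the printed subject is what to compare against the values the certificate authority expects.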
When you have a key and a signing request, the request must be signed before it can be used. You can do this using one of the following methods:
If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.
The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.
If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.
The default CA bundle is stored on the appliance in the following directory:
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a
You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL contains a list of certificates which have been revoked by the CA. You can also add compromised certificates to the CRL.
Use a two-stage approach to enabling redirect to HTTPS. First configure HTTPS and test that it is configured correctly and permits access to authenticated users. Only then should you enable redirect to HTTPS.
If HTTPS is not configured correctly, and you enable redirect to HTTPS, you could be locked out of the appliance.
By default, users can access BMC Discovery over HTTP. You can enable HTTPS connections on this page and specify that attempts to connect over HTTP should be redirected to HTTPS.
By default, API access is not permitted over HTTP. Using the API via HTTP is not recommended and should only be used for testing purposes.
By default, HTTP access is enabled and HTTPS access is disabled.
On the HTTPS Configuration page, click Configure.
This screen illustrates an example testing configuration with HTTPS disabled, HTTP enabled, and API access permitted over HTTP.
This screen illustrates an example more suited to production, with HTTPS enabled, HTTP redirected to HTTPS, and API access not permitted over HTTP.