Ensure to complete the certificate creation and import tasks for the relevant components before you configure TLS 1.2 between them. For more information about how to create and import private certificates, see Implementing private certificates in TrueSight Operations Management.
There are different communication channels established between the TrueSight Infrastructure Management components. Perform the TLS configurations per communication channel. Select the communication channel which you want to make TLS compliant and perform the tasks accordingly. The flowchart in the following diagram explains the complete TLS configuration workflow.
To enable TLS 1.2, complete the procedures by navigating the following tabs, or select the procedures from documentation links in the flowchart.
Perform the following steps to configure the Infrastructure Management Server to the Presentation Server communication to enable TLS 1.2 mode:
Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running.
tssh server status
Note
Ensure that the TrueSight Presentation Server is running before proceeding further.
Log on to the TrueSight console and select Administration> Components.
Displays the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the TrueSight Presentation Server. If a TrueSight Infrastructure Management Server is registered delete the same. For more information, see To delete a component
Set the property in the database by running the following command:
tssh properties set tsps.cell.conntype ssl tssh properties set pronet.jms.conntype ssl
Using a text editor, open the mcell.dir file located in <Presentation Server Install Directory>\conf directory.
Comment out the instances of the code lines having the encryption key value as mc
as shown in the following code block:
#Type <name> encryption key <host>/<port> #gateway.gateway_subtype ts_event_gateway mc tsps_server1.bmc.com:1900 #cell pncell_tsim_server1 mc tsim_server1.bmc.com:1828
Set the encryption key value to *TLS as shown in the following code block:
#Type <name> encryption key <host>/<port> gateway.gateway_subtype ts_event_gateway *TLS tsps_server1.bmc.com:1900 cell pncell_tsim_server1 *TLS tsim_server1.bmc.com:1828
Parameter description
The following notes describe the key parameters used in the preceding command:
Save and close the file.
Stop the Presentation Server by running the following command:
tssh server stop
Navigate to the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory location.
Open the ssl.activemq-rar.rar file and extract the amq-broker-config.xml file.
In the amq-broker-config.xml file, update the URI attribute of transportConnector
property to the port number that is configured. In the following example, 8096 is the port number that is configured in the server.
Note
In the preceding example the port number is set to 8096. If you are using a different port, then set the port number accordingly.
After the change, save the amq-broker-config.xml file and add it to the ssl.activemq-rar.rar file in the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory again.
Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:
#Syntax perl switchTLSMode.pl -<on/off> -flow <communication channel> -tsps <TrueSight Presentation Server name> #Example perl switchTLSMode.pl -on -flow event_and_data -tsps myserver.bmc.com
Parameter description
The following notes describe the key parameters used in the preceding command:
flow
is set to event_and_data, the communication between the Infrastructure Management Server and the Presentation Server is TLS 1.2 enabled.TrueSight Presentation Server name: This is the fully qualified domain name (FQDN) of the computer where the Presentation Server is installed.
Start the Presentation Server by running the following command:
tssh server start
Start the Infrastructure Management Server by running the following command:
pw system start
Ensure that all the processes of the Infrastructure Management Server are up by running the following command:
pw p l
Register the Infrastructure Management Server with the Presentation Server. For more information, see Registering the component products with the Presentation Server .
The following sections describe the configuration steps for both the local Integration Service and remote Integration Service in TLS 1.2 mode. Perform the configuration steps based on the type of Integration Service installed:
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.
Comment out the instance of the code line having the conntype value as tcp
as shown in the following code block:
#pronet.apps.agent.conntype=tcp
Set the conntype value to ssltcp
as shown in the following code block:
#Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant pronet.apps.agent.conntype=ssltcp
Note
Modify the file present in the pw\custom\conf directory, if it is a local Integration Service.
Save and close the file.
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.
Comment out the instance of the code line having the conntype value as tcp
as shown in the following code block:
#pronet.apps.agent.conntype=tcp
Set the conntype value to ssltcp
as shown in the following code block:
pronet.apps.agent.conntype=ssltcp
Save and close the file.
Logon to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:
pw is stop
To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes from Started to (blank).
Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\pronto\conf directory.
Comment out the instance of the code line having the conntype value as tcp
as shown in the following code block:
#pronet.apps.agent.conntype=tcp
Set the conntype value to ssltcp
as shown in the following code block:
pronet.apps.agent.conntype=ssltcp
Note
Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service.
Save and close the file.
Perform the following set of steps after the configuration changes are completed.
Start the Infrastructure Management Server by running the following command:
pw system start
Start the Integration Service (Unix) by running the following command:
pw is start
To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes to Started from (blank).
Note
The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.
The following section guides you to configure the Integration Service to Cell communication in TLS 1.2. Choose the appropriate configuration steps based on the type (local / remote) of the Integration Service and the cell used.
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
pw system stop
Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.
Comment out the instance of the code line having the encryptionkey value as mc
as shown in the following code block:
#pronet.apps.is.cell.encryptionkey=mc
Set the encryptionkey value to *TLS
as shown in the following code block:
pronet.apps.is.cell.encryptionkey=*TLS
Save and close the file.
Using a text editor, open mcell.dir file located in <Infrastructure Management Server Install directory>\pw\server\etc directory.
Comment out the instances of the code lines having the encryption key value as mc
as shown in the following code block:
#Type <name> encryption key <host>/<port> #cell cell_1 mc cell_1.bmc.com:1828 #cell HA_Cell mc primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Set the encryption key value to *TLS
as shown in the following code block:
#Type <name> encryption key <host>/<port> cell cell_1 *TLS cell_1.bmc.com:1828 cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Parameter description
Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
Logon to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:
pw is stop
To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes from Started to (blank).
Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\pronto\conf directory.
Comment out the instance of the code line having the encryptionkey value as mc
as shown in the following code block:
#pronet.apps.is.cell.encryptionkey=mc
Set the encryptionkey value to *TLS
the following code block:
pronet.apps.is.cell.encryptionkey=*TLS
Note
Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service.
Save and close the file.
Using a text editor, open the mcell.dir file located in <Integration Service Install directory>\Agent\server\etc directory.
Comment out the instances of the code lines having the encryption key value as mc
as shown in the following code block:
#Type <name> encryption key <host>/<port> #cell cell_1 mc cell_1.bmc.com:1828 #cell HA_Cell mc primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Set the encryption key value to *TLS
as shown in the following code block:
#Type <name> encryption key <host>/<port> cell cell_1 *TLS cell_1.bmc.com:1828 cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Parameter description
Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:
Save and close the file.
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
Stop the cell service (Unix) by running the following command:
mkill -n cellname
To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the cell service changes from Started to (blank).
Using a text editor, open mcell.conf file located in <Infrastructure Management Server Install Directory>\pw\server\etc\pncell_<TSIM_MACHINE_NAME> directory.
Comment out the instance of the code line having ServerTransportProtocol value as tcp
as shown in the following code block:
#ServerTransportProtocol=tcp
Set the properties as shown in the following code block:
ServerTransportProtocol=tls ServerCertificateFileName=mcell.crt ServerPrivateKeyFileName=mcell.key
Save and close the file.
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
Logon to the computer where the remote cell is installed.
Stop the cell service (Unix) by running the following command:
mkill -n cellname
To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the cell service changes from Started to (blank).
Using a text editor, open mcell.conf file located in <Remote Cell Install Directory>\Agent\server\etc\cell_name directory.
Comment out the instance of the code line having ServerTransportProtocol value as tcp
as shown in the following code block:
#ServerTransportProtocol=tcp
Set the properties as shown in the following code block:
ServerTransportProtocol=tls ServerCertificateFileName=mcell.crt ServerPrivateKeyFileName=mcell.key
Save and close the file.
Start the cell service (Unix) by running the following command:
mcell -n cellname
To start the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the cell service changes to Started from (blank).
Start the Integration Service (Unix) by running the following command:
pw is start
To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes to Started from (blank).
Note
The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.
Perform the following steps to configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2 mode:
Perform the following steps to enable the Infrastructure Management Server to Oracle database communication to be TLS compliant:
Notes
Stop the Infrastructure Management Server by running the following command:
pw system stop
Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:
#Syntax perl switchTLSMode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version> #Example perl switchTLSMode.pl -on -flow oracle –dbport 1521 -dbver 11G
Parameter description
The following notes describe the key parameters used in the preceding command:
Start the Infrastructure Management Server by running the following command:
pw system start
Perform the following steps to enable the Remote Integration Service to PATROL Agent communication to be TLS 1.2 compliant:
The following set ofstepsguideyouto configure both the local or remote Integration Services.
Stop the Integration Service by running the following command:
pw is stop
To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes from Started to (blank).
Navigate to the <Remote Integration Service Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:
# Microsoft Windows operating system $cd <Remote Integration Service install directory>\agent\patrol\common\security\config_v3.0 # Unix operating system $cd <Remote Integration Service install directory>/agent/patrol/common/security/config_v3.0
Run the following command:
#Syntax set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity> #Example $set_unset_tls_IS.cmd <Remote Integration Service Install Directory> SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol
Stop the Infrastructure Management Server by running the following command:
pw system stop
Navigate to the <Infrastructure Management Server Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:
# Microsoft Windows operating system $cd <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0 # Unix operating system $cd <Infrastructure Management Server Install Directory>/pw/patrol/common/security/config_v3.0
Run the following command:
#Syntax set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity> #Example $set_unset_tls_IS.cmd <Infrastructure Management Server Install Directory>\pw SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol
Parameter description
The following notes describe the key parameters used in the preceding command:
set_unset_tls.sh -h will display the help for the set_unset_tls_IS command.
Perform the following steps to make the PATROL Agent to Integration Service communication TLS 1.2 compliant:
Navigate to the config_v3.0 folder by running the following command:
# Microsoft Windows operating system $cd <PATROL Agent installation directory>\common\security\config_v3.0 # Unix operating system $cd <PATROL Agent installation directory>/common/security/config_v3.0
Verify your PATROL Agent's installation directory. If the PATROL Agent's installation directory is not same as the default installation directory that is C:\Program Files (x86)\BMC Software, perform the following sequence of steps:
Perform this step only if the installation directory is not same as the default installation directory
The following set of instructions are applicable:
For all the PATROL Agents running on any of the security levels 2,3, or 4.
Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location, and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:
#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:
#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:
#Original entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
#Modified entry
"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
Run the script to enable TLS mode as shown in the following code block:
#Syntax set_unset_tls.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity> #Example $set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol
Notes
When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for Mozilla NSS v3.20 libraries in the default system library directory /usr/lib.
set_unset_tls.sh -h
will display the help for the set_unset_tls command.
Perform the following set of steps after the configuration changes are completed.
Start the Infrastructure Management Server by running the following command:
pw system start
The Integration Service is restarted along with the Infrastructure Management Server.
Start the remote Integration Service (Unix) by running the following command:
pw is start
To start the remote Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes from blank to (started).
Start the PATROL Agent by running the following command:
patrolagent -p 9090
Perform the following steps to enable the Infrastructure Management Server to BMC Impact Integration Web Services (IIWS) communication to be TLS compliant:
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\server\etc directory.
Comment out the instance of the code line having encryption key value as mc as shown in the following code block:
#gateway.imcomm IIWSGatewayServer mc IIWSGatewayServer.bmc.com:1859
Set the encryption key value to *TLS
as shown in the following code block:
gateway.imcomm IIWSGatewayServer *TLS IIWSGatewayServer.bmc.com:1859
Note
IIWSGatewayServer is the name of the host computer where the BMC Impact Integration Web Services is installed.
Save and close the file.
Navigate to the <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc directory by running the following command:
# Microsoft Windows operating system $cd <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc # Unix operating system $cd <Impact Web Services installation directory>/tomcat/webapps/imws/WEB-INF/etc
Comment out the instances of the code lines having encryption key value as mc as shown in the following code block:
#type Name encryption key <Host>:1828 #gateway.imcomm IIWSGatewayServer mc localhost:1859 #cell pncell_tsim_server mc tsim_server.bmc.com:1828
Set the encryption key value to *TLS as shown in the following code block:
#syntax #type Name encryption key <Host>:1828 gateway.imcomm IIWSGatewayServer *TLS localhost:1859 cell pncell_tsim_server *TLS tsim_server.bmc.com:1828
Parameter description
The following notes describe the key parameters used in the preceding command:
Start the Infrastructure Management Server by running the following command:
pw system start
Restart the IIWS server by running the following commands:
From the desktop or Start menu, navigate to Services.
To stop the server, select the BMC Impact Integration Web Services service, and right-click to open the menu. The service name is BMCIWS, and the display name is Impact Integration Web Service.
To stop the application server, select Stop.
Perform the following steps to enable the Infrastructure Management server main cell to Reporting engine communication to be TLS compliant:
Note
If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in Non-TLS mode.
Infrastructure Management server cells in TLS mode | Infrastructure Management server cells in Non-TLS mode | Remote cellsin TLS mode | Remote cells in Non-TLS mode | |
---|---|---|---|---|
Reporting Engine in TLS mode |
Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.
Check for the instance of the code line having encryption key value as shown in the following code block:
gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>
#Example
gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783
Modify the existing value of encryption key to *TLS
as shown in the following example:
gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
Save and close the file.
Reload the mcell.dir file by entering the following command from a command line:
#Syntax
mcontrol -n cellName reload dir
#Example
mcontrol -n pncell_vm-w23-rds1016 reload dir
Note
pncell_vm-w23-rds1016
is the name of the cell.
Navigate to the reportsCLI directory by running the following command:
# Microsoft Windows operating system
CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI
# Unix operating system
$cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI
Initiate the configuration settings by running the following command:
#Syntax
tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]
#Example
tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin
When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.
Parameter description
The following notes describe the key parameters used in the preceding command:
<BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.
Enable the TLS configuration by running the following command:
tls_config enable -component cell
Perform the following steps to configure the Infrastructure Management server to Publishing Server communication to enable TLS 1.2 mode:
Perform the following steps to enable the Infrastructure Management server to Publishing Server communication to be TLS compliant:
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open the pronet.conf located in the <Infrastructure Management Server Install Directory>\pw\custom\conf directory.
Add the following properties in pronet.conf as shown in the following code block:
pronet.jms.passwd.file=pronto/conf/.ks_pass pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256 pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
Comment out any existing instances of the code lines having encryption key value as mc as shown in the following code block:
#Type <name> encryption key <host>/<port> #cell pncell_hostname mc pncell_hostname.bmc.com:1828 #gateway.imcomm gw_ps_pncell_hostname mc hostname.bmc.com:1839
Add the code lines to set the encryption key value to *TLS
as shown in the following code block:
#Type <name> encryption key <host>/<port> cell pncell_hostname *TLS pncell_hostname.bmc.com:1828 gateway.imcomm gw_ps_pncell_hostname *TLS hostname.bmc.com:1839
Save and close the file.
Comment out any existing instance of the code line having ServerTransportProtocol value as tcp
as shown in the following code block:
#ServerTransportProtocol=tcp
Add the code lines to set the ServerTransportProtocol value to tls
, and server certificate file name and key values as shown in the following code block:
ServerTransportProtocol=tls ServerCertificateFileName=mcell.crt ServerPrivateKeyFileName=mcell.key
Note
mcell.crt and mcell.key are the names of the cell key and the certificate. If the cell certificate and key names in your Infrastructure Management server are different then use the relevant names in the preceding settings. For more information about how to create cell key and certificate, see Implementing private certificates in the TrueSight Infrastructure Management.
Save and close the file.
In the jboss-service.xml file, update the JNDIName attribute of amqbootstrap property as shown in the following example:
#Existing JNDIName setting
<attribute name="JNDIName">ConnectionFactory</attribute>
#New JNDIName setting
<attribute name="JNDIName">java:jboss/exported/ConnectionFactory</attribute>
After the change, save the jboss-service.xml file and add it to the ssl.amqbootstrap.sar file in the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory again.
Start the Infrastructure Management Server by running the following command:
pw system start
Securing communication among Infrastructure Management components
6 Comments
Garland Smith
I don't see anything that discusses how to configure Event Management cell to cell communication to use TLS 1.2. Is any configuration needed. Does cell to cell communication accommodate TLS 1.2?
Thank you,
Garland Smith
Rashmi Gokhale
Hi,
Thankyou for your feedback.
Checking with an SME, will update the document as per SME's input.
Thanks,
Rashmi
Rashmi Gokhale
Hi Parul Jain,
Can you please clarify about the cell to cell TLS communication?
Thanks,
Rashmi
Rashmi Gokhale
Hi,
Sorry for the delay.
Yes, cell to cell communication is possible in TLS 1.2 mode. If the cell is configured in TLS 1.2, it can communicate in TLS 1.2 mode.
Thanks,
Rashmi
Garland Smith
The point of the request was to document the methodology to configure the cells to use TLS 1.2 on the same page where everything else is documented. I have not been able to find anything that talks about how to configure cells to use TLS 1.2. Logically, this should be included on the same page with everything else.
Thank you,
Garland Smith
Rashmi Gokhale
Hi,
Thankyou for the feedback.
I will discuss with SME and see if a new section can be created for Cell - Cell communication to configure TLS.
I checked with SME and confirmed that for the cell to cell TLS communication, the configuration steps are same as that mentioned in IS-Cell communication (Sections: To configure the local cell, To configure the remote cell).
Thanks,
Rashmi