
    By default, TrueSight Infrastructure Management and its associated components use Transport Layer Security (TLS) versions earlier than TLS 1.2 to communicate with each other. You can upgrade the security in your enterprise environment by using TLS 1.2 to communicate with TrueSight Infrastructure Management components. Following installation of the TrueSight Infrastructure Management components, you can switch from the default inter-component security configuration to TLS 1.2 configuration.


    Related topics

    Rolling back to SSL configuration

    TLS considerations for TrueSight Infrastructure Management

    Before you begin

    Complete the certificate creation and import tasks for the relevant components before you configure TLS 1.2 between them. For more information about how to create and import private certificates, see Implementing private certificates in TrueSight Operations Management.

    To configure the TrueSight Infrastructure Management components to enable TLS 1.2

    The TrueSight Infrastructure Management components communicate over several distinct channels, and TLS is configured per channel. Select the channel that you want to make TLS compliant and perform the corresponding tasks. The flowchart in the following diagram shows the complete TLS configuration workflow.

    [Figure: tls_config_flow, the TLS configuration workflow]

    To enable TLS 1.2, complete the procedures in the following sections, or select the procedures from the documentation links in the flowchart.

    Perform the following steps to configure the Infrastructure Management Server to the Presentation Server communication to enable TLS 1.2 mode:

    To configure the Presentation Server

    1. Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running. 

      tssh server status

      Note

      Ensure that the TrueSight Presentation Server is running before proceeding further.

    2. Log on to the TrueSight console and select Administration> Components.

      The Components page lists the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the Presentation Server; if one is registered, delete it. For more information, see To delete a component.

    3. Set the connection-type properties in the Presentation Server database by running the following commands:

      tssh properties set tsps.cell.conntype ssl
      tssh properties set pronet.jms.conntype ssl
    4. Using a text editor, open the mcell.dir file located in <Presentation Server Install Directory>\conf directory.

    5. Comment out the entries whose encryption key is mc, as shown in the following code block:

      #Type                            <name>             encryption key         <host>/<port>
      #gateway.gateway_subtype	   ts_event_gateway	         mc	             tsps_server1.bmc.com:1900
      #cell                         pncell_tsim_server1        mc              tsim_server1.bmc.com:1828    
    6. Add the same entries again with the encryption key set to *TLS, as shown in the following code block:

      #Type                            <name>             encryption key         <host>/<port>
      gateway.gateway_subtype	     ts_event_gateway	        *TLS	          tsps_server1.bmc.com:1900
      cell                         pncell_tsim_server1        *TLS              tsim_server1.bmc.com:1828   

      Parameter description

      The following notes describe the key fields in the preceding entries:

      • tsps_server1 is the name of the computer where the TrueSight Presentation Server is installed.
      • tsim_server1 is the name of TrueSight Infrastructure Management Server registered with the TrueSight Presentation Server. If there are multiple Infrastructure Management Server entries in the mcell.dir file, change the encryption key to *TLS for all such entries.
    7. Save and close the file.

    8. Stop the Presentation Server by running the following command:

      tssh server stop
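    The mcell.dir edit in steps 5 and 6 above is repeated later on this page for the Infrastructure Management Server and the remote Integration Service, and it is easy to leave one active mc entry behind. The following Python is an added example, not BMC's code: it comments out every active entry whose encryption key is mc, re-emits the entry with *TLS, and lists the entries that would still be contacted without TLS (the same column the CLI commands read to decide between TLS and non-TLS mode). The sample mcell.dir content is constructed for the example, and the function names are the example's own.

```python
import re

# Constructed sample of a Presentation Server mcell.dir: a gateway entry, a
# cell entry, an HA cell entry (two host:port fields) and one entry already on TLS.
SAMPLE_MCELL_DIR = """\
#Type                    <name>               encryption key   <host>/<port>
gateway.gateway_subtype  ts_event_gateway     mc     tsps_server1.bmc.com:1900
cell                     pncell_tsim_server1  mc     tsim_server1.bmc.com:1828
cell                     HA_Cell              mc     primaryhost.bmc.com:1828  secondaryhost.bmc.com:1828
cell                     already_tls          *TLS   other.bmc.com:1828
"""

# Matches the third whitespace-separated column when it is exactly "mc".
_MC_KEY = re.compile(r"^(\s*\S+\s+\S+\s+)mc(\s)")


def _active_fields(line):
    """Fields of an active mcell.dir entry, or None for blank, comment or short lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    return fields if len(fields) >= 4 else None  # type, name, key, host:port[, host:port]


def switch_to_tls(text):
    """Return mcell.dir text with every 'mc' entry kept as a comment and re-emitted with '*TLS'."""
    out = []
    for line in text.splitlines():
        fields = _active_fields(line)
        if fields is None or fields[2] != "mc":
            out.append(line)          # comments, blanks and already-TLS entries are left alone
            continue
        out.append("#" + line)        # step 5: comment out the original entry
        out.append(_MC_KEY.sub(r"\g<1>*TLS\2", line, count=1))  # step 6: same entry with *TLS
    return "\n".join(out) + "\n"


def active_non_tls_entries(text):
    """Names of entries that would still be contacted without TLS (empty list = done)."""
    return [f[1] for f in map(_active_fields, text.splitlines()) if f and f[2] != "*TLS"]


if __name__ == "__main__":
    converted = switch_to_tls(SAMPLE_MCELL_DIR)
    print(converted)
    print("still non-TLS:", active_non_tls_entries(converted))
```

    Run active_non_tls_entries on the file after editing: an empty list means every cell and gateway entry now carries *TLS; any name it returns is a host the Presentation Server (or Integration Service) would still reach over the default encryption.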

    To configure the Infrastructure Management Server

    1. Navigate to the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory location.

    2. Open the ssl.activemq-rar.rar archive (a Java resource adapter archive in zip format) and extract the amq-broker-config.xml file from it.

    3. Take a backup of the amq-broker-config.xml file.
    4. In the amq-broker-config.xml file, update the uri attribute of the transportConnector element to the new port number.

      Note

      The port number used in this procedure is 8096. If you are using a different port, set the port number accordingly.

    5. Save the amq-broker-config.xml file and add it back into the ssl.activemq-rar.rar archive in the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory, replacing the original copy.

    6. Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:

      #Syntax
      perl switchTLSMode.pl -<on/off> -flow <communication channel> -tsps <TrueSight Presentation Server name>

      #Example
      perl switchTLSMode.pl -on -flow event_and_data -tsps myserver.bmc.com

      Parameter description

      The following notes describe the key parameters used in the preceding command:

      • -on/off: -on enables TLS mode of communication. -off disables TLS mode and restores the default tcp/ssl mode of communication.
      • -flow: When the flow is set to event_and_data, the communication between the Infrastructure Management Server and the Presentation Server is TLS 1.2 enabled.
      • -tsps: The fully qualified domain name (FQDN) of the computer where the Presentation Server is installed.
      • -h: Optional. Displays the help for the switchTLSMode.pl command.

    To start the servers

    1. Start the Presentation Server by running the following command:

      tssh server start
    2. Start the Infrastructure Management Server by running the following command:

      pw system start

    To register the Infrastructure Management Server with the Presentation Server

    1. Ensure that all the processes of the Infrastructure Management Server are up by running the following command:

      pw p l
    2. Register the Infrastructure Management Server with the Presentation Server. For more information, see Registering the component products with the Presentation Server .

    The following sections describe the configuration steps for both the local Integration Service and remote Integration Service in TLS 1.2 mode. Perform the configuration steps based on the type of Integration Service installed:

    To configure the local Integration Service

    1. Stop the Infrastructure Management Server by running the following command: 

      pw system stop
    2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install directory>\pw\custom\conf directory.

    3. Comment out the line that sets conntype to tcp, as shown in the following code block:

      #pronet.apps.agent.conntype=tcp
    4. Add the line with conntype set to ssltcp, as shown in the following code block:

      #Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant
      pronet.apps.agent.conntype=ssltcp

      Note

      Modify the file present in the pw\custom\conf directory, if it is a local Integration Service.

    5. Save and close the file.

    To configure the remote Integration Service

    1. Stop the Infrastructure Management Server by running the following command: 

      pw system stop
    2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install directory>\pw\custom\conf directory.

    3. Comment out the line that sets conntype to tcp, as shown in the following code block:

      #pronet.apps.agent.conntype=tcp
    4. Add the line with conntype set to ssltcp, as shown in the following code block:

      pronet.apps.agent.conntype=ssltcp
    5. Save and close the file.

    6. Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command: 

      pw is stop
    7. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop
      3. Click Yes to close the warning message that is displayed. 
        The status for the Integration Service changes from Started to (blank).

    8. Using a text editor, open the pronet.conf file located in the <Integration Service Install directory>\agent\pronto\conf directory.

    9. Comment out the line that sets conntype to tcp, as shown in the following code block:

      #pronet.apps.agent.conntype=tcp
    10. Add the line with conntype set to ssltcp, as shown in the following code block:

      pronet.apps.agent.conntype=ssltcp

      Note

      Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service. 

    11. Save and close the file.

    Start the servers

    Perform the following set of steps after the configuration changes are completed.

    To edit the Integration Service's properties

    1. Log on to the TrueSight console, and access Configuration > Managed Devices. The Managed Devices page displays the BMC TrueSight Infrastructure Management components in a hierarchical order, as shown in the following diagram.
    2. Click the action menu of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
    3. Select the Edit option.
    4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
    5. Click Save.
    6. Start the Infrastructure Management Server by running the following command:

      pw system start
    7. Start the Integration Service (Unix) by running the following command:

      pw is start
    8. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    9. Double-click the Services icon to launch the Services dialog box.
    10. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Restart
    11. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes to Started from (blank).

      Note

      The Integration Service restart applies only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

    The following section guides you to configure the Integration Service to Cell communication in TLS 1.2. Choose the appropriate configuration steps based on the type (local / remote) of the Integration Service and the cell used.

    To configure the local Integration Service

    Info

    CLI commands are TLS compliant. All the CLI commands read the mcell.dir file: if the encryption key for a cell is set to *TLS in the mcell.dir file, CLI commands connect to that cell in TLS mode; otherwise they operate in non-TLS mode.

     

    1. Stop the Infrastructure Management Server by running the following command: 

       

      pw system stop
    2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install directory>\pw\custom\conf directory.

    3. Comment out the line that sets encryptionkey to mc, as shown in the following code block:

      #pronet.apps.is.cell.encryptionkey=mc
    4. Add the line with encryptionkey set to *TLS, as shown in the following code block:

      pronet.apps.is.cell.encryptionkey=*TLS
    5. Save and close the file.

    6. Using a text editor, open mcell.dir file located in <Infrastructure Management Server Install directory>\pw\server\etc directory.

    7. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

      #Type                            <name>              encryption key           <host>/<port>
      #cell                             cell_1                  mc              cell_1.bmc.com:1828
      #cell                             HA_Cell                 mc              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
    8. Set the encryption key value to *TLS as shown in the following code block:

      #Type                            <name>              encryption key           <host>/<port>
      cell                             cell_1                  *TLS              cell_1.bmc.com:1828
      cell                             HA_Cell                 *TLS              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
      

      Parameter description

      Make the cell entries in the mcell.dir file that match the cells the Integration Service communicates with:

      • cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
      • HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.

    To configure the remote Integration Service

    Info

    CLI commands are TLS compliant. All the CLI commands read the mcell.dir file: if the encryption key for a cell is set to *TLS in the mcell.dir file, CLI commands connect to that cell in TLS mode; otherwise they operate in non-TLS mode.

     

    1. Logon to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command: 

      pw is stop
    2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop
      3. Click Yes to close the warning message that is displayed. 
        The status for the Integration Service changes from Started to (blank).

    3. Using a text editor, open the pronet.conf file located in the <Integration Service Install directory>\agent\pronto\conf directory.

    4. Comment out the line that sets encryptionkey to mc, as shown in the following code block:

      #pronet.apps.is.cell.encryptionkey=mc
    5. Add the line with encryptionkey set to *TLS, as shown in the following code block:

      pronet.apps.is.cell.encryptionkey=*TLS

      Note

      Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service. 

    6. Save and close the file.

    7. Using a text editor, open the mcell.dir file located in <Integration Service Install directory>\Agent\server\etc directory.

    8. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

      #Type                            <name>             encryption key         <host>/<port>
      #cell                             cell_1                 mc              cell_1.bmc.com:1828
      #cell                             HA_Cell                mc              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
    9. Set the encryption key value to *TLS as shown in the following code block:

      #Type                            <name>             encryption key         <host>/<port>
      cell                             cell_1                 *TLS              cell_1.bmc.com:1828
      cell                             HA_Cell                *TLS              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828

      Parameter description

      Make the cell entries in the mcell.dir file that match the cells the Integration Service communicates with:

      • cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
      • HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.
    10. Save and close the file.

    To configure the local Cell

    Info

    CLI commands are TLS compliant. All the CLI commands read the mcell.dir file: if the encryption key for a cell is set to *TLS in the mcell.dir file, CLI commands connect to that cell in TLS mode; otherwise they operate in non-TLS mode.

     

    1. Stop the cell service (Unix) by running the following command:

      mkill -n cellname
    2. To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Stop
      3. Click Yes to close the warning message that is displayed. 
        The status for the cell service changes from Started to (blank).

    3. Using a text editor, open the mcell.conf file located in the <Infrastructure Management Server Install Directory>\pw\server\etc\pncell_<TSIM_MACHINE_NAME> directory.

    4. Comment out the line that sets ServerTransportProtocol to tcp, as shown in the following code block:

      #ServerTransportProtocol=tcp
    5. Set the transport protocol to tls and name the cell's certificate and private key files (the files you created under Before you begin), as shown in the following code block:

      ServerTransportProtocol=tls
      ServerCertificateFileName=mcell.crt
      ServerPrivateKeyFileName=mcell.key
    6. Save and close the file.

    To configure the remote Cell

    Info

    CLI commands are TLS compliant. All the CLI commands read the mcell.dir file: if the encryption key for a cell is set to *TLS in the mcell.dir file, CLI commands connect to that cell in TLS mode; otherwise they operate in non-TLS mode.

     

    1. Logon to the computer where the remote cell is installed.

    2. Stop the cell service (Unix) by running the following command:

      mkill -n cellname
    3. To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Stop
      3. Click Yes to close the warning message that is displayed. 
        The status for the cell service changes from Started to (blank).

    4. Using a text editor, open the mcell.conf file located in the <Remote Cell Install Directory>\Agent\server\etc\cell_name directory.

    5. Comment out the line that sets ServerTransportProtocol to tcp, as shown in the following code block:

      #ServerTransportProtocol=tcp
    6. Set the transport protocol to tls and name the cell's certificate and private key files (the files you created under Before you begin), as shown in the following code block:

      ServerTransportProtocol=tls
      ServerCertificateFileName=mcell.crt
      ServerPrivateKeyFileName=mcell.key
    7. Save and close the file.
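    The pronet.conf edits on this page (conntype=ssltcp for the Integration Service to Infrastructure Management Server channel, encryptionkey=*TLS for the Integration Service to cell channel) and the mcell.conf edits for the local and remote cell (ServerTransportProtocol=tls plus the certificate and key file names) are all the same key=value change: comment out the old line and write the TLS value. The following Python is an added example, not BMC's code, that applies those changes and reports any key still holding a non-TLS value. The pronet.conf and mcell.conf contents are constructed samples, and the function and property-set names are the example's own.

```python
# TLS values for the two Integration Service channels that pronet.conf controls.
PRONET_TLS = {
    "pronet.apps.agent.conntype": "ssltcp",       # Integration Service <-> Infrastructure Management Server
    "pronet.apps.is.cell.encryptionkey": "*TLS",  # Integration Service <-> cell
}
# TLS values for a cell's mcell.conf: listen with TLS using the certificate and
# private key created under "Before you begin".
MCELL_TLS = {
    "ServerTransportProtocol": "tls",
    "ServerCertificateFileName": "mcell.crt",
    "ServerPrivateKeyFileName": "mcell.key",
}

# Constructed samples of the files before the change.
SAMPLE_PRONET_CONF = """\
# constructed pronet.conf excerpt
pronet.apps.agent.conntype=tcp
pronet.apps.is.cell.encryptionkey=mc
pronet.apps.agent.port=12124
"""
SAMPLE_MCELL_CONF = """\
# constructed mcell.conf excerpt
ServerTransportProtocol=tcp
ServerPort=1828
"""


def _split(line):
    """(key, value) for an active key=value line, else None."""
    s = line.strip()
    if not s or s.startswith("#") or "=" not in s:
        return None
    key, value = s.split("=", 1)
    return key.strip(), value.strip()


def parse_properties(text):
    """Active settings as a dict; a later duplicate overrides an earlier one."""
    return dict(kv for kv in map(_split, text.splitlines()) if kv)


def set_properties(text, updates):
    """Comment out each active line for a key in updates and write the TLS value below it;
    keys missing from the file are appended (mcell.conf normally has no cert/key lines yet)."""
    out, seen = [], set()
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] in updates:
            seen.add(kv[0])
            if kv[1] == updates[kv[0]]:
                out.append(line)               # already the TLS value: leave untouched
            else:
                out.append("#" + line)         # keep the old value as a comment
                out.append(f"{kv[0]}={updates[kv[0]]}")
            continue
        out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def non_tls_settings(text, expected):
    """Keys whose active value differs from the TLS value; an empty list means the file is ready."""
    props = parse_properties(text)
    return [k for k, v in expected.items() if props.get(k) != v]


if __name__ == "__main__":
    print(set_properties(SAMPLE_PRONET_CONF, PRONET_TLS))
    print(set_properties(SAMPLE_MCELL_CONF, MCELL_TLS))
```

    Use PRONET_TLS against pw\custom\conf\pronet.conf (local Integration Service) or agent\pronto\conf\pronet.conf (remote Integration Service), and MCELL_TLS against the cell's mcell.conf; non_tls_settings is the check to run before restarting, since a cell that still reads ServerTransportProtocol=tcp will refuse the *TLS connections the Integration Service now attempts.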

    To start the servers

    1. Start the cell service (Unix) by running the following command:

      mcell -n cellname
    2. To start the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Restart
      3. Click Yes to close the warning message that is displayed. 
        The status for the cell service changes to Started from (blank).

    3. Start the Integration Service (Unix) by running the following command:

      pw is start
    4. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    5. Double-click the Services icon to launch the Services dialog box.
    6. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Restart
    7. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes to Started from (blank).

    Note

    The Integration Service restart applies only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

    Perform the following steps to configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2 mode:

    To configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2

    Notes

    • Perform these steps only if the Oracle database is already configured in TLS 1.2 mode; they configure the Infrastructure Management Server side of the connection.
    • Oracle database version 11G is TLS 1.0 compliant.
    • Oracle database version 12.1.0.2 is TLS 1.2 compliant.
    1. Stop the Infrastructure Management Server by running the following command:

      pw system stop
    2. Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:

      #Syntax 
      perl switchTLSMode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version> 
       
      #Example
      perl switchTLSMode.pl -on -flow oracle -dbport 1521 -dbver 11G

      Parameter description

      The following notes describe the key parameters used in the preceding command:

      • -on/off: -on enables TLS mode of communication. -off disables TLS mode and restores the default tcp/ssl mode of communication.
      • -flow: This parameter has two options: event_and_data and oracle. When flow is set to oracle, the communication between the Infrastructure Management Server and the Oracle database is TLS 1.2 enabled.
      • -dbport: The port number that is configured for the Oracle database communication.
      • -dbver: The Oracle database version. The two compatible versions are 11G and 12C.
    3. Start the Infrastructure Management Server by running the following command:

      pw system start

    Perform the following steps to make the Integration Service to PATROL Agent communication TLS 1.2 compliant:

    To configure the Integration Service to enable TLS 1.2

    The following steps cover both the remote and the local Integration Service.

    To configure the remote Integration Service and the PATROL Agent communication to enable TLS 1.2


    1. Stop the Integration Service (Unix) by running the following command: 

      pw is stop
    2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

      1. Double-click the Services icon to launch the Services dialog box.
      2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop
      3. Click Yes to close the warning message that is displayed. 
        The status for the Integration Service changes from Started to (blank).

    3. Navigate to the <Remote Integration Service Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:

      # Microsoft Windows operating system
      cd <Remote Integration Service install directory>\agent\patrol\common\security\config_v3.0
      
      # Unix operating system
      cd <Remote Integration Service install directory>/agent/patrol/common/security/config_v3.0
    4. Run the following command:

      #Syntax
      set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS|UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
      #Example
      set_unset_tls_IS.cmd <Remote Integration Service Install Directory> SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

    To configure the local Integration Service and the PATROL Agent communication to enable TLS 1.2

    1. Stop the Infrastructure Management Server by running the following command:

      pw system stop
    2. Navigate to the <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0 directory by running the following command:

      # Microsoft Windows operating system
      cd <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0
      
      # Unix operating system
      cd <Infrastructure Management Server Install Directory>/pw/patrol/common/security/config_v3.0
    3. Run the following command:

      #Syntax
      set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS|UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
      #Example
      set_unset_tls_IS.cmd <Infrastructure Management Server Install Directory>\pw SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • Use the set_unset_tls_IS.cmd script on the Microsoft Windows operating system, and the set_unset_tls_IS.sh script on the Unix operating system.
    • set_unset_tls_IS.sh -h displays the help for the set_unset_tls_IS command.

    • The set_unset_tls_IS script takes the following arguments:
      • $BMC_ROOT: The directory where the Integration Service is installed.
      • SET_TLS / UNSET_TLS: The second argument is either SET_TLS or UNSET_TLS. SET_TLS configures the Integration Service in TLS mode; UNSET_TLS configures it in non-TLS mode.
      • security_level: The security level at which the Integration Service runs. The Integration Service runs at security_level 2 or higher. Set the Integration Service's security_level to the same value as your PATROL Agent's security_level; the two sides must match.
      • serverDbPath: The directory where the server certificates are present. This argument is mandatory for all security_levels of the Integration Service.
      • identity: The certificate identity. If you do not specify a value, the default bmcpatrol is used.

    To configure the PATROL Agent to enable TLS 1.2

    Perform the following steps to make the PATROL Agent to Integration Service communication TLS 1.2 compliant:

    1. Navigate to the config_v3.0 folder by running the following command:

      # Microsoft Windows operating system
      $cd <PATROL Agent installation directory>\common\security\config_v3.0
       
      # Unix operating system
      $cd <PATROL Agent installation directory>/common/security/config_v3.0
    2. Verify the PATROL Agent's installation directory. If it is not the default installation directory, C:\Program Files (x86)\BMC Software, perform the following sequence of steps:

      Perform this step only if the installation directory is not the default installation directory. These instructions apply when you run the set_unset_tls script on PATROL Agents running on the Microsoft Windows operating system to configure TLS 1.2, at any of the security levels 2, 3, or 4.

      1. Using a text editor, open the tls_agent.reg registry file located in the config_v3.0 directory that you navigated to in step 1, and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

        #Original entry

        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

        #Modified entry

        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

      2. Using a text editor, open the tls_esi.reg registry file located in the same config_v3.0 directory and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

        #Original entry

        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

        #Modified entry

        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

      3. Using a text editor, open the tls_proxy.reg registry file located in the same config_v3.0 directory and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

        #Original entry

        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

        #Modified entry

        "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    3. Run the script to enable TLS mode as shown in the following code block:

      #Syntax
      set_unset_tls.cmd <$BMC_ROOT> <SET_TLS|UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity>
      #Example
      set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol

      Notes

      • Use set_unset_tls.cmd script on the Microsoft Windows operating system, and set_unset_tls.sh script on the Unix operating system.
      • When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for Mozilla NSS v3.20 libraries in the default system library directory /usr/lib.

      • set_unset_tls.sh -h will display the help for the set_unset_tls command.
      • There are six command line arguments for the set_unset_tls script as explained in the following section:
        • BMC_ROOT: The directory where the PATROL Agent is installed.
        • SET_TLS / UNSET_TLS: The second command line argument can either be SET_TLS, or UNSET_TLS. If you select SET_TLS, the PATROL Agent is configured in TLS mode. If you select UNSET_TLS, the PATROL Agent is configured in Non-TLS mode.
        • security_level: The PATROL Agent communicates with the Integration Service at security_level 2 or higher. If your PATROL Agent is running at security_level 0 or 1, set the security_level to 2 in the preceding command. Ensure that the PATROL Agent's security_level is the same as your Integration Service's security_level.
        • serverDbPath: The directory where the server certificates are present. This argument is mandatory if the security_level is set to 3.
        • clientDbPath: The directory where the client certificates are present. This argument is mandatory if the security_level is set to 3.
        • identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol.

    To start the servers

    Perform the following set of steps after the configuration changes are completed.

    To edit the Integration Service's properties

    1. Log on to the TrueSight console, and select Configuration > Managed Devices. The Managed Devices page displays the BMC TrueSight Infrastructure Management components in a hierarchical order, as shown in the following diagram.
    2. Click the action menu of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
    3. Select the Edit option.
    4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
    5. Click Save.

    To start the local Integration Service

    1. Start the Infrastructure Management Server by running the following command:

      pw system start

      The Integration Service is restarted along with the Infrastructure Management Server.

    To start the remote Integration Service

    1. Start the remote Integration Service (Unix) by running the following command:

      pw is start
    2. To start the remote Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    3. Double-click the Services icon to launch the Services dialog box.
    4. Locate the BMC TrueSight Infrastructure Management Integration Service in the list of services, highlight it, and then click Restart.
    5. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from blank to (started).

    To start the PATROL Agent

    1. Start the PATROL Agent by running the following command:

      patrolagent -p 9090

    Perform the following steps to make the communication between the Infrastructure Management Server and BMC Impact Integration Web Services (IIWS) TLS compliant:

    To configure the Infrastructure Management Server

    1. Stop the Infrastructure Management Server by running the following command:

      pw system stop
    2. Using a text editor, open the mcell.dir file located in the <Infrastructure Management Server Install Directory>\server\etc directory.

    3. Comment out the entry whose encryption key value is mc, as shown in the following code block:

      #gateway.imcomm    IIWSGatewayServer    mc    IIWSGatewayServer.bmc.com:1859
    4. Set the encryption key value to *TLS as shown in the following code block:

      gateway.imcomm    IIWSGatewayServer    *TLS    IIWSGatewayServer.bmc.com:1859

      Note

       IIWSGatewayServer is the name of the host computer where the BMC Impact Integration Web Services is installed.

    5. Save and close the file.

    To configure the BMC Impact Integration Web Services server

    1. Navigate to the <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc directory by running the following command:

      # Microsoft Windows operating system 
      $cd <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc
      
      # Unix operating system 
      $cd <Impact Web Services installation directory>/tomcat/webapps/imws/WEB-INF/etc
    2. Using a text editor, open the mcell.dir file.
    3. Comment out the entries whose encryption key value is mc, as shown in the following code block:

      #type                                     Name                            encryption key                       <Host>:1828
      #gateway.imcomm                         IIWSGatewayServer                       mc                           localhost:1859
      #cell                                   pncell_tsim_server                      mc                           tsim_server.bmc.com:1828
    4. Set the encryption key value to *TLS as shown in the following code block:

      #syntax
      #type                                     Name                            encryption key                       <Host>:1828
      gateway.imcomm                         IIWSGatewayServer                       *TLS                           localhost:1859
      cell                                   pncell_tsim_server                      *TLS                           tsim_server.bmc.com:1828

      Parameter description

      The following notes describe the key parameters used in the preceding command:

      • Replace localhost with the name of the computer where the IIWS server is installed.
      • tsim_server is the name of the host computer where the Infrastructure Management Server is installed.

    To start the servers

    1. Start the Infrastructure Management Server by running the following command:

      pw system start
    2. Restart the IIWS server by performing the following steps:

      1. From the desktop or Start menu, navigate to Services.

      2. To stop the server, select the BMC Impact Integration Web Services service, and right-click to open the menu. The service name is BMCIWS, and the display name is Impact Integration Web Service.

      3. To stop the application server, select Stop.

    Perform the following steps to make the communication between the Infrastructure Management server main cell and the Reporting Engine TLS compliant:

    Note

    If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in Non-TLS mode.

                                    Infrastructure Management    Infrastructure Management      Remote cells    Remote cells
                                    server cells in TLS mode     server cells in Non-TLS mode   in TLS mode     in Non-TLS mode
    Reporting Engine in TLS mode    Yes                          No                             Yes             No

    To configure the Infrastructure Management server cell component

    1. Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.

    2. Locate the Reporting Engine gateway entry, whose third field is the encryption key, as shown in the following code block:

      gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>

      #Example

      gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783

    3. Modify the existing value of encryption key to *TLS as shown in the following example:

      gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783

    4. Save and close the file.

    5. Reload the mcell.dir file by entering the following command from a command line:

      #Syntax

      mcontrol -n cellName reload dir

      #Example

      mcontrol -n pncell_vm-w23-rds1016 reload dir

      Note

      pncell_vm-w23-rds1016 is the name of the cell.


    To configure the Report Engine component

    1. Navigate to the reportsCLI directory by running the following command:

      # Microsoft Windows operating system

      CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

      # Unix operating system

      $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

    2. Initiate the configuration settings by running the following command:

      #Syntax

      tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]

      #Example

      tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin

      When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

      Parameter description

       The following notes describe the key parameters used in the preceding command:

      • cacerts: Name of the keystore and truststore file of the Report Engine.
      • <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
      • <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.

    3. Enable the TLS configuration by running the following command:

      tls_config enable -component cell

     

    Perform the following steps to configure the Infrastructure Management server to Publishing Server communication to enable TLS 1.2 mode:

    To configure the Infrastructure Management server

    Perform the following steps to make the communication between the Infrastructure Management server and the Publishing Server TLS compliant:

    1. Stop the Infrastructure Management Server by running the following command:

      pw system stop
    2. Using a text editor, open the pronet.conf located in the <Infrastructure Management Server Install Directory>\pw\custom\conf directory.

    3. Add the following properties in pronet.conf as shown in the following code block:

      pronet.jms.passwd.file=pronto/conf/.ks_pass
      pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts
      pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks
      pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
      pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
    4. Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.

    5. Comment out any existing entries whose encryption key value is mc, as shown in the following code block:

      #Type            <name>                   encryption key   <host>/<port>
      #cell            pncell_hostname          mc               pncell_hostname.bmc.com:1828
      #gateway.imcomm  gw_ps_pncell_hostname    mc               hostname.bmc.com:1839
    6. Add the following entries, which set the encryption key value to *TLS:

      #Type            <name>                   encryption key   <host>/<port>
      cell             pncell_hostname          *TLS             pncell_hostname.bmc.com:1828
      gateway.imcomm   gw_ps_pncell_hostname    *TLS             hostname.bmc.com:1839
    7. Save and close the file.

    8. Using a text editor, open the smmgr.conf located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
    9. Comment out any existing line that sets ServerTransportProtocol to tcp, as shown in the following code block:

      #ServerTransportProtocol=tcp
    10. Add the following lines to set ServerTransportProtocol to tls and to name the server certificate and private key files:

      ServerTransportProtocol=tls
      ServerCertificateFileName=mcell.crt
      ServerPrivateKeyFileName=mcell.key

      Note

      mcell.crt and mcell.key are the names of the cell certificate and key. If the cell certificate and key names in your Infrastructure Management server are different, use those names in the preceding settings. For more information about how to create the cell key and certificate, see Implementing private certificates in the TrueSight Infrastructure Management.

    11. Save and close the file.

    12. Navigate to the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory location.
    13. Open the ssl.amqbootstrap.sar file and extract the jboss-service.xml file.
    14. Take a back up of the jboss-service.xml file.
    15. In the jboss-service.xml file, update the JNDIName attribute of amqbootstrap property as shown in the following example: 

      #Existing JNDIName setting

      <attribute name="JNDIName">ConnectionFactory</attribute>


      #New JNDIName setting  

      <attribute name="JNDIName">java:jboss/exported/ConnectionFactory</attribute>

    16. After the change, save the jboss-service.xml file and add it to the ssl.amqbootstrap.sar file in the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory again.

    17. Start the Infrastructure Management Server by running the following command:

      pw system start
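    The following Python script is an added example, not BMC's own tooling, for checking the mcell.dir edits made in the IIWS, Reporting Engine and Publishing Server sections above before the servers are started: it lists active entries that still use the mc key and names that remain active on more than one line. The four-field entry format and the rule that any key other than *TLS counts as non-TLS are assumptions taken from the examples on this page.

```python
"""Audit an mcell.dir for entries still on the non-TLS 'mc' key.

Added example for this page's mcell.dir edits (IIWS, Reporting Engine and
Publishing Server sections); not BMC tooling. Assumed format, from the page:
'<type> <name> <encryption key> <host>:<port>' per line, '#' lines are
comments; any key other than '*TLS' counts as non-TLS (assumption)."""
from collections import defaultdict, namedtuple

DirEntry = namedtuple("DirEntry", "line_no entry_type name enc_key host port")


def parse_mcell_dir(text):
    """Return the active (uncommented) entries with their 1-based line numbers."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {line_no}: expected 4 fields, got {len(parts)}")
        entry_type, name, enc_key, hostport = parts
        host, sep, port = hostport.rpartition(":")
        if not (sep and host and port.isdigit()):
            raise ValueError(f"line {line_no}: bad host:port {hostport!r}")
        entries.append(DirEntry(line_no, entry_type, name, enc_key, host, int(port)))
    return entries


def audit(text):
    """Flag entries whose key is not *TLS, and names still active on two lines
    (the usual slip: the old 'mc' entry was not commented out)."""
    entries = parse_mcell_dir(text)
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e.line_no)
    return {
        "non_tls": [e for e in entries if e.enc_key != "*TLS"],
        "duplicates": {n: ln for n, ln in by_name.items() if len(ln) > 1},
    }


# Constructed sample built from the entries shown on this page.
SAMPLE_MCELL_DIR = """\
#Type                <name>                         encryption key   <host>:<port>
#cell                pncell_hostname                mc               pncell_hostname.bmc.com:1828
cell                 pncell_hostname                *TLS             pncell_hostname.bmc.com:1828
gateway.imcomm       gw_ps_pncell_hostname          mc               hostname.bmc.com:1839
gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com  mc               vs-pun-tsim-bp03.bmc.com:3783
gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com  *TLS             vs-pun-tsim-bp03.bmc.com:3783
"""

if __name__ == "__main__":
    print(audit(SAMPLE_MCELL_DIR))
```

    Run it against the real mcell.dir of each component after editing; an empty non_tls list and an empty duplicates map mean every active entry is on *TLS and no superseded mc entry was left active.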


    6 Comments

    1. I don't see anything that discusses how to configure Event Management cell to cell communication to use TLS 1.2.  Is any configuration needed.  Does cell to cell communication accommodate TLS 1.2?

      Thank you,
      Garland Smith

      1. Hi,

        Thank you for your feedback.

        Checking with an SME, will update the document as per SME's input.

        Thanks,

        Rashmi

        1. Hi Parul Jain,

          Can you please clarify about the cell to cell TLS communication?

          Thanks,

          Rashmi

          1. Hi,

            Sorry for the delay.

            Yes, cell to cell communication is possible in TLS 1.2 mode. If the cell is configured in TLS 1.2, it can communicate in TLS 1.2 mode.

            Thanks,

            Rashmi


    2. The point of the request was to document the methodology to configure the cells to use TLS 1.2 on the same page where everything else is documented.  I have not been able to find anything that talks about how to configure cells to use TLS 1.2.  Logically, this should be included on the same page with everything else.


      Thank you,

      Garland Smith

      1. Hi,

        Thank you for the feedback.

        I will discuss with SME and see if a new section can be created for Cell - Cell communication to configure TLS.

        I checked with SME and confirmed that for the cell to cell TLS communication, the configuration steps are the same as those mentioned in IS-Cell communication (Sections: To configure the local cell, To configure the remote cell).

        Thanks,

        Rashmi