Configuring TrueSight Infrastructure Management to enable TLS 1.2


You can upgrade the security in your enterprise environment by using TLS 1.2 to communicate with TrueSight Infrastructure Management components. After the installation of TrueSight Infrastructure Management components, you can switch from the default inter-component security configuration to TLS 1.2 configuration.

Related topics

Rolling back to SSL configuration

TLS considerations for TrueSight Infrastructure Management

Configuring IT Data Analytics communication to enable TLS 1.2

Before you begin

Ensure that you complete the certificate creation and import tasks for the relevant components before you configure TLS 1.2 between them. For more information about how to create and import private certificates, see Implementing private certificates in TrueSight Operations Management.

To configure the TrueSight Infrastructure Management components to enable TLS 1.2

There are different communication channels established between the TrueSight Infrastructure Management components. Perform the TLS configurations per communication channel. Select the communication channel which you want to make TLS compliant and perform the tasks accordingly. The flowchart in the following diagram explains the complete TLS configuration workflow.

[Figure: TLS configuration workflow flowchart]

To enable TLS 1.2, complete the procedures by navigating the following tabs, or select the procedures from documentation links in the flowchart.

  1. Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running.

    tssh server status

    Note

    Ensure that the TrueSight Presentation Server is running before proceeding further.

  2. Log on to the TrueSight console and select Administration > Components.

    The console displays the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the TrueSight Presentation Server. If a TrueSight Infrastructure Management Server is registered, delete it. For more information, see To delete a component.

  3. Set the properties in the database by running the following commands:

    tssh properties set tsps.cell.conntype ssl
    tssh properties set pronet.jms.conntype ssl
  4. Using a text editor, open the mcell.dir file located in the <Presentation Server Install Directory>\conf directory.

  5. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    #gateway.gateway_subtype	   ts_event_gateway	         mc	             tsps_server1.bmc.com:1900
    #cell                         pncell_tsim_server1        mc              tsim_server1.bmc.com:1828
  6. Set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    gateway.gateway_subtype	     ts_event_gateway	        *TLS	          tsps_server1.bmc.com:1900
    cell                         pncell_tsim_server1        *TLS              tsim_server1.bmc.com:1828

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • tsps_server1 is the name of the computer where the TrueSight Presentation Server is installed.
    • tsim_server1 is the name of TrueSight Infrastructure Management Server registered with the TrueSight Presentation Server. If there are multiple Infrastructure Management Server entries in the mcell.dir file, change the encryption key to *TLS for all such entries.
  7. Save and close the file.

  8. Set the property in the database by running the following command:

    tssh properties set server.eventgateway.encryption.key *TLS
  9. Stop the Presentation Server by running the following command:

    tssh server stop

The following sections describe the configuration steps for both the local Integration Service and remote Integration Service in TLS 1.2 mode. Perform the configuration steps based on the type of Integration Service installed:

To configure the local Integration Service

  1. Stop the Infrastructure Management Server by running the following command: 

    pw system stop
  2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install directory>\pw\custom\conf directory.

  3. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

    #pronet.apps.agent.conntype=tcp
  4. Set the conntype value to ssltcp as shown in the following code block:

    #Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant
    pronet.apps.agent.conntype=ssltcp

    Note

    Modify the file present in the pw\custom\conf directory, if it is a local Integration Service.

  5. Save and close the file.

To configure the remote Integration Service

  1. Stop the Infrastructure Management Server by running the following command: 

    pw system stop
  2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install directory>\pw\custom\conf directory.

  3. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

    #pronet.apps.agent.conntype=tcp
  4. Set the conntype value to ssltcp as shown in the following code block:

    pronet.apps.agent.conntype=ssltcp
  5. Save and close the file.

  6. Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command: 

    pw is stop
  7. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop
    3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from Started to (blank).

  8. Using a text editor, open the pronet.conf file located in the <Integration Service Install directory>\agent\pronto\conf directory.

  9. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

    #pronet.apps.agent.conntype=tcp
  10. Set the conntype value to ssltcp as shown in the following code block:

    pronet.apps.agent.conntype=ssltcp

    Note

    Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service.

  11. Save and close the file.

To start the servers

Perform the following set of steps after the configuration changes are completed.

To edit the Integration Service's properties

  1. Log in to the TrueSight console, and access Configuration > Managed Devices. The Managed Devices page displays the BMC TrueSight Infrastructure Management components in a hierarchical order, as shown in the following diagram.
  2. Click the action menu of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
  3. Select the Edit option.
  4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
  5. Click Save.
  6. Start the Infrastructure Management Server by running the following command:

    pw system start
  7. Start the Integration Service (Unix) by running the following command:

    pw is start
  8. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, and then click Restart.
    3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from (blank) to Started.

    Note

    The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

The following section guides you to configure the Integration Service to Cell communication in TLS 1.2. Choose the appropriate configuration steps based on the type (local / remote) of the Integration Service and the cell used.

To configure the local Integration Service

Info

CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.

  1. Stop the Infrastructure Management Server by running the following command: 

    pw system stop
  2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install directory>\pw\custom\conf directory.

  3. Comment out the instance of the code line having the encryptionkey value as mc as shown in the following code block:

    #pronet.apps.is.cell.encryptionkey=mc
  4. Set the encryptionkey value to *TLS as shown in the following code block:

    pronet.apps.is.cell.encryptionkey=*TLS
  5. Save and close the file.

  6. Using a text editor, open the mcell.dir file located in the <Infrastructure Management Server Install directory>\pw\server\etc directory.

  7. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

    #Type                            <name>              encryption key           <host>/<port>
    #cell                             cell_1                  mc              cell_1.bmc.com:1828
    #cell                             HA_Cell                 mc              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
  8. Set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>              encryption key           <host>/<port>
    cell                             cell_1                  *TLS              cell_1.bmc.com:1828
    cell                             HA_Cell                 *TLS              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
    

    Parameter description

    Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:

    • cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
    • HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.

To configure the remote Integration Service

Info

CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.

  1. Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command: 

    pw is stop
  2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop
    3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from Started to (blank).

  3. Using a text editor, open the pronet.conf file located in the <Integration Service Install directory>\agent\pronto\conf directory.

  4. Comment out the instance of the code line having the encryptionkey value as mc as shown in the following code block:

    #pronet.apps.is.cell.encryptionkey=mc
  5. Set the encryptionkey value to *TLS as shown in the following code block:

    pronet.apps.is.cell.encryptionkey=*TLS

    Note

    Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service.

  6. Save and close the file.

  7. Using a text editor, open the mcell.dir file located in <Integration Service Install directory>\Agent\server\etc directory.

  8. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    #cell                             cell_1                 mc              cell_1.bmc.com:1828
    #cell                             HA_Cell                mc              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
  9. Set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    cell                             cell_1                 *TLS              cell_1.bmc.com:1828
    cell                             HA_Cell                *TLS              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828

    Parameter description

    Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:

    • cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
    • HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.
  10. Save and close the file.

To configure the local Cell

Info

CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.

  1. Stop the cell service (Unix) by running the following command:

    mkill -n cellname
  2. To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Stop
    3. Click Yes to close the warning message that is displayed. 
      The status for the cell service changes from Started to (blank).

  3. Using a text editor, open the mcell.conf file located in the <Infrastructure Management Server Install Directory>\pw\server\etc\pncell_<TSIM_MACHINE_NAME> directory.

  4. Comment out the instance of the code line having ServerTransportProtocol value as tcp as shown in the following code block:

    #ServerTransportProtocol=tcp
  5. Set the properties as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
  6. Save and close the file.

To configure the remote Cell

Info

CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.

  1. Log on to the computer where the remote cell is installed.

  2. Stop the cell service (Unix) by running the following command:

    mkill -n cellname
  3. To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Stop
    3. Click Yes to close the warning message that is displayed. 
      The status for the cell service changes from Started to (blank).

  4. Using a text editor, open the mcell.conf file located in the <Remote Cell Install Directory>\Agent\server\etc\cell_name directory.

  5. Comment out the instance of the code line having ServerTransportProtocol value as tcp as shown in the following code block:

    #ServerTransportProtocol=tcp
  6. Set the properties as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
  7. Save and close the file.

To start the servers

  1. Start the cell service (Unix) by running the following command:

    mcell -n cellname
  2. To start the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Restart
    3. Click Yes to close the warning message that is displayed. 
      The status for the cell service changes to Started from (blank).

  3. Start the Integration Service (Unix) by running the following command:

    pw is start
  4. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, and then click Restart.
    3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from (blank) to Started.

Note

The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

Perform the following steps to configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2 mode:

To configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2

Perform the following steps to enable the Infrastructure Management Server to Oracle database communication to be TLS compliant:

Notes

  • If the Oracle database is configured in TLS 1.2 mode, then perform the following steps to configure the Infrastructure Management Server in TLS 1.2 mode.
  • Oracle database version 11G is TLS 1.0 compliant.
  • Oracle database version 12.1.0.2 is TLS 1.2 compliant.
  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:

    #Syntax 
    perl switchTLSMode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version> 
     
    #Example
    perl switchTLSMode.pl -on -flow oracle -dbport 1521 -dbver 11G

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • -on/off: on option enables TLS mode of communication. off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
    • -flow: This variable can have two options: event_and_data, oracle. If flow is set to oracle, the communication between the Infrastructure Management Server and the Oracle database is TLS 1.2 enabled.
    • -dbport: Provide the port number that is configured for the Oracle database communication.
    • -dbver: Provide the Oracle database version. There are two compatible Oracle database versions: 11G, 12C
  3. Start the Infrastructure Management Server by running the following command:

    pw system start

To upgrade the Infrastructure Management server that communicates with the Oracle database in TLS mode

To upgrade the Infrastructure Management server that communicates with the Oracle database in TLS mode, perform the following sequence of steps:

  1. Disable TLS communication between the Infrastructure Management server and the Oracle database. For detailed instructions, see Rolling back to SSL configuration.
  2. Upgrade the Infrastructure Management server. For detailed instructions, see Upgrading the Infrastructure Management Server.
  3. Enable TLS communication between the Infrastructure Management server and the Oracle database. For detailed instructions, see Configuring TrueSight Infrastructure Management to enable TLS 1.2.

By default, the PATROL Agent communicates using either Transmission Control Protocol (TCP) or Secure Sockets Layer (SSL) protocol, but you can configure PATROL Agents to enable TLS 1.2 mode. 

The following process workflow guides you to configure the PATROL Agent to Integration Service communication to be TLS compliant:

  1. Ensure that the signed certificates are generated for the Integration Service and imported into the PATROL Agent's client DB certificate store. 
    To generate signed certificates for the Integration Service, see Implementing private certificates in the Integration Service.

  2. Ensure that the PATROL Agent and the TrueSight Integration Service are running at the same security level.
    • To change the PATROL Agent's security level, see Changing the PATROL Agent's security level.
    • To change the Integration Service's security level, see Changing the Integration Service's security level.

  3. Configure the PATROL Agent to Integration Service communication to enable TLS mode.
  4. Update the PATROL Agent's registry files. 
    For details, see Updating the PATROL Agent registry files.

  5. Update the Integration Service's registry files. 
    For details, see Updating the Integration Service registry files.

Perform the following steps to enable the Infrastructure Management Server to BMC Impact Integration Web Services (IIWS) communication to be TLS compliant:

To configure the Infrastructure Management Server

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Using a text editor, open the mcell.dir file located in the <Infrastructure Management Server Install Directory>\server\etc directory.

  3. Comment out the instance of the code line having encryption key value as mc as shown in the following code block:

    #gateway.imcomm    IIWSGatewayServer    mc    IIWSGatewayServer.bmc.com:1859
  4. Set the encryption key value to *TLS as shown in the following code block:

    gateway.imcomm    IIWSGatewayServer    *TLS    IIWSGatewayServer.bmc.com:1859

    Note

    IIWSGatewayServer is the name of the host computer where the BMC Impact Integration Web Services is installed.

  5. Save and close the file.

To configure the BMC Impact Integration Web Services server

  1. Navigate to the  <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc directory by running the following command:

    # Microsoft Windows operating system 
    cd <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc
    
    # Unix operating system 
    cd <Impact Web Services installation directory>/tomcat/webapps/imws/WEB-INF/etc
  2. Using a text editor, open the mcell.dir file.
  3. Comment out the instances of the code lines having encryption key value as mc as shown in the following code block:

    #type                                     Name                            encryption key                       <Host>:1828
    #gateway.imcomm                         IIWSGatewayServer                       mc                           localhost:1859
    #cell                                   pncell_tsim_server                      mc                           tsim_server.bmc.com:1828
  4. Set the encryption key value to *TLS as shown in the following code block:

    #syntax
    #type                                     Name                            encryption key                       <Host>:1828
    gateway.imcomm                         IIWSGatewayServer                       *TLS                           localhost:1859
    cell                                   pncell_tsim_server                      *TLS                           tsim_server.bmc.com:1828

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • Replace the localhost by the computer name where the IIWS server is installed.
    • tsim_server is the name of the host computer where the Infrastructure Management Server is installed.

To start the servers

  1. Start the Infrastructure Management Server by running the following command:

    pw system start
  2. Restart the IIWS server by running the following commands:

    1. From the desktop or Start menu, navigate to Services.

    2. To stop the server, select the BMC Impact Integration Web Services service, and right-click to open the menu. The service name is BMCIWS, and the display name is Impact Integration Web Service.

    3. To stop the application server, select Stop.

Perform the following steps to enable the Infrastructure Management server main cell to Reporting engine communication to be TLS compliant:

Note

If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in Non-TLS mode.

Reporting Engine in TLS mode can communicate with:

  • Infrastructure Management server cells in TLS mode: yes
  • Infrastructure Management server cells in Non-TLS mode: no
  • Remote cells in TLS mode: yes
  • Remote cells in Non-TLS mode: no

To configure the Infrastructure Management server cell component

  1. Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.

  2. Check for the instance of the code line having encryption key value as shown in the following code block:

    gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>

    #Example

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783

  3. Modify the existing value of encryption key to *TLS as shown in the following example:

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783

  4. Save and close the file.

  5. Reload the mcell.dir file by entering the following command from a command line:

    #Syntax

    mcontrol -n cellName reload dir

    #Example

    mcontrol -n pncell_vm-w23-rds1016 reload dir

    Note

    pncell_vm-w23-rds1016 is the name of the cell.


To configure the Report Engine component

  1. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system

    cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

    # Unix operating system

    cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

  2. Initiate the configuration settings by running the following command:

    #Syntax

    tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]

    #Example

    tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin

    When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • cacerts: Name of the keystore and truststore file of the Report Engine.
    • <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
    • <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.

  3. Enable the TLS configuration by running the following command:

    tls_config enable -component cell

Perform the following steps to configure the Infrastructure Management server to Publishing Server communication to enable TLS 1.2 mode:

To configure the Infrastructure Management server

Perform the following steps to enable the Infrastructure Management server to Publishing Server communication to be TLS compliant:

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Using a text editor, open the pronet.conf file located in the <Infrastructure Management Server Install Directory>\pw\custom\conf directory.

  3. Add the following properties in pronet.conf as shown in the following code block:

    pronet.jms.passwd.file=pronto/conf/.ks_pass
    pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts
    pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks
    pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
    pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
  4. Using a text editor, open the mcell.dir file located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.

  5. Comment out any existing instances of the code lines having encryption key value as mc as shown in the following code block:

    #Type                            <name>             encryption key                <host>/<port>
    #cell	                      pncell_hostname	         mc	                pncell_hostname.bmc.com:1828
    #gateway.imcomm              gw_ps_pncell_hostname       mc                    hostname.bmc.com:1839
  6. Add the code lines to set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>             encryption key               <host>/<port>
    cell                        pncell_hostname             *TLS                    pncell_hostname.bmc.com:1828
    gateway.imcomm              gw_ps_pncell_hostname       *TLS                    hostname.bmc.com:1839
  7. Save and close the file.

  8. Using a text editor, open the smmgr.conf located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
  9. Comment out any existing instance of the code line having ServerTransportProtocol value as tcp as shown in the following code block:

    #ServerTransportProtocol=tcp
  10. Add the code lines to set the ServerTransportProtocol value to tls, and server certificate file name and key values as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key

    Note

    mcell.crt and mcell.key are the names of the cell certificate and the cell key. If the cell certificate and key names in your Infrastructure Management server are different, use the relevant names in the preceding settings. For more information about how to create the cell key and certificate, see Implementing private certificates in the TrueSight Infrastructure Management.

  11. Save and close the file.

  12. Start the Infrastructure Management Server by running the following command:

    pw system start
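The following check is an added example, not part of the BMC documentation: it scans the text of mcell.dir and smmgr.conf for settings that steps 5 through 10 should have replaced. The function names and the sample file contents are constructed for illustration, and only the cell and gateway.imcomm entry types shown in the steps are checked.

```python
CHECKED_TYPES = {"cell", "gateway.imcomm"}  # assumption: only the types shown in the steps

def audit_mcell_dir(text):
    """Return (line_no, type, name, key) for active entries not set to *TLS."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank, commented out, or not a full entry
        etype, name, key = fields[:3]
        if etype in CHECKED_TYPES and key != "*TLS":
            findings.append((no, etype, name, key))
    return findings

def audit_smmgr_conf(text):
    """Return problems found in the active (uncommented) transport settings."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        active.setdefault(key, []).append(value)
    problems = []
    protocols = active.get("ServerTransportProtocol", [])
    if "tls" not in protocols:
        problems.append("ServerTransportProtocol=tls is not set")
    problems += [f"ServerTransportProtocol={p} is still active"
                 for p in protocols if p != "tls"]  # e.g. a tcp line left uncommented
    for key in ("ServerCertificateFileName", "ServerPrivateKeyFileName"):
        if not any(active.get(key, [])):
            problems.append(f"{key} is missing")
    return problems

# Constructed sample contents: one gateway entry and one tcp line were missed.
SAMPLE_MCELL_DIR = """\
#Type  <name>  encryption key  <host>/<port>
#cell  pncell_hostname  mc  pncell_hostname.bmc.com:1828
cell  pncell_hostname  *TLS  pncell_hostname.bmc.com:1828
gateway.imcomm  gw_ps_pncell_hostname  mc  hostname.bmc.com:1839
"""
SAMPLE_SMMGR_CONF = """\
ServerTransportProtocol=tcp
ServerTransportProtocol=tls
ServerCertificateFileName=mcell.crt
"""
if __name__ == "__main__":
    print(audit_mcell_dir(SAMPLE_MCELL_DIR))
    print(audit_smmgr_conf(SAMPLE_SMMGR_CONF))
```

To use it against a real installation, read the two files from the etc directory named in steps 4 and 8 and pass their text to the functions before running pw system start.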


Comments

  1. Clint Hardman

    I have run into issues with what looks to be step 4 of the TSIM steps. I initially went through and changed the jms broker port to 8096 from 8093 and after running the switchTLSmode perl script my TSIM wouldn't start. I am wondering if this step even needs to be done and included in the documentation as changing that port appeared to be what caused my TSIM to break and not be able to start again. If you are going to include this step the notes/explanations need to be more clear in regards to what changing that port really means. Also running that script will stop and start the TSIM and the next steps in the process say to start the TSPS back up and then start the TSIM which the script already tries to do.

    Dec 04, 2019 04:19
    1. Louis Duke

      It should be noted, that as part of that 'attempt' to restart the TSIM that occurs in step 6 of the TSIM work, the script attempts a maximum 60 times to get things up and running between the TSIM and the TSPS (which is turned off at the time) with a ~ 1 minute wait between attempts.

      Needless to say this step can take quite some time to complete on its own.

      Jan 27, 2020 12:39
      1. Rashmi Gokhale

        Hi,

        I discussed this with the SME, and as per SME inputs, the port number should be set to a value that is configured in the server. For example, if the server is configured with port number 8093, then set transportConnector to 8093. If it is configured with some other value, then set the transportConnector property accordingly.

        I have modified the text in step 4 and published the document.

        Thanks,

        Rashmi


        Jul 08, 2020 04:17
        1. Anthony Valuikas

          I'm also having the issue there. I kept my configured port which is 8093 but TSIM will not start. Still trying to find the correct process as I can't get TSIM to start. Been through the steps 3 times now.

          Jan 07, 2021 10:08
          1. Rashmi Gokhale

            To address this, after checking with SMEs and PE, we have modified this instruction and published it in one space. It will be published in all spaces after it is reviewed and approved.



            Jan 18, 2021 12:25
  2. Clint Hardman

    I also want to point out that there is no mention of the TLS 1.2 Securing documentation for ITDA. There at least needs to be a mention of it and point the user to where that documentation is located.

    Jan 29, 2020 12:24
    1. Rashmi Gokhale

      Hi,

      I will add the details and update you.

      Thanks,

      Rashmi

      Jan 30, 2020 01:16
      1. Rashmi Gokhale

        Hi,

        I have added the ITDA TLS topic link in the Related topics section and published the topic.

        Thanks,

        Rashmi

        Jun 11, 2020 12:44
  3. Karthik Vijayan

    Hi,

    I have two queries.

    Query 1: The first line of the page says 'By default, TrueSight Infrastructure Management and its associated components use Transport Layer Security (TLS) versions earlier than TLS 1.2 to communicate with each other.' - Can you please let me know which version of TLS to be specific? TLS 1.0 or TLS 1.1?

    Query 2: We are using F5 Load Balancers for Remedy SSO, TSPS and TSIM HA functionality. TLS 1.2 has been already enabled at the Load Balancer Layer from Network Perspective. Our environment is working fine after this without issues. However, do we still have to complete all the above sections to enable TLS 1.2 between all the Truesight components?

    Feb 13, 2020 07:05
    1. Rashmi Gokhale

      Hi Shahezad Mirkar, Prashant Joshi,


      Can you please provide your inputs to the above queries?


      Thanks,

      Rashmi


      Feb 17, 2020 01:18
      1. Rashmi Gokhale

        Hi Karthik,

        1. As per the SME inputs, SSL v3 was used before TLS 1.2.
        2. For the second part of the query, I have sent an email to the SME and have copied you in the email.

        Thanks,

        Rashmi

        Oct 07, 2020 06:58
      1. Karthik Vijayan

        Our Network Team has enabled TLS 1.2 behind the LoadBalancer and we didn't enable TLS 1.2 on any of the Truesight components. With this scenario, our Truesight setup works fine without any issues. So, is it necessary to still enable TLS 1.2 on all the components or leave this setup with the above mentioned scenario?

        Oct 23, 2020 09:31
        1. Rashmi Gokhale

          Hi Karthik,

          Closing this thread here as this is being discussed in the email. I have copied you in the email.

          Thanks,

          Rashmi

          Nov 24, 2020 12:23
  4. Anuparn Padalia

    Under TSIM Configuration - Steps 4 and 5 are actually a bit unclear in version 11.3.03, as some of the information mentioned is not like that in the Linux environment. Due to this, I am unable to bring up TSIM. I need help here with some other article or link where I can have the proper steps documented.

    Regards, Anuparn Padalia

    Mar 01, 2020 03:30
    1. Rashmi Gokhale

      Hi Anuparn,

      Can you provide more details for this?

      Do you mean steps 4 & 5, which mention the amq-broker-config.xml file?


      Thanks,

      Rashmi


      Mar 04, 2020 12:59
  5. Anuparn Padalia

    Yes, that is correct. If you can re-validate steps 4 & 5 on Linux (could be RHEL), as it seems some areas will be different for Linux rather than how it is in WinOS.

    Regards, Anuparn Padalia

    Mar 08, 2020 01:09
  6. John Conroy

    Following the change to the amq-broker-config.xml file should the TSIM server pronet.conf entry called pronet.jboss.jms.port be changed to 8096 from its default value of 8093?

    Also, if the "automatically add firewall rules" option was selected at TSIM install time on Windows it will be necessary to also add the 8096 port to the firewall rulebase.

    Mar 11, 2020 11:51
    1. Shreya Gurukiran

      Hi Shahezad Mirkar,


      Can you please respond to this comment?

      Apr 21, 2020 02:18