Configuring TrueSight Infrastructure Management to enable TLS 1.2
You can upgrade the security in your enterprise environment by using TLS 1.2 to communicate with TrueSight Infrastructure Management components. After the installation of TrueSight Infrastructure Management components, you can switch from the default inter-component security configuration to TLS 1.2 configuration.
Before you begin
Ensure to complete the certificate creation and import tasks for the relevant components before you configure TLS 1.2 between them. For more information about how to create and import private certificates, see Implementing private certificates in TrueSight Operations Management.
To configure the TrueSight Infrastructure Management components to enable TLS 1.2
There are different communication channels established between the TrueSight Infrastructure Management components. Perform the TLS configurations per communication channel. Select the communication channel which you want to make TLS compliant and perform the tasks accordingly. The flowchart in the following diagram explains the complete TLS configuration workflow.
To enable TLS 1.2, complete the procedures by navigating the following tabs, or select the procedures from documentation links in the flowchart.
Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running.
tssh server status
Note
Ensure that the TrueSight Presentation Server is running before proceeding further.
Log on to the TrueSight console and select Administration> Components.
Displays the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the TrueSight Presentation Server. If a TrueSight Infrastructure Management Server is registered delete the same. For more information, see To delete a component
Set the property in the database by running the following command:
tssh properties set tsps.cell.conntype ssl tssh properties set pronet.jms.conntype ssl
Using a text editor, open the mcell.dir file located in <Presentation Server Install Directory>\confdirectory.
Comment out the instances of the code lines having the encryption key value as
mc
as shown in the following code block:#Type <name> encryption key <host>/<port> #gateway.gateway_subtype ts_event_gateway mc tsps_server1.bmc.com:1900 #cell pncell_tsim_server1 mc tsim_server1.bmc.com:1828
Set the encryption key value to *TLSas shown in the following code block:
#Type <name> encryption key <host>/<port> gateway.gateway_subtype ts_event_gateway *TLS tsps_server1.bmc.com:1900 cell pncell_tsim_server1 *TLS tsim_server1.bmc.com:1828
Parameter description
The following notes describe the key parameters used in the preceding command:
- tsps_server1is the name of the computer where the TrueSight Presentation Server is installed.
- tsim_server1 is the name of TrueSight Infrastructure Management Server registered with the TrueSight Presentation Server. If there are multiple Infrastructure Management Server entries in the mcell.dir file, change the encryption key to *TLS for all such entries.
Save and close the file.
Set the property in the database by running the following command:
tssh properties set server.eventgateway.encryption.key *TLS
Stop the Presentation Server by running the following command:
tssh server stop
The following sections describe the configuration steps for both the local Integration Service and remote Integration Service in TLS 1.2 mode. Perform the configuration steps based on the type of Integration Service installed:
- Step 1: To configure the local Integration Service
- Step 2: To configure the remote Integration Service
- Step 3: To start the servers
To configure the local Integration Service
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\confdirectory.
Comment out the instance of the code line having the conntype value as
tcp
as shown in the following code block:#pronet.apps.agent.conntype=tcp
Set the conntype value to
ssltcp
as shown in the following code block:#Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant pronet.apps.agent.conntype=ssltcp
Note
Modify the file present in the pw\custom\confdirectory, if it is a local Integration Service.
Save and close the file.
To configure the remote Integration Service
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\confdirectory.
Comment out the instance of the code line having the conntype value as
tcp
as shown in the following code block:#pronet.apps.agent.conntype=tcp
Set the conntype value to
ssltcp
as shown in the following code block:pronet.apps.agent.conntype=ssltcp
Save and close the file.
Logon to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:
pw is stop
To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes from Started to (blank).
Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\pronto\confdirectory.
Comment out the instance of the code line having the conntype value as
tcp
as shown in the following code block:#pronet.apps.agent.conntype=tcp
Set the conntype value to
ssltcp
as shown in the following code block:pronet.apps.agent.conntype=ssltcp
Note
Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service.
Save and close the file.
To start the servers
Perform the following set of steps after the configuration changes are completed.
To edit the Integration Service's properties
- Log in to the TrueSight console, and access Configuration > Managed Devices. Managed Devices page displays the BMC TrueSight Infrastructure Management components that are displayed in a hierarchical order as shown in the following diagram.
- Click the action menu of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
- Select the Edit option.
- The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
- Click Save.
Start the Infrastructure Management Server by running the following command:
pw system start
Start the Integration Service (Unix) by running the following command:
pw is start
To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Restart.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes to Started from (blank).Note
The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.
The following section guides you to configure the Integration Service to Cell communication in TLS 1.2. Choose the appropriate configuration steps based on the type (local / remote) of the Integration Service and the cell used.
- Step 1: To configure the local Integration Service
- Step 2: To configure the remote Integration Service
- Step 3: To configure the local Cell
- Step 4: To configure the remote Cell
- Step 5: To start the servers
To configure the local Integration Service
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
- Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\confdirectory.
Comment out the instance of the code line having the encryptionkey value as
mc
as shown in the following code block:#pronet.apps.is.cell.encryptionkey=mc
Set the encryptionkey value to
*TLS
as shown in the following code block:pronet.apps.is.cell.encryptionkey=*TLS
Save and close the file.
Using a text editor, open mcell.dir file located in <Infrastructure Management Server Install directory>\pw\server\etc directory.
Comment out the instances of the code lines having the encryption key value as
mc
as shown in the following code block:#Type <name> encryption key <host>/<port> #cell cell_1 mc cell_1.bmc.com:1828 #cell HA_Cell mc primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Set the encryption key value to
*TLS
as shown in the following code block:#Type <name> encryption key <host>/<port> cell cell_1 *TLS cell_1.bmc.com:1828 cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Parameter description
Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:
- cell_1is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
- HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.
To configure the remote Integration Service
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
Logon to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:
pw is stop
To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes from Started to (blank).
Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\pronto\confdirectory.
Comment out the instance of the code line having the encryptionkey value as
mc
as shown in the following code block:#pronet.apps.is.cell.encryptionkey=mc
Set the encryptionkey value to
*TLS
the following code block:pronet.apps.is.cell.encryptionkey=*TLS
Note
Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service.
Save and close the file.
Using a text editor, open the mcell.dir file located in <Integration Service Install directory>\Agent\server\etc directory.
Comment out the instances of the code lines having the encryption key value as
mc
as shown in the following code block:#Type <name> encryption key <host>/<port> #cell cell_1 mc cell_1.bmc.com:1828 #cell HA_Cell mc primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Set the encryption key value to
*TLS
as shown in the following code block:#Type <name> encryption key <host>/<port> cell cell_1 *TLS cell_1.bmc.com:1828 cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
Parameter description
Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:
- cell_1is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
- HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.
Save and close the file.
To configure the local Cell
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
Stop the cell service (Unix) by running the following command:
mkill -n cellname
To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Stop.
Click Yes to close the warning message that is displayed.
The status for the cell service changes from Started to (blank).
Using a text editor, open mcell.conf file located in <Infrastructure Management Server Install Directory>\pw\server\etc\pncell_<TSIM_MACHINE_NAME>directory.
Comment out the instance of the code line having ServerTransportProtocol value as
tcp
as shown in the following code block:#ServerTransportProtocol=tcp
Set the properties as shown in the following code block:
ServerTransportProtocol=tls ServerCertificateFileName=mcell.crt ServerPrivateKeyFileName=mcell.key
Save and close the file.
To configure the remote Cell
Info
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode, else CLI commands operate in non-TLS mode.
Logon to the computer where the remote cell is installed.
Stop the cell service (Unix) by running the following command:
mkill -n cellname
To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Stop.
Click Yes to close the warning message that is displayed.
The status for the cell service changes from Started to (blank).
Using a text editor, open mcell.conf file located in <Remote Cell Install Directory>\Agent\server\etc\cell_name directory.
Comment out the instance of the code line having ServerTransportProtocol value as
tcp
as shown in the following code block:#ServerTransportProtocol=tcp
Set the properties as shown in the following code block:
ServerTransportProtocol=tls ServerCertificateFileName=mcell.crt ServerPrivateKeyFileName=mcell.key
Save and close the file.
To start the servers
Start the cell service (Unix) by running the following command:
mcell -n cellname
To start the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight, then click Restart.
Click Yes to close the warning message that is displayed.
The status for the cell service changes to Started from (blank).
Start the Integration Service (Unix) by running the following command:
pw is start
To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Restart.
Click Yes to close the warning message that is displayed.
The status for the Integration Service changes to Started from (blank).
Note
The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.
Perform the following steps to configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2 mode:
To configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2
Perform the following steps to enable the Infrastructure Management Server to Oracle database communication to be TLS compliant:
Notes
- If the Oracle database is configured in TLS 1.2 mode, then perform the following steps to configure the Infrastructure Management Server in TLS 1.2 mode.
- Oracle database version 11G is TLS 1.0 compliant.
- Oracle database version 12.1.0.2 is TLS 1.2 compliant.
Stop the Infrastructure Management Server by running the following command:
pw system stop
Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:
#Syntax perl switchTLSMode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version> #Example perl switchTLSMode.pl -on -flow oracle –dbport 1521 -dbver 11G
Parameter description
The following notes describe the key parameters used in the preceding command:
- -on/off: on option enables TLS mode of communication. off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
- -flow: This variable can have two options: event_and_data,oracle. If flow is set to oracle, the communication between the Infrastructure Management Server and the Oracle database is TLS 1.2 enabled.
- -dbport:Provide the port number that is configured for the Oracle database communication.
- -dbver: Provide the Oracle database version. There are two compatible Oracle database versions: 11G, 12C
Start the Infrastructure Management Server by running the following command:
pw system start
To upgrade the Infrastructure Management server that communicates with the Oracle database in TLS mode
To upgrade the Infrastructure Management server that communicates with the Oracle database in TLS mode, perform the following sequence of steps:
- Disable TLS communication between Infrastructure Management server to Oracle database. For detailed instructions, see Rolling back to SSL configuration.
- Upgrade the Infrastructure Management server. For detailed instructions, see Upgrading the Infrastructure Management Server.
- Enable TLS communication between Infrastructure Management server to Oracle database. For detailed instructions, see Configuring TrueSight Infrastructure Management to enable TLS 1.2.
By default, the PATROL Agent communicates using either Transmission Control Protocol (TCP) or Secure Sockets Layer (SSL) protocol, but you can configure PATROL Agents to enable TLS 1.2 mode.
The following process workflow guides you to configure the PATROL Agent to Integration Service communication to be TLS compliant:
- Ensure that the signed certificates are generated for the Integration Service and imported into the PATROL Agent's client DB certificate store.
To generate signed certificates for the Integration Service, see Implementing private certificates in the Integration Service. - Ensure that the PATROL Agent and the TrueSight Integration Service are running at the same security level.
- To change the PATROL Agent's security level, see Changing the PATROL Agent's security level .
- To change the Integration Service's security level, see Changing the Integration Service's security level .
- Configure the PATROL Agent to Integration Service communication to enable TLS mode.
- Run the set_unset_tls command in the PATROL Agent
- Run the set_unset_tls_is command in the Integration Service
For details, see Configuring the PATROL Agent to Integration Service communication to enable TLS 1.2.
- Update the PATROL Agent's registry files.
For details, see Updating the PATROL Agent registry files . - Update the Integration Service's registry files.
For details, see Updating the Integration Service registry files .
Perform the following steps to enable the Infrastructure Management Server to BMC Impact Integration Web Services (IIWS) communication to be TLS compliant:
- Step 1: To configure the Infrastructure Management Server
- Step 2: To configure the BMC Impact Integration Web Services server
- Step 3: To start the servers
To configure the Infrastructure Management Server
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\server\etcdirectory.
Comment out the instance of the code line having encryption key value as mcas shown in the following code block:
#gateway.imcomm IIWSGatewayServer mc IIWSGatewayServer.bmc.com:1859
Set the encryption key value to
*TLS
as shown in the following code block:gateway.imcomm IIWSGatewayServer *TLS IIWSGatewayServer.bmc.com:1859
Note
IIWSGatewayServer is the name of the host computer where the BMC Impact Integration Web Services is installed.
Save and close the file.
To configure the BMC Impact Integration Web Services server
Navigate to the <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc directory by running the following command:
# Microsoft Windows operating system $cd <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc # Unix operating system $cd <Impact Web Services installation directory>/tomcat/webapps/imws/WEB-INF/etc
- Using a text editor, open the mcell.dir file.
Comment out the instances of the code lines having encryption key value as mc as shown in the following code block:
#type Name encryption key <Host>:1828 #gateway.imcomm IIWSGatewayServer mc localhost:1859 #cell pncell_tsim_server mc tsim_server.bmc.com:1828
Set the encryption key value to *TLS as shown in the following code block:
#syntax #type Name encryption key <Host>:1828 gateway.imcomm IIWSGatewayServer *TLS localhost:1859 cell pncell_tsim_server *TLS tsim_server.bmc.com:1828
Parameter description
The following notes describe the key parameters used in the preceding command:
- Replace the localhost by the computer name where the IIWS server is installed.
- tsim_server is the name of the host computer where the Infrastructure Management Server is installed.
To start the servers
Start the Infrastructure Management Server by running the following command:
pw system start
Restart the IIWS server by running the following commands:
From the desktop or Start menu, navigate to Services.
To stop the server, select the BMC Impact Integration Web Services service, and right-click to open the menu. The service name is BMCIWS, and the display name is Impact Integration Web Service.
To stop the application server, select Stop.
Perform the following steps to enable the Infrastructure Management server main cell to Reporting engine communication to be TLS compliant:
- Step 1: To configure the Infrastructure Management server cell component
- Step 2: To configure the Reporting Engine component
Note
If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in Non-TLS mode.
Infrastructure Management server cells in TLS mode | Infrastructure Management server cells in Non-TLS mode | Remote cellsin TLS mode | Remote cells in Non-TLS mode | |
---|---|---|---|---|
Reporting Engine in TLS mode |
To configure the Infrastructure Management server cell component
Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.
Check for the instance of the code line having encryption key value as shown in the following code block:
gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>
#Example
gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783
Modify the existing value of encryption key to
*TLS
as shown in the following example:gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
Save and close the file.
Reload the mcell.dir file by entering the following command from a command line:
#Syntax
mcontrol -n cellName reload dir
#Example
mcontrol -n pncell_vm-w23-rds1016 reload dir
Note
pncell_vm-w23-rds1016
is the name of the cell.
To configure the Report Engine component
Navigate to the reportsCLI directory by running the following command:
# Microsoft Windows operating system
CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI
# Unix operating system
$cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI
Initiate the configuration settings by running the following command:
#Syntax
tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]
#Example
tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin
When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.
Parameter description
The following notes describe the key parameters used in the preceding command:
- cacerts: Name of the keystore and truststore file of the Report Engine.
- <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
<BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.
Enable the TLS configuration by running the following command:
tls_config enable -component cell
Perform the following steps to configure the Infrastructure Management server to Publishing Server communication to enable TLS 1.2 mode:
To configure the Infrastructure Management server
Perform the following steps to enable the Infrastructure Management server to Publishing Server communication to be TLS compliant:
Stop the Infrastructure Management Server by running the following command:
pw system stop
Using a text editor, open the pronet.conf located in the <Infrastructure Management Server Install Directory>\pw\custom\confdirectory.
Add the following properties in pronet.conf as shown in the following code block:
pronet.jms.passwd.file=pronto/conf/.ks_pass pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256 pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\pw\server\etcdirectory.
Comment out any existing instances of the code lines having encryption key value as mc as shown in the following code block:
#Type <name> encryption key <host>/<port> #cell pncell_hostname mc pncell_hostname.bmc.com:1828 #gateway.imcomm gw_ps_pncell_hostname mc hostname.bmc.com:1839
Add the code lines to set the encryption key value to
*TLS
as shown in the following code block:#Type <name> encryption key <host>/<port> cell pncell_hostname *TLS pncell_hostname.bmc.com:1828 gateway.imcomm gw_ps_pncell_hostname *TLS hostname.bmc.com:1839
Save and close the file.
- Using a text editor, open the smmgr.conf located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
Comment out any existing instance of the code line having ServerTransportProtocol value as
tcp
as shown in the following code block:#ServerTransportProtocol=tcp
Add the code lines to set the ServerTransportProtocol value to
tls
, and server certificate file name and key values as shown in the following code block:ServerTransportProtocol=tls ServerCertificateFileName=mcell.crt ServerPrivateKeyFileName=mcell.key
Note
mcell.crt and mcell.key are the names of the cell key and the certificate. If the cell certificate and key names in your Infrastructure Management server are different then use the relevant names in the preceding settings. For more information about how to create cell key and certificate, see Implementing private certificates in the TrueSight Infrastructure Management.
Save and close the file.
Start the Infrastructure Management Server by running the following command:
pw system start
Where to go from here
Securing communication among Infrastructure Management components
Comments
I have ran into issues with what looks to be step 4 of the TSIM steps. I initially went through and changed the jms broker port to 8096 from 8093 and after runningi the switchTLSmode perl script my TSIM wouldn't start. I am wondering if this step even needs to be done and included in the documentation as changing that port appeared to be what caused my TSIM to break and not be able to start again. If you are going to include this step the notes/explanations need to be more clear in regards to what changing that port really means. Also running that script will stop and start the TSIM and the next steps in the process say to start the TSPS back up and then start the TSIM which the script already tries to do.
It should be noted, that as part of that 'attempt' to restart the TSIM that occurs in step 6 of the TSIM work, the script attempts a maximum 60 times to get things up and running between the TSIM and the TSPS (which is turned off at the time) with a ~ 1 minute wait between attempts.
Needless to say this step can take quite some time to complete on it's own.
Hi,
I discussed this with the SME, and as per SME inputs, the port number should be set to a value that is configured in the server. For example, if the server is configured with port number 8093, then set transportConnector to 8093. If it is configured with some other value, then set the transportConnector property accordingly.
I have modified the text in step 4 and published the document.
Thanks,
Rashmi
I'm also having the issue there. I kept my configured port which is 8093 but TSIM will not start. Still trying to find the correct process as I can't get TSIM to start. Been through the steps 3 times now.
To address this, after checking with SMEs and PE, we have modified this instruction and published it in one space. It will be published in all spaces after it is reviewed and approved.
I also want to point out that there is no mention of the TLS 1.2 Securing documentation for ITDA. There at least needs to be a mention of it and point the user to where that documentation is located.
Hi,
I will add the details and update you.
Thanks,
Rashmi
Hi,
I have added the ITDA TLS topic link in the Related topics section and published the topic.
Thanks,
Rashmi
Hi,
I have two queries.
Query 1: The first line of the page says 'By default, TrueSight Infrastructure Management and its associated components use Transport Layer Security (TLS) versions earlier than TLS 1.2 to communicate with each other.' - Can you please let me know which version of TLS to be specific? TLS 1.0 or TLS 1.1?
Query 2: We are using F5 Load Balancers for Remedy SSO, TSPS and TSIM HA functionality. TLS 1.2 has been already enabled at the Load Balancer Layer from Network Perspective. Our environment is working fine after this without issues. However, do we still have to complete all the above sections to enable TLS 1.2 between all the Truesight components?
Hi Shahezad Mirkar Prashant Joshi ,
Can you please provide your inputs to the above queries?
Thanks,
Rashmi
Hi Karthik,
Thanks,
Rashmi
Our Network Team has enabled TLS 1.2 behind the LoadBalancer and we didn't enable TLS 1.2 on any of the Truesight components. With this scenario, our Truesight setup works fine without any issues. So, is it necessary to still enable TLS 1.2 on all the components or leave this setup with the above mentioned scenario?
Hi Karthik,
Closing this thread here as this is being discussed in the email. I have copied you in the email.
Thanks,
Rashmi
Under TSIM Configuration - Step 4 and 5 are actually bit unclear in version 11.3.03, as some of the information mentioned in not like that in Linux Environment. Due to this, I am unable to bring up TSIM. Need help here with some other Article or link where I can have proper step documented.
Regards, Anuparn Padalia
Hi Anuparn,
Can you provide more details for this?
Do you mean the steps 4 &5 that are mentioning about amq-broker-config.xml file?
Thanks,
Rashmi
Yes, that is correct. If you can re-validate step 4 & 5 on Linux (Could be RHEL), as it seems some areas will be different for Linux rather how it is in WinOS.
Regards, Anuparn Padalia
Following the change to the amq-broker-config.xml file should the TSIM server pronet.conf entry called pronet.jboss.jms.port be changed to 8096 from its default value of 8093?
Also, if the "automatically add firewall rules" option was selected as TSIM install time on Windows it will be necessary to also add the 8096 port to the firewall rulebase.
Hi Shahezad Mirkar ,
Can you please respond to this comment?
Log in or register to comment.