Configuring the PATROL Agent to Integration Service communication to enable TLS 1.2

Perform the following steps to make the remote Integration Service to PATROL Agent communication TLS 1.2 compliant:

To configure the Integration Service to enable TLS 1.2

The following steps guide you through configuring either the local or the remote Integration Service.

To configure the remote Integration Service and the PATROL Agent communication to enable TLS 1.2


  1. Stop the Integration Service (Unix) by running the following command: 

    pw is stop
  2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

  3. Double-click the Services icon to launch the Services dialog box.
  4. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, then click Stop.
  5. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes from Started to (blank).

  6. Navigate to the <Remote Integration Service Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:

    # Microsoft Windows operating system
    $cd <Remote Integration Service Install Directory>\agent\patrol\common\security\config_v3.0
    
    # Unix operating system
    $cd <Remote Integration Service Install Directory>/agent/patrol/common/security/config_v3.0
  7. Run the following command:

    # Syntax
    set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
    # Example
    $set_unset_tls_IS.cmd <Remote Integration Service Install Directory> SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

To configure the local Integration Service and the PATROL Agent communication to enable TLS 1.2

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Navigate to the <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0 directory by running the following command:

    # Microsoft Windows operating system
    $cd <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0
    
    # Unix operating system
    $cd <Infrastructure Management Server Install Directory>/pw/patrol/common/security/config_v3.0
  3. Run the following command:

    # Syntax
    set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
    # Example
    $set_unset_tls_IS.cmd <Infrastructure Management Server Install Directory>\pw SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

Parameter description

The following notes describe the key parameters used in the preceding command:

  • Use the set_unset_tls_IS.cmd script on the Microsoft Windows operating system, and the set_unset_tls_IS.sh script on the Unix operating system.
  • set_unset_tls_IS.sh -h displays the help for the set_unset_tls_IS command.

  • The set_unset_tls_IS script takes the following command line arguments:
    • $BMC_ROOT: The directory where the Integration Service is installed.
    • SET_TLS / UNSET_TLS: The second command line argument is either SET_TLS or UNSET_TLS. If you select SET_TLS, the Integration Service is configured in TLS mode. If you select UNSET_TLS, the Integration Service is configured in Non-TLS mode.
    • security_level: The security level at which the Integration Service runs. The Integration Service runs at security_level 2 or higher. Ensure that you set the Integration Service's security_level to the same value as your PATROL Agent's security_level.
    • serverDbPath: The directory where the server certificates are present. This argument is mandatory for all security_levels of the Integration Service.
    • identity: The certificate identity. If you do not specify a value for this argument, the default value bmcpatrol is used.

To configure the PATROL Agent to enable TLS 1.2

Perform the following steps to make the PATROL Agent to Integration Service communication TLS 1.2 compliant:

  1. Navigate to the config_v3.0 folder by running the following command:

    # Microsoft Windows operating system
    $cd <PATROL Agent installation directory>\common\security\config_v3.0
    
    # Unix operating system
    $cd <PATROL Agent installation directory>/common/security/config_v3.0
  2. Run the script to enable TLS mode as shown in the following code block:

    # Syntax
    set_unset_tls.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity>
    # Example
    $set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol

    Notes

    • Use the set_unset_tls.cmd script on the Microsoft Windows operating system, and the set_unset_tls.sh script on the Unix operating system.
    • When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for the Mozilla NSS v3.20 libraries in the default system library directory /usr/lib.

    • set_unset_tls.sh -h displays the help for the set_unset_tls command.
    • The set_unset_tls script takes the following six command line arguments:
      • BMC_ROOT: The directory where the PATROL Agent is installed.
      • SET_TLS / UNSET_TLS: The second command line argument is either SET_TLS or UNSET_TLS. If you select SET_TLS, the PATROL Agent is configured in TLS mode. If you select UNSET_TLS, the PATROL Agent is configured in Non-TLS mode.
      • security_level: The PATROL Agent communicates with the Integration Service at security_level 2 or higher. If your PATROL Agent is running at security_level 0 or 1, set the security_level to 2 in the preceding command. Ensure that you set the PATROL Agent's security_level to the same value as your Integration Service's security_level.
      • serverDbPath: The directory where the server certificates are present. This argument is mandatory if the security_level is set to 3.
      • clientDbPath: The directory where the client certificates are present. This argument is mandatory if the security_level is set to 3.
      • identity: The certificate identity. If you do not specify a value for this argument, the default value bmcpatrol is used.

To start the servers

Perform the following set of steps after the configuration changes are completed.

To edit the Integration Service's properties

  1. Log on to the TrueSight console, and access Configuration > Managed Devices. The Managed Devices page displays the BMC TrueSight Infrastructure Management components in a hierarchical order, as shown in the following diagram.
  2. Click the action menu of the Integration Service to which the TLS configuration needs to be applied. When the Integration Service is in the disconnected state, the action menu displays the options Edit, Delete, View, and Connect.
  3. Select the Edit option.
  4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
  5. Click Save.

To start the local Integration Service

  1. Start the Infrastructure Management Server by running the following command:

    pw system start

    The Integration Service is restarted along with the Infrastructure Management Server.

To start the remote Integration Service

  1. Start the remote Integration Service (Unix) by running the following command:

    pw is start
  2. To start the remote Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

  3. Double-click the Services icon to launch the Services dialog box.
  4. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, then click Restart.
  5. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes from (blank) to Started.

To start the PATROL Agent

  1. Start the PATROL Agent by running the following command:

    patrolagent -p 9090

Where to go from here

For more information about how to configure other communication channels to enable TLS 1.2, see Configuring TrueSight Infrastructure Management to enable TLS 1.2.


Comments

  1. Patrick Mischler

    Can you be more precise with this point: identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol must this be corresponding to a certificate name in the db?

    Mar 09, 2021 05:16
  2. Rashmi Gokhale

    Hi,

    I have created a JIRA issue - https://jira.bmc.com/browse/DRTSA-565 to track this. Closing this thread here. 

    Thanks,

    Rashmi

    Mar 29, 2021 03:55
    1. Prashant Joshi

      Updated Defect DRTSA-565 with details Customers can use Wireshark or any Network sniffing tool to verify the SERVER HELLO and Client Hello to confirm TLS Communication.

      Jan 16, 2023 06:03
  3. Igor Mihevc

    This part of documentation is really confusing and commands do not work. Can you be more specific and use correct example? Is it possible to run new Patrol Agent without set up TLS, because this is a mess.

    Sep 09, 2022 02:35