• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    Server Automation Documentation

    Page tree

    Typically BMC Server Automation uses self-signed certificates to secure communication between clients and Application Servers. However, you might choose to provision Application Servers with a CA-issued certificate or certificate chain. This topic includes the following sections:

    To generate a self-signed certificate for an Application Server

    Performing this procedure generates a 2048-bit RSA key and a self-signed certificate for an Application Server. The certificate is valid for three years, and it is stored under the "blade" alias.

    1.  From <installDirectory>/bin, enter the following command: 
      blmkcert CN= <hostname> <jksFileName> <password>
      The command shown above has the following parameters:
      • <hostname> — Typically set to the host name where you are generating the certificate.
      • <jksFileName> — The full path to the keystore file that you are generating. This file should be stored in the /deployments directory for the Application Server that is being updated, such as <installDirectory>/br/deployments.
      • <password> — A password used to encrypt the generated keystore file.

      For example, if you are generating a self-signed certificate on a Windows server called winappserver1, you might enter a command similar to the following: 
      blmkcert CN=winappserver1 "C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments\bladelogic.keystore" ********

      Note

      If you are replacing an existing certificate, typically after the existing certificate has expired, this command overwrites the existing bladelogic.keystore file on the Application Server.

    2. If you are replacing an existing certificate, typically after the existing certificate has expired, perform the following additional steps:
      1. Stop the Application Server.

      2. Run the following commands if the file name or password are different from those used when the Application Server was installed:

        blasadmin -a set appserver certstore bladelogic.keystore
blasadmin -a set appserver certpasswd <keystorePassword>
      3. Remove the existing certificate at each of the RCP clients that are associated with the Application Server.
      4. Start the Application Server.
      5. The first time that you connect to each of these RCP clients, you are informed that a new certificate has arrived from the Application Server. Accept the new certificate.
    3. If you are using a multi-Application Server environment, copy the JKS file you generated in step 1 from this Application Server to all cooperating Application Servers. If a new password is needed, update the password for each cooperating Application Server. For information about this process, see Synchronizing keystore files of multiple Application Servers.

    Back to top

    To secure communication with CA certificates

    When you install an Application Server, the installation procedure provisions the Application Server with a self-signed certificate. However, some organizations might choose to use a CA-issued certificate or certificate chain rather than the default self-signed certificate.

    When you perform this procedure, you set up a keystore that takes the place of the bladelogic.keystore created automatically when you install the Application Server. (A keystore contains certificates and a private key. A trust store only contains certificates.)

    If the certificate you are importing includes a URL for an OCSP Responder, the client attempts to verify the revocation status of the Application Server certificate. If you do not want clients to verify a certificate's revocation status, do not provision the Application Server with a certificate that includes an OCSP URL.

    After you provision Application Servers with CA-issued certificates, you should import those certificates into client trust stores. For more information about that procedure, see To import CA-issued certificates into clients.

    Instructions for importing the certificate differ, depending on whether the certificate authority can generate the key and request or the certificate authority can only sign CSRs and does not have the ability to export a key.

    To import a certificate when the certificate authority can generate the key and request

    1. Obtain a certificate chain from a certificate authority.

    2.  Import the certificate and its corresponding private key into a keystore file on the Application Server. 
      Ideally, your certificate authority should create a certificates and private keys and output them using the JKS format. If your CA cannot create a JKS file and instead provides a PKCS12 file, you must convert your certificates and private keys into JKS. There are various tools for performing this type of conversion. For example, you can use Java's keytool utility, which is available on any machine where the Authentication Server is installed. If you are importing a certificate with the Authentication Server's version of keytool, you might enter a command like the following:

      <path to keytool>/keytool -importkeystore -srckeystore <bladelogic.p12>
    -destkeystore <bladelogic.keystore> -srcstoretype pkcs12 -deststoretype jks
    -srcalias <pkcs12Alias> -destalias blade

      In this command:

      • <path to keytool> will be inside the BMC Server Automation installation path. For example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin on Windows or /opt/bmc/bladelogic/NSH/br/java/bin on UNIX), 

      • <bladelogic.p12> is the file being imported.

      • <bladelogic.keystore> is the name of the keystore file you are creating. This file should be stored in the /deployments directory for the Application Server that is being updated, <installDirectory>/br/deployments

      • <pkcs12Alias> is the alias under which the certificate and private key are stored.

      Note

      No matter what method you use to import the certificate, the alias you use to identify the certificate must be blade and the format of the keystore must be jks.

      When you enter the command shown above, you are prompted for a destination keystore password. This is the password used to encrypt the keystore. When you use the blasadmin utility to set up keystores for cooperating Application Servers, you must provide this password. The command shown above also prompts you for the source keystore password, which is the password originally used to create the PCKS12 file.

    To import a certificate when the certificate authority only signs CSRs (but does not export a key)

    1. Generate a new keystore file

      <path to keytool>/keytool --genkey -alias blade -keyalg RSA -keystore <keystore> 
    -storepass <password> -dname "CN=<hostname>" -keypass <password> 
    -validity <validity> -keysize <keysize> -storetype jks

      In this command:

      • <path to keytool> will be inside the BMC Server Automation installation path. For example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin on Windows or /opt/bmc/bladelogic/NSH/br/java/bin on UNIX)

      • <keystore> is the file name of the keystore to be created.
      • <password> is the password for the keystore and key (they should be the same)
      • <hostname> is the hostname that you want to appear in the certificate.
      • <validity> is the length in days that the certificate is valid for.
      • <keysize> is the size/strength of the key. 
      • The alias must be 'blade'.

    2. Generate a certificate request

      <path to keytool>/keytool -certreq -alias blade -keystore <keystore> 
    -file <csr> -storepass <password> -keypass <password>

      In this command, <csr> is the file name that will hold the Certificate Signing Request.

    3. Get the CSR signed by the CA and download the Key with the CA chain (a .p7b file).

    4. Import the .p7b file into the keystore.

      <path to keytool>/keytool -keystore <keystore> -importcert -file <signed request> 
    -storepass <password> -keypass <password> -alias blade -storetype jks

      In this command <signed request> is the filename that contains the CA-signed certificate request, including the CA chain from the previous step.

    Using the new keystore

    1. The new keystore must be updated in all deployment directories on your Application Servers (NSH/br/deployments). The keystore file is located in NSH/br/deployments/bladelogic.keystore. Any bladelogic.keystore files in individual deployments directories (for example, NSH/br/deployments/_template) are no longer used.
    2. If you are using a multi-Application Server environment, copy the JKS file that you generated in step 2 from this Application Server to all cooperating Application Servers. 
    3. If a new password is needed, update the password for each cooperating Application Server. For information about this process, see Synchronizing keystore files of multiple Application Servers.

    Back to top

    To import CA-issued certificates into clients

    If you have provisioned an Application Server to use a certificate or certificate chain obtained from a Certificate Authority (see To secure communication with CA certificates), you should import a related certificate into the client's trust store. The related certificate should be the issuing certificate for the Application Server certificate. If the Application Server is provisioned with a certificate chain, the certificate that you import into the client's trust store should be the issuing certificate for the top of the certificate chain.

    If the above procedure is not performed, you will be prompted to accept the Application Server's certificate on first connection, just as you are prompted when you use the self-signed certificate that the Application Server is configured with by default. The benefit to importing the CA chain is that the client can perform the certificate validation and not prompt you with a certificate warning, so that you are sure that you are connecting to a validated Application Server. This is similar to visiting an HTTPS website that is signed by a CA in the browser's certificate store, as opposed to going to a website with a certificate signed by a CA that is not in the browser's certificate store, in which case you must manually inspect the certificate to ensure that you are connecting to the correct entity.

    Use the blcred utility to import the certificate into the client trust store by entering the following command: 
    blcred cert -import <certificateFile> 
    In this command, certificateFile provides the path to the certificate you are adding to the trust store. This file must use the PEM or DER format. This file could be the Application Server certificate file, or it could be a CA's certificate that can be used to verify the validity of the Application Server certificate. OCSP verification on the client side only happens if the CA certificate was imported and the Application Server certificate contains an OCSP URL.

    • (Windows) The command imports the certificate to C:\Documents and Settings\user\Application Data\BladeLogic\client_keystore.pkcs12.PEM.
    • (UNIX) The command imports the certificate to userHomeDirectory/.bladelogic/client_keystore.pkcs12.PEM.
    © Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.