Typically BMC Server Automation uses self-signed certificates to secure communication between clients and Application Servers. However, you might choose to provision Application Servers with a CA-issued certificate or certificate chain. This topic includes the following sections:
Performing this procedure generates a 2048-bit RSA key and a self-signed certificate for an Application Server. The certificate is valid for three years, and it is stored under the "blade" alias.
blmkcert CN= <hostname> <jksFileName> <password>
<hostname>
— Typically set to the host name where you are generating the certificate.<jksFileName>
— The full path to the keystore file that you are generating. This file should be stored in the /deployments directory for the Application Server that is being updated, such as <installDirectory>/br/deployments.<password>
— A password used to encrypt the generated keystore file.For example, if you are generating a self-signed certificate on a Windows server called winappserver1, you might enter a command similar to the following: blmkcert CN=winappserver1 "C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments\bladelogic.keystore" ********
Note
If you are replacing an existing certificate, typically after the existing certificate has expired, this command overwrites the existing bladelogic.keystore file on the Application Server.
Run the following commands if the file name or password are different from those used when the Application Server was installed:
blasadmin -a set appserver certstore bladelogic.keystore blasadmin -a set appserver certpasswd <keystorePassword>
When you install an Application Server, the installation procedure provisions the Application Server with a self-signed certificate. However, some organizations might choose to use a CA-issued certificate or certificate chain rather than the default self-signed certificate.
When you perform this procedure, you set up a keystore that takes the place of the bladelogic.keystore created automatically when you install the Application Server. (A keystore contains certificates and a private key. A trust store only contains certificates.)
If the certificate you are importing includes a URL for an OCSP Responder, the client attempts to verify the revocation status of the Application Server certificate. If you do not want clients to verify a certificate's revocation status, do not provision the Application Server with a certificate that includes an OCSP URL.
After you provision Application Servers with CA-issued certificates, you should import those certificates into client trust stores. For more information about that procedure, see To import CA-issued certificates into clients.
Instructions for importing the certificate differ, depending on whether the certificate authority can generate the key and request or the certificate authority can only sign CSRs and does not have the ability to export a key.
Import the certificate and its corresponding private key into a keystore file on the Application Server.
Ideally, your certificate authority should create a certificates and private keys and output them using the JKS format. If your CA cannot create a JKS file and instead provides a PKCS12 file, you must convert your certificates and private keys into JKS. There are various tools for performing this type of conversion. For example, you can use Java's keytool utility, which is available on any machine where the Authentication Server is installed. If you are importing a certificate with the Authentication Server's version of keytool, you might enter a command like the following:
<path to keytool>/keytool -importkeystore -srckeystore <bladelogic.p12> -destkeystore <bladelogic.keystore> -srcstoretype pkcs12 -deststoretype jks -srcalias <pkcs12Alias> -destalias blade
In this command:
<path to keytool> will be inside the BMC Server Automation installation path. For example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin on Windows or /opt/bmc/bladelogic/NSH/br/java/bin on UNIX),
<bladelogic.p12>
is the file being imported.
<bladelogic.keystore>
is the name of the keystore file you are creating. This file should be stored in the /deployments directory for the Application Server that is being updated, <installDirectory>/br/deployments.
<pkcs12Alias>
is the alias under which the certificate and private key are stored.
Note
No matter what method you use to import the certificate, the alias you use to identify the certificate must be blade
and the format of the keystore must be jks
.
When you enter the command shown above, you are prompted for a destination keystore password. This is the password used to encrypt the keystore. When you use the blasadmin
utility to set up keystores for cooperating Application Servers, you must provide this password. The command shown above also prompts you for the source keystore password, which is the password originally used to create the PCKS12 file.
Generate a new keystore file
<path to keytool>/keytool --genkey -alias blade -keyalg RSA -keystore <keystore> -storepass <password> -dname "CN=<hostname>" -keypass <password> -validity <validity> -keysize <keysize> -storetype jks
In this command:
<path to keytool> will be inside the BMC Server Automation installation path. For example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin on Windows or /opt/bmc/bladelogic/NSH/br/java/bin on UNIX)
Generate a certificate request
<path to keytool>/keytool -certreq -alias blade -keystore <keystore> -file <csr> -storepass <password> -keypass <password>
In this command, <csr> is the file name that will hold the Certificate Signing Request.
Import the .p7b file into the keystore.
<path to keytool>/keytool -keystore <keystore> -importcert -file <signed request> -storepass <password> -keypass <password> -alias blade -storetype jks
In this command <signed request> is the filename that contains the CA-signed certificate request, including the CA chain from the previous step.
If you have provisioned an Application Server to use a certificate or certificate chain obtained from a Certificate Authority (see To secure communication with CA certificates), you should import a related certificate into the client's trust store. The related certificate should be the issuing certificate for the Application Server certificate. If the Application Server is provisioned with a certificate chain, the certificate that you import into the client's trust store should be the issuing certificate for the top of the certificate chain.
If the above procedure is not performed, you will be prompted to accept the Application Server's certificate on first connection, just as you are prompted when you use the self-signed certificate that the Application Server is configured with by default. The benefit to importing the CA chain is that the client can perform the certificate validation and not prompt you with a certificate warning, so that you are sure that you are connecting to a validated Application Server. This is similar to visiting an HTTPS website that is signed by a CA in the browser's certificate store, as opposed to going to a website with a certificate signed by a CA that is not in the browser's certificate store, in which case you must manually inspect the certificate to ensure that you are connecting to the correct entity.
Use the blcred
utility to import the certificate into the client trust store by entering the following command: blcred cert -import <certificateFile>
In this command, certificateFile
provides the path to the certificate you are adding to the trust store. This file must use the PEM or DER format. This file could be the Application Server certificate file, or it could be a CA's certificate that can be used to verify the validity of the Application Server certificate. OCSP verification on the client side only happens if the CA certificate was imported and the Application Server certificate contains an OCSP URL.