• Spaces
  • People
  • Help
    • BMC Support Central BMC Community BMC.com
    ×
    BMC TrueSight Capacity Optimization 10.7

    Page tree

    Skip to end of metadata
    Go to start of metadata

    You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the Apache front-end web server (Apache Httpd) and the following product components:

    • Application Server
      • Web Server 
      • Data Hub
      • Primary Scheduler
      • Service Container
    • ETL Engine Server (Local and Remote)  :  Scheduler
    Related topics

    TLS considerations for TrueSight Capacity Optimization

    Securing communication between product components using TLS

    Software requirements

     

    If these components are communicating in HTTPS mode, then TLS 1.2 is enabled by default. Complete the following steps to enable server certificate validation:

    Important

    • If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.
    • If you have multiple instances of the front-end web server, repeat all steps for each instance.

    I. Procure the security certificate

    Copy the certificate <CertificateName>.crt for the front-end web server from the following location:

    <Server Installation Directory>/3rd_party/apache2/pki/tls/certs/

    For more information about creating an SSL certificate for the front-end web server, see Create an SSL certificate.  

    II. Install the security certificate 

    The Application Server and ETL Engine Server use cotruststore.ts truststore to communicate with other components. The truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.

    Complete the following procedure on the Application Server and ETL Engine Server:

    1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

      export PATH= <Server Installation Directory>/jre/bin:$PATH

    2. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

      keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

      Note

      Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

      The <cotruststorepassword> is the password for cotruststore.ts truststore.

    3. Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

      keytool -importcert -trustcacerts -file <path>/<CertificateName>.cert -keystore cotruststore.ts -alias <CertificateName>

      Parameter reference

      Replace all instances of <CertificateName> by the appropriate certificate name.

    4. After the message Enter keystore password, enter a password for the truststore. 

    5. After the message Trust this certificate [no], enter Yes.

    III. Configure the product components to use TLS

    Complete the following steps on all the computers that have the Application Server components and ETL Engine Server installed:

    1.  Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

      #Example
switchTLSmode.pl -on -tspwd -flow internal

       Click here for switchTLSmode.pl command details

      #Syntax 
switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]

       

      Parameter reference
      -h or --help: Prints the help for the command.

      -on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.

      -dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)

      -tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.

      -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.

      internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

      auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Atrium Single Sign-On Server or LDAP server) and Application Server.

      codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.

      externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.

      all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.

    2. After the message Enter the truststore password and press Enter, enter the truststore password. 

    The communication channels between the internal product components are now TLS 1.2 enabled with server certificate validation. 

    © Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.