• Spaces
  • People
  • Help
    • BMC Support Central BMC Community BMC.com
    ×
    BMC TrueSight Capacity Optimization 10.7

    Page tree

    Skip to end of metadata
    Go to start of metadata

    The internal PostgreSQL database communicates with the following components of TrueSight Capacity Optimization:

    • Application Server
    • Local ETL Engine Server

    Before you begin

    Ensure that you use the supported database version. For more information, see Software requirements.

    Related topics

    TLS considerations for TrueSight Capacity Optimization

    Securing communication between product components using TLS

    To enable TLS 1.2 with server certificate validation, complete the following steps:

    Important

    If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.

    I. Procure and copy the PostgreSQL server security certificate

    1. Procure the Certificate Authority (CA) signed certificate for the PostgreSQL database from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, postgres.crt.

    2. Save the procured certificate file in the following locations:

      ComponentLocation
      Application Server<Application Server Installation Directory>/secure
      Local ETL Engine Server<Local ETL Engine Server Installation Directory>/secure

    II. Install the security certificate 

    The Application Server and local ETL Engine Server use the cotruststore.ts truststore to communicate with the PostgreSQL database. This truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.

    Complete the following steps on both the Application Server and the local ETL Engine Server to import the security certificate into their truststore files:

    1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

       

      export PATH= <Server Installation Directory>/jre/bin:$PATH

    2. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

      keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

      Note

      Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

      The <cotruststorepassword> is the password for cotruststore.ts truststore.

    3. Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

      keytool -importcert -trustcacerts -file <path>/postgres.crt -keystore cotruststore.ts -alias CODB

      Parameter reference

      - postgres.crt is the name of the PostgreSQL certificate. If the name of the procured certificate is different, use the relevant file name in the keytool command.

      - Ensure that you use CODB as the alias name.

       

       

    4. After the message Enter keystore password , enter a password for the truststore. 

    5. After the message Trust this certificate [no], enter Yes.

      The certificate is imported in the truststore.

    III. Configure the components to enable TLS

    Complete the following configuration steps on both the Application Server and the local ETL Engine Server:

    1. Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.
    #Example
switchTLSmode.pl -on –dbport 2484 -tspwd -flow codb

     Click here for switchTLSmode.pl command details

    #Syntax 
switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]

     

    Parameter reference
    -h or --help: Prints the help for the command.

    -on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.

    -dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)

    -tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.

    -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.

    internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

    auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Atrium Single Sign-On Server or LDAP server) and Application Server.

    codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.

    externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.

    all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.

    2. After the message: Enter the truststore password and press Enter, enter the truststore password. 


    The communication between the internal PostgreSQL database and the Application Server, and between the internal PostgreSQL database and local ETL Engine Server are now TLS 1.2 enabled with server certificate validation.

    © Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.