
The communication between the internal Capacity Optimization database (Oracle or PostgreSQL) and the TrueSight Capacity Optimization components is non-secure by default. Complete the procedure in this topic before installing TrueSight Capacity Optimization to upgrade the communication channel security to use TLS 1.2 with server certificate validation.

The internal database (Oracle or PostgreSQL) communicates with the following product components:

  • Application Server
  • Local ETL Engine Server

Before you begin

Ensure that you use the supported database version. For more information, see Software requirements.

Before you begin

  • Ensure that you use the Oracle database and client versions that support TLS 1.2. For more information, see Software requirements.
  • Ensure that the Oracle database is configured in TLS 1.2 mode.
  • Ensure that a TLS 1.2 compliant ojdbc7.jar file exists in the <Oracle client home>/jdbc/lib directory. If not, copy the file from the Oracle Website.

I. Procure the Oracle server security certificate and configure the Oracle wallet

  1. Procure a Certificate Authority (CA) signed Oracle server certificate from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, oracle.crt.

  2. Procure and configure the Oracle wallet for the Oracle client.  

  3. Ensure that the Oracle client communicates with the server securely on TCPS port.

II. Import the security certificate

The Application Server and local ETL Engine Server use the cotruststore.ts truststore to communicate with the Oracle database. This truststore is bundled along with the Server installation, and is located in the directory where you extracted the install files. For example, BCO/Disk1.

Complete the following steps on both the Application Server and the local ETL Engine Server to import the security certificate into their truststore files:

  1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the directory where you extracted the install files. For example, BCO/jre/bin. Add this directory path to the PATH environment variable by running the following command:

     

    export PATH=BCO/jre/bin:$PATH
  2. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

    keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

    Note

    Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

    The <cotruststorepassword> is the password for cotruststore.ts truststore.

  3. Navigate to the directory where you extracted the install files (for example, BCO/Disk1) and import the procured certificates by running the following command:

    keytool -importcert -trustcacerts -file <path>/oracle.crt -keystore cotruststore.ts -alias CODB -storepass changeit

    Parameter description

    oracle.crt is the name of the procured Oracle certificate. If the name of this certificate is different, use the relevant file name in the keytool command.

    - Ensure that CODB is used as the alias name.

    changeit is the default password of the truststore cotruststore.ts as it exists in the directory where you extracted the install files. For example, BCO/Disk1.

The Oracle server security certificate is now installed. You must now run the installer to enable TLS.

I. Procure and copy the PostgreSQL server security certificate

  1. Procure the Certificate Authority (CA) signed certificate for the PostgreSQL database from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, postgres.crt.

  2. Save the procured certificate file in the directory where you extracted the install files. For example, BCO/Disk1.

II. Import the security certificate

The Application Server and local ETL Engine Server use the cotruststore.ts truststore to communicate with the PostgreSQL database. This truststore is bundled along with the Server installation, and is located in the directory where you extracted the install files. For example, BCO/Disk1.

Complete the following steps on both the Application Server and the local ETL Engine Server to import the security certificate into their truststore files:

  1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the directory where you extracted the install files. For example, /BCO/jre/bin. Add this directory path to the PATH environment variable by running the following command:

    export PATH=BCO/jre/bin:$PATH
  2. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

    keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

    Note

    Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

    The <cotruststorepassword> is the password for cotruststore.ts truststore.

  3. Navigate to the directory where you extracted the install files (for example, BCO/Disk1) and import the procured certificates by running the following command:

    keytool -importcert -trustcacerts -file <path>/postgres.crt -keystore cotruststore.ts -alias CODB -storepass changeit

    postgres.crt is the name of the PostgreSQL certificate. If the name of the procured certificate is different, use the relevant file name in the keytool command.

    - Ensure that you use CODB as the alias name.

    changeit is the default password of the truststore cotruststore.ts that exists in the directory where you extracted the install files. For example, BCO/Disk1.

The PostgreSQL server security certificate is now installed. You must now run the installer to enable TLS.
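
A post-import check that applies to both the Oracle and the PostgreSQL import procedures above, added here as an example and not part of the vendor documentation: it reads keytool -list -v output and confirms that the CODB alias is a trusted-certificate entry whose SHA-256 fingerprint equals a value you obtained separately from whoever issued the certificate. The listing, host name and fingerprints in the script are constructed sample data, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not vendor code. Fingerprints and names below are constructed.
SAMPLE_FP="AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89"

# Constructed stand-in for `keytool -list -v` output after steps 2 and 3.
sample_listing() {
cat <<EOF
Alias name: examplerootca
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: 11:22:33:44
Alias name: codb
Entry type: trustedCertEntry
Owner: CN=db.example.internal
Certificate fingerprints:
     SHA1: 99:88:77:66
     SHA256: $SAMPLE_FP
EOF
}

# Strip separators and upper-case so differently formatted fingerprints compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'; }

# Print "<entry type> <SHA256>" for alias $1 from a listing on stdin.
# keytool may show the alias in lower case, so the match ignores case.
codb_entry() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^Alias name:/              { cur = tolower($3); next }
        cur != want                 { next }
        /^Entry type:/              { etype = $3 }
        $1 == "SHA256:" && fp == "" { fp = $2 }
        END { if (etype != "") print etype, fp }'
}

# Exit 0 only if CODB is a trusted-certificate entry whose SHA-256 fingerprint
# equals $1, the value obtained out of band from whoever issued the certificate.
verify_codb() {
    expected=$(norm_fp "$1")
    entry=$(codb_entry CODB)
    [ -n "$entry" ] || { echo "FAIL: alias CODB not found"; return 1; }
    etype=${entry%% *}
    actual=$(norm_fp "${entry#* }")
    [ "$etype" = "trustedCertEntry" ] || { echo "FAIL: CODB is $etype"; return 2; }
    [ "$actual" = "$expected" ] || { echo "FAIL: fingerprint mismatch"; return 3; }
    echo "OK: CODB is trusted and its SHA-256 fingerprint matches"
}

# Real use, run in the directory that holds cotruststore.ts:
#   keytool -list -v -keystore cotruststore.ts -storepass <password> | verify_codb "<fingerprint>"
sample_listing | verify_codb "$SAMPLE_FP"
```

Run the check on both the Application Server and the local ETL Engine Server, because each one has its own copy of the truststore.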

Where to go from here

Installing Application Server components