Installing a CA-signed certificate into the embedded web server

When you install TrueSight Capacity Optimization, an Apache web server is automatically installed, and a private key with a self-signed certificate is generated during installation. The Apache Web Server is a part of all Application Server installations.

To prevent certificate-related warnings when you access TrueSight Capacity Optimization from a browser, install into the web server a certificate that is signed by a Certification Authority (CA) and trusted by the browser. The certificate can be signed by an enterprise CA or a third-party CA.

After you install the CA-signed certificate, trusted TLS communication is established between the browser and the web server.

Before you begin

Ensure that you have the CA-signed certificates and the private key. These files must be saved to the server directory where all the certificate and key files are available.

If you receive the domain-specific certificate (for example, myserver.crt) and the intermediate certificate chain (for example, intermediate.crt) from a CA, append intermediate.crt to myserver.crt so that the server certificate comes first in the file. For example, on a Linux system, use the following command to concatenate the certificates:

cat intermediate.crt >> myserver.crt

For more information about concatenating certificates, see the SSLCertificateFile directive on the Apache website.

$BCO_HOME represents the TrueSight Capacity Optimization Installation Directory.

If you are updating to a new certificate that is signed by a different intermediate and root certificate within the TrueSight Capacity Optimization web console, complete these steps:

  1. Import the updated intermediate and root certificate into cotruststore.ts.
  2. Copy the truststore to any of the machines that are configured to enable TLS server certificate validation.

For more information, see Securing communication between product components.

To install the signed certificate

  1. Log in to the host where the Application Server is installed.
  2. In the $BCO_HOME/secure directory, create the 'httpd/keys' and 'conf' subdirectories:

    cd $BCO_HOME/secure
    mkdir -p httpd/keys
    mkdir -p httpd/conf
  3. Copy the new certificate and key files to this directory: $BCO_HOME/secure/httpd/keys
  4. To configure the TrueSight Capacity Optimization embedded Apache web server to read the certificates in the $BCO_HOME/secure/httpd/keys directory:
    1. Create the following directory: $BCO_HOME/secure/httpd/conf
    2. Create a file named custom_ssl.conf in the directory: $BCO_HOME/secure/httpd/conf
    3. In the custom_ssl.conf file, specify the location of the site-signed certificate file and key.

      For example:

      SSLCertificateFile ../../secure/httpd/keys/certificate.cer
      SSLCertificateKeyFile ../../secure/httpd/keys/certkey.key

      where certificate.cer is the name of the certificate file and certkey.key is the name of the key file.

      The file location path is relative to the Apache web server working directory so '../../secure/httpd/keys' is the $BCO_HOME/secure/httpd/keys directory.

    When you upgrade TrueSight Capacity Optimization, these customized settings are retained.

    The extension of the certificate file can be .cer or .crt. Make sure that the file name specified in SSLCertificateFile uses the correct extension.

  5. Run the following command to restart the Apache web server:

    ./cpit restart httpd

    This change allows the Apache httpd server to read the custom_ssl.conf file, which contains the SSLCertificateFile and SSLCertificateKeyFile properties that point to your site-signed SSL certificate and key.

The new URL to connect to TrueSight Capacity Optimization will be https://<host_name>.<domain.com>:<port>/console.
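
The checks below can be run against the certificate and key files before step 5 restarts the web server. This is an added example, not part of the product documentation or BMC code: the function names check_server_cert, nth_cert and dn are made up here, and it assumes that the openssl command-line tool is installed and that the key file is not passphrase-protected.

```shell
#!/bin/sh
# Added example (not BMC code): sanity-check the files named in custom_ssl.conf
# before running "./cpit restart httpd". Assumes the openssl CLI is installed.

# Print the Nth PEM certificate block of a bundle file.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"; }

# Strip the "subject=" / "issuer=" label that openssl prints before a name.
dn() { sed -e 's/^[a-z]*= *//'; }

# check_server_cert CERT_FILE KEY_FILE
# Prints OK and returns 0 if every check passes; prints the first failure and returns 1.
check_server_cert() {
    local cert="$1" key="$2" count cert_pub key_pub i issuer subject
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null) || count=0
    [ "$count" -ge 1 ] || { echo "FAIL: no PEM certificate in $cert"; return 1; }

    # 1. The private key must belong to the first certificate in the file.
    #    (Assumes an unencrypted key; openssl prompts for a passphrase otherwise.)
    cert_pub=$(nth_cert "$cert" 1 | openssl x509 -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the first certificate in $cert"; return 1
    fi

    # 2. The server certificate must not have expired.
    nth_cert "$cert" 1 | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: the server certificate has expired"; return 1; }

    # 3. After "cat intermediate.crt >> myserver.crt", the issuer name of each
    #    certificate must equal the subject name of the next one. This compares
    #    names only; it does not verify signatures.
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(nth_cert "$cert" "$i" | openssl x509 -noout -issuer | dn)
        subject=$(nth_cert "$cert" "$((i + 1))" | openssl x509 -noout -subject | dn)
        [ "$issuer" = "$subject" ] ||
            { echo "FAIL: certificate $((i + 1)) is not the issuer of certificate $i"; return 1; }
        i=$((i + 1))
    done
    echo "OK: key matches, certificate is current, $count certificate(s) in order"
}

# Usage: sh check_cert.sh certificate.cer certkey.key
if [ "$#" -eq 2 ]; then
    check_server_cert "$1" "$2"
fi
```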

To validate a trusted connection

To verify that a trusted connection is established with the web server, complete the following steps:

  1. Close all browser windows.
  2. Open a new browser window, and type the URL to access the TrueSight Capacity Optimization console.
    If the certificate is correctly applied, the secure symbol is displayed beside the https:// URL as shown in the following image:



    If the browser still shows a warning about an insecure connection, verify that the trusted root certificate from the CA is available in the certificate store or the keystore of your browser.
