Enabling SSL HTTPS on core Windows CLM applications that currently use HTTP
Most core CLM applications already use SSL HTTPS mode (Hyper Text Transfer Protocol Secure) by default, for example, Platform Manager. This topic describes how to enable SSL HTTPS for the remaining Windows BMC Cloud Lifecycle Management applications that are currently in HTTP mode, for example, Mid Tier or Atrium Orchestrator. It provides detailed configuration steps for securing communication between the components.
Core Cloud Lifecycle Management applications that support default SSL HTTPS during installation
The following table lists the core CLM applications that support default HTTPS during installation:
Product | Self-signed certificate? | Notes on integration path |
---|---|---|
Platform Manager | Yes | Import the Platform Manager cacerts file into the JRE of the products listed under To import self-signed certificates for new 4.5 installations. |
Cloud Portal Web Application | Yes | Import the Self-Checker certificate to display the Dashboard Data. |
CLM Self-Check Monitor | Yes | |
BMC Server Automation (BBSA) | Yes | |
BMC Network Automation (BBNA) | Yes | |
Atrium Core Web Services | | Default HTTPS port is 7776. If you use port 7776, update the information in the BMC Network Automation console. |
Mid Tier | No | |
BMC Atrium Orchestrator | No | |
Before you begin
- Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes!
- When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host.
- If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL.
To create a Root CA certificate using OpenSSL
- Download and install 64-bit OpenSSL 1.0 on its own host.
For example, download OpenSSL from the Shining Light Productions website. There are multiple OpenSSL versions available. Make sure that you install an OpenSSL version that includes the openSSL.cfg file.
- Create Keys, Certificates, and CSR folders.
These folders hold the keys, certificate files, CSRs, and so on.
- Open a command prompt and navigate to the OpenSSL folder.
- Generate the key pair for the root CA and store it in the C:\Keys\RootCA.key file:
C:\OpenSSL-Win64\bin>openssl genrsa -out C:\Keys\RootCA.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
...............++++++
....................................................++++++
e is 65537 (0x10001)
- Generate a self-signed certificate for the CA.
This CA certificate is used across all cloud products as a common certificate. Store the certificate in the RootCA.crt file. Enter the following command:
C:\OpenSSL-Win64\bin>openssl req -config C:\OpenSSL-Win64\bin\openSSL.cfg -new -x509 -days 365 -key C:\Keys\RootCA.key -out C:\Certificates\RootCA.crt
- Create a Distinguished Name (DN).
Make sure that you enter all required information. Many fields contain defaults, and some settings you can leave blank. If you enter a period, the field is left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC Software
Organizational Unit Name (eg, section) []:IDD
Common Name (e.g. server FQDN or YOUR name) []:clm-aus-011538.bmc.com
Email Address []:jstamps@bmc.com
- Press Enter to create the certificate.
To import self-signed certificates for new 4.5 installations
When you are performing new installations, you must import SSL certificates for Small or Medium deployments.
Note
The following CLM products already have HTTPS/SSL enabled by default:
- Platform Manager
- Self-Check Monitor
- Cloud Portal Web Application
- BMC Network Automation
- BMC Server Automation
- BMC Capacity Optimization (if you assigned HTTPS/8443 over SSL during installation)
If you installed Platform Manager with the installer planner on HTTPS/SSL with Small or Medium deployments, you still must import the cacerts file from the Platform Manager into the JRE on the following products:
- Mid Tier
- Cloud Portal Web Application
- CLM Self-Check Monitor
- Cloud Portal and Database AR System server
- Atrium Orchestrator
Note
Before you import the cacerts file, BAO Access Manager must already be configured to use HTTPS/8443 over SSL and BAO CDP must be configured to use HTTPS/9443 over SSL. For more information, see To configure BMC Atrium Orchestrator with SSL HTTPS.
- Copy the cacerts file from the Platform Manager to the product host.
For example, copy the cacerts file from the installed JVM on Platform Manager to the C:\TEMP folder.
Note
The cacerts file installed with the Platform Manager is located by default at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.7.0_55\lib\security\cacerts for version 4.5.
- Open a command window on the product host.
- Change directories to the JRE version 8 bin directory (for example, C:\Program Files\BMC Software\CloudPortalWebApplication\jre\bin).
- Import the keystore (cacerts) certificates into the application cacerts.
Make sure that you understand which JRE your application used during installation. This example imports the keystore certificates into the cacerts of an external JRE:
keytool -importkeystore -srckeystore "C:\TEMP\cacerts" -destkeystore "C:\Program Files\Java\jre7\lib\security\cacerts" -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt
This example instead imports the keystore certificates into the cacerts of the bundled JRE used by the Cloud Portal Web Application (clmui):
keytool -importkeystore -srckeystore "C:\TEMP\cacerts" -destkeystore "C:\Program Files\BMC Software\CloudPortalWebApplication\jre\lib\security\cacerts" -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt
- To monitor Dashboard Data, import the CLM Self-Check Monitor certificate (selfcheckSslCertificate.cert) into the JRE that the Cloud Portal Web Application (whether installed on the Platform Manager or on a separate host) used during installation.
The default location of selfcheckSslCertificate.cert is C:\Program Files\BMC Software\SelfChecker\selfchecker\Certificates.
- Restart the application service.
For example, restart the BMC CSM Portal service.
- Flush the browser cache.
- Clear the Mid Tier Plugins Cache.
- Log on to the application, add and confirm the site exception, and so on.
To enable SSL HTTPS with the Mid Tier
- On the Mid Tier host, create Keys, Certificates, and CSR folders.
- Stop the Mid Tier Tomcat server.
- Open a command prompt and navigate to the JRE folder.
- Create a keypair using the keytool utility.
If the Mid Tier is behind a load balancer, use the load balancer name as the CN. In this example, the CN is vw-aus-clnidd03.
C:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 2048 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks
At the prompts, enter the required information to create the keypair, and then press Enter.
What is your first and last name?
  [Unknown]:  vw-aus-clnidd03
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  SAN JOSE
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=vw-aus-clnidd03, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  [no]:  yes
- Create the Certificate Signing Request (CSR) on the Mid Tier primary so that the CA (that is, CLM) can issue the certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -certreq -keyalg RSA -alias tomcat -file C:\CSR\mt.csr -keystore C:\Keys\keystore.jks
Enter keystore password:
At the prompt, enter changeit as the password.
- Copy the mt.csr file to the CSR folder on the computer where OpenSSL is installed, and then run the following command on the OpenSSL computer to generate the certificate:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\mt.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\mt_server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=vw-aus-clnidd03
Getting CA Private Key
- After the certificate (mt_server.crt) is generated in the Certificates folder, copy mt_server.crt and RootCA.crt to the Certificates folder on the Mid Tier primary and secondary computers.
- On the Mid Tier primary and secondary computers, import the Root CA certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, O=BMC, L=SJ, ST=CA, C=US
Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, O=BMC, L=SJ, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.
- Import the mt_server.crt certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -import -alias tomcat -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\mt_server.crt
Enter keystore password:
Certificate reply was installed in keystore
At the prompt, enter changeit as the password. Your certificate reply is installed in the keystore.
- Open the server.xml file (in Windows, the default location is C:\Program Files\Apache Software Foundation\Tomcat6.0\conf\server.xml) in a text editor and uncomment the SSL-related sections.
Search for the following text and uncomment the Connector port section:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
Modify the Connector port information as follows:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Keys\keystore.jks"
           keystorePass="<passwordMustEqualYourKeystorePassword>" />
Here you change the connector port to 9443 and add the keystore file location and keystore password.
Note
If you do not add the correct keystore password, the Tomcat server does not start properly.
- Save the server.xml file.
- Start the Tomcat server.
- Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URLs:
https://midTier:9443/arsys (where 9443 is the SSL port)
https://loadBalancer:9443/arsys
- Add and confirm any security restrictions in your browser.
- When you access the Mid Tier for the first time, review the certificate details.
- Review the General tab and verify who the certificate is issued to and who it was issued by.
- Click the Details tab and review the certificate path or hierarchy.
- Continue logging on to the Cloud Portal and Database AR System server.
To integrate the Mid Tier with Platform Manager
- Open the CMF:PluginConfiguration form in Search mode in the Cloud Portal and Database AR System server.
- Search for the CallBackURI record.
- Edit the CallBackURI from http to https.
- Edit the port to 9443.
- Save the record.
- Copy the RootCA.crt certificate from the Mid Tier server to the Platform Manager server (for example, to a Certificates folder).
- Open a command window and change directories to C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.7.0_55\bin (by default).
- Back up the ..\JVM_1.7.0_55\lib\security\cacerts file and then delete the original.
- Import the certificate:
keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.7.0_55\lib\security\cacerts" -trustcacerts -file "C:\Certificates\RootCA.crt"
Enter keystore password:
Re-enter new password:
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
- At the prompt, enter changeit as the password.
- When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.
- Restart the services in the following order: first BMC CSM on Platform Manager, and then the Cloud Portal and Database AR System server.
To configure Atrium Web Services SSL HTTPS
The following instructions apply only to Small or Medium deployments.
- On the primary Atrium Core Web Services Registry host, create Keys, Certificates, and CSR folders.
- Stop the Atrium Tomcat server.
- Open a command prompt and navigate to the JRE folder.
- Create a keypair using the keytool utility.
If the Atrium Web Services are behind a load balancer, you can use the load balancer name as the CN. In this example, the CN is vw-aus-clnidd01.
C:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 2048 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks
At the prompts, enter the required information to create the keypair, and then press Enter.
What is your first and last name?
  [Unknown]:  vw-aus-clnidd01
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC
What is the name of your City or Locality?
  [Unknown]:  SAN JOSE
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=vw-aus-clnidd01, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  [no]:  yes
- Create the Certificate Signing Request (CSR) on the Atrium Web Services primary so that the CA (that is, CLM) can issue the certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -certreq -keyalg RSA -alias tomcat -file C:\CSR\aws.csr -keystore C:\Keys\keystore.jks
Enter keystore password:
At the prompt, enter changeit as the password.
- Copy the aws.csr file to the CSR folder on the computer where OpenSSL is installed, and then run the following command on the OpenSSL computer to generate the certificate (aws_server.crt):
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in C:\CSR\aws.csr -CA C:\Certificates\RootCA.crt -CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\aws_server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=vw-aus-clnidd01
Getting CA Private Key
- After the certificate (aws_server.crt) is generated in the Certificates folder, copy aws_server.crt and RootCA.crt to the Certificates folder on the AWS primary and secondary hosts.
- On the AWS primary and secondary hosts, import the Root CA certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=vw-aus-clmidd05.bmc.com, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.
- Import the aws_server.crt certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -import -alias tomcat -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\aws_server.crt
Enter keystore password:
Certificate reply was installed in keystore
Your certificate reply is installed in the keystore.
- Open the server.xml file (in Windows, the default location is C:\Program Files\BMC Software\Atrium Web Registry\shared\tomcat\conf\server.xml) in a text editor and uncomment the SSL-related sections.
Search for the following text and uncomment the Connector port section:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
Modify the Connector port information as follows:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Keys\keystore.jks" />
Here you change the connector port to 9443 and add the keystore file location.
- Save the server.xml file.
- Start the AWS Tomcat server.
- Verify your changes to the AWS or AWS Load Balancer by accessing the following URLs:
https://<AWS>:9443 (where 9443 is the SSL port)
https://<LoadBalancer>:9443
- Add and confirm any security restrictions in your browser.
- When you access AWS UDDI for the first time, review the certificate details.
- Review who the certificate is issued to (for example, vw-aus-clnidd01) and who the certificate was issued by (for example, bmc.com).
- Review the certificate path or hierarchy.
To integrate Atrium Web Services running on HTTPS with BMC Network Automation
The following instructions apply only to Small or Medium deployments.
- Log on to the Mid Tier to access the Cloud Portal and Database AR System server.
You can use https://<MidTier>:9443/arsys to access the Cloud Portal and Database AR System server.
Note
If you are running a dual AR System server environment, modify the default web path for both the Enterprise-AR and Cloud-AR servers.
- Open the Server Information form for the Cloud Portal and Database AR System server.
- Click the Advanced tab, and modify the URL in the Default Web Path field with the updated https scheme and port (for example, 9443).
For example, you might enter https://vw-san-clmidd:9443/arsys/.
- Restart the Cloud Portal and Database AR System server.
- Log on to BMC Network Automation.
For example, go to https://bnaServer:11443/bca-networks.
- Click the Admin tab, and navigate to System Admin > System Parameters.
- In the Enable CMDB Integration section, modify the Web Service Endpoint URL field with the updated https URL and port 9443 (for example, https://bnaServer:9443/cmdbws/server/cmdbws.wsdl).
- Click Save.
The BMC Network Automation console verifies your changes.
- When you finish, verify that the physical location is accessed by BMC Network Automation during POD creation through the Atrium Web Services.
If you have successfully integrated Atrium Web Services and BNA SSL communication, go to BMC Network Automation and try to create a POD. The physical location created in the AR System server should be visible in the list during POD creation.
To configure BMC Atrium Orchestrator with SSL HTTPS
An HA environment typically has the following components installed:
- Host A Primary: AMREPO (Access Manager and Repository) and CDP installed
- Host B Secondary: AMREPO and HACDP installed
- Host C: SQL DB for AMREPO
In non-HA environments, BMC Atrium Orchestrator Access Manager and Repository are installed on a single server. For example, see To install Atrium Orchestrator AMREPO in Installing Small Deployment Windows for version 4.5.
- On the main AO hosts (for example, Host A and B), create Keys, Certificates, and CSR folders.
- Stop the Access Manager and Repository service and the Configuration Distribution Peer (CDP) service.
- Open a command prompt and navigate to the AMREPO JRE folder (for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin).
- On primary Host A, create a keypair using the keytool utility.
If Atrium Orchestrator is behind a load balancer, use the load balancer name as the CN.
keytool.exe -genkey -alias AO -keyalg RSA -keysize 2048 -keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks
At the prompts, enter the required information to create the keypair, and then press Enter.
What is your first and last name?
  [Unknown]:  vw-aus-clmidd04.bmc.com
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC Software
What is the name of your City or Locality?
  [Unknown]:  SAN JOSE
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=vw-aus-clmidd04.bmc.com, OU=IDD, O=BMC Software, L=SAN JOSE, ST=California, C=US correct?
  [no]:  yes
- Create the Certificate Signing Request (ao.csr) on the AO primary so that the CA (that is, CLM) can issue the certificate:
keytool.exe -certreq -keyalg RSA -alias AO -file C:\CSR\ao.csr -keystore C:\Keys\keystore.jks
Enter keystore password:
At the prompt, enter changeit as the password.
- Copy the ao.csr file to the CSR folder on the computer where OpenSSL is installed, and then run the following command on the OpenSSL computer to generate the certificate:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in "C:\CSR\ao.csr" -CA "C:\Certificates\RootCA.crt" -CAkey "C:\Keys\RootCA.key" -set_serial 999 -out "C:\Certificates\ao.crt"
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=California/L=SAN JOSE/O=BMC Software/OU=IDD/CN=vw-aus-clmidd04.bmc.com
Getting CA Private Key
- After the certificate (ao.crt) is generated in the Certificates folder, copy ao.crt and RootCA.crt to the Certificates folder on the AO primary and AO secondary hosts.
To configure AMREPO to work with SSL HTTPS
- On the AO primary and AO secondary hosts, import the Root CA certificate into keystore.jks:
keytool.exe -import -alias root -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=vw-aus-clmidd05.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.
- Import the RootCA.crt certificate into the AO JVM security folder (the cacerts truststore):
keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\jre\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=vw-aus-clmidd05.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.
- Import the ao.crt certificate into keystore.jks (for example, C:\Keys\keystore.jks):
keytool.exe -import -alias AO -keystore C:\Keys\keystore.jks -trustcacerts -file C:\Certificates\ao.crt
Enter keystore password:
Certificate reply was installed in keystore
- Open the Access Manager server.xml file (in Windows, for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\tomcat\conf\server.xml) in a text editor and uncomment the SSL-related sections.
Search for the following text and uncomment the Connector port section:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
Modify the Connector port information as follows. Uncomment the section, change the protocol from HTTP/1.1 to org.apache.coyote.http11.Http11Protocol, and add the keystoreFile path for keystore.jks. Make sure that you save the file.
Note
This section also includes the ciphers that fix the weak ephemeral Diffie-Hellman key error that you see with Google Chrome browsers.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
                    TLS_RSA_WITH_NULL_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="C:\Keys\keystore.jks" />
- Update the Login page entry in the context.xml file (for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\tomcat\conf\context.xml) as follows:
<Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" type="java.lang.String" value="https://clm-hou-007778:8443/baoam/login.jsf"/>
- Start the AMREPO server and verify the Access Manager URL.
For example:
https://AMPrimaryHost:8443/baoam
- Add and confirm any security restrictions in your browser.
For example, the certificate should display Issued by: bmc.com and Issued to: vw-aus-clmidd04.
- Verify the Repository Manager URL and certificates.
For example:
https://AMPrimaryHost:8443/baorepo
- Make the same changes to the secondary AMREPO server:
  - Copy the keystore file.
  - Update the server.xml and context.xml files.
  - Import the Root CA certificate.
  - Start the secondary Access Manager server.
  - Verify the URL.
To configure primary and secondary CDP to work with SSL HTTPS
Note
For CDP, use the same RootCA.crt and keystore.jks files that you previously generated, taking keystore.jks from the C:\Keys\keystore.jks path.
- Modify the server.xml file (for example, C:\Program Files\BMC Software\AO-Platform\CDP\tomcat\conf\server.xml) as follows.
Uncomment the following section, update the required port (for example, 9443), change the protocol from HTTP/1.1 to org.apache.coyote.http11.Http11Protocol, and add the keystoreFile path for the keystore.
Note
This section also includes the ciphers that fix the weak ephemeral Diffie-Hellman key error that you see with Google Chrome browsers.
<Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
                    TLS_RSA_WITH_NULL_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="C:\Keys\keystore.jks" />
- Modify the context.xml file (for example, C:\Program Files\BMC Software\AO\AM\CDP\tomcat\conf\context.xml) in a text editor.
Update the following entry with https:
<Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://vw-aus-clmidd04:8443/baorepo/http"/>
- Change directories to the primary CDP JRE\bin folder, for example, C:\Program Files\BMC Software\AO-Platform\CDP\jvm\jre\bin.
- Import the RootCA.crt certificate into the primary CDP JVM security folder:
keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\AO-Platform\CDP\jvm\jre\lib\security\cacerts" -trustcacerts -file C:\certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, O=BMC, L=SJ, ST=CA, C=US
Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, O=BMC, L=SJ, ST=CA, C=US
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.
- Import the RootCA.crt certificate into the secondary CDP JVM security folder.
- On the secondary CDP host, modify the context.xml file (for example, C:\Program Files\BMC Software\AO\AM\CDP\tomcat\conf\context.xml) in a text editor.
Update the following entries with the corrected port and https:
<Parameter name="com.bmc.ao.HACDP_CONFIGURATION" override="true" value="https://admin:admin123@vw-hou-sln-qa18:9443/baocdp/ws/install?grid=GRID1&peer=HACDP"/>
<Environment name="grid-name" override="true" type="java.lang.String" value="GRID1"/>
<Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://vw-hou-sln-qa18:9443/baocdp/ws/console"/>
- Start the CDP server on both nodes and verify the URL.
For example:
https://<CDPHost>:9443/baocdp
- Add and confirm any security restrictions in your browser.
The certificate should display Issued by: bmc.com and Issued to: vw-aus-clmidd04.
- Access the BMC Server Automation application server from the Atrium Orchestrator hosts and review the certificate details that it displays.
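The Mid Tier, Atrium Web Services, AMREPO and CDP steps above all hand-edit the same Tomcat Connector element. The following Python script is an added check, not BMC code: it parses a server.xml, confirms that the SSL Connector carries the settings this procedure prescribes (port, scheme, secure, keystoreFile, keystorePass) and flags cipher suites a defender should not leave enabled (NULL suites provide no encryption, 3DES is obsolete). It assumes Tomcat's documented default of "changeit" for a missing keystorePass; the sample XML is constructed from the CDP Connector shown above.

```python
"""Audit the SSL Connector in a Tomcat server.xml against this procedure.

Added example, not BMC code. Assumes Tomcat's documented behaviour that a
missing keystorePass defaults to "changeit" (the Atrium Web Services
connector in the procedure relies on that default).
"""
import xml.etree.ElementTree as ET

# Cipher-suite name fragments a defender should not leave enabled:
# NULL suites give no encryption at all, 3DES is obsolete.
WEAK_CIPHER_MARKERS = ("_NULL_", "3DES")

# Constructed sample: the CDP Connector from the procedure (cipher list
# shortened, keystorePass added), plus a plain HTTP connector.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
                        TLS_RSA_WITH_NULL_SHA256,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="C:\Keys\keystore.jks" keystorePass="changeit" />
  </Service>
</Server>"""


def audit_ssl_connectors(server_xml, expected_port):
    """Return a list of findings for every SSLEnabled Connector in server_xml.

    An empty list means the connector matches the procedure and no weak
    cipher is enabled. Findings are plain strings so they can be logged.
    """
    root = ET.fromstring(server_xml)
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        # The shipped server.xml keeps the SSL Connector inside an XML comment,
        # so "nothing found" usually means the uncomment step was skipped.
        return ["no SSLEnabled Connector found (SSL section still commented out?)"]

    findings = []
    for conn in ssl_connectors:
        port = conn.get("port")
        if port != str(expected_port):
            findings.append(f"port is {port}, expected {expected_port}")
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append("scheme/secure must be https/true for a TLS connector")
        if not conn.get("keystoreFile"):
            findings.append("keystoreFile missing: Tomcat cannot load the server keypair")
        keystore_pass = conn.get("keystorePass")
        if keystore_pass is None:
            findings.append("keystorePass not set: Tomcat will use the default 'changeit'")
        elif keystore_pass == "changeit":
            # Works, but the keystore holding the server's private key is then
            # protected only by a password everyone knows.
            findings.append("keystorePass is the default 'changeit'")
        # ET normalises the newlines inside the attribute to spaces.
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        for cipher in ciphers:
            if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher enabled: {cipher}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML, 9443):
        print("FINDING:", finding)
```

Run it against each host's server.xml with the port that host is supposed to serve (8443 for AMREPO, 9443 for the others) after the Tomcat restart step.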
To configure BMC Server Automation and Atrium Orchestrator with SSL HTTPS
You already generated the keystore.jks file in C:\Keys\keystore.jks and the RootCA.crt file in C:\Certificates on both hosts.
- Import the RootCA.crt certificate into the BladeLogic Java security file on both nodes as follows:
keytool.exe -import -alias root -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\jre\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
- Log in to the BMC Server Automation server from both hosts with defaultProfile and verify the certificate obtained.
To configure Atrium Orchestrator and Platform Manager with SSL HTTPS
- On the Platform Manager server, update the provider.json file with the AO details, such as https and port numbers, wherever required.
For example:
[{
  "cloudClass" : "com.bmc.cloud.model.beans.Provider",
  "accessValues" : [ {
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
    "accessAttribute" : {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
      "datatype" : "STRING",
      "guid" : "52461ff1-2ec4-11e0-91fa-0800200c9a66",
      "isOptional" : false,
      "isPassword" : false,
      "modifiableWithoutRestart" : false,
      "name" : "AO_SERVER_URL"
    },
    "attributeValue" : "https://clm-hou-007778:9443/baocdp/orca",
    "guid" : "78274c00-9d52-4b7a-bd07-7e7bfa413855",
    "name" : "AO_SERVER_URL"
  }
- Restart Platform Manager.
To configure Atrium Orchestrator and ITSM with SSL HTTPS
- On the Cloud Portal and Database server, open the CMF:PluginConfiguration form and update the Atrium Orchestrator details, such as FIELD_AO_PROTOCOL, FIELD_AO_PORT, and so on.
- Restart the AR System server.
To modify Platform Manager to use HTTPS with multiple ITSM servers
The following steps apply if you are running multiple IT Service Management servers.
- In Cloud Portal and Database ITSM, open the CMF:PluginConfiguration form, change the Root URL from http to https, and update the SSL port to 9443.
- On both ITSM hosts, import the RootCA certificate:
  - Copy the RootCA.crt certificate to both hosts in its own folder (for example, C:\Certificates).
  - Import the certificate by entering the following command:
C:\Program Files\Java\jre7\bin>keytool -import -alias root -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
Serial number: 802aae2101b14487
Valid from: Thu Apr 10 13:52:46 PDT 2014 until: Fri Apr 10 13:52:46 PDT 2015
Certificate fingerprints:
         MD5:  15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
         SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
         SHA256: A5:AC:79:D0:E3:21:BA:88:E7:78:77:CD:E8:18:88:14:96:CC:64:64:FD:D6:12:76:CE:BF:70:BB:28:82:30:D9
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
0010: 0D 6C 58 51                                        .lXQ
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76  3(`....G..J.k..v
0010: 0D 6C 58 51                                        .lXQ
]
]
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
You do not need to import RootCA into the C:\ProgramFile\Java\Jre\bin path.
- Restart the Platform Manager and AR System servers.
- Verify your changes by putting the RESTClient on the ITSM host and connecting to the Platform Manager host with the SSL URL and the trustcacerts path of the Cloud Java (as above).
Related topic
Using CLM applications with third-party Certification Authority certificates