This documentation supports the 20.02 version of BMC Digital Workplace Advanced.


Configuring access to the BMC Digital Workplace Catalog server over SSL

To improve the security of your BMC Digital Workplace Catalog network communications, you can configure server authentication and encryption via the secure socket layer (SSL). Before you implement any security method, you should consult your organization's IT security team to select the required level of encryption to suit your business.

Related topics

Configuring after installation of BMC Digital Workplace Catalog

Troubleshooting SSL issues for BMC Digital Workplace Catalog

Before you begin

For a high availability deployment, first perform the tasks described in Configuring BMC Digital Workplace Catalog for high availability.

SSL configuration options

Use one of the following methods to enable SSL encryption for BMC Digital Workplace Catalog access:

Method: Configure SSL at the load balancer

  Description: When configuring SSL at the load balancer, only the network traffic to the load balancer is encrypted. The load balancer handles all communication to and from BMC Digital Workplace without encryption. Network traffic to and from the load balancer is sent using the https protocol, and traffic from the load balancer to the application servers is sent using the unencrypted http protocol. This method assumes that all communication after the load balancer is behind a firewall, so encryption is not necessary.

  Note: If this is a high availability deployment, you should offload the SSL configuration to the load balancer layer, instead of configuring SSL on individual nodes.

  Reference: To configure SSL at the load balancer

Method: Configure applications to encrypt using native SSL

  Description: When configuring SSL natively on all application servers, you must adapt the settings on each server to allow, and even enforce, encrypted https connections throughout the entire chain.

  Reference: To configure applications to encrypt using native SSL

To configure SSL at the load balancer 

Configuring SSL at the load balancer requires three steps:

To create the virtual server and SSL certificate

  1. Using a load balancer such as F5, create a virtual server, and configure it to use HTTPS.
    You will set up access to BMC Digital Workplace Catalog through the virtual server.
  2. In a web browser, open the BMC Digital Workplace Catalog URL by using the HTTPS protocol.
  3. On the left side of the browser location bar, click the HTTPS alert.
  4. Click View Certificate.
  5. Click Export, and save the certificate locally.

To establish a trust relationship between BMC Digital Workplace and BMC Digital Workplace Catalog

  1. Copy the certificate to a location on the BMC Digital Workplace server.
  2. Import the certificate using the Java keytool.exe.

    For example, if you saved the certificate as c:\SBCertforMyIT.crt, enter the following command on the command line of the BMC Digital Workplace server:

    Windows command line
    C:\Program Files\Java\jre1.8.0_91\bin>keytool.exe -importcert -alias sbcert -keystore "C:\Program Files\Java\jre1.8.0_91\lib\security\cacerts" -file c:\SBCertforMyIT.crt

    Note

    The default keystore password is changeit.


    By importing the BMC Digital Workplace Catalog certificate into the BMC Digital Workplace server, you establish trust between BMC Digital Workplace and BMC Digital Workplace Catalog over SSL.

  3. Restart the BMC Digital Workplace server.

  4. Clear the browser cache.

  5. Log in to the BMC Digital Workplace Admin console.
  6. Go to Configuration > Enhanced Catalog.
  7. In the URL field, change the BMC Digital Workplace Catalog URL to the SSL version.

    For example, replace http://dwpcatalog-example.com:8008/api/myit-sb/ with https://dwpcatalog-example.com:8443/api/myit-sb/.

    Additional checks

    • Ensure that you use FQDN where the instruction is to use FQDN (and not the host name) in installLocation/sb/rxscripts/bin/setenv.sh.
    • Ensure that you use the host name where the instruction is to use host name (and not FQDN) in installLocation/sb/env/set_script_variables.sh.
    • Do not use localhost in the above-mentioned files.
    • Ensure that you update the following section in installLocation/jetty/etc/jetty-http.xml and include the actual keystore and truststore.

      <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
      <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
      <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="IncludeCipherSuites">

      Note

      The jetty-http.xml file is case sensitive. Be sure to use the correct case when editing the file.

To test BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Catalog using the HTTPS URL.

    https://<dwpc_server.com:8443>/myitsbe/
  2. Perform common actions, such as creating and publishing a new service, to test that BMC Digital Workplace Catalog works as expected.

To test the BMC Digital Workplace connection to BMC Digital Workplace Catalog over HTTPS/SSL

  1. Log in to the BMC Digital Workplace Admin console.
    The administrator account must also have the permissions to manage the BMC Digital Workplace Catalog.

  2. Go to Service Requests > Catalog > Catalog Sections.
  3. Add a new catalog section.
    Under Item categories, you should see a folder of BMC Digital Workplace Catalog items that contains the services you published.

To modify web servers to use native SSL

Perform the following steps to configure web servers to use SSL:

To import the SSL certificate into the Java keystore

Note

In both of the following examples, the alias must be named jetty.

  • If you have an existing Java keystore, import the signed primary certificate into the Java keystore:

    keytool -import -trustcacerts -alias jetty -file mydomain.crt -keystore keystore
  • If you do not have a certificate, create a new keystore by using a new password to secure the certificate:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

To secure the keystore

  1. When keytool creates the keystore, provide the six parameters that form the distinguished name of the certificate associated with the key:

    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner

    Note

    The keystore file is created in the current directory of the command window.

  2. Obfuscate the SSL connector keystore password so that it is not stored in clear text in jetty-http.xml. Jetty's OBF: encoding is reversible, so also restrict read access to the file.
    For more information, see "Obfuscating the password" in Configuring the REST API by using SSL certificates.

  3. Update the installLocation/jetty/etc/jetty-http.xml file with the sslContextFactory configuration. If the following configuration blocks are present in the file but commented out, uncomment them.

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
            </Arg>
        </Call>
    </New>
     
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
        <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
        <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="IncludeCipherSuites">
            <Array type="String">
                <Item>TLS_DHE_RSA.*</Item>
                <Item>TLS_ECDHE.*</Item>
            </Array>
        </Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>.*NULL.*</Item>
                <Item>.*RC4.*</Item>
                <Item>.*MD5.*</Item>
                <Item>.*DES.*</Item>
                <Item>.*DSS.*</Item>
                <Item>.*_DHE_RSA_.*</Item>
            </Array>
        </Set>
        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSL</Item>
                <Item>SSLv2</Item>
                <Item>SSLv2Hello</Item>
                <Item>SSLv3</Item>
            </Array>
        </Set>
    </New>
    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="sslContextFactory">
            <Ref refid="sslContextFactory" />
        </Arg>
        <Arg name="next">http/1.1</Arg>
    </New>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item><Ref refid="sslConnectionFactory" /></Item>
                <Item>
                    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                        <Arg name="config"><Ref refid="httpsConfig" /></Arg>
                    </New>
                </Item>
            </Array>
        </Arg>
        <Set name="port">8443</Set>
    </New>
    <Call name="setConnectors">
        <Arg>
            <Array type="org.eclipse.jetty.server.ServerConnector">
                <Item>
                    <Ref refid="sslConnector" />
                </Item>
            </Array>
        </Arg>
    </Call>
  4. Validate the XML file by running the following command:

    xmllint --noout jetty-http.xml

    Any XML errors are reported. If the file is valid, the command returns no output.

  5. On the Linux terminal, update the following properties in the ar.conf file (the current values depend on the port Jetty is configured for). Change them from:

    Jetty-Port: 8008
    Jetty-Protocol: HTTP

    to:

    Jetty-Port: 443
    Jetty-Protocol: HTTPS
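A pre-flight check for the jetty-http.xml edits in steps 3 and 4, as an added example that is not BMC's or Jetty's code: it parses the file the way xmllint does, confirms that every Ref refid resolves to an id with matching case (the case-sensitivity point from the note above), flags any password setter that is not OBF:-encoded, and confirms that SSLv2Hello and SSLv3 are excluded. The sample fragment and its two deliberate mistakes are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of a jetty-http.xml sslContextFactory section (paths are placeholders).
# It deliberately carries two mistakes the checks below catch: a clear-text
# TrustStorePassword and a Ref whose refid differs only in case from the id it targets.
SAMPLE_JETTY_HTTP_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
    <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String"><Item>SSLv2Hello</Item><Item>SSLv3</Item></Array>
    </Set>
  </New>
  <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
    <Arg name="sslContextFactory"><Ref refid="SSLContextFactory" /></Arg>
  </New>
</Configure>
"""


def check_jetty_http_xml(xml_text: str) -> list[str]:
    """Return findings for the fragment; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)  # same well-formedness test as xmllint --noout
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    # Jetty resolves <Ref refid="..."/> against id attributes, and the match is case sensitive.
    ids = {el.get("id") for el in root.iter() if el.get("id")}
    for ref in root.iter("Ref"):
        if ref.get("refid") not in ids:
            findings.append(f"Ref refid={ref.get('refid')!r} matches no id (check the case)")
    excluded = set()
    for setter in root.iter("Set"):
        name, value = setter.get("name", ""), (setter.text or "").strip()
        if name.endswith("Password") and not value.startswith("OBF:"):
            findings.append(f"{name} is stored in clear text; obfuscate it")
        if name == "ExcludeProtocols":
            excluded = {item.text for item in setter.iter("Item")}
    for proto in ("SSLv2Hello", "SSLv3"):
        if proto not in excluded:
            findings.append(f"ExcludeProtocols does not list {proto}")
    return findings
```

Run check_jetty_http_xml on the contents of the real file after step 3; on the constructed sample it reports the case-mismatched refid and the clear-text TrustStorePassword.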

To configure native SSL on the BMC Digital Workplace Catalog server

  1. On the BMC Digital Workplace Catalog server, open the installLocation/sb/env/set_script_variables.sh script.
  2. Change the following parameters to use the HTTPS scheme, your server URL, and the SSL port.
    Replace the <DWPC-server> placeholders with your server-specific values:

    export UISERVICE_URL=https://<DWPC-server-name>:8443/api/myit-sb/ui
    export RX_SERVER=https://<DWPC-server-fqdn.com>:8443
  3. Add the following parameters:

    export CONNECTOR_BASE_URL=https://<DWPC-server-name>:8443
    export CONNECTOR_TRUST_ALL_SSL_CERTIFICATES=true
  4. Open the installLocation/sb/rxscripts/bin/setenv.sh script.
  5. Change the parameters in the following block from:

    export rx_host=localhost
    export rx_url_scheme=http
    export rx_port=8008

    to:

    # enter the actual server name 
    export rx_host=clm-aus.bmc.com
    export rx_url_scheme=https
    export rx_port=8443

    Note

    Comment out the unset rx_trace parameter.

  6. Open the installLocation/bin/monitor.properties script.

  7. Change the parameters in the following block from:

    https false
    arServerRestPort 8008

    to

    https true
    arServerRestPort 8443

    Note

    Remove any trailing spaces after these parameter lines.

  8. Navigate to installLocation/sb and run ./post_install.sh enable_insecure_sessions to allow native SSL to work on the BMC Digital Workplace Catalog server.

  9. Restart the BMC Digital Workplace Catalog server as described in Starting and stopping the BMC Digital Workplace Catalog server.
  10. To finalize the configuration, perform the following actions on the BMC Remedy ITSM side:
    1. In the SB:RemoteApprovalConfiguration form, update the Remote Port field with the BMC Helix Digital Workplace Catalog HTTPS port.
    2. (If BMC Smart IT is integrated with BMC Helix Digital Workplace Catalog) Under Centralized Configuration, from the Component Name menu, select com.bmc.itsm.sbe. Then update sbeUrl to use HTTPS and the BMC Helix Digital Workplace Catalog SSL port.
    3. Import the BMC Helix Digital Workplace Catalog .crt file into the Java cacerts file of Smart IT, Mid Tier, and RSSO.

Troubleshooting SSL issues

If the SSL configuration is incorrect after you switch to SSL, the following error appears on startup:

"Your login failed. Please check your username and password."

To troubleshoot SSL issues

  1. Add the following line to /bin/arserverd.conf, where XX is one greater than the highest existing jvm.option number, and place it directly after that existing jvm.option line:

    jvm.option.XX=-Djavax.net.debug=ssl
  2. Restart the BMC Digital Workplace Catalog server.

  3. Review the arerror.log file for any SSL issues.
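To make the review in step 3 faster, the following added example (not part of the BMC product) scans arerror.log lines for the JSSE handshake failures that -Djavax.net.debug=ssl surfaces and maps each to the step on this page that normally resolves it. The log excerpt is constructed: the exception texts are standard JSSE messages, the timestamps and host name are invented.

```python
import re

# Constructed arerror.log excerpt of the kind javax.net.debug=ssl produces.
SAMPLE_ARERROR_LOG = """\
Mon Mar 02 10:15:01 2020  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: unable to find valid certification path to requested target
Mon Mar 02 10:15:02 2020  javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
Mon Mar 02 10:15:03 2020  java.security.cert.CertificateException: No name matching dwpcatalog-example.com found
Mon Mar 02 10:15:04 2020  Your login failed. Please check your username and password.
"""

# Each pattern maps a JSSE failure to the configuration step on this page that addresses it.
SSL_SIGNATURES = [
    (re.compile(r"PKIX path building failed|unable to find valid certification path"),
     "server certificate not trusted: import the .crt into the JRE cacerts keystore (keytool -importcert)"),
    (re.compile(r"Received fatal alert: protocol_version"),
     "protocol mismatch: compare the client's TLS versions with ExcludeProtocols in jetty-http.xml"),
    (re.compile(r"Received fatal alert: handshake_failure"),
     "no common cipher suite: compare IncludeCipherSuites/ExcludeCipherSuites in jetty-http.xml"),
    (re.compile(r"No name matching (\S+) found|No subject alternative (?:DNS )?name matching"),
     "hostname mismatch: use the FQDN in setenv.sh and the host name in set_script_variables.sh, never localhost"),
]


def triage_ssl_errors(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, remediation hint) for every log line matching a known SSL failure.

    A 'login failed' line on its own is only the symptom; it is left out so that the
    underlying handshake error, which appears before it, is what gets reported."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pattern, hint in SSL_SIGNATURES:
            if pattern.search(line):
                hits.append((lineno, hint))
                break  # one hint per line is enough
    return hits
```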

To fix user synchronization issues

If you encounter any user sync errors in the arerror.log file, perform the following steps:

  1. Open the /artools/user_group_sync.sh script.
  2. Replace the following line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/"-Dtenant_admin_user="$sb_user"-Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled"

    With this line:

    /usr/java/default/bin/java -cp dependency/*:com.bmc.myservice.tools-1.0.00-SNAPSHOT.jar -Dsb_base_url="$sb_web_proto://$sb_server:$sb_web_port/" -Dtenant_admin_user="$sb_user" -Dtenant_admin_password=$sb_password -Dgroup_format="$group_format" -Dinput_file=People.arx -Duser_input_file=User.arx -Dskip_disabled="$skip_disabled" -Djavax.net.ssl.trustStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=/opt/bmc/digitalworkplace/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=password com.bmc.myservice.tools.etl.Main
  3. Save the changes.

Where to go from here

Complete the remaining procedures in Configuring after installation of BMC Digital Workplace Catalog that are required for your deployment scenario.


Comments

  1. Shekhar Raj

    What is KeyManagerPassword parameter in jetty-http.xml file? Where is it provided while generating keystore of csr?

    Aug 06, 2020 01:50
    1. Olha Horbachuk

      Thanks for commenting, Shekhar Raj. The password that matters for the keystore is KeyStorePassword. The platform configuration replicates the same password in KeyManagerPassword by default.

      Regards,

      Olha Horbachuk

      Aug 07, 2020 02:08
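The OBF: values in jetty-http.xml are produced by Jetty's own password tool (the Password class in jetty-util). The following added example, which is neither BMC's nor Jetty's code, reimplements that encoding in Python to illustrate step 2 of "To secure the keystore" and the KeyStorePassword/KeyManagerPassword question in the comments above: the encoding is reversible rather than encrypted, so the file still needs restricted read permissions. The jetty_password_settings helper is an assumption of this example, not a product API.

```python
def _base36(n: int) -> str:
    """Lower-case base-36 digits, matching Java's Integer.toString(n, 36)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"


def obfuscate(password: str) -> str:
    """Jetty's OBF: encoding for ASCII passwords, as produced by its Password tool."""
    raw = password.encode("ascii")
    chunks = []
    for i, b1 in enumerate(raw):
        b2 = raw[len(raw) - (i + 1)]  # byte mirrored from the other end of the password
        i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
        chunks.append(_base36(i0).rjust(4, "0"))  # Jetty pads each chunk to 4 digits
    return "OBF:" + "".join(chunks)


def deobfuscate(obf: str) -> str:
    """Inverse of obfuscate(): OBF: hides the password only from a casual glance at the file."""
    body = obf[4:] if obf.startswith("OBF:") else obf
    chars = []
    for i in range(0, len(body), 4):
        j1, j2 = divmod(int(body[i:i + 4], 36), 256)
        chars.append(chr((j1 + j2 - 254) // 2))
    return "".join(chars)


def jetty_password_settings(keystore_password: str, truststore_password: str = "") -> dict:
    """Values for the three password setters in jetty-http.xml (helper assumed for this example).
    KeyManagerPassword reuses the keystore password, as the platform does by default, which is
    why the configuration on this page shows the same OBF: string in each setter."""
    ks = obfuscate(keystore_password)
    ts = obfuscate(truststore_password) if truststore_password else ks
    return {"KeyStorePassword": ks, "KeyManagerPassword": ks, "TrustStorePassword": ts}
```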