You can enable security for the Collection Station in the following way:
Note
If you want to secure the Collection Station scaled out on separate remote nodes, then after installing the Collection Station on each of the remote nodes, ensure that you copy the KeyStore generated on the server with the first Collection Station instance in your environment.
This topic provides the following instructions for enabling security for the Collection Station.
Configure all the Collection Agents (including standalone Collection Agents) and Collection Stations in your environment, as described in the following tabs.
Locate and open the flume.conf file in a text editor.
Set the directory path to the TrustStore (that you generated earlier) by adding the following lines:
a1.sinks.k1.ssl = true
a1.sinks.k1.truststore = <TrustStoreLocationPath>
a1.sinks.k1.truststore-password = <TrustStorePassword>
a1.sinks.k1.truststore-type = JKS
where,
<TrustStoreLocationPath>
refers to the absolute path of the TrustStore location. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes). For example, %PATROL_HOME%\bww\udc\conf.
<TrustStorePassword>
refers to the password that you provided while generating the TrustStore.
Save your changes.
Import the self-signed certificate by running the following command:
Note
The self-signed certificate imported on the Collection Agent and the Collection Station (optional) must be the same.
keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>
keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/agent/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit
In the preceding command, the following definitions apply:
<jreLocation>
refers to the following JRE location on the Collection Agent or the standalone Collection Agent. See the following location paths:
<certificateLocation>
refers to the directory path where you copied the certificate generated earlier.
<aliasName>
refers to the alias by which you want to store the certificate during the import.
<password>
refers to the KeyStore password.
Restart the Collection Agent and the standalone Collection Agent.
For more information, see Starting or stopping product services.
Set the directory path to the KeyStore (that you generated earlier) by adding the following lines:
a1.sources.r1.ssl=true
a1.sources.r1.keystore=<KeyStoreLocationPath>
a1.sources.r1.keystore-password=<KeyStorePassword>
a1.sources.r1.keystore-type = JKS
where,
<KeyStoreLocationPath>
refers to the absolute path of the KeyStore location. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes). For example, C:/Program Files/BMC Software/TrueSight/ITDA.
<KeyStorePassword>
refers to the password that you provided while generating the KeyStore.
Save your changes.
(Optional) This step applies only if you are importing a self-signed certificate other than the one imported for securing the Configuration channel.
Import a self-signed certificate by running the following command:
Note
The self-signed certificate imported on the Collection Agent and the Collection Station must be the same.
keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>
keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit
In the preceding command, the following definitions apply:
<jreLocation>
refers to the following JRE location on the Collection Station. The value must be as follows:
C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts
<certificateLocation>
refers to the directory path where you copied the certificate generated earlier.
<aliasName>
refers to the alias by which you want to store the certificate during the import.
<password>
refers to the KeyStore password.
Restart the Collection Station.
For more information, see Starting or stopping product services.
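The flume.conf settings listed above for the Collection Agent (sink with a TrustStore) and the Collection Station (source with a KeyStore) can be checked before restarting the services. The following is an added example, not BMC code: the function names are hypothetical, and the sample paths and passwords are constructed for illustration.

```python
import re

# Role -> (flume.conf section, store prefix) as used in the steps above.
ROLES = {"agent": ("sinks", "truststore"), "station": ("sources", "keystore")}

def parse_properties(text):
    """Parse 'key = value' lines; skip blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_flume_tls(text, role):
    """Return findings for each sink (agent) or source (station); [] means OK."""
    section, store = ROLES[role]
    components = {}
    for key, value in parse_properties(text).items():
        m = re.fullmatch(rf"(\w+\.{section}\.\w+)\.(.+)", key)
        if m:
            components.setdefault(m.group(1), {})[m.group(2)] = value
    findings = [] if components else [f"no {section} configured"]
    for comp, cfg in sorted(components.items()):
        path = cfg.get(store, "")
        password = cfg.get(f"{store}-password", "")
        if cfg.get("ssl", "").lower() != "true":
            findings.append(f"{comp}: ssl is not true")
        if not path or path.startswith("<"):
            findings.append(f"{comp}: {store} path missing or placeholder")
        elif "\\" in path:
            findings.append(f"{comp}: {store} path uses backslashes")
        if not password or password.startswith("<"):
            findings.append(f"{comp}: {store}-password missing or placeholder")
        if cfg.get(f"{store}-type", "").upper() != "JKS":
            findings.append(f"{comp}: {store}-type is not JKS")
    return findings

# Constructed sample inputs (paths and passwords are made up for the example).
GOOD_AGENT = """
a1.sinks.k1.ssl = true
a1.sinks.k1.truststore = C:/itda/conf/truststore.jks
a1.sinks.k1.truststore-password = example-pass
a1.sinks.k1.truststore-type = JKS
"""
BAD_STATION = """
a1.sources.r1.ssl=false
a1.sources.r1.keystore=C:\\itda\\conf\\keystore.jks
a1.sources.r1.keystore-password=<KeyStorePassword>
"""

if __name__ == "__main__":
    print(check_flume_tls(GOOD_AGENT, "agent"))
    print(check_flume_tls(BAD_STATION, "station"))
```

An empty list means every setting from the steps is present for that role; each finding names the sink or source and the property to correct.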
Configure the Collection Agents (including standalone Collection Agents) and Collection Stations in your environment, as described in the following tabs.
Add the property, stationprotocol=https.
Save your changes.
Windows: %BMC_ITDA_AGENT_PATH%\agent\collection\custom\conf\
stationprotocol=HTTPS
station.discovery.identifier=HTTPS;<stationHost>;<stationConfigurationPort>
<stationHost>
refers to the Collection Station port to which the standalone Collection Agent must be connected.
<stationConfigurationPort>
refers to the Configuration channel port, corresponding to the Collection Station host.
For example:
station.discovery.identifier=HTTPS;clm-pun-01;8080
stationprotocol=https
keystoreFilePath=<KeyStoreLocationPath>
keystoreFilePassword=<KeyStorePassword>
<KeyStoreLocationPath>
refers to the directory path where the KeyStore is located. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes) and with a forward slash at the beginning of the path.
<KeyStorePassword>
refers to the KeyStore password that you provided while generating the KeyStore.
Save your changes.
Import the self-signed certificate (generated earlier) by running the following command:
keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>
keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit
In the preceding command, the following definitions apply:
<jreLocation>
refers to the following JRE location on the Collection Station. The value must be as follows:
C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts
<certificateLocation>
refers to the directory path where you copied the certificate generated earlier.
<aliasName>
refers to the alias by which you want to store the certificate during the import.
<password>
refers to the KeyStore password.
Restart the Collection Station.
For more information, see Starting or stopping product services.