Page tree

Skip to end of metadata
Go to start of metadata

You can enable security for the Collection Station in the following way:

  • Enable security for the Payload Service (data flow from the Collection Agent to the Collection Station).
  • Enable security for the Configuration Channel (configuration data flow from the Collection Station to the Collection Agent).

Note

If you want to secure the Collection Station scaled out on separate remote nodes, then after installing the Collection Station on each of the remote nodes, ensure that you copy the KeyStore generated on the server with the first Collection Station instance in your environment.

This topic provides the following instructions for enabling security for the Collection Station.


Before you begin

  • Ensure that you have generated a KeyStore and a TrustStore (in the JKS format). For more information, see Generating a KeyStore and TrustStore.
  • Ensure that you have generated a self-signed certificate.

Enabling security for the Payload Service

Configure all the Collection Agents (including standalone Collection Agents) and Collection Stations in your environment, as described in the following tabs.

    To configure the Collection Agent and the standalone Collection Agent 

    1. Navigate to the following directory, as appropriate:
      • Collection Agent (configured by using PATROL for IT Data Analytics):
        • Windows: %PATROL_HOME%\bww\udc\conf 
        • Linux: $PATROL_HOME/bww/udc/conf 
      • Standalone Collection Agent:
        • Windows: %BMC_ITDA_AGENT_PATH%\agent\collection\custom\conf
        • Linux: $BMC_ITDA_AGENT_PATH/agent/collection/custom/conf
    2. Copy the server.jks file obtained while generating the TrustStore.
    3. Locate and open the flume.conf file in a text editor. 

    4. Set the directory path to the TrustStore (that you generated earlier) by adding the following lines:

      a1.sinks.k1.ssl = true
      a1.sinks.k1.truststore = <TrustStoreLocationPath>
      a1.sinks.k1.truststore-password = <TrustStorePassword>
      a1.sinks.k1.truststore-type = JKS

      where,

      <TrustStoreLocationPath> refers to the absolute path of the TrustStore location. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes). For example, %PATROL_HOME%\bww\udc\conf.

      <TrustStorePassword> refers to the password that you provided while generating the TrustStore.

    5. Save your changes.

    6. Import the self-signed certificate by running the following command:

      Note

      The self-signed certificate imported on the Collection Agent and the Collection Station (optional) must be the same.

      Command syntax

      keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>

       

      Example

      keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/agent/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit

      In the preceding command, the following definitions apply: 

      • <jreLocation> refers to the following JRE location on the Collection Agent or the standalone Collection Agent. See the following location paths:

        • Collection Agent: C:/Program Files/BMC Software/Patrol_Agent_96/Patrol3/jre/lib/security/cacerts
        • Standalone Collection Agent: C:/Program Files/BMC Software/TrueSight/ITDA/agent/jre/lib/security/cacerts
      • <certificateLocation> refers to the directory path where you copied the certificate generated earlier.
      • <aliasName> refers to the alias by which you want to store the certificate during the import.
      • <password> refers to the KeyStore password. 
        Default: changeit
    7. Restart the Collection Agent and the standalone Collection Agent. 
      For more information, see Starting or stopping product services.

    To configure the Collection Station

    1. Navigate to the following directory, as appropriate:
      • Windows: %BMC_ITDA_HOME%\station\collection\custom\conf
      • Linux: $BMC_ITDA_HOME/station/collection/custom/conf/
    2. Locate the flume.conf file and open it in a text editor.
    3. Set the directory path to the KeyStore (that you generated earlier) by adding the following lines:

      a1.sources.r1.ssl=true

      a1.sources.r1.keystore=<KeyStoreLocationPath>

      a1.sources.r1.keystore-password=<KeyStorePassword>

      a1.sources.r1.keystore-type = JKS

      where, 

      KeyStoreLocationPath refers to the absolute path of the KeyStore location. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes). For example, C:/Program Files/BMC Software/TrueSight/ITDA.

      KeyStorePassword refers to the password that you provided while generating the KeyStore.

    4. Save your changes.

    5. (Optional) This step applies only if you are importing a self-signed certificate other than the one imported for securing the Configuration channel.
      Import a self-signed certificate by running the following command:

      Note

      The self-signed certificate imported on the Collection Agent and the Collection Station must be the same.

      Command syntax

      keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>

      Example

      keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit

       

      In the preceding command, the following definitions apply:

      • <jreLocation> refers to the following JRE location on the Collection Station. The value must be as follows:

        C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts

      • <certificateLocation> refers to the directory path where you copied the certificate generated earlier.
      • <aliasName> refers to the alias by which you want to store the certificate during the import.
      • <password> refers to the KeyStore password. 
        Default: changeit
    6. Restart the Collection Station. 
      For more information, see Starting or stopping product services.

    Enabling security for the Configuration Channel

    Configure the Collection Agents (including standalone Collection Agents) and Collection Stations in your environment, as described in the following tabs.

      To configure the Collection Agent

      1. Navigate to the following directory, as appropriate:
        • Windows: %PATROL_HOME%\bww\udc\conf 
        • Linux: $PATROL_HOME/bww/udc/conf 
      2. Locate the agent.properties file and open it in a text editor.
      3. Add the property, stationprotocol=https.

      4. Save your changes.

      5. Restart the Collection Agent. 
        For more information, see Starting or stopping product services.

      To configure the standalone Collection Agent

      1. Navigate to the following directory, as appropriate: 
        • Windows: %BMC_ITDA_AGENT_PATH%\agent\collection\custom\conf\

        • Linux: $BMC_ITDA_AGENT_PATH/agent/collection/custom/conf/
      2. Locate the agent.properties file and open it in a text editor.
      3. Add the following properties (if not already present) and change the value to 'HTTPS': 
        • stationprotocol=HTTPS
        • station.discovery.identifier=HTTPS;<stationHost>;<stationConfigurationPort>
          In the preceding property value, the following definitions apply:
          • <stationHost> refers to the Collection Station port to which the standalone Collection Agent must be connected. 
          • <stationConfigurationPort> refers to the Configuration channel port, corresponding to the Collection Station host.
          Example:station.discovery.identifier=HTTPS;clm-pun-01;8080
      4. Save your changes.
      5. Restart the standalone Collection Agent. 
        For more information, see Starting or stopping product services.

      To configure the Collection Station

      1. Navigate to the following directory, as appropriate:
        • Windows: %BMC_ITDA_HOME%\station\collection\custom\conf\
        • Linux: $BMC_ITDA_HOME/station/collection/custom/conf/
      2. Locate the agent.properties file and open it in a text editor.
      3. Add the following properties:
        • stationprotocol=https
        • keystoreFilePath=<KeyStoreLocationPath>
        • keystoreFilePassword=<KeyStorePassword>
          In the preceding properties, the following values apply:
          • <KeyStoreLocationPath> refers to the directory path where the KeyStore is located. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes) and with a forward slash at the beginning of the path.
          • <KeyStorePassword> refers to the KeyStore password that you provided while generating the KeyStore.
      4. Save your changes.

      5. Import the self-signed certificate (generated earlier) by running the following command:

        Command syntax

        keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>

         

        Example

        keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit

        In the preceding command, the following definitions apply:

        • <jreLocation> refers to the following JRE location on the Collection Station. The value must be as follows:

          C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts

        • <certificateLocation> refers to the directory path where you copied the certificate generated earlier.
        • <aliasName> refers to the alias by which you want to store the certificate during the import.
        • <password>refers to the KeyStore password. 
          Default: changeit
      6. Restart the Collection Station. 
        For more information, see Starting or stopping product services.

      6 Comments

      1.  

        1.  

          1.  

      2.  

        1.  

          1.