Use this topic to enable security for the actions performed via the product interface and CLI and for communication between the Console Server and Search components.

If you also want to disable the HTTP port, go to the computers hosting the Console Server and Search components and navigate to %BMC_ITDA_HOME%\tomcat\conf\. In the server.xml file, comment out the following tag, and then restart the Console Server and Search components. For more information, see Starting or stopping product services.

<Connector connectionTimeout="20000" port="9797" protocol="HTTP/1.1" redirectPort="9443"/>

Enabling security for the Console Server

By enabling security for the Console Server, you can secure the actions performed by using the product interface and by using the CLI.  

To enable security for actions performed by using the product interface, you need to perform a set of steps as described in the following sections. These steps vary based on whether you want to use the default self-signed certificate available with IT Data Analytics or whether you want to use a custom self-signed certificate for enabling security.

To enable security for actions performed by using the CLI, type -s in the command syntax. This applies even if you use a custom self-signed certificate. For more information about the individual CLI commands, see Managing the product from the command line interface.

To enable security for the Console Server with default certificate

  1. Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.
    • Windows: %BMC_ITDA_HOME%\custom\conf\server

    • Linux: $BMC_ITDA_HOME/custom/conf/server
  2. In the olaengineCustomConfig.properties file, add the following properties:
    • consoleserver.protocol=https
    • consoleserver.port=9443
  3. In the searchserviceCustomConfig.properties file, add the following properties:

    • consoleserver.protocol=https

    • searchservice.port=9443

    • protocol=https

    Note

    If you are operating in an environment with multiple Search components, ensure that you make this change on all the computers hosting the Search component.

  4. Restart the Console Server and Search components.
    For more information, see Starting or stopping product services.
  5. Log on to the product in a supported browser by replacing "http" with "https" and port 9797 with port 9443.
    For example, https://Host1:9443/console/.

To enable security for the Console Server with custom self-signed certificate

Before you begin enabling security for the Console Server with a custom self-signed certificate, ensure that you have generated a KeyStore in the JKS format. For more information, see Generating a KeyStore and TrustStore.

  1. Generate a custom self-signed certificate.
  2. Locate the server.xml file at one of the following locations:

    • Windows: %BMC_ITDA_HOME%\tomcat\conf
    • Linux: $BMC_ITDA_HOME/tomcat/conf

  3. In the server.xml file, add the following properties with appropriate values, depending on the KeyStore that you generated earlier (see the following example).

    • keystoreFile="keystoreFilePath"
    • keystorePass="keystorePassword"
    • keyAlias="AliasofKeystore"
    Example
    <Connector
    SSLEnabled="true"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    clientAuth="false" keyAlias="truesightserver"
    keystoreFile="conf/bmcitda2.jks" keystorePass="changeit"
    maxThreads="150" port="9443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https" secure="true" sslProtocol="TLS"/>
  4. Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.

    • Windows: %BMC_ITDA_HOME%\custom\conf\server

    • Linux: $BMC_ITDA_HOME/custom/conf/server
  5. In the olaengineCustomConfig.properties file, add the following properties:

    • consoleserver.protocol=https

    • consoleserver.port=9443

  6. In the searchserviceCustomConfig.properties file, add the following properties:

    • consoleserver.protocol=https

    • searchservice.port=9443

    • protocol=https

    Note

    If you are operating in an environment with multiple Search components, ensure that you make this change on all the computers hosting the Search component.

  7. Import the self-signed certificate into the Console Server's Java Runtime Environment (JRE) by using the following command:

    keytool -import -trustcacerts -alias <HostName-or-IP> -keystore $BMC_ITDA_HOME/jre/lib/security/cacerts -file <Certificate-Path>
    In this command, the following variables apply:
    • <HostName-or-IP> refers to the host name or IP address of the computer on which the Console Server is located.
    • <Certificate-Path> refers to the absolute path to the self-signed certificate of the Console Server.
  8. Restart the Console Server and Search components.  
    For more information, see Starting or stopping product services.
  9. Log on to the product in a supported browser.
    Example for accessing the console: https://Host1:9443/console/.
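
After editing server.xml, the result can be checked before restarting the services. The following Python script is an added example, not part of the product or its documentation: it parses a server.xml and reports a plain HTTP connector that is still active, a keystorePass left at the default value, and cipher suites that a current TLS policy would normally exclude. The sample XML is constructed from the Connector values on this page with a shortened cipher list, and the WEAK table is an assumed local policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on this page's Connector tags (cipher list shortened).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector connectionTimeout="20000" port="9797" protocol="HTTP/1.1" redirectPort="9443"/>
<Connector SSLEnabled="true" port="9443" scheme="https" secure="true" sslProtocol="TLS"
  clientAuth="false" keyAlias="truesightserver"
  keystoreFile="conf/bmcitda2.jks" keystorePass="changeit"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

# Suite-name fragments treated as weak (assumption: local policy, adjust as needed).
WEAK = {
    "_RC4_": "RC4 stream cipher",
    "_3DES_": "3DES (64-bit block)",
    "_ECDH_": "static ECDH, no forward secrecy",
    "_NULL_": "no encryption",
}

def audit_server_xml(xml_text):
    """Return a sorted list of findings for the Tomcat Connectors in xml_text."""
    findings = []
    # ElementTree drops XML comments, so a commented-out Connector is never visited.
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # Non-TLS connector: report it unless it is an AJP connector.
            if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
                findings.append(f"port {port}: plain HTTP connector still active")
            continue
        if conn.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the default 'changeit'")
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        if not suites:
            findings.append(f"port {port}: no ciphers attribute, JVM defaults apply")
        for suite in suites:
            for fragment, reason in WEAK.items():
                if fragment in suite:
                    findings.append(f"port {port}: {suite}: {reason}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

To audit a real installation, pass the contents of the server.xml file in the tomcat/conf directory to audit_server_xml instead of the sample string.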

Enabling security for the Search components

By enabling security for the Search components, you can secure the communication between the Console Server and Search components, as follows:

  1. Navigate to the following location on each of the Search components:
    • Windows: %BMC_ITDA_HOME%\custom\conf\server

    • Linux: $BMC_ITDA_HOME/custom/conf/server
  2. In the searchserviceCustomConfig.properties file, add the following properties:
    • searchservice.port=9443
    • protocol=https
  3. Restart the Search components.
    For more information, see Starting or stopping product services.