
Secure Sockets Layer (SSL) certificates are used to encrypt sensitive information sent across the internet so that only the intended recipient can understand it. By default, BMC TrueSight Capacity Optimization is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.

It is recommended to replace the default certificate with a certificate that is trusted by a public or internal Certification Authority.

For an external front-end web server, you must either create an SSL certificate or use a standard SSL certificate (a certificate that is trusted by a public Certification Authority) to use HTTPS.


Overview of SSL certificates

Encryption is important because the information you send on the internet is passed from computer to computer to get to the recipient. Any computer between the origin and the destination can read your user name, passwords, and other sensitive information if it is not encrypted by using an SSL certificate.

In addition to providing encryption, an SSL certificate from a trusted provider also provides authentication. With authentication, you can be sure that you are sending information to the right recipient and not to an unknown user.

The default Apache server used by BMC TrueSight Capacity Optimization uses a keystore and a truststore for secure (HTTPS/Transport Layer Security) communications. The keystore and truststore files are stored in the following directory: 

/3rd_party/apache2/pki/tls/

The initial keystore created during the installation uses a self-signed certificate. If you want to use the default self-signed certificate, you do not have to make any changes. However, the default certificate warns users about the insecure nature of the certificate by displaying a certificate warning exception, because the self-signed certificate is not from a trusted source. You can avoid getting this warning by performing one of the following actions:

  • Permanently importing the self-signed certificate into the user's truststore
  • Obtaining and importing a signed identity certificate from a trusted CA. The CA vouches for the authenticity of the server's identity when the user visits BMC TrueSight Capacity Optimization for authentication.

In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC TrueSight Capacity Optimization after a digitally signed identity certificate is imported.

Managing SSL certificate on the default Apache front-end web server

You can replace the default self-signed certificate that the default Apache front-end web server uses for HTTPS. To replace the self-signed certificate:

  1. Create an SSL certificate.
    OR
    Use a standard certificate.
  2. Replace the default certificate and private key with the new files in the following directories:
    • The certificate file, named $hostname.cert, in /3rd_party/apache2/pki/tls/certs
    • The private key file, named $hostname.key, in /3rd_party/apache2/pki/tls/private

Manage SSL certificate on an external Apache front-end web server

Before you begin

Ensure that:

To manage SSL certificate on an external Apache front-end web server

 

  1. Create an SSL certificate.
    OR
    Use a standard certificate.
  2. In the conf.d folder of your Apache installation, modify the ssl.conf configuration file so that the following directives point to the new $hostname.cert and $hostname.key files:

    SSLCertificateFile /etc/pki/tls/certs/$hostname.cert
    
    SSLCertificateKeyFile /etc/pki/tls/private/$hostname.key
    
  3. Restart Apache. 

Creating an SSL certificate

Install the following packages: 

  • crypto-utils
  • mod_ssl

After installing these packages, generate a new key and a new SSL certificate using the command genkey $hostname, where $hostname is the fully qualified domain name of your BMC TrueSight Capacity Optimization application server machine.


Note

Ensure that you use SHA-256 in the Certificate Signature when you are creating the SSL certificate.

 

Then, follow these steps: 

  1. If you do not want to prepare a request for a Certification Authority, clear the option.

    If you create a certificate that is not signed by a Certification Authority, you will need to accept the security exception and store the self-signed certificate in your browser the first time you try to connect to BMC TrueSight Capacity Optimization.

  2. Fill in the certificate fields with your data (name, firm, country, and so on).
  3. If you do not want to manually enter a password every time you restart the Apache httpd server (for example, if you are in an automatic High Availability environment), clear the Encrypt key option.

 

At the end of the key generation process you will have the following: 

  • certificate file named $hostname.cert in /etc/pki/tls/certs/
  • key file named $hostname.key in /etc/pki/tls/private/
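
Before copying the generated files over the default certificate and restarting Apache, it helps to confirm that the pair is usable. The following script is an added example, not BMC-supplied tooling: it checks that the key belongs to the certificate, that the signature uses SHA-256 as the note above requires, that the certificate has not expired, and that an unencrypted key is not readable by other users. The function names check_pair and cert_sig_alg are hypothetical, and the script assumes the openssl command-line tool and a key saved with the Encrypt key option cleared.

```shell
#!/bin/sh
# Added example: pre-flight checks for a certificate/key pair before Apache
# is restarted. Paths are arguments; nothing here is BMC-supplied tooling.
# Assumes the openssl CLI and a key saved with "Encrypt key" cleared
# (an encrypted key makes openssl prompt for its passphrase).

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Return 0 only if every check passes; print one line per failed check.
check_pair() {
    cert=$1; key=$2; rc=0

    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot parse private key $key"; return 1; }

    # The key must be the private half of the certificate's public key,
    # otherwise httpd refuses to start after the files are swapped.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate and key do not belong together"; rc=1; }

    # The page's note: the certificate signature must use SHA-256.
    case $(cert_sig_alg "$cert") in
        *[Ss][Hh][Aa]256*) ;;
        *) echo "FAIL: signature algorithm is not SHA-256"; rc=1 ;;
    esac

    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; rc=1; }

    # An unencrypted key is protected only by file permissions.
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "FAIL: key is readable by group or others"; rc=1; }

    return $rc
}

# Usage: sh check_pair.sh /path/to/$hostname.cert /path/to/$hostname.key
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run it against the new files first and restart Apache only when it exits with status 0.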