Secure Sockets Layer (SSL) certificates are used to encrypt sensitive information sent across the internet so that only the intended recipient can understand it. By default, BMC TrueSight Capacity Optimization is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.
It is recommended to replace the default certificate with a certificate that is trusted by a public or internal Certification Authority.
For an external front-end web server, you must create or use a standard SSL certificate (a certificate that is trusted by a public Certification Authority) to use HTTPS.
Encryption is important because the information you send on the internet is passed from computer to computer to get to the recipient. Any computer between the origin and the destination can read your usernames, passwords, and other sensitive information if it is not encrypted by using an SSL certificate.
In addition to providing encryption, an SSL certificate from a trusted provider also provides authentication. With authentication, you can be sure that you are sending information to the right recipient and not to an unknown user.
The default Apache server used by BMC TrueSight Capacity Optimization uses a keystore and a truststore for secure (HTTPS/Transport Layer Security) communications. The keystore and truststore files are stored in the following directory:
The initial keystore created during the installation uses a self-signed certificate. If you want to use the default self-signed certificate, you do not have to make any changes. However, the default certificate warns users about the insecure nature of the certificate by displaying a certificate warning exception, because the self-signed certificate is not from a trusted source. You can avoid getting this warning by performing one of the following actions:
In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC TrueSight Capacity Optimization after a digitally signed identity certificate is imported.
You can replace the default self-signed certificate that the default Apache front-end web server uses for HTTPS. To replace the self-signed certificate:
In the conf.d folder of your Apache, modify the configuration file to point to the new $hostname.key files, correcting the following directives inside the file:
Install the following packages:
After installing these packages, generate a new key and a new SSL certificate using the command genkey $hostname, where $hostname is the fully qualified domain name of your BMC TrueSight Capacity Optimization application server machine.
Ensure that you use SHA-256 in the Certificate Signature when you are creating the SSL certificate.
Then, follow these steps:
If you do not want to prepare a request for a Certification Authority, clear the option.
If you create a certificate that is not signed by a Certification Authority, you must accept the security exception and store the self-signed certificate in your browser the first time you try to connect to BMC TrueSight Capacity Optimization.
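To confirm that a certificate meets the SHA-256 requirement and to see whether its issuer equals its subject (the self-signed case that triggers the browser warning), the following added example, which is not part of the BMC product or its documentation, walks the certificate's DER structure using only the Python standard library. The sample certificate is constructed for illustration with a placeholder key and signature, and cap.example.test is an assumed host name; the check covers RSA signature OIDs only and does not verify the signature itself.

```python
# Added example (not BMC code): stdlib-only DER walk over an X.509 certificate.
import base64, re

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11

def read_tlv(buf, off):
    """Return (tag, value, end_offset) of the DER element starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def children(value):
    """Split a constructed value into (tag, value, raw_encoding) tuples."""
    out, off = [], 0
    while off < len(value):
        tag, val, end = read_tlv(value, off)
        out.append((tag, val, value[off:end]))
        off = end
    return out

def inspect_cert(data):
    """Accept PEM or DER bytes; report signature algorithm and issuer/subject match."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    tbs, sig_alg, _sig = children(read_tlv(der, 0)[1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    # Remaining order: serial, signature, issuer, validity, subject, public key
    return {"sha256_rsa": children(sig_alg[1])[0][1] == SHA256_RSA,
            "issuer_is_subject": fields[2][2] == fields[4][2]}

# --- Constructed sample: valid structure, placeholder key and signature ---
def tlv(tag, val):
    n = len(val)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + val

def sample_cert(sig_oid, issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    dates = tlv(0x30, tlv(0x17, b"250101000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + dates + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))
```

To check a real certificate, pass the bytes of the PEM or DER file to inspect_cert.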
At the end of the key generation process you will have the following: