Adding a trusted certificate
You can use a certificate issued by a certificate authority (CA) or another trusted source instead of the default self-signed certificate that TrueSight Automation Console provides. This topic describes how to replace the existing SSL certificate with a certificate that you have obtained from a trusted source.
To add a trusted certificate
Before adding a trusted certificate to your Automation Console environment, you need to generate a CSR and a private key.
To generate a private key, run the following command:
# openssl genrsa -out <private key file name> <2048|4096>
For example:
# openssl genrsa -out www.hostname.com.key.pem 2048
To create a certificate signing request (CSR), run the following command:
# openssl req \
    -key <private key file name> \
    -new -sha256 -out <certificate file name>
For example:
# openssl req \
    -key www.hostname.com.key.pem \
    -new -sha256 -out www.hostname.com.csr.pem
Enter pass phrase for www.hostname.com.key.pem: <password>
You are about to be asked to enter information that will be incorporated into your certificate request.
-----
Country Name (2 letter code) [XX]:US
State or Province Name []:California
Locality Name []:San Jose
Organization Name []:BMC Software
Organizational Unit Name []:Security and Operations
Common Name []:www.bmc.com
Email Address []:notify@bmc.com
A <filename>.csr.pem file that contains the CSR is generated.
Send the CSR file to a CA for signing using one of the following methods. The CA authenticates the certificate requestor (usually offline) and returns a certificate or certificate chain, which replaces the existing certificate chain (initially a single self-signed certificate) in the keystore.
- Have the CSR signed by a commercial CA. This process usually requires you to post the CSR into a web form, pay for the signing, and wait for the signed SSL certificate.
OR
- Use your own CA and get the CSR signed by this CA.
If using a commercial CA, download the certificates in .pem format.
For example, the www.hostname.com.cert.pem file.
If using your private or company-specific CA, download the certificates in .pem format and then do these steps:
Download the public certificate of the root or any intermediate CA that signed the certificate.
This is needed because the default Java runtime does not have access to these certificates.
Run the following command to create a certificate chain by concatenating the root, intermediate, and signed certificates:
cat <any root certificate> <any intermediate certificate> <downloaded signed certificate> > <www.hostname.com.cert.pem>
On a host where the TrueSight Automation Console application is installed, run the following commands to back up the existing certificate files:
cp <install_dir>/application/common/certs/tsvmSslCertificate.crt <install_dir>/application/common/certs/tsvmSslCertificate.crt.original
cp <install_dir>/application/common/certs/tsvmSslCertificate.key <install_dir>/application/common/certs/tsvmSslCertificate.key.original
Rename and copy the certificate files that you generated from a CA to the names specified here:
www.hostname.com.cert.pem --> tsvmSslCertificate.crt
www.hostname.com.key.pem --> tsvmSslCertificate.key
cp <trusted ca cert file name> <install_dir>/application/common/certs/tsvmSslCertificate.crt
Example:
cp <www.hostname.com.cert.pem> <install_dir>/application/common/certs/tsvmSslCertificate.crt
cp <trusted ca key file name> <install_dir>/application/common/certs/tsvmSslCertificate.key
Example:
cp <www.hostname.com.key.pem> <install_dir>/application/common/certs/tsvmSslCertificate.key
Restart the application.
/opt/bmc/stackmanager restart --deployment application
You can now log on to TrueSight Automation Console using the trusted certificates.
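Before the copy and restart steps, it is worth confirming that the chain file actually contains a certificate issued for your private key and that it is not close to expiry; a mismatched pair is a common cause of a console that fails to serve TLS after the restart. The following shell function is an added example, not part of the product or of this procedure: the function name, exit codes and 30-day default are assumptions, and it inspects every certificate in the file because the cat command above places the root and intermediate certificates ahead of the signed certificate.

```shell
#!/bin/sh
# Added example: pre-flight check to run before copying files into
# <install_dir>/application/common/certs/. The function name and exit codes
# are illustrative assumptions, not part of TrueSight Automation Console.
# Usage: check_cert_bundle <chain .pem> <private key .pem> [min days valid]
# Exit: 0 ok, 1 no certificate matches the key, 2 expiring, 3 unreadable input
check_cert_bundle() (
    bundle=$1 key=$2 min_days=${3:-30}
    tmp=$(mktemp -d) || exit 3
    trap 'rm -rf "$tmp"' EXIT

    # Public key derived from the private key (prompts if the key is encrypted).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; exit 3; }

    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$bundle"

    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || { echo "no certificates in $bundle" >&2; exit 3; }
        cert_pub=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null) || continue
        [ "$cert_pub" = "$key_pub" ] || continue

        # This certificate was issued for the key: report it and check expiry.
        openssl x509 -in "$c" -noout -subject -issuer -enddate
        openssl x509 -in "$c" -noout -checkend $((min_days * 86400)) >/dev/null || {
            echo "certificate expires within $min_days days" >&2; exit 2; }
        exit 0
    done
    echo "no certificate in $bundle matches $key" >&2
    exit 1
)

# Run directly: sh check_cert_bundle.sh www.hostname.com.cert.pem www.hostname.com.key.pem
if [ "$#" -eq 2 ]; then check_cert_bundle "$1" "$2"; fi
```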
Where to go next?
Now that you have configured trusted certificates, administrators can start setting up the application for your patch and vulnerability management needs. You can start using the features based on your role and requirements. See Using.