By default, TEA Agents use pregenerated, self-signed certificates for authentication with App Visibility Manager. You can use your own custom certificates.

You can update certificates before installing your TEA Agents, or you can update certificates on TEA Agents that are already installed.

Note

This topic does not cover changing security certificates in App Visibility components; see Changing security certificates in App Visibility components. It describes only the procedures for changing security certificates on TEA Agents.

Before you begin

  • Install and configure App Visibility components.
  • Install the TEA Agent.
  • Prepare the following files and place them in a folder that is accessible to your TEA Agent computer:
    • keystoreFileName.jks, where keystoreFileName is your custom keystore file name
    • truststoreFileName.jks, where truststoreFileName is your custom truststore file name

To create the custom certificate folder in the TEA Agent installer

This procedure creates the ..\Disk1\files\security\custom folder. The custom certificate is then included in your TEA Agent installation. The files are also used by the installer and the other utilities on the TEA Agent for communicating with App Visibility components.

  1. From the ..\Disk1\utility\ReplaceCertificateTool folder of your TEA Agent installer files, right-click the ReplaceCertificateTool batch file and select Run as administrator.
  2. Enter 1 to select Create Certificate folder with the encrypted passphrase.
  3. Enter the required parameters:

    Parameter

    Description

    Enter the keystore file name (full path):

    Enter the full path and file name of your keystore in its source folder. The keystore must be in .jks format.

    Enter the truststore file name (full path):

    Enter the full path and file name of your truststore in its source folder. The truststore must be in .jks format.

    Enter the keystore passphrase:

    Enter the passphrase for the keystore. The certificate replacement utility encrypts the passphrase. Do not encrypt it before entering it here. The keystore passphrase must match the key passphrase in the keystore.

    Note

    If your truststore and your keystore use different passwords, the certificate replacement tool displays the message "JKS convert procedure failed. Exit the utility, check log for more information." If you see this message, change the truststore password to match the keystore password as follows:

    1. Run the keytool utility, located at ..\Disk1\files\jre\bin\keytool.exe, as follows.

      Example
      keytool -storepasswd -new <NewPwd> -keystore <truststore file name>

      NewPwd indicates the new password for your truststore, which must match the keystore password.

    2. Enter your original truststore password when prompted by the keytool to Enter keystore password.

    3. Restart the certificate replacement procedure.

    The certificate replacement utility:

    • Creates the ..\Disk1\files\security\custom folder

    • Creates .pem files for the TEA Agent

    • Encrypts the keystore passphrase

    • Creates the cert.properties file with the new .jks files, .pem files, and encrypted keystore passphrase

    • Puts the .pem files, .jks files, and cert.properties file in the custom folder

  4. (Recommended) Perform the procedure in To test the connection to your App Visibility portal.

Note

To install additional TEA Agents with the same custom certificates, copy the entire ..\Disk1\files\security\custom folder to the same location in the installer you are using to install the additional TEA Agents.

If you are installing additional TEA Agents using the same installer, no action is necessary. All installations from the same installer will use the custom certificates.
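
The password mismatch described in the note under step 3 can be caught before you run the certificate replacement tool. The following pre-flight check is an added example, not part of the BMC utility: it confirms that both files carry the JKS header and that both open with the same store passphrase, using the integrity hash that the JDK writes at the end of every JKS file. The names jks_check and preflight are hypothetical, and the script does not verify that the key passphrase inside the keystore matches the store passphrase.

```python
import hashlib
import struct
import sys

JKS_MAGIC = 0xFEEDFEED          # first four bytes of every JKS file
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity hash


def jks_check(data: bytes, password: str) -> str:
    """Classify raw keystore bytes as 'ok', 'not-jks' or 'bad-password'."""
    if len(data) < 32:                       # 12-byte header + 20-byte SHA-1 trailer
        return "not-jks"
    magic, version, _count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        return "not-jks"                     # for example a PKCS#12 or JCEKS file
    # Trailer = SHA-1(password as UTF-16BE || salt || everything before the trailer)
    digest = hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + data[:-20])
    return "ok" if digest.digest() == data[-20:] else "bad-password"


def preflight(keystore: bytes, truststore: bytes, password: str) -> list:
    """Return a list of problems; an empty list means both stores pass."""
    problems = []
    for name, blob in (("keystore", keystore), ("truststore", truststore)):
        result = jks_check(blob, password)
        if result == "not-jks":
            problems.append(f"{name}: not a JKS file")
        elif result == "bad-password":
            problems.append(f"{name}: does not open with the keystore passphrase")
    return problems


if __name__ == "__main__":
    import getpass
    # Usage: script <keystore.jks> <truststore.jks>
    # The passphrase is prompted for so it never lands in shell history.
    pw = getpass.getpass("Keystore passphrase: ")
    with open(sys.argv[1], "rb") as ks, open(sys.argv[2], "rb") as ts:
        issues = preflight(ks.read(), ts.read(), pw)
    print("\n".join(issues) if issues else "Both stores are JKS and share the passphrase.")
    sys.exit(1 if issues else 0)
```

If the truststore is reported as not opening with the keystore passphrase, change its password with the keytool -storepasswd command shown in the note before restarting the procedure.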

To test the connection to your App Visibility portal

Perform the following test to check the connection to your App Visibility portal using the certificates in the ..\Disk1\files\security\custom folder.

  1. From the ..\Disk1\utility\ReplaceCertificateTool folder of your TEA Agent installer files, right-click the ReplaceCertificateTool batch file and select Run as administrator.
  2. Enter 2 to select Test connection to App Visibility.
  3. Enter the required parameters or press Enter to accept the default values:

    Parameter

    Description

    Enter App Visibility host name/IP:

    Enter the host name or IP address of the computer where your App Visibility portal is installed.

    Enter App Visibility port number (default 8100):

    Enter the port number that your App Visibility portal uses, or press Enter to accept the default value.

    Default: 8100

    The certificate replacement utility tests the connection with the App Visibility portal.

To replace security files on previously installed TEA Agents

  1. If you are running the TEA Agent as a process, stop the TEA Agent process. See Starting and stopping a synthetic TEA Agent as a process for more details.
  2. If you have not created the custom certificate folder, perform the steps in To create the custom certificate folder in the TEA Agent installer.
  3. From the ..\Disk1\utility\ReplaceCertificateTool folder of your TEA Agent installer files, right-click the ReplaceCertificateTool batch file and select Run as administrator.
  4. Enter 3 to select Apply custom certificate to TEA Agent.
  5. Enter the required parameter or press Enter to accept the default values:

    Parameter

    Description

    Enter TEA Agent working folder location (press enter for default): 

    Enter the full path to your TEA Agent working folder, or press Enter to accept the default value.

    Default: C:\Program Files (x86)\BMC Software\BMCTEAAgent\TEAAgent\WorkingFolder

    The certificate replacement utility:

    • Stops the TEA Agent service

    • Copies the .pem files and .jks files from the ..\Disk1\files\security\custom folder to your TEA Agent working folder

    • Updates the cert.properties file with your new certificates
    • Restarts the TEA Agent service

  6. If you run the TEA Agent as a process, stop the TEA Agent service (which was started automatically by the certificate replacement utility), and restart the TEA Agent process. See Starting and stopping a synthetic TEA Agent as a process for more details.

Note

To deploy your certificates to additional TEA Agents that are connected to the same App Visibility portal:

  1. Back up the contents of the ..\Conf\Cert folder of the additional TEA Agents.
  2. Stop the TEA Agent service.
  3. Copy the entire ..\Conf\Cert folder from a TEA Agent where you have run the utility to the additional TEA Agents.
  4. Restart the TEA Agent service.

To encrypt a keystore passphrase

Use this procedure to encrypt your TEA Agent passphrase if you want to build a cert.properties file manually.

  1. From the ..\Disk1\utility\ReplaceCertificateTool folder of your TEA Agent installer files, right-click the ReplaceCertificateTool batch file and select Run as administrator.
  2. Enter 4 to select Keystore passphrase encryption only.
  3. Enter the required parameter:

    Parameter

    Description

    Enter a passphrase you want to encrypt: 

    Enter a passphrase.

    The certificate replacement tool displays the encrypted passphrase. Copy the passphrase and paste it where you need it.

Related topics

Security planning for Presentation Server

Starting and stopping services

Changing security certificates in App Visibility components

Replacing security certificates in BMC PATROL for Application Management 10.5