Implementing private certificates in TrueSight Smart Reporting

On Windows, if you are using the Chrome browser to access TrueSight Smart Reporting, you must create and import private certificates. Do the following:

1. Create a signed certificate for TrueSight Smart Reporting.

2. Import a signed certificate in the newly created keystore.

3. Apply the new keystore to TrueSight Smart Reporting.
4. Verify the connection to TrueSight Smart Reporting from the browser.

If you cannot import a CA-signed certificate and want to use a self-signed certificate, access TrueSight Smart Reporting on any browser other than Chrome, for example, Mozilla or Internet Explorer.

The following sections explain these procedures in detail.

To create a signed certificate for TrueSight Smart Reporting

1. Log in to the computer where TrueSight Smart Reporting is installed.
2. Go to the directory where the tsr.keystore file is located:
   <TrueSight Smart Reporting Installation Directory>\TrueSightSmartReporting\appserver\conf
3. Take a backup of the tsr.keystore file outside the installation directory.

4. The keytool utility that is used to generate, and import the certificates is present in the <JRE_HOME>\bin directory. Add this directory path to the PATH environment variable by running the following command:
   

   set PATH=<JRE_HOME>\bin;%PATH%

5. Create a copy of the tsr.keystore file in the same directory and rename it as tsr_updated.keystore.


6. List all the keys in the tsr_updated.keystore file by running the following command:
   

   keytool -list -keystore tsr_updated.keystore -storepass changeit

   Note: Default password for the keystore

   changeit is the default password for the tsr_updated.keystore file.

7. Delete the existing certificate aliases: smartreporting from the tsr_updated.keystore by running the following command:
   

   keytool -delete -alias smartreporting -keystore tsr_updated.keystore -storepass changeit

8. Run the list command again to verify that the aliases are deleted:
   

   keytool -list -keystore tsr_updated.keystore -storepass changeit

9. Generate a new key pair within the tsr_updated.keystore keystore by running the following command:
   

   keytool -genkey -alias smartreporting -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore tsr_updated.keystore -storepass changeit -storetype JKS -providername SUN

   This command prompts you to enter the details such as name, organization details as shown in the following code block. Type the details appropriately.

   Answer the questions:
What is your first and last name?
[Unknown]: <FQDN of Primary TSR FQDN>
What is the name of your organizational unit?
[Unknown]: <organizational unit>
What is the name of your organization?
[Unknown]: <company>
What is the name of your City or Locality?
[Unknown]: <city>
What is the name of your State or Province?
[Unknown]: <state>
What is the two-letter country code for this unit?
[Unknown]: <country code>
Is CN=<FQDN of TSPS>, OU=<organizational unit>, O=<company>, L=<city>, ST=<state>, C=<country code> correct?
[no]: yes
Enter key password for <>
(RETURN if same as keystore password): <ENTER>
   

10. Generate the certificate signing request (CSR) by running the following command:

    Syntax

    keytool -v -certreq -alias <alias name> -keystore <keystore name> -storepass <keystore password> -storetype JKS -dname "CN=<TSSR_Server.FQDN>,OU=<Organizational Unit name>,O=<Organization Name>,L=<City>,ST=<State>,C=<2LetterContryCode> -ext "san=dns:<TSSR_Server.FQDN>" -file <CSR file name>

    Example

    keytool -v -certreq -alias smartreporting -keystore tsr_updated.keystore -storepass changeit -storetype JKS -dname "CN=<TSSR_Server.FQDN>,OU=Customer Engineering,O=BMC Software Inc,L=Houston,ST=Texas,C=US" -ext "san=dns:<TSSR_Server.FQDN>" -file tsr.csr

11. Send the CSR to the certificate authority (CA) of your organization for signing. Ensure that you:
    • Request the CA to use base64 encoding and send the signed file in the .csr format.
    • Request the CA to provide the CA certificate and the intermediate certificates, if any.
      
      
12. Take the backup of tsr.csr file in the same directory where you have taken a backup of the tsr.keystore file.
    
    
13. The CA sends the newly generated certificates in the .p7b file format. Perform the following steps from 14-21 to extract the certificate files from the .p7b file. Ideally, the set of CA signed certificates contain a root CA certificate, an intermediate CA certificate, and the certificate generated for the tsr.csr request.
    
    

14. Double-click the .p7b file and navigate to the Certificates folder as shown in the following figure:
    
    
    In this image:

    • BMC-CA is the root CA certificate.

    • BMC Issuing CA Phx is the intermediate CA certificate.

    • xyz.bmc.com is the private certificate for which the tsr.csr was created.

15. Double-click BMC-CA.

16. In the Certificate dialog box, click Details and then click Copy to File.
    
    

17. In the Certificate Export Wizard, click Next.

18. Select Base-64 encoded X.509 (.CER) format and click Next.
    

19. Browse to the location where you want to export the certificate.

20. Specify the CA.cer name for the certificate in the File name field as shown below, and click Next.
    
    

21. Click Finish. 

22. Repeat all steps for the remaining two certificates.
    The certificate file names might change depending on the CA  signing authority.

After extracting all the certificates, the following certificates are available:

• CA.cer: Root CA signed certificate
• intermediateCA.cer: Intermediate certificate
• server.cer: Certificate generated for the tsr.csr certificate signing request.

Back to the top

To import a signed certificate in the newly created keystore

After creating signed certificates for TrueSight Smart Reporting, you must import them in the keystore that you created.

Before you begin

1. Install keytool Explorer.

2. Install OpenSSL.

3. Add the OpenSSL installation directory path to the PATH environment variable by running the following commands:

   set PATH=<OpenSSL_Installation_Directory>\bin;%PATH%

Importing certificates

Do the following:

1. Export the private key from the new keystore. Do the following:
   1. In the Key Tool Explorer, open tsr_updated.keystore. The following certificates are available:
      • smartreporting
      • tsps
   2. Right-click smartreporting and click Export > Export Private Key.
   3. Enter the password. The default password is changeit.
   4. Select OpenSSL and click OK.
   5. Clear the Encrypt check box.
   6. In the Export File field, browse to the smartreporting.key location. For example, C:\Users\Desktop\<host name>\smartreporting.key
   7. Click Export.
2. Copy the following files in a temporary folder on TrueSight Smart Reporting:

   • smartreporting.key. This is the  private key file exported from the keystore.

   • tsr_updated.keystore. This is the keystore that you created.

   • server.cer. This is the certificate file exported from .p7b file.

   • intermediateCA.cer. This is the intermediate certificate file exported from .p7b file.

   • CA.cer. This is the root CA-signed certificate file exported from .p7b file.

3. Open the temporary folder in the command prompt and run the following commands in the order shown:

   openssl pkcs12 -export -out smartreporting.p12 -inkey smartreporting.key -in server.cer -certfile CA.cer -certfile intermediateCA.cer

   For this command, enter the changeit password at the prompts for Enter Export Password and Verifying - Enter Export Password.

   keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore tsr_updated.keystore -srckeystore smartreporting.p12 -srcstoretype PKCS12 -srcstorepass changeit

4. List all the keys in the tsr_updated.keystore file by running the following command:

   keytool -list -keystore tsr_updated.keystore -storepass changeit

5. Delete the existing certificate alias smartreporting from tsr_updated.keystore by running the following command:

   keytool -delete -alias smartreporting -keystore tsr_updated.keystore -storepass changeit

6. Rename the existing certificate alias 1 from tsr_updated.keystore by running the following command:

   keytool -changealias -alias 1 -destalias smartreporting -keystore tsr_updated.keystore -storepass changeit

Back to the top

To apply the new keystore in TrueSight Smart Reporting

1. Stop the TrueSightSmartReporting service.
2. Go to the conf directory. Use one of the following paths:
   <TrueSight Smart Reporting Installation Directory>\TrueSightSmartReporting\appserver\conf
3. Delete the tsr.keystore file.
4. Copy the tsr_updated.keystore file in the conf directory.
5. Rename tsr_updated.keystore to tsr.keystore.
6. Start the TrueSightSmartReporting service.

To verify the connection to TrueSight Smart Reporting from the browser

You can verify that the new certificates are successfully applied on TrueSight Smart Reporting. To do this:

1. Close all browser instances.
2. Open the following URL in a new browser instance:
   https://<TrueSight Smart Reporting hostname>:<port>/tsr
3. Verify that the TrueSight Smart Reporting URL opens in the https mode and shows the connection as secure.
   
   

Back to the top