Implementing SSL certificates

All communications from the browser to the MainView Middleware Administrator (MVMA) service occur over a secure connection using the https protocol. BMC recommends that you provide a properly trusted certificate to be used by the MVMA service (BMC provides a self-signed certificate for initial use).

Using your own certificate

To configure MVMA to use your own certificate, place that certificate in a key store and provide the associated configuration to the application.
If you have a key store already configured with the intended SSL certificate, follow the steps below.

To use your own certificate

  1. Open <install_directory>/etc/jetty.xml in a text editor.
  2. Find the SSL connector configuration, look for the text "<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">".
  3. Change the "KeyStorePath" property so that it points to your key store file. Note that if you are using an absolute path to your key store, remove the SystemProperty element.
  4. Set the "KeyStorePassword" property to the password of your key store. You may encode this password by running the <install_directory>/bin/encodePassword.bat (Windows) or encodePassword.sh (Linux) utility and pasting the output into this field. 

    Note

    You must include the 'OBF:' prefix when using an obfuscated password. Do NOT use the MD5 password in this case.
  5. If required, add a "KeyManagerPassword" property and set it to the password for your certificate. You may encode this password by running the <install_directory>/bin/encodePassword.bat (Windows) or encodePassword.sh (Linux) utility and pasting the output into this field.

Use the keytool utility (create a key store)

If you have a certificate but do not have a key store, use the keytool utility to create a key store. You can then insert your certificate into the key store. MVMA uses this certificate.

Creating a key store can be a very complicated process; the following procedure details the basic steps only.

To create a key store using the keytool utility

  1. Make sure you have a valid certificate and you know the password for the certificate.
  2. Run the command <install_directory>/jre/<JRE platform>/ bin/keytool -importcert -keystore mykeystore.jks -file cert.pem
  3. When prompted, enter a password (and confirm it by re-entering it) for the key store.
  4. You may now use this key store in the MVMA configuration. Use the encodePassword utility to conceal your passwords if required.

Keytool examples

This section includes examples of listing certificates in a jks key store, and printing a certificate to see the certificate chain.

Note

MVMA only supports Java key store files (i.e. jks).

Listing certificates in a jks key store

Note that this also forces you to verify that the key store is of a supported type.

Run the keytool with the -list parameter and optionally -v to get more verbose output.

For example:

  • To get a summary of the certificates and keys currently stored in a key or truststore run the following command:

    keytool --list -keystore keystore.jks -storepass bmcsoftware

    Example output:

    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    bmmadminhttps, Sep 7, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D
  • To get a detailed list of the certificates and keys kept in a key or truststore, use the -v option as in the following command:

    keytool --list -keystore keystore.jks -storepass bmcsoftware -v

    Example output:

    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: bmmadminhttps
    Creation date: Sep 7, 2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
    Issuer: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: b525bf03a32ba45d Valid from: Thu Sep 07 11:08:02 CEST 2017 until: Sat Oct 07 11:08:02 CEST 2017 Certificate fingerprints:
    MD5:  06:CE:D6:DE:0B:60:C3:49:C9:7D:C0:DE:4B:5C:AC:83
    SHA1: 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D
    SHA256: 71:9B:43:F5:9F:23:93:F4:C8:50:5C:AC:41:1F:26:99:36:C8:73:F0:2B:04:FA:F0:43:25:2C:29:A5:E8:93:60
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
    0000: 67 29 98 F8 06 DD EC 03   A4 7A 5E AE 29 A1 E8 89  g).......z^.)...
    0010: 02 E1 A4 5A  ...Z
    ]
    ]
    #2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]
    #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
    0000: 67 29 98 F8 06 DD EC 03   A4 7A 5E AE 29 A1 E8 89  g).......z^.)...
    0010: 02 E1 A4 5A ...Z
    ]
    ]


Printing a certificate to see the certificate chain

This functionality requires you to run the keytool with the -printcert switch against a certificate file. Again you can use the -v switch to get verbose output. 

For example:

  • For a self-signed certificate (Owner and Issuer are the same), use the following command:

    $ keytool -printcert -file bmmadminhttps.pem -v

    Example output:

    Owner: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
    Issuer: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: f57e86726ec751a9 Valid from: Fri Sep 08 12:45:31 CEST 2017 until: Sun Oct 08 12:45:31 CEST 2017 Certificate fingerprints:
    MD5:  A2:EC:62:CD:D0:A5:BB:C9:0D:3B:D8:41:E5:32:3F:87
    SHA1: 43:FC:51:47:B3:4A:0D:20:70:69:36:91:68:A6:44:10:CF:1F:18:27
    SHA256: BF:44:1B:A7:FB:F2:81:78:71:2D:2F:5D:7B:61:1C:76:4D:6D:53:78:C9:42:98:72:51:0F:55:C7:D8:F7:42:60
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
    0000: B9 BD 13 6E 18 AD 92 82   07 F5 FE A2 4F 42 69 31  ...n........OBi1
    0010: E9 1B 42 3E    ..B>
    ]
    ]
    #2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]
    #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
    0000: B9 BD 13 6E 18 AD 92 82   07 F5 FE A2 4F 42 69 31  ...n........OBi1
    0010: E9 1B 42 3E   ..B>
    ]
    ]
  • For a certificate not self-signed use the following command example from TIBCO EMS certificates:

    keytool -v -printcert -file client.cert.pem

    The output refers to the Issuer as part of the cert chain:

    Owner: EMAILADDRESS=client@testcompany.com, CN=client, OU=client Unit, O=Test Company, L=us-english, ST=California, C=US
    Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: d652375c551d16af Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
    MD5:  72:34:D8:B9:2B:DD:AC:96:2B:D2:89:98:F1:2E:E1:E4
    SHA1: C0:8D:10:29:8A:14:EC:BF:57:FE:C3:46:45:46:68:4C:A8:77:BC:ED
    SHA256: C1:42:40:B7:7C:81:B7:70:01:55:BC:31:9E:45:62:46:B4:D0:4B:62:40:22:F9:5C:39:2E:F8:D7:CB:CC:C6:B3
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
    CA:false
    PathLen: undefined
    ]
  • To follow the chain you can typically do so with the same certificate the issuer in the previous certificate was referring to:

    keytool -v -printcert -file client_root.cert.pem

    Example output:

    Owner: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US
    Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: fec57ad3cd27746a Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
    MD5:  1E:A5:08:A6:86:38:96:11:18:F5:FD:89:8A:53:1F:F3
    SHA1: 39:E0:93:76:E2:99:9A:AC:0C:23:B9:5E:61:8A:90:8D:76:48:96:65
    SHA256: B9:15:2A:6E:AC:DF:EF:28:9F:A5:3F:17:15:A2:75:87:CB:AB:46:8C:10:41:E4:13:A0:82:7E:8E:18:46:61:CA
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
    CA:true
    PathLen:0
    ]


Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Anisha Mohanty

    Here, We need to make a change in Doc that the JRE path is changed in MVMA 9.1 as earlier was in MVMA 9.0

    <MVMA Installation Directory>\jre\jdk****\bin

    Sep 16, 2020 10:46