Using CA certificates

The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/Transport Layer Security) communications. These files are stored in the following directory:

<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf

The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users about the insecure nature of the certificate each time the user authenticates. The certificate warning can be prevented by doing one of the following:

• Permanently importing the self-signed certificate into the user's truststore.
• Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA). The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication.

In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported. By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a CA.

• Using the keytool utility
• Obtaining and importing CA certificates
• Adding another CA certificate
• Creating new keystores
• Importing a certificate into the truststore