Installing and managing certificates in BMC Atrium Single Sign-On

The primary reason for using Secure Sockets Layer (SSL) certificates is to keep sensitive information sent across the internet encrypted so that only the intended recipient can understand it. This security is important because the information you send on the internet is passed from computer to computer to get to the recipient. Any computer between you and the destination can utilize your username, passwords, and other sensitive information if the information is not encrypted with an SSL certificate. 

In addition to encryption, a proper SSL certificate also provides authentication. With authentication, you can be sure that you are sending information to the right recipient and not to an unknown user. You can ensure authentication by using an SSL Certificate from a trusted SSL provider.

The default Apache Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/Transport Layer Security) communications. The keystore and truststore files are stored in the following directory: 

<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf

For more information about using Certificate Authority (CA) certificates, see the following topics:

• Using the keytool utility
• Installing certificates on a standalone server
• Installing certificates in an HA load-balancing environment
• Generating self-signed certificates
• Creating new keystores
• Generating and importing CA certificates
• Importing a certificate into keystore.p12
• Importing a certificate into cacerts.p12
• Getting intermediate CA certificates
• Importing certificate chains and intermediate certificates
• Checking the truststore for certificates
• Installing certificates after integration with other BMC products

The initial keystore created during the installation uses a self-signed certificate. If you want to use the default self-signed certificate, you do not have to make any changes. However, the default certificate warns users about the insecure nature of the certificate by displaying a  certificate warning exception, because the self-signed certificate is not from a trusted source. You can prevent this warning from appearing by performing one of the following actions:

• Permanently importing the self-signed certificate into the user's truststore
• Obtaining and importing a signed identity certificate from a trusted CA. The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication.

In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported. By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages to appear when users access the server to perform authentication. The warning messages appear because the certificate is not signed by a CA.