Out of support: This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Installing certificates in an HA load-balancing environment


To install signed certificates on BMC Atrium Single Sign-On servers deployed in a high-availability (HA) load-balancing environment, follow the steps in this topic. Run all of the commands in this topic from the <installationdirectory>/tomcat/conf directory.

Recommendation

Before you begin, copy the existing keystore.p12 and cacerts.p12 files from the conf directory to a backup directory. In case of failure, you can restore these files to the conf directory, and the system will be returned to the out-of-the-box installation.

To install the certificates on the primary node

The following diagram illustrates the sequence of events that you need to follow for installing certificates.

[Figure Certificates_HA_new.jpg: sequence of steps for installing certificates in an HA environment]

  1. Generate a new keystore for the BMC Atrium Single Sign-On server with the alias tomcat — The BMC Atrium Single Sign-On installation ships with a self-signed certificate whose attributes, such as Company, City, and State, hold default values. Delete the existing keystore.p12 from the <installationdirectory>/tomcat/conf directory and then generate a new keystore. For generating a new keystore, see Creating new keystores.
  2. Generate the certificate signing request (CSR). For more information, see Generating CSRs.
  3. Send the CSR to a CA to be digitally signed and returned. The CA signs the CSR with its private key, which vouches for the identity of the server, and returns a signed identity certificate. When you receive confirmation that your signed certificate is available, your CA must provide one of the following files:

    • The base64 signed certificate, cert_name.cer.
      or 
    • The complete chain of certificates in cert_name.p7b (PKCS#7) format.

    If the complete chain is unavailable as a single file, you must obtain all of the intermediate CA certificates leading to the root. For more information, see Getting intermediate CAs.

  4. Import signed certificates into:
    • keystore.p12 — Import the certificate that you received from your CA. The store contains the certificate that will be served when a client connects to the BMC Atrium Single Sign-On server. The alias used for this certificate is tomcat. For more information, see Importing-a-certificate-into-keystore-p12.

      Note

      You might receive an error telling you that the certificate chain is missing when you try to import the certificate that you received from your CA. If you see this error, you must get the complete certificate chain and all of the intermediate certificates from your CA. When importing certificate chains, import the certificates of the signing chain in order: first the root certificate, then the intermediate certificates. For more information, see Importing-certificate-chains-and-intermediate-certificates.

    • (If connecting to other servers) cacerts.p12 — If BMC Atrium Single Sign-On is connecting to other servers — for example, LDAP or ADFS using secure socket layer (SSL) — import those server certificates into the cacerts.p12 file. This file is a truststore that contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL-enabled LDAP server that is connecting to BMC Atrium Single Sign-On, you must import the LDAP server certificate into the cacerts.p12 file. This certificate identifies the requests coming from the LDAP server and authenticates them. For more information, see Importing-a-certificate-into-cacerts-p12.
    • cacerts (JVM truststore) — Import the root certificate into the JVM truststore used by the Apache Tomcat server installed with BMC Atrium Single Sign-On. Run the keytool utility for cacerts with the following parameters:
      • For UNIX:

        keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts.p12  -keypass changeit -storepass changeit -file <certificateFile>
      • For Microsoft Windows:

        keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>\jdk\jre\lib\security\cacerts.p12  -keypass changeit -storepass changeit -file <certificateFile>

        Note

        If you get a message saying that the certificate already exists in the truststore, you can skip the import process.

  5. Stop and restart the Tomcat server.

    Note

    The new CA certificate does not take effect until the Tomcat server is restarted.

  6. Update all integrated application truststores with the new public key. You must share this new BMC Atrium Single Sign-On certificate with other server hosts, such as LDAP or AD FS, to establish a trust relationship.

Note

If you have already integrated other products like BMC Remedy Mid Tier and BMC Dashboards & Analytics, then you must redeploy the agents. For more information, see Installing certificates after integration with other BMC products.

To install the certificates on the secondary nodes

  1. Copy the keystore.p12 file from the primary node to the secondary node in the HA environment.
  2. If BMC Atrium Single Sign-On is connecting to other servers — for example, LDAP or ADFS using secure socket layer (SSL) — import those server certificates into the cacerts.p12 file. This file is a truststore that contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL-enabled LDAP server that is connecting to BMC Atrium Single Sign-On, import the LDAP server certificate into the cacerts.p12 file. This certificate identifies the requests coming from the LDAP server and authenticates them. For more information, see Importing-a-certificate-into-cacerts-p12.
  3. Import the root certificate into the JVM truststore used by the Apache Tomcat server installed with BMC Atrium Single Sign-On. Run the keytool utility with the following parameters:
    • For UNIX:

      keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts.p12  -keypass changeit -storepass changeit -file <certificateFile>
    • For Microsoft Windows:

      keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>\jdk\jre\lib\security\cacerts.p12  -keypass changeit -storepass changeit -file <certificateFile>

      Note

      If you get a message saying that the certificate already exists in the truststore, you can skip the import process.

  4. Stop and restart the Tomcat server.

    Note

    The new CA certificate does not take effect until the Tomcat server is restarted.

  5. Update all integrated application truststores with the new public key. You must share this new BMC Atrium Single Sign-On certificate with other server hosts, such as LDAP or Active Directory Federation Services (AD FS), to establish a trust relationship.

Repeat these steps for all of the secondary nodes on which BMC Atrium Single Sign-On is installed in the HA environment.

Post-installation steps

  1. Check the contents of the BMC Atrium Single Sign-On truststore (cacerts.p12) to verify that the certificate, or the Issuer (Signer) certificate, has been imported. For more information, see Checking the truststore for certificates.
  2. Stop the BMC Atrium Single Sign-On server.
  3. Stop the server on which other BMC products are installed. For example, stop the AR System server, Mid Tier server, and so on.
  4. Restart BMC Atrium Single Sign-On and other servers in the order in which they were stopped.
  5. Integrate BMC Atrium Single Sign-On with BMC products; for example, BMC Remedy AR System and BMC Remedy Mid Tier.
    1. Run the integration utilities on BMC Remedy AR System and Mid Tier.
    2. Stop all of the services.
    3. Start all of the services in the order in which they were stopped on BMC Atrium Single Sign-On, BMC Remedy AR System, and Mid Tier.

For more information, refer to the Integrating section. 
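The two checks that matter most in this procedure are the "certificate chain is missing" condition described under the keystore.p12 import note and the post-installation verification that the issuer (signer) certificate is really present in the truststore. The following script, added here as an example and not taken from the BMC documentation, reproduces both with openssl alone: it builds a throwaway root and intermediate CA, signs a server CSR the way a CA would, packages the chain as a cert_name.p7b-style PKCS#7 bundle, creates a PKCS#12 truststore holding only the root (as after the RootCA import above), and then shows that a leaf issued by an intermediate fails to verify without that intermediate, and that the root-only truststore does not contain the leaf's issuer. All subject names, file names and the work directory are constructed for the demo; the truststore password is the page's default, changeit.

```shell
#!/bin/sh
# Added example, not part of the BMC documentation: throwaway CA hierarchy
# built with openssl, then two checks from the procedure above. Names and the
# work directory are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"          # same default password the page's keytool commands use

# Issue a certificate from a CSR with the given extensions. $4 is the signing
# CA's PEM certificate, or "self" for a self-signed root.
sign_csr() {   # sign_csr <csr> <signer-key> <ext-file> <ca-cert|self> <out>
  if [ "$4" = "self" ]; then
    openssl x509 -req -sha256 -days 30 -in "$1" -signkey "$2" -extfile "$3" -out "$5" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 30 -in "$1" -CA "$4" -CAkey "$2" -CAcreateserial \
      -extfile "$3" -out "$5" 2>/dev/null
  fi
}

# Key pair plus CSR for a subject (the "Generating CSRs" step).
make_csr() {   # make_csr <name> <CN>
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Build root -> intermediate -> server leaf, a PKCS#7 bundle of the chain
# (the cert_name.p7b form a CA may return) and a root-only truststore.
demo_setup() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sso.example.test\n' > "$WORK/leaf.ext"
  make_csr root "Demo Root CA"
  sign_csr "$WORK/root.csr" "$WORK/root.key" "$WORK/ca.ext" self "$WORK/root.pem"
  make_csr int "Demo Intermediate CA"
  sign_csr "$WORK/int.csr" "$WORK/root.key" "$WORK/ca.ext" "$WORK/root.pem" "$WORK/int.pem"
  make_csr tomcat "sso.example.test"
  sign_csr "$WORK/tomcat.csr" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/int.pem" "$WORK/tomcat.pem"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/root.pem" -certfile "$WORK/int.pem" \
    -certfile "$WORK/tomcat.pem" -out "$WORK/chain.p7b"
  # Truststore holding only the root, as after the page's RootCA import.
  openssl pkcs12 -export -nokeys -in "$WORK/root.pem" -out "$WORK/cacerts.p12" \
    -passout "pass:$STOREPASS"
}

# Number of certificates in a PKCS#7 bundle (3 here: root, intermediate, leaf).
p7b_cert_count() {   # p7b_cert_count <bundle.p7b>
  openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject='
}

# Exit 0 when <leaf> chains to <root>. With no intermediates supplied, a leaf
# issued by an intermediate fails: this is the "certificate chain is missing" case.
chain_verifies() {   # chain_verifies <leaf> <root> [intermediates]
  if [ -s "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Exit 0 when the PKCS#12 truststore holds a certificate whose subject equals
# the issuer of <cert>: the post-installation truststore check, done with openssl.
truststore_has_issuer() {   # truststore_has_issuer <cert> <truststore.p12>
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//' | tr -d ' ')
  openssl pkcs12 -in "$2" -nokeys -passin "pass:$STOREPASS" 2>/dev/null > "$WORK/trust.pem"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/trust.pem" \
    | openssl pkcs7 -print_certs -noout | tr -d ' ' | grep -qx "subject=$issuer"
}

demo_setup
echo "certificates in chain.p7b: $(p7b_cert_count "$WORK/chain.p7b")"
chain_verifies "$WORK/tomcat.pem" "$WORK/root.pem" "$WORK/int.pem" && echo "leaf verifies with its intermediate"
chain_verifies "$WORK/tomcat.pem" "$WORK/root.pem" || echo "leaf alone does not verify: chain missing"
truststore_has_issuer "$WORK/int.pem" "$WORK/cacerts.p12" && echo "issuer of the intermediate (root) is in the truststore"
truststore_has_issuer "$WORK/tomcat.pem" "$WORK/cacerts.p12" || echo "issuer of the leaf (intermediate) is NOT in the truststore"
```

The last line is the situation the post-installation check is meant to catch: a truststore that holds the root but not the intermediate that actually signed the server certificate. On a real installation the same comparison can be made by listing cacerts.p12 with keytool and comparing the subjects it prints against the Issuer field of the certificate received from the CA.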

Related topics

Adding-and-removing-a-CA-certificate

Checking-the-truststore-for-certificates
