Installing certificates in an HA load-balancing environment
For installing signed certificates on BMC Atrium Single Sign-On servers deployed in a high-availability (HA) load-balancing environment, follow the steps provided in this topic. Run all of the commands outlined in this topic from the <installationdirectory>/tomcat/conf directory.
To install the certificates on the primary node
The following diagram illustrates the sequence of events that you need to follow for installing certificates.
- Generate a new keystore for the BMC Atrium Single Sign-On server with the alias tomcat — The BMC Atrium Single Sign-On installation ships with a self-signed certificate whose attributes, such as Company, City, and State, contain default values. You must delete the existing keystore.p12 from the <installationdirectory>/tomcat/conf directory and then generate a new keystore. For generating a new keystore, see Creating new keystores.
- Generate the certificate for signing. For more information, see Generating CSRs.
The CSR must be sent to a CA to be digitally signed and returned; once you get a confirmation that your signed certificate is available, collect it from the CA. The CA signs the CSR by using its private key, which validates the identity of the server, and returns a signed identity certificate. Your CA must provide one of the following files:
- The base64 signed certificate, cert_name.cer.
- The complete chain of certificates in cert_name.p7b (PKCS#7) format.
If the complete chain is unavailable as a single file, you must get all of the intermediate CA certificates leading to the root. For more information, see Getting intermediate CAs.
- Import signed certificates into:
- keystore.p12 — Import the certificate that you received from your CA. The store contains the certificate that will be served when a client connects to the BMC Atrium Single Sign-On server. The alias used for this certificate is tomcat. For more information, see Importing-a-certificate-into-keystore-p12.
- (If connecting to other servers) cacerts.p12 — If BMC Atrium Single Sign-On is connecting to other servers — for example, LDAP or ADFS using secure socket layer (SSL) — import those server certificates into the cacerts.p12 file. This file is a truststore that contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL-enabled LDAP server that is connecting to BMC Atrium Single Sign-On, you must import the LDAP server certificate into the cacerts.p12 file. This certificate identifies the requests coming from the LDAP server and authenticates them. For more information, see Importing-a-certificate-into-cacerts-p12.
- cacerts (JVM truststore) — Import the root certificate into the JVM truststore used by Apache Tomcat server installed with BMC Atrium Single Sign-On. Run the keytool utility for cacerts with the following parameters:
For UNIX:
keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts.p12 -keypass changeit -storepass changeit -file <certificateFile>
For Microsoft Windows:
keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>\jdk\jre\lib\security\cacerts.p12 -keypass changeit -storepass changeit -file <certificateFile>
Stop and restart the Tomcat server.
- Update all integrated application truststores with the new public key. You must share this new BMC Atrium Single Sign-On certificate with other server hosts, such as LDAP or ADFS, to establish a trust relationship.
To install the certificates on the secondary nodes
- Copy the keystore.p12 file from the primary node to the secondary node in the HA environment.
- If BMC Atrium Single Sign-On is connecting to other servers — for example, LDAP or ADFS using secure socket layer (SSL) — import those server certificates into the cacerts.p12 file. This file is a truststore that contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL-enabled LDAP server that is connecting to BMC Atrium Single Sign-On, import the LDAP server certificate into the cacerts.p12 file. This certificate identifies the requests coming from the LDAP server and authenticates them. For more information, see Importing-a-certificate-into-cacerts-p12.
- Import the root certificate into the JVM truststore used by Apache Tomcat server installed with BMC Atrium Single Sign-On. Run the keytool utility with the following parameters:
For UNIX:
keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts.p12 -keypass changeit -storepass changeit -file <certificateFile>
For Microsoft Windows:
keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>\jdk\jre\lib\security\cacerts.p12 -keypass changeit -storepass changeit -file <certificateFile>
Stop and restart the Tomcat server.
- Update all integrated application truststores with the new public key. You must share this new BMC Atrium Single Sign-On certificate with other server hosts, such as LDAP or Active Directory Federation Services (AD FS), to establish a trust relationship.
Repeat these steps for all of the secondary nodes on which BMC Atrium Single Sign-On is installed in the HA environment.
Post-installation steps
- Check the contents of the BMC Atrium Single Sign-On truststore (cacerts.p12) to verify that the certificate, or the Issuer (Signer) certificate, has been imported. For more information, see Checking the truststore for certificates.
- Stop the BMC Atrium Single Sign-On server.
- Stop the server on which other BMC products are installed. For example, stop the AR System server, Mid Tier server, and so on.
- Restart BMC Atrium Single Sign-On and other servers in the order in which they were stopped.
- Integrate BMC Atrium Single Sign-On with BMC products; for example, BMC Remedy AR System and BMC Remedy Mid Tier.
- Run the integration utilities on BMC Remedy AR System and Mid Tier.
- Stop all of the services.
- Start all of the services in the order in which they were stopped on BMC Atrium Single Sign-On, BMC Remedy AR System, and Mid Tier.
For more information, refer to the Integrating section.
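The following script is an added worked check for the truststore verification step above; it is not part of the BMC documentation. It assumes keytool is on the PATH, that the stores are PKCS#12, and that the store paths and the ldapserver alias are illustrative; the tomcat and RootCA aliases and the changeit password are the ones the procedure uses.

```shell
#!/bin/sh
# Added example, not BMC's code: confirm each PKCS#12 store holds the entries
# the procedure expects. Aliases "tomcat"/"RootCA" and password "changeit"
# come from the page; the file paths below are assumptions for illustration.

# has_entry "<keytool -list output>" <alias> <PrivateKeyEntry|trustedCertEntry>
# keytool prints "alias, Mon DD, YYYY, EntryType," per entry, alias lower-cased.
has_entry() {
    printf '%s\n' "$1" | awk -v alias="$2" -v type="$3" '
        BEGIN { found = 0 }
        {
            n = split($0, f, ",")
            if (n >= 3 && tolower(f[1]) == tolower(alias)) {
                for (i = 2; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                    if (f[i] == type) found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }'
}

# require_entries "<listing>" alias:EntryType ...; returns 1 if any is missing.
require_entries() {
    listing=$1; shift
    rc=0
    for spec in "$@"; do
        alias=${spec%%:*}; type=${spec#*:}
        if has_entry "$listing" "$alias" "$type"; then
            echo "ok: $alias ($type)"
        else
            echo "MISSING: $alias ($type)" >&2; rc=1
        fi
    done
    return $rc
}

# verify_store <store.p12> <storepass> alias:EntryType ... (keytool assumed on PATH)
verify_store() {
    store=$1; pass=$2; shift 2
    listing=$(keytool -list -keystore "$store" -storetype PKCS12 -storepass "$pass") || return 2
    require_entries "$listing" "$@"
}
# Typical calls from <installationdirectory>/tomcat/conf (paths assumed):
#   verify_store keystore.p12 changeit tomcat:PrivateKeyEntry
#   verify_store cacerts.p12 changeit ldapserver:trustedCertEntry
#   verify_store "$ASSO_INSTALL_ROOT/jdk/jre/lib/security/cacerts.p12" changeit RootCA:trustedCertEntry
```

A non-zero exit from verify_store on any node means the import on that node did not land and should be repeated before the services are restarted.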