Installing certificates on a standalone server
For installing signed certificates on a standalone BMC Atrium Single Sign-On server, follow the steps provided in this topic. Run all of the commands outlined in this topic from the <installationdirectory>/tomcat/conf directory.
Before you begin, copy the existing keystore.p12 and cacerts.p12 files from the conf directory to a backup directory. If the installation fails, you can restore these files to the conf directory to return the system to its out-of-the-box state.
To install the certificates
The following diagram illustrates the sequence of tasks that you must follow to install certificates.
- (Optional) If the existing certificate is not relevant for your environment, generate a new keystore for the BMC Atrium Single Sign-On server with the alias tomcat. The BMC Atrium Single Sign-On installation provides a default self-signed certificate whose attributes (such as Company, City, and State) are filled with default values. You must delete the existing keystore.p12 file from the <installationdirectory>/tomcat/conf directory and then generate a new keystore. For information about generating a new keystore, see Creating new keystores.
- Generate the certificate for signing. For more information, see Generating CSRs.
- Send the CSR to a CA. The CA signs the CSR with its private key, which vouches for the identity of the server, and returns a signed identity certificate. When you are notified that your signed certificate is available, your CA must provide one of the following files:
- The base64 signed certificate, cert_name.cer
- The complete chain of certificates in cert_name.p7b (PKCS#7) format
Import signed certificates as follows:
You might receive an error telling you that the certificate chain is missing when you try to import the certificate that you received from your CA. If you see this error, you must get the complete certificate chain and all of the intermediate certificates from your CA. When importing a certificate chain, import the certificates of the signing chain starting with the root certificate, followed by the intermediate certificates. For more information, see Importing certificate chains and intermediate certificates.
keystore.p12 — Import the certificate that you received from your CA. The store contains the certificate that will be served when a client connects to the BMC Atrium Single Sign-On server. The alias used for this certificate is tomcat. For more information, see Importing a certificate into keystore.p12.
(If connecting to other servers) cacerts.p12 — If BMC Atrium Single Sign-On is connecting to other servers — for example, LDAP or ADFS using secure socket layer (SSL) — import those server certificates into the cacerts.p12 file. This file is a truststore that contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL-enabled LDAP server that is connecting to BMC Atrium Single Sign-On, you must import the LDAP server certificate into the cacerts.p12 file. This certificate identifies the requests coming from the LDAP server and authenticates them. For more information, see Importing a certificate into cacerts.p12.
You must also import the root certificate into cacerts.p12. Run the keytool for cacerts.p12 with parameters defined for the Java virtual machine (JVM) truststore.
cacerts (JVM truststore) — Import the root certificate into the JVM truststore used by Apache Tomcat server installed with BMC Atrium Single Sign-On. Run the keytool utility for cacerts with the following parameters:
keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts -keypass changeit -storepass changeit -file <certificateFile>
For Microsoft Windows:
keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>\jdk\jre\lib\security\cacerts -keypass changeit -storepass changeit -file <certificateFile>
If you get a message saying that the certificate already exists in the truststore, you can skip the import process.
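The following script is an added example, not BMC tooling, that strings the keytool steps of this topic together for a standalone server: it backs up keystore.p12 and cacerts.p12 first, imports the signing chain into keystore.p12 in the required order (root, then intermediates, then the CA-signed certificate under alias tomcat), imports the root certificate into the JVM truststore, and skips any alias that is already present instead of stopping on a "certificate already exists" message. It is meant to be run from <installationdirectory>/tomcat/conf. The function names, the intermediateN aliases, the relative default path to the JVM cacerts file, and the -noprompt and -storetype PKCS12 options are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not BMC tooling): scripted version of the keytool steps in
# this topic for a standalone BMC Atrium Single Sign-On server.  Run it from
# <installationdirectory>/tomcat/conf.  Function names, the intermediateN
# aliases and the -noprompt/-storetype options are this example's choices.
set -u

CONF_DIR="${CONF_DIR:-.}"                                        # tomcat/conf
JVM_CACERTS="${JVM_CACERTS:-../../jdk/jre/lib/security/cacerts}" # <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts
STORE_PASS="${STORE_PASS:-changeit}"                             # default store and key password

# Copy keystore.p12 and cacerts.p12 aside first, so a failed import can be
# rolled back to the out-of-the-box state by copying the .bak files back.
backup_stores() {
    dest="$1"
    mkdir -p "$dest"
    for f in keystore.p12 cacerts.p12; do
        [ -f "$CONF_DIR/$f" ] && cp -p "$CONF_DIR/$f" "$dest/$f.bak"
    done
    return 0
}

# True when the store already holds an entry under this alias.  keytool -list
# exits non-zero for a missing alias, so callers can skip duplicates instead
# of failing with "Certificate already exists".  storetype may be empty.
alias_present() {
    store="$1"; entry="$2"; storetype="$3"
    set -- -keystore "$store" -storepass "$STORE_PASS" -alias "$entry"
    [ -n "$storetype" ] && set -- "$@" -storetype "$storetype"
    keytool -list "$@" >/dev/null 2>&1
}

# Import one trusted (CA) certificate; no-op when the alias is present.
import_trusted() {
    store="$1"; entry="$2"; storetype="$3"; file="$4"
    if alias_present "$store" "$entry" "$storetype"; then
        echo "skip: alias $entry already in $store"
        return 0
    fi
    set -- -keystore "$store" -storepass "$STORE_PASS" -alias "$entry" -file "$file"
    [ -n "$storetype" ] && set -- "$@" -storetype "$storetype"
    keytool -importcert -trustcacerts -noprompt "$@"
}

# Install the signing chain into keystore.p12 in the order the topic requires:
# root first, then each intermediate, then the CA-signed server certificate
# under alias tomcat, where it replaces the self-signed entry and pairs with
# the existing private key.  Arguments: root.cer [intermediate.cer ...] signed.cer
install_chain() {
    keystore="$CONF_DIR/keystore.p12"
    import_trusted "$keystore" RootCA PKCS12 "$1"
    shift
    n=1
    while [ "$#" -gt 1 ]; do
        import_trusted "$keystore" "intermediate$n" PKCS12 "$1"
        n=$((n + 1))
        shift
    done
    keytool -importcert -trustcacerts -noprompt -alias tomcat \
        -keystore "$keystore" -storetype PKCS12 \
        -keypass "$STORE_PASS" -storepass "$STORE_PASS" -file "$1"
}

# Root certificate into the JVM truststore used by Tomcat (the "cacerts" step).
# No -storetype, matching the topic's own command, so the JDK default applies.
install_root_in_jvm() {
    import_trusted "$JVM_CACERTS" RootCA "" "$1"
}

# "Checking the truststore" step: list what cacerts.p12 now trusts.
verify_truststore() {
    keytool -list -v -keystore "$CONF_DIR/cacerts.p12" -storetype PKCS12 \
        -storepass "$STORE_PASS"
}

# Usage: sh install_asso_certs.sh root.cer [intermediate.cer ...] signed.cer
if [ "$#" -ge 2 ]; then
    backup_stores "$CONF_DIR/cert-backup-$(date +%Y%m%d%H%M%S)"
    install_chain "$@"
    install_root_in_jvm "$1"
    verify_truststore
    echo "done: restart Apache Tomcat for the new certificate to take effect"
fi
```

The skip check matters for repeat runs: keytool refuses to import a trusted certificate under an alias that already exists, so probing with keytool -list first makes the script safe to re-run after a partial failure, which is exactly the situation the backup copies are for.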
Stop and restart the Apache Tomcat server.
The new CA certificate does not take effect until the Tomcat server is restarted.
Update all integrated application truststores with the new public key. You must share this new BMC Atrium Single Sign-On certificate with other server hosts, such as LDAP or Active Directory Federation Services (AD FS) to establish a trust relationship.
If you have already integrated other products such as BMC Remedy Mid Tier and BMC Dashboards & Analytics, then you must redeploy the agents. For more information, see Installing certificates after integration with other BMC products.
- Check the contents of the BMC Atrium Single Sign-On truststore (cacerts.p12) to verify that the certificate, or the Issuer (Signer) certificate, has been imported. For more information, see Checking the truststore for certificates.
- Stop the BMC Atrium Single Sign-On server.
- Stop the server on which other BMC products are installed. For example, stop the AR System server, Mid Tier server, and so on.
- Restart BMC Atrium Single Sign-On and the other servers in the order in which they were stopped.
- Integrate BMC Atrium Single Sign-On with BMC products; for example, BMC Remedy AR System and BMC Remedy Mid Tier:
- Run the integration utilities on BMC Remedy AR System and BMC Remedy Mid Tier.
- Stop all of the services.
- Start all of the services in the order in which they were stopped on BMC Atrium Single Sign-On, BMC Remedy AR System, and BMC Remedy Mid Tier.
For more information, see Integrating.