The BMC Atrium Single Sign-On installation provides a self-signed certificate installed on the Tomcat server with its own pair of private and public keys. These keys will have default values for most of the attributes of the certificate. However, the hostname attribute contains the name of the server where BMC Atrium Single Sign-On is installed.
The certificates are used for providing secure communication channel between the BMC Atrium Single Sign-On server and the other products. In addition to securing communications, certificates are also used by SAMLv2 to sign messages in order to confirm authentic source and to encrypt messages for protecting sensitive data. The KeyStore used for this functionality is at <installation-directory>/tomcat/cot.jks.
The following topics are provided:
The default Tomcat server used by BMC Atrium Single Sign-On uses a KeyStore and a TrustStore for secure (HTTPS/TLS/SSL) communications. These communications occur by doing one of the following:
- when accessing the admin console
- users login or logout of the system.
- an external LDAP server is accessed with TLS/SSL
- exchanging SAMLv2 metadata
- for user authentication (CAC)
The KeyStore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers and users. The TrustStore is used to hold the certificates of remote servers, users and signing authorities that are to be trusted by the BMC Atrium Single Sign-On server. These files are stored in the following directory:
The initial KeyStore created during the installation uses a self-signed certificate. If you want to use the default self-signed certificate, you do not have to make any changes. But, the default certificate warns the users about the insecure nature of the certificate by displaying a certificate warning exception, as the self-signed certificate is not from a trusted source. This certificate warning can be prevented by doing one of the following:
- Permanently importing the self-signed certificate into the user's TrustStore.
Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA).
The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA, and this relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.
If you are planning to use signed certificates, BMC recommends that before integrating BMC Atrium Single Sign-On with other BMC products like BMC Remedy AR System and Mid Tier, you should install digitally signed certificates. However, if you have already integrated BMC Atrium Single Sign-On with other BMC products, you must reintegrate the products. For more information, see Installing certificates after integration with other BMC products.
KeyStores and TrustStores
With the BMC Atrium Single Sign-On default installation, the KeyStore and TrustStores are in the following locations:
- Tomcat TrustStore:
- SAMLv2 KeyStore:
These files are used by BMC Atrium Single Sign-On during Secured Socket Layer (SSL) handshake with clients and servers.
- KeyStore –- This file is the keystore.p12 file that contains the BMC Atrium Single Sign-On server certificate. The store contains the certificate that will be served when a client connects to BMC Atrium Single Sign-On server. The alias used for this certificate is tomcat.
- TrustStore –- This file is the cacerts.p12 file that contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL enabled LDAP server that is connecting to BMC Atrium Single Sign-On, you need to import the LDAP server certificate into the cacerts.p12 file. This certificate will identify the requests coming from the LDAP server and authenticate them.
This TrustStore also contains the certificate of BMC Atrium Single Sign-On server with a different alias <FQDN_OF_ASSO_SERVER>:8443. You must also import the same certificate in cacerts.p12 which you import in the keystore.p12 file with alias tomcat.
- SAMLv2 KeyStore — This file is the cot.jks file that contains the SAMLv2 signing and encryption certificates. These certificates are used by SAMLv2 to sign messages in order to confirm authentic source and to encrypt messages for protecting sensitive data .
A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate. The last certificate in the chain is normally a self-signed certificate provided by a trusted certificate authority. When importing certificates into Keystore.p12, you must have all the intermediate CA certificates in the TrustStore, including the root certificate. For more information, see Importing a certificate chain or intermediate certificates.
New CA certificates
The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On TrustStore i.e cacerts.p12. You must import a new CA certificate when:
- CAC authentication is used
- LDAP is used with SSL/TLS
- Department of Defense (DoD) issues new CA certificates
- CA certificates used to create a signed certificate for the BMC Atrium Single Sign-On server is not already within the TrustStore