For installing signed certificates on a stand-alone BMC Atrium Single Sign-On server, follow the steps provided in this topic.
Before you begin, copy the existing keystore (keystore.p12) and truststore (cacerts.p12) files from the <installdirectory>/tomcat/conf directory to a backup directory. In case of failure, you can restore these files to the conf directory and the system will be back to the out-of-the-box installation.
To install certificates on a stand-alone server
The following diagram illustrates the sequence of events that you must follow for installing certificates.
- Generate a new key pair for the BMC Atrium Single Sign-On server with the alias tomcat.
The BMC Atrium Single Sign-On installation provides a default self-signed certificate and it contains values for attributes such as Company, City, and State. You can delete that certificate and then generate a new key pair. For information about generating a new key pair, see Creating a new key pair.
- Generate the certificate signing request (CSR) to send to the CA for digital signing. For more information, see Generating CSRs.
- After you get a confirmation that your signed certificate is available, you must send the CSR to a CA for digital signature.
The CA signs the CSR using a private key that validates the identity of the server and returns a signed identity certificate. Your CA must provide one of the following files:
- The base64 signed certificate. The certificate can be in DER or PEM format.
- The complete chain of certificates in PKCS#7 format.
Import the signed certificates into the keystore and truststore.
BMC Atrium Single Sign-On is SHA-2 compliant, therefore you can import SHA-2 certificates.
Import the certificate that you received from your CA into the keystore.
The keystore contains the certificate that is served when a client connects to the BMC Atrium Single Sign-On server. The alias used for this certificate is tomcat. This certificate is also added to the truststore when you import and save the certificate. For more information, see Importing a certificate into the keystore.
When you try to import the certificate that you received from your CA, if you receive an error telling you that the certificate chain is missing, you must get the complete certificate chain and all the intermediate certificates from your CA. When importing certificate chains, import the certificates of the signing chain starting with the root certificate and then the intermediate signed certificates. For more information, see Importing a certificate chain or intermediate certificates.
Import the trust certificates into the truststore.
If BMC Atrium Single Sign-On is connecting to other servers for SAMLv2 authentication—for example, LDAP or AD FS using Secure Sockets Layer (SSL) — you should import those server certificates into the truststore. The truststore contains the certificates for the servers with which you want BMC Atrium Single Sign-On to form a trust relationship. For example, when you have an SSL-enabled LDAP server that is connecting to BMC Atrium Single Sign-On, you just import the LDAP server certificate into the truststore. This certificate identifies and authenticates requests coming from the LDAP server. For more information, see Importing a certificate into the truststore.
You must also import the root certificate into the truststore.
Stop and restart the Tomcat server.
The new CA certificates do not take effect until the Tomcat server is restarted.
Update all integrated BMC application truststores with the new public key pair certificates so that you can generate certificates for signing and encryption. You must share these new BMC Atrium Single Sign-On certificates to other server hosts, such as LDAP or AD FS, to establish a circle of trust. For more information about creating new certificates, see Creating signing and encryption certificates.
If you have already integrated other products such as BMC Remedy Mid Tier, BMC Dashboards, and BMC Analytics, then you must redeploy the BMC Atrium Single Sign-On web agents. For more information, see Installing certificates after integration with other BMC products.
In an HA environment, keystore certificates are replicated to the secondary nodes as soon as you save the changes in the first node's certificate panel. If any of the cluster nodes are down or not available, the certificate must be copied manually to those nodes.
Completing postinstallation steps
- Verify the contents of the BMC Atrium Single Sign-On truststore (cacerts.p12) to verify that the certificates have been imported or that the issuer (signer) certificate has been imported. For more information, see Checking the truststore for certificates.
- Stop the BMC Atrium Single Sign-On server.
- Stop the servers on which other BMC products are installed. For example, stop the AR System server, the BMC Remedy Mid Tier server, and so on.
- Restart BMC Atrium Single Sign-On and other servers in the order in which they were stopped.
- Integrate BMC Atrium Single Sign-On with other BMC products (for example, BMC Remedy AR System and BMC Remedy Mid Tier):
- Run the BMC Atrium Single Sign-On installer on BMC Remedy AR System and BMC Remedy Mid Tier.
- Stop all servers.
- Start all servers in the order in which they were stopped: BMC Atrium Single Sign-On, BMC Remedy AR System, and BMC Remedy Mid Tier.
For more information, see Integrating.
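The sequence above (new key pair under the alias tomcat, CSR, root-then-reply import into the keystore, trust anchors into the truststore) and the post-installation truststore check, driven with the Java keytool as an added example that is not BMC's own tooling or documentation. It assumes keytool is on the PATH and the stores are PKCS#12 files like those in <installdirectory>/tomcat/conf; the paths, passwords and DNs passed to these functions are placeholders.

```shell
#!/bin/sh
# Added example, not BMC's own tooling or documentation: the same sequence the
# topic describes (key pair under alias tomcat, CSR, root-then-reply import,
# truststore import) driven with the Java keytool, plus two post-install checks.
# Assumed: keytool on PATH, PKCS#12 stores as in <installdirectory>/tomcat/conf.
KT="keytool -storetype PKCS12"

# Step 1: fresh key pair under alias tomcat; the out-of-the-box self-signed
# entry under that alias is removed first if present.
gen_keypair() {  # $1 keystore  $2 store password  $3 subject DN
  $KT -delete -alias tomcat -keystore "$1" -storepass "$2" 2>/dev/null || true
  $KT -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
      -dname "$3" -validity 397 -keystore "$1" -storepass "$2"
}

# Step 2: certificate signing request to hand to the CA.
make_csr() {  # $1 keystore  $2 store password  $3 CSR output file
  $KT -certreq -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# Step 3: import the CA certificates (root first, then intermediates) before
# the signed reply; without them keytool cannot build the chain and rejects
# the reply, which is the "certificate chain is missing" situation.
import_reply() {  # $1 keystore  $2 store password  $3 signed cert  $4.. CA certs
  ks=$1; pw=$2; reply=$3; shift 3; n=0
  for ca in "$@"; do
    n=$((n + 1))
    $KT -importcert -noprompt -alias "ca$n" -file "$ca" -keystore "$ks" -storepass "$pw"
  done
  $KT -importcert -noprompt -alias tomcat -file "$reply" -keystore "$ks" -storepass "$pw"
}

# Step 4: trust anchors for the signing root and for peers such as LDAP or AD FS.
import_trust() {  # $1 truststore  $2 store password  $3 alias  $4 cert file
  $KT -importcert -noprompt -alias "$3" -file "$4" -keystore "$1" -storepass "$2"
}

# Check 1: chain length of the tomcat entry. 1 means the server still serves a
# self-signed certificate; 2 or more means the CA-signed chain is in place.
chain_length() {  # $1 keystore  $2 store password
  $KT -list -v -alias tomcat -keystore "$1" -storepass "$2" \
    | sed -n 's/^Certificate chain length: \([0-9]*\).*/\1/p'
}

# Check 2: does the truststore hold a certificate whose Owner DN contains $3?
trust_has() {  # $1 truststore  $2 store password  $3 DN fragment
  $KT -list -v -keystore "$1" -storepass "$2" | grep -q "^Owner: .*$3"
}
```

Run `chain_length` and `trust_has` against the live keystore.p12 and cacerts.p12 after the Tomcat restart; a chain length of 1 means the CA reply was not applied and the default self-signed certificate is still being served.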