Managing certificates in BMC Atrium Single Sign-On
Secure Sockets Layer (SSL) certificates, now used with its successor Transport Layer Security (TLS), serve two purposes. The first is confidentiality: the certificate carries the server's public key, which the client uses to set up an encrypted session, so that only the intended recipient can read the traffic. Encryption matters because data sent over the internet is relayed from computer to computer on its way to the recipient, and without it any host on that path can read and reuse usernames, passwords, session cookies and other sensitive information.
The second purpose is authentication. A certificate issued by a Certificate Authority (CA) that the client already trusts lets the client confirm that it is talking to the genuine server rather than to an impostor. Encryption alone is not enough: without authentication, an attacker sitting between the client and the server can present its own key and decrypt everything that passes through it.
The Tomcat server bundled with BMC Atrium Single Sign-On uses a keystore (which holds the server's private key and identity certificate) and a truststore (which holds the CA certificates the server trusts) for secure (HTTPS/TLS) communication. The keystore and truststore files are stored in the following directory:
For more information about using Certificate Authority (CA) certificates, see:
- Installing certificates
- Adding and removing a CA certificate
- Creating signing and encryption certificates
The keystore created by the installer contains a self-signed certificate. You can keep it without making any changes. However, because a self-signed certificate is not signed by a CA that the browser trusts, every browser that connects shows a certificate warning (an untrusted-certificate exception) until the user accepts it. To avoid the warning, do one of the following:
- Permanently import the self-signed certificate into each client's truststore (for example, the browser's certificate store).
- Obtain an identity certificate signed by a trusted CA and import it into the keystore. The CA then vouches for the server's identity whenever a user is sent to BMC Atrium Single Sign-On to authenticate.
In the second case the user already has a trust relationship with the CA, and that trust extends to BMC Atrium Single Sign-On once the CA-signed identity certificate is imported. The default self-signed certificate is valid and works, but it produces the warning messages precisely because no CA has signed it.
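The two options above, modelled with OpenSSL so that everything runs offline. This is an added example, not code from BMC or from the Atrium Single Sign-On installer: it creates a self-signed certificate like the installer's, a private CA that signs a certificate request in place of the trusted CA you would really use, a check for self-signedness, the client-side trust decision against a truststore, and a PKCS12 keystore that Tomcat can load. The host name sso.example.com, the subjects, the file names, the scratch directory, the keystore password changeit and the assumption that your Tomcat and Java accept a PKCS12 keystore are all assumptions; for a JKS keystore or a JVM truststore the equivalent step is keytool -importcert.

```shell
#!/bin/sh
# Added example, not code from BMC or the Atrium SSO installer.
# Assumptions: host name, subjects, file names, the keystore password
# "changeit", and that the target Tomcat/Java accept a PKCS12 keystore.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certs
SSO_HOST="sso.example.com"        # assumed BMC Atrium Single Sign-On host

# One OpenSSL config with the extension profiles used below, so the result
# does not depend on the system openssl.cnf.
CFG="$WORK/openssl.cnf"
printf '%s\n' \
  '[req]' 'distinguished_name = dn' 'prompt = no' \
  '[dn]' 'CN = placeholder' \
  '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
  'keyUsage = critical, keyCertSign, cRLSign' \
  '[leaf_ext]' 'basicConstraints = CA:FALSE' \
  "subjectAltName = DNS:$SSO_HOST" > "$CFG"

# What the installer produces: a self-signed identity certificate.
# Nobody but the server itself vouches for it, hence the browser warning.
make_self_signed() {
  openssl req -x509 -config "$CFG" -extensions leaf_ext \
    -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SSO_HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# The CA route: a CSR from the server key, signed by a CA. Here a private
# CA stands in for the trusted CA you would really send the CSR to.
make_ca_signed() {
  openssl req -x509 -config "$CFG" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Corporate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=$SSO_HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # The CA, not the requester, decides the extensions; leaf_ext carries the
  # subjectAltName that browsers match the host name against.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$CFG" -extensions leaf_ext -out "$WORK/signed.pem" 2>/dev/null
}

# Prints a name field of a certificate in RFC 2253 form without its label.
name_field() {   # $1 = -subject or -issuer, $2 = certificate file
  openssl x509 -noout "$1" -nameopt RFC2253 -in "$2" | sed 's/^[^=]*= *//'
}

# Exit status 0 when the certificate is self-signed: subject equals issuer.
is_self_signed() {
  [ "$(name_field -subject "$1")" = "$(name_field -issuer "$1")" ]
}

# Exit status 0 when a client whose truststore is the PEM bundle $2 would
# accept certificate $1 without a warning: the decision a browser makes.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Key, signed certificate and CA chain packaged as a PKCS12 keystore under
# the alias "tomcat"; Tomcat loads it with keystoreType="PKCS12". With a JKS
# keystore the equivalent is keytool -importcert of the CA certificate and
# then of the signed certificate against the key pair's alias.
make_keystore() {
  openssl pkcs12 -export -name tomcat -in "$WORK/signed.pem" \
    -inkey "$WORK/server.key" -certfile "$WORK/ca.pem" \
    -passout pass:changeit -out "$WORK/keystore.p12"
}

# Subject of the identity certificate stored in the keystore.
keystore_subject() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin pass:changeit \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject \
    -nameopt RFC2253 | sed 's/^[^=]*= *//'
}

make_self_signed
make_ca_signed
make_keystore
echo "artifacts written to $WORK"
```

Run it as-is to build the artifacts in a temporary directory; then trusted_by CERT TRUSTSTORE answers the question a browser answers at connection time. Against a truststore holding only the CA certificate, the self-signed certificate fails and the CA-signed one passes; appending the self-signed certificate to the truststore (the first option above) makes it pass too. OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which older Java releases cannot read; if the JVM rejects the keystore, regenerate it with the -legacy option of openssl pkcs12.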
If you plan to use CA-signed certificates, BMC recommends installing them before you integrate BMC Atrium Single Sign-On with other BMC products such as BMC Remedy AR System and BMC Remedy Mid Tier. If you have already integrated those products, you must reintegrate them after installing the certificates. For more information, see Installing certificates after integration with other BMC products.