Setting an HTTPS connection
- HTTPS connection is used to communicate securely with the browsers of end-users so as to protect their credentials, to communicate with LDAPS servers, and to simplify exchange of metadata and certificates with SAML Identity Providers (IdPs).
- BMC Atrium Single Sign-On does not recommend using an HTTP connection.
To set up an HTTPS connection, the Tomcat server that hosts the BMC Atrium Single Sign-On server must be modified to define an HTTPS connection with an explicit TrustStore and an explicit KeyStore.
The default Tomcat server used by BMC Atrium Single Sign-On uses a KeyStore and a TrustStore for secure (HTTPS, Transport Layer Security) communications.
If the Tomcat server does not have a TrustStore and a KeyStore, you can generate new self-signed certificates. For more information, see the Apache Tomcat 7 documentation.
The following XML is an example of the HTTPS connector and is one of the supported configurations.
The example uses a KeyStore and a TrustStore of type PKCS#12, named keystore.p12 and cacerts.p12, with the passwords "keystore_password" and "truststore_password" respectively.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="CATALINA_HOME/conf/keystore.p12" keystorePass="keystore_password"
    keystoreType="PKCS12" keystoreProvider="JsafeJCE"
    truststoreFile="CATALINA_HOME/conf/cacerts.p12" truststorePass="truststore_password"
    truststoreType="PKCS12" truststoreProvider="JsafeJCE"/>
Replace CATALINA_HOME with the full path of the Tomcat directory. The value used for CATALINA_HOME depends on the environment, so adjust it accordingly.
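The following script is an added example (not BMC's or Tomcat's own code) that sanity-checks a Connector element like the one above before it is deployed: it confirms the SSL flags, verifies both stores are PKCS12 with the CATALINA_HOME placeholder replaced and no stray whitespace in the passwords, and flags cipher-list whitespace and suites based on RC4, MD5 or 3DES (the weakness markers and the sample connector are assumptions constructed for this example).

```python
import xml.etree.ElementTree as ET

# Assumption: suites whose name contains any of these markers are treated as weak.
WEAK_MARKERS = ("RC4", "MD5", "3DES")

def check_https_connector(connector_xml):
    """Return a list of findings for one <Connector> element (empty means clean)."""
    a = ET.fromstring(connector_xml).attrib
    findings = []
    # The element must really be an HTTPS connector.
    for key, want in (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true")):
        if a.get(key, "").lower() != want:
            findings.append('%s should be "%s", got "%s"' % (key, want, a.get(key, "")))
    # Both stores: present, PKCS12, placeholder replaced, password free of stray whitespace.
    for store in ("keystore", "truststore"):
        path = a.get(store + "File", "")
        if not path:
            findings.append(store + "File is missing")
        elif "CATALINA_HOME" in path:
            findings.append(store + "File still contains the CATALINA_HOME placeholder: " + path)
        if a.get(store + "Type") != "PKCS12":
            findings.append(store + 'Type should be "PKCS12"')
        pw = a.get(store + "Pass", "")
        if pw != pw.strip():
            findings.append(store + "Pass has leading or trailing whitespace")
    # Cipher list: whitespace after commas changes the names Tomcat sees; flag weak suites.
    names = a.get("ciphers", "").split(",") if a.get("ciphers") else []
    if any(n != n.strip() for n in names):
        findings.append("ciphers list contains whitespace around suite names")
    for n in (x.strip() for x in names):
        if any(m in n for m in WEAK_MARKERS):
            findings.append("weak cipher suite enabled: " + n)
    return findings

# Constructed sample: the page's connector, shortened, with CATALINA_HOME left
# unreplaced and a trailing space in keystorePass (both common deployment mistakes).
SAMPLE = (
    '<Connector port="8443" SSLEnabled="true" scheme="https" secure="true" '
    'ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA" '
    'keystoreFile="CATALINA_HOME/conf/keystore.p12" keystorePass="keystore_password " '
    'keystoreType="PKCS12" truststoreFile="/opt/tomcat/conf/cacerts.p12" '
    'truststorePass="truststore_password" truststoreType="PKCS12"/>'
)

if __name__ == "__main__":
    for finding in check_https_connector(SAMPLE):
        print("-", finding)
```

Run it against the Connector element copied out of server.xml; an empty result means none of the checks fired.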
Where to go from here
- To install BMC Atrium Single Sign-On, see .