Securing the TrueSight Infrastructure Management components

By default, TrueSight Infrastructure Management and its associated components communicate with each other over Transport Layer Security (TLS) versions earlier than TLS 1.2. You can raise the security of your enterprise environment by switching inter-component communication to TLS 1.2. After you install the TrueSight Infrastructure Management components, you can move from the default inter-component security configuration to the TLS 1.2 configuration described here.


To configure the TrueSight Infrastructure Management components to enable TLS 1.2

The TrueSight Infrastructure Management components communicate with each other over several distinct channels, and TLS is configured per channel. Select the communication channel that you want to make TLS compliant and perform the corresponding tasks. The flowchart in the following diagram shows the complete TLS configuration workflow.

[Flowchart: TLS configuration workflow, one branch per communication channel]

To enable TLS 1.2, complete the procedures in the following sections, or select a procedure from the documentation links in the flowchart.

In a BMC TrueSight Infrastructure Management environment, the following components communicate with each other securely over TLS:

  • TrueSight Presentation Server
  • TrueSight Infrastructure Management server
  • PATROL Agent
  • TrueSight Integration Service
  • TrueSight Operations Management Reporting
  • TrueSight Impact Integration Web Services

Depending on the context of a given connection, each of these components acts as either a TLS client or a TLS server. For TLS to be established, the two sides must be able to authenticate each other's certificates. A component acting as a client needs a truststore that holds the CA certificate with which it verifies the server's certificate; a component acting as a server needs a keystore that holds its own certificate and private key, which it presents to the client for verification. Obtain these certificate files from your organization's security administrator.
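
The check below is an added example and is not part of the BMC documentation. Once a component listener has been switched to TLS 1.2, openssl s_client can confirm both halves of the client/server relationship just described: tls12_ok plays the client role with nothing but the CA certificate as its truststore and succeeds only if a TLS 1.2 handshake completes with a server certificate that chains to that CA and matches the host; legacy_tls_accepted then reports whether the server still negotiates TLS 1.0 or TLS 1.1. Host, port and CA file are parameters, and the function names are this example's own; this section does not list the ports the components listen on, so take them from your own configuration.

```shell
#!/bin/sh
# Added example, not BMC's own tooling: verify that a component endpoint accepts TLS 1.2
# from a client that trusts only the CA certificate, and rejects TLS 1.0 and TLS 1.1.
set -u

tls12_ok() {
  # $1 = host (DNS name or dotted-quad IP), $2 = port, $3 = CA certificate (PEM) the client trusts.
  # Succeeds only if a TLS 1.2 handshake completes AND the server certificate chains to the
  # CA and matches the host. -verify_return_error turns a verification failure into a
  # handshake failure, so an untrusted certificate can never pass.
  case "$1" in
    *[!0-9.]*) name_opts="-servername $1 -verify_hostname $1" ;;   # DNS name: also send SNI
    *)         name_opts="-verify_ip $1" ;;                         # IP literal: no SNI
  esac
  out=$(openssl s_client -tls1_2 -connect "$1:$2" -CAfile "$3" \
          -verify_return_error $name_opts </dev/null 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

legacy_tls_accepted() {
  # $1 = host, $2 = port. Prints each pre-1.2 version the server still negotiates and
  # returns 1 if there is one; returns 0 when TLS 1.0 and TLS 1.1 are both refused.
  # A client build with a version compiled out cannot negotiate it, which also counts as refused.
  found=0
  for v in tls1 tls1_1; do
    if openssl s_client "-$v" -connect "$1:$2" </dev/null >/dev/null 2>&1; then
      echo "server still accepts $v"
      found=1
    fi
  done
  return $found
}

# Usage: sh probe_tls12.sh <host> <port> <ca.crt>
if [ "$#" -eq 3 ]; then
  if tls12_ok "$1" "$2" "$3"; then
    echo "TLS 1.2 with a trusted server certificate: ok"
  else
    echo "TLS 1.2 check FAILED (no TLS 1.2, untrusted certificate, or name mismatch)"
  fi
  if legacy_tls_accepted "$1" "$2"; then
    echo "no pre-1.2 TLS versions accepted"
  fi
fi
```

Run the probe against each listener after its TLS 1.2 configuration is applied and again after every restart that follows a keystore change. A passing tls12_ok with the CA file you distributed to the truststores, plus a clean legacy_tls_accepted, is the evidence that the channel is both encrypted with TLS 1.2 and authenticated; a server that still answers TLS 1.0 or 1.1 has not actually retired the older protocols.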

Two types of certificate files are used for authentication:

  • A public certificate file: the Certificate Authority (CA) signed certificate, in .crt format.
  • A private key file: a Public-Key Cryptography Standards #12 (PKCS #12) bundle, in .p12 format, that contains the component's certificate together with its private key.

Before you configure the BMC TrueSight Infrastructure Management components to enable TLS 1.2, you must perform the following steps to import the security certificates into the truststore or keystore files.

To procure the security certificates from the security system administrator

  1. Procure the Certificate Authority (CA) signed certificate in .crt format, and the private key in .p12 format, from your organization's security system administrator, and place them in the following locations:

    Component                                        Location
    TrueSight Infrastructure Management Server       <Infrastructure Management Server Installation Directory>\pw\pronto\conf
    Default Infrastructure Management server cell    <Infrastructure Management Server Installation Directory>\pw\server\etc
    Remote cell                                      <Remote cell Installation directory>\Agent\server\etc
    TrueSight Presentation Server                    <Presentation Server Installation Directory>\truesightpserver\conf\secure
    TrueSight Integration Service                    <Infrastructure Management Installation Directory>\pw\pronto\conf
    TrueSight remote Integration Service             <Integration Service Installation Directory>\Agent\pronto\conf
    BMC Impact Integration Web Services              <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc
    BMC TrueSight Operations Management Reporting    <BMC TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security
  2. If you want the Infrastructure Management server to Oracle database communication to use TLS 1.2, procure the Oracle wallet from the Oracle database administrator and place it in the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory.

  3. Procure the Certificate Authority (CA) signed certificate in .crt format from the Atrium SSO system security administrator and place it in the following locations:

    Component                                        Location
    TrueSight Infrastructure Management Server       <Infrastructure Management Server Installation Directory>\pw\jre\lib\security
    TrueSight Presentation Server                    <Presentation Server Installation Directory>\jre\lib\security
  4. Procure the Certificate Authority (CA) signed certificate in .crt format from the BMC BladeLogic system security administrator and place it in the <Presentation Server Installation Directory>\jre\lib\security directory location.

  5. Procure the Certificate Authority (CA) signed certificate in .crt format from the BMC Remedy Application Request Change Management System security administrator and place it in the <Presentation Server Installation Directory>\jre\lib\security directory location.

To extract the certificates for the cell component

The cell expects the security certificates in the .crt and .key format for the authentication process. Perform the following steps to extract these certificates in the required format.

  1. Log on to the computer where the Infrastructure Management server is installed, and navigate to the <Infrastructure Management Server Installation Directory>\pw\server\etc directory.

    Note

    If you are using a remote cell, log on to the computer where the remote cell is installed, and navigate to the <Remote cell Installation directory>\Agent\server\etc directory.

  2. Extract the private key from the .p12 format by running the following command:

    openssl pkcs12 -nocerts -in server.p12 -out mcell.key -nodes

    Notes

    The following notes describe the key parameters used in the preceding command:

    • The OpenSSL utility is available by default on most Unix and Linux operating systems.
    • server.p12 is the name of the PKCS #12 file procured from your system administrator. If the file name is different, use the relevant file name in the preceding command.
    • mcell.key is the name of the private key extracted from the server.p12 file.
    • -nodes writes mcell.key unencrypted. Restrict read access to the file to the account that runs the cell, and delete any intermediate copies.
  3. Extract the public certificate from the .p12 file by running the following command:

    openssl pkcs12 -in server.p12 -out mcell.crt -nokeys

    Notes

    The following notes describe the key parameters used in the preceding command:

    • server.p12 is the name of the PKCS #12 file procured from your system administrator. If the file name is different, use the relevant file name in the preceding command.
    • mcell.crt is the name of the public certificate extracted from the server.p12 file. -nokeys writes every certificate in the bundle; if the bundle also contains CA certificates, add -clcerts to write only the cell's own certificate.
  4. Copy the mcell.crt file into the following directories:

    1. <Infrastructure Management Installation Directory>\pw\pronto\conf directory if you are using a local Integration Service, or into the <Integration Service Installation Directory>\Agent\pronto\conf directory if you are using a remote Integration Service.

    2. <PresentationServer Installation Directory>\truesightpserver\conf\secure directory to secure the Presentation Server to cell communication.
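
The following script is an added example and is not part of the BMC documentation or product. It performs the two extractions above non-interactively and then checks what you want to know before copying mcell.crt to the Integration Service and the Presentation Server: that mcell.key and mcell.crt belong to the same key pair, and that mcell.crt chains to the CA certificate (ca.crt) that the other components will trust. File names follow this procedure. The function make_test_bundle, the names Example Test CA and cell.example.test, and the password are constructed test material standing in for the files your security administrator supplies, so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not BMC's own tooling. Extracts the cell's key and certificate from a
# PKCS #12 bundle as the procedure does, then verifies the result before it is deployed.
set -eu

extract_cell_material() {
  # $1 = .p12 bundle, $2 = bundle password, $3 = key output, $4 = certificate output.
  # sed keeps only the PEM blocks (pkcs12 also prints "Bag Attributes" headers).
  # -nodes writes the key unencrypted, which the cell needs, so create it mode 0600.
  ( umask 077
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
      | sed -n '/^-----BEGIN/,/^-----END/p' > "$3" )
  # -clcerts keeps only the end-entity certificate; without it (as in the procedure's
  # command) every certificate in the bundle, CA certificates included, is written.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$4"
  [ -s "$3" ] && [ -s "$4" ] || { echo "extraction from $1 failed (wrong password?)" >&2; return 1; }
}

pubkey_fingerprint() {
  # SHA-256 over the DER SubjectPublicKeyInfo, read from a private key ($2 = key)
  # or from a certificate ($2 = cert), so the two can be compared directly.
  {
    case "$2" in
      key)  openssl pkey -in "$1" -pubout -outform DER ;;
      cert) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -pubout -outform DER ;;
    esac
  } | openssl dgst -sha256
}

verify_cell_material() {
  # $1 = key, $2 = certificate, $3 = CA certificate.
  # Succeeds only if the key matches the certificate and the certificate chains to the CA.
  if [ "$(pubkey_fingerprint "$1" key)" != "$(pubkey_fingerprint "$2" cert)" ]; then
    echo "$1 does not match the public key in $2" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "$2 does not chain to $3" >&2
    return 1
  fi
  echo "ok: $1 matches $2, and $2 chains to $3"
}

make_test_bundle() {
  # Constructed test material (hypothetical CA and cell names) standing in for the files
  # the security administrator provides. $1 = password to set on the resulting server.p12.
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.cnf
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=cell.example.test" -keyout cell.key -out cell.csr 2>/dev/null
  openssl x509 -req -in cell.csr -CA ca.crt -CAkey ca.key -set_serial 1 -days 1 \
    -out cell.crt 2>/dev/null
  openssl pkcs12 -export -inkey cell.key -in cell.crt -certfile ca.crt \
    -passout "pass:$1" -out server.p12
}

# Usage: sh extract_cell.sh server.p12 <password>   (run in the cell's etc directory, with ca.crt present)
if [ "$#" -eq 2 ]; then
  extract_cell_material "$1" "$2" mcell.key mcell.crt
  verify_cell_material mcell.key mcell.crt ca.crt
fi
```

The key-matching check compares SHA-256 digests of the DER-encoded public key taken from the private key and from the certificate; openssl verify then builds the chain to ca.crt. If either check fails, do not copy the files onward: a mismatched pair fails the TLS handshake on every channel that uses it, and a certificate that does not chain to the CA in the peers' truststores is rejected by every client that verifies the cell.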

To import the procured certificates into the keystore, and the truststore files

Proceed to the following certificate import tasks after you procure these security certificates from your system security administrator and place them in the appropriate locations. Perform the following steps to import the procured security certificates into the truststore, and the keystore files of the respective components:

To import the security certificates into the Presentation Server keystore and truststore files

The Presentation Server uses the tspstruststore.ts truststore and the loginvault.ks keystore for its communication. Both files are bundled with the Presentation Server installation and are located in the <PresentationServer Installation Directory>\truesightpserver\conf\secure directory. Perform the following steps to import the security certificates into the respective truststore and keystore files:

  1. Log on to the computer where the Presentation Server is installed. The keytool utility used to import the certificates is in the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\bin directory. Add this directory to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Presentation Server Installation Directory>\truesightpserver\modules\jre\bin;%PATH%
      
    #Unix
    export PATH=<Presentation Server Installation Directory>/truesightpserver/modules/jre/bin:$PATH
  2. Navigate to the <PresentationServer Installation Directory>\truesightpserver\conf\secure directory, and import the procured certificates by running the following commands:

    keytool -import -alias caserver -file ca.crt -keystore tspstruststore.ts

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore loginvault.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password

    keytool -import -alias cell -file mcell.crt -keystore tspstruststore.ts

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use a self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.
    • server.p12 is the name of the server's private key file, which is in PKCS #12 format. If the name of the private key file procured from your system administrator is different, use the relevant file name in the preceding command.
    • mcell.crt is the cell certificate extracted in To extract the certificates for the cell component.

    • changeit is the default password for the loginvault.ks keystore. The default is publicly documented; if you want to change it, run the following command:

      keytool -storepasswd -keystore loginvault.ks

      Provide the complete path for the keystore file in the preceding command if you are running it outside the keystore directory.
    • get2net is the default password for the tspstruststore.ts truststore. The default is publicly documented; if you want to change it, run the following command:

      keytool -storepasswd -keystore tspstruststore.ts

      Provide the complete path for the truststore file in the preceding command if you are running it outside the truststore directory.

    • password is the password of the server.p12 file.

To import the security certificates into the Infrastructure Management Server keystore and truststore files

The Infrastructure Management Server uses the messagebroker.ts truststore and the pnserver.ks keystore for its communication. Both files are bundled with the Infrastructure Management Server installation and are located in the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory. Perform the following steps to import the security certificates into the respective truststore and keystore files:

  1. Log on to the computer where the Infrastructure Management Server is installed. The keytool utility used to import the certificates is in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%
     
    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory, and import the procured certificates by running the following commands:

    keytool -import -alias caserver -file ca.crt -keystore messagebroker.ts
     
    keytool -import -alias caserver -file ca.crt -keystore pnserver.ks
     
    keytool -importkeystore -deststorepass get2net -destkeypass get2net -destkeystore pnserver.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use a self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.
    • server.p12 is the name of the private key file, which is in PKCS #12 format. If the name of the private key file procured from your system administrator is different, use the relevant file name in the preceding command.

    • get2net is the default password for the pnserver.ks keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore pnserver.ks

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • password is the password for the server.p12 private key.

 

To import the security certificates into the Infrastructure Management Server truststore

The Infrastructure Management Server uses the messagebroker.ts truststore to communicate with BMC Atrium Single Sign-On. This truststore is bundled with the Infrastructure Management Server installation and is located in the <Infrastructure Management Server Installation Directory>\pw\jre\lib\security directory. Perform the following steps to import the security certificate into this truststore:

  1. Log on to the computer where the Infrastructure Management Server is installed. The keytool utility that is used to import the certificates is present in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%
     
    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Server Installation Directory>\pw\jre\lib\security directory, and import the procured certificate by running the following commands:

    keytool -import -alias cassoserver -file casso.crt -keystore messagebroker.ts

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • casso.crt is the name of the CA signed certificate procured from the BMC Atrium Single Sign-On system security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • messagebroker.ts is the Infrastructure Management server truststore file name.

To import the security certificates into the Presentation Server truststore

The Presentation Server uses the tspstruststore.ts truststore to communicate with BMC Atrium Single Sign-On. This truststore is bundled with the Presentation Server installation and is located in the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory. Perform the following steps to import the security certificate into this truststore:

  1. Log on to the computer where the Presentation Server is installed. The keytool utility that is used to import the certificates is present in the <Presentation Server Installation Directory>\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Presentation Server Installation Directory>\jre\bin;%PATH%
      
    #Unix
    export PATH=<Presentation Server Installation Directory>/jre/bin:$PATH
  2. Navigate to the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory, and import the procured certificate by running the following commands:

    keytool -import -alias cassoserver -file casso.crt -keystore tspstruststore.ts

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • casso.crt is the name of the CA signed certificate procured from the BMC Atrium Single Sign-On system security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • tspstruststore.ts is the Presentation Server truststore file name.

    • get2net is the default password for the tspstruststore.ts truststore. The default is publicly documented; if you want to change it, run the following command:

      keytool -storepasswd -keystore tspstruststore.ts

      Provide the complete path for the truststore file in the preceding command if you are running it outside the truststore directory.

To import the security certificates for the Infrastructure Management Server to Oracle database communication

The Infrastructure Management Server uses the messagebroker.ts truststore to communicate with the Oracle database. This truststore is bundled with the Infrastructure Management Server installation and is located in the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory. Perform the following steps to import the Oracle certificate into this truststore:

  1. Log on to the computer where the Infrastructure Management Server is installed. The keytool utility that is used to import the certificates is present in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%
     
    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory, and import the procured certificate by running the following command:

    keytool -importcert -trustcacerts -file oracle.crt -keystore messagebroker.ts -alias oracleCert

    Note

    • oracle.crt is the name of the Oracle certificate. If the name of the Oracle wallet certificate procured from your Oracle database administrator is different, use the relevant file name in the preceding command.
 

Integration Service communicates with the PATROL Agent and the Infrastructure Management Server. Integration Service needs to import certificates for the following types of communication:

To import the certificates for the Integration Service to PATROL Agent communication

Perform the following steps to import the security certificates to the Integration Service certificate store which is in Mozilla NSS DB store format:

  1. Navigate to the security configuration directory by running the following command:

    # Microsoft Windows operating system
    cd <IS installation directory>\Agent\patrol\common\security\config_v3.0

    # Unix operating system
    cd <IS installation directory>/Agent/patrol/common/security/config_v3.0
  2. Create a Mozilla certificate store on the Integration Service.

    #On Microsoft Windows
    mkdir <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB
    certutil -N -d sql:<IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB

    #On Unix
    mkdir <IS installation directory>/Agent/patrol/common/security/config_v3.0/ISAsServer_DB
    certutil -N -d sql:<IS installation directory>/Agent/patrol/common/security/config_v3.0/ISAsServer_DB

    Note

    ISAsServer_DB is the name of the server certificate store for the Integration Service

  3. Procure the private key file from your security administrator, and place it in the <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB directory.

  4. If the private key is supplied in PKCS #12 format (a .p12 file containing the certificate and its private key), import it by running the following command:

    pk12util -i server.p12 -d sql:<IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB -W <password>

    Note

    server.p12 is the PKCS #12 file procured from your security administrator, and <password> is its password. ISAsServer_DB is the name of the server certificate store for the Integration Service.

  5. Procure the CA signed certificate from your system administrator and place it in the <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB directory.

  6. Import the procured CA certificates to the Integration Service's server certificate store by running the following command:

    certutil -d sql:<IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • ca.crt is the CA certificate file name.

    • <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB is the path of the Mozilla NSS server certificate store.

    • "Trusted IS CA" is the certificate nickname; use a distinct nickname for each certificate in the chain.

    • "CT,," marks the certificate as a trusted CA for SSL (C) and as trusted to issue client certificates (T).

    • Import the complete chain of CA certificates, up to the root CA certificate, using the same command for each certificate.

To import the security certificates for the Integration Service to Infrastructure Management Server, and the cell communication

The Integration Service uses the pnagent.ks keystore when communicating with the Infrastructure Management Server and the cell. This keystore file is bundled with the Integration Service installation and is located in the <Infrastructure Management Install Directory>\pw\pronto\conf directory. Perform the following steps to import the security certificates into the keystore file:

  1. Log on to the computer where the Integration Service is installed. The keytool utility used to import the certificates is in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%
     
    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Install Directory>\pw\pronto\conf directory and import the procured certificate by running the following command:

    keytool -importkeystore -deststorepass get2net -destkeypass get2net -destkeystore pnagent.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password
     
    keytool -import -alias cell -file mcell.crt -keystore pnagent.ks

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • server.p12 is the name of the private key file which is in PKCS12 format. If the name of private key procured from your system administrator is different, use the relevant file name in the preceding command.

    • mcell.crt is the name of the cell certificate. If the name of the cell certificate is different, use the relevant file name in the preceding command.
    • get2net is the default password for the pnagent.ks keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore pnagent.ks

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • password is the password for the server.p12 private key.

To import the security certificates into the PATROL Agent certificate store

PATROL Agent communicates with the Integration Service, PATROL console, and the remote cell.

The PATROL Agent acts as a client or a server based on the components with which it communicates, as explained in the following section:

  • PATROL Agent to Integration Service communication: PATROL Agent acts as a client.
  • PATROL Agent to PATROL console communication: PATROL Agent acts as a server.
  • PATROL Agent to remote cell communication: PATROL Agent acts as a client.

TLS requires both the client and the server to have public key infrastructure (PKI) certificates deployed in their respective certificate stores. The authentication process depends on whether the PATROL Agent acts as a server or a client, as explained in the following sections. Note the following before you begin:

  • certutil and pk12util, used in the following procedures, are the Mozilla NSS utilities for managing PKI certificates.

  • If these executables are not in your system environment, use the copies in the PATROL Agent installation directories:
    • Windows: %BMC_ROOT%\common\security\bin_v3.0\Windows-x86-64\nss
    • Unix: $BMC_ROOT/common/security/bin_v3.0/<platform>/nss, where <platform> is the directory that matches your operating system
  • If you have multiple PATROL Agents in your environment, perform the following steps to simplify the process of importing certificates:

    • Perform the certificate importing tasks on a single PATROL Agent, and then copy PatrolAsServer_DB/ PatrolAsClient_DB to the respective PATROL nodes or keep them on a shared location.

PATROL Agent configured as a client

The PATROL Agent operates as a client when communicating with the Integration Service and the remote cell. To enable the TLS handshake, deploy the certificates in Mozilla NSS DB store format on the PATROL Agent. There are two security options:

  • Integration Service is authenticated by the PATROL Agent: to enable the PATROL Agent to verify the server, import the Certificate Authority (CA) certificates of the Integration Service or remote cell into the PATROL Agent certificate store. This corresponds to the Security Level 3 implementation of previous versions of PATROL Agent communication.
  • Integration Service is not authenticated by the PATROL Agent: in a trusted environment, if the PATROL Agent administrator can otherwise ensure the authenticity of the Integration Service host or the remote cell, the PATROL Agent can be configured to bypass server authentication. The connection is still encrypted, but the agent cannot detect an impersonated Integration Service or cell, so use this option only where the network path itself is trusted. This corresponds to the Security Level 2 implementation of previous versions of PATROL Agent communication.

The following sections explain the procedure to implement the preceding security mechanisms:

Integration Service is not authenticated by the PATROL Agent

In this scenario, the Integration Service certificates are not imported to the PATROL Agent certificate store. You can proceed to configure the PATROL Agent to enable TLS 1.2 mode.

Integration Service is authenticated by the PATROL Agent

Perform the following steps to import the security certificates to the PATROL Agent certificate store.

  1. Create a Mozilla certificate store on the central server for the PATROL Agent by running the following commands:

    #On Microsoft Windows
    mkdir <installationdirectory>\common\security\keys\PatrolAsClient_DB
    certutil -N -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB

    #On Unix
    mkdir <installationdirectory>/common/security/keys/PatrolAsClient_DB
    certutil -N -d sql:<installationdirectory>/common/security/keys/PatrolAsClient_DB

    • PatrolAsClient_DB is the name of the client certificate store for the PATROL Agent

  2. Procure CA certificates of the Integration Service from your security administrator, and place them in the <installationdirectory>\common\security\keys\PatrolAsClient_DB directory.

    • You can choose a different path for PatrolAsClient_DB; create the directories accordingly and use that path in the following commands.
    • You can generate self-signed certificates by using a tool such as Oracle keytool, OpenSSL, or Mozilla NSS. For more information, see Creating self-signed certificates
  3. Import the CA certificate to the PATROL Agent client certificate store.
    Run the following command

    certutil -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt
    • ca.crt is the CA certificate file name.

    • <installationdirectory>\common\security\keys\PatrolAsClient_DB is the path of the Mozilla NSS client certificate store.

    • "Trusted IS CA" is the certificate nickname; use a distinct nickname for each certificate in the chain.

    • "CT,," marks the certificate as a trusted CA for SSL (C) and as trusted to issue client certificates (T).

    • Import the complete chain of CA certificates, up to the root CA certificate, using the same command for each certificate.
  4. If the PATROL Agent's client certificate and private key are supplied in PKCS #12 format, import them by running the following command:

    pk12util -i client.p12 -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB -W <password>
    • client.p12 is the name of the client certificate file in PKCS #12 format.

    • <password> is the password of the client.p12 file.

  5. Perform the configuration changes needed to enable TLS 1.2 mode.

PATROL Agent configured as a server

Perform the following steps, when PATROL Agent is communicating with the PATROL console.

  1. Create a Mozilla certificate store on the central server for the PATROL Agent by running the following commands:

    #On Microsoft Windows
    mkdir <installationdirectory>\common\security\keys\PatrolAsServer_DB
    certutil -N -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB

    #On Unix
    mkdir <installationdirectory>/common/security/keys/PatrolAsServer_DB
    certutil -N -d sql:<installationdirectory>/common/security/keys/PatrolAsServer_DB
    • PatrolAsServer_DB is the name of the server certificate store for the PATROL Agent

  2. Procure the CA certificates from your organisation's security administrator, and place them in the <installationdirectory>\common\security\keys\PatrolAsServer_DB directory.

    • You can choose a different path for PatrolAsServer_DB; create the directories accordingly and use that path in the following commands.
    • You can generate self-signed certificates by using a tool such as Oracle keytool, OpenSSL, or Mozilla NSS. For more information, see Creating self-signed certificates
  3. Import the procured CA certificates to the PATROL Agent server certificate store.
    Run the following command

    certutil -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt
    • ca.crt is the CA certificate file name.

    • <installationdirectory>\common\security\keys\PatrolAsServer_DB is the path of the Mozilla NSS server certificate store.

    • "Trusted IS CA" is the certificate nickname; use a distinct nickname for each certificate in the chain.

    • "CT,," marks the certificate as a trusted CA for SSL (C) and as trusted to issue client certificates (T).

    • Import the complete chain of CA certificates, up to the root CA certificate, using the same command for each certificate.
  4. If the PATROL Agent's server certificate and private key are supplied in PKCS #12 format, import them by running the following command:

    pk12util -i server.p12 -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB -W <password>

    • server.p12 is the name of the server certificate file in PKCS #12 format, and <password> is its password.
    • PatrolAsServer_DB is the name of the server certificate store for the PATROL Agent

  5. Perform the configuration changes needed to enable TLS 1.2 mode.

To import the security certificates into the Impact Integration Web Services

Impact Integration Web Services (IIWS) uses the iiws.ks keystore for its communication. This keystore file is bundled along with the IIWS installation, and is located in the <Impact Web Services Install Directory>\Tomcat\webapps\imws\WEB-INF\etc directory. Perform the following steps to import the security certificates into this keystore file:

  1. Log on to the computer where the IIWS is installed. The keytool utility that is used to import the certificates is present in the <Impact Web Services install directory>\BMCIIWSJVM\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Impact Web Services install directory>\BMCIIWSJVM\bin;%PATH%
     
    #Unix
    export PATH=<Impact Web Services install directory>/BMCIIWSJVM/bin:$PATH


  2. Navigate to the <Impact Web Services Install Directory>\Tomcat\webapps\imws\WEB-INF\etc directory, and import the procured certificate by running the following command:

    keytool -import -alias caserver -file ca.crt -keystore iiws.ks

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.

To import the security certificates into the BMC TrueSight Operations Management Reporting

BMC TrueSight Operations Management Reporting uses the rekeystore.ks keystore and the cacerts truststore for its communication. These keystore and truststore files are bundled along with the TrueSight Operations Management Reporting installation, and are located in the <BMC TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.

Perform the following steps to import the security certificates into these keystore and truststore files:

  1. Log on to the computer where the BMC TrueSight Operations Management Reporting is installed. The keytool utility that is used to import the certificates is present in the <BMC TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    # Microsoft Windows operating system 
    $cd <BMC TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
    
    # Unix operating system 
    $cd <BMC TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
  2. Navigate to the <BMC TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the certificates by running the following commands:

    keytool -import -alias cell -file ca.crt -keystore cacerts
    
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore rekeystore.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use a self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.
    • server.p12 is the name of the server's private key file, which is in PKCS12 format. If the name of the private key file procured from your system administrator is different, use the relevant file name in the preceding command.

    • changeit is the default password for the rekeystore.ks keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore rekeystore.ks

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • password is the password for the server.p12 private key.

Importing security certificates to communicate with other BMC products

  • BMC TrueSight Presentation Server communicates with the following products over HTTPS, and acts as a client in this context of communication.
    • BMC BladeLogic
    • BMC Atrium Single Sign-On
    • BMC Remedy Application Request Change Management System
  • BMC TrueSight Presentation Server communicates with the following BMC products over HTTPS, and acts as a server in this context of communication.
    • BMC TrueSight IT Data Analytics
    • BMC TrueSight Capacity Optimization
    • BMC TrueSight App Visibility Manager

To import the security certificates into the Presentation Server truststore

The Presentation Server uses the tspstruststore.ts truststore to communicate with the BMC BladeLogic, and BMC Remedy Application Request Change Management System. This truststore is bundled along with the Presentation Server installation, and is located in the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory. Perform the following steps to import the security certificates into this truststore:

  1. Log on to the computer where the Presentation Server is installed. The keytool utility that is used to import the certificates is present in the <Presentation Server Installation Directory>\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Presentation Server Installation Directory>\jre\bin;%PATH%
      
    #Unix
    export PATH=<Presentation Server Installation Directory>/jre/bin:$PATH
  2. Navigate to the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory, and import the procured certificate by running the following commands:

    keytool -import -alias cabladeserver -file cablade.crt -keystore tspstruststore.ts
     
    keytool -import -alias caarcms -file caarcms.crt -keystore tspstruststore.ts

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • cablade.crt is the name of the CA signed certificate procured from the BMC BladeLogic system security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • caarcms.crt is the name of the CA signed certificate procured from the BMC Remedy Application Request Change Management System security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.

    • tspstruststore.ts is the Presentation Server truststore file name.

    • get2net is the default password for the tspstruststore.ts truststore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore tspstruststore.ts

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

Perform the following steps to configure the Infrastructure Management Server to the Presentation Server communication to enable TLS 1.2 mode:

To configure the Presentation Server

  1. Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running. 

    tssh server status

    Note

    Ensure that the TrueSight Presentation Server is running before proceeding further.

  2. Log on to the TrueSight console and select Administration> Components.

    The Components page displays the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the TrueSight Presentation Server. If a TrueSight Infrastructure Management Server is registered, delete it. For more information, see To delete a component.

  3. Set the properties in the database by running the following commands:

    tssh properties set tsps.cell.conntype ssl
    tssh properties set pronet.jms.conntype ssl
  4. Using a text editor, open the mcell.dir file located in <Presentation Server Install Directory>\conf directory.

  5. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

    #Type                        <name>                 encryption key    <host>/<port>
    #gateway.gateway_subtype     ts_event_gateway       mc                tsps_server1.bmc.com:1900
    #cell                        pncell_tsim_server1    mc                tsim_server1.bmc.com:1828
  6. Set the encryption key value to *TLS as shown in the following code block:

    #Type                        <name>                 encryption key    <host>/<port>
    gateway.gateway_subtype      ts_event_gateway       *TLS              tsps_server1.bmc.com:1900
    cell                         pncell_tsim_server1    *TLS              tsim_server1.bmc.com:1828

    Parameter description

    The following notes describe the key entries used in the preceding code block:

    • tsps_server1 is the name of the computer where the TrueSight Presentation Server is installed.
    • tsim_server1 is the name of TrueSight Infrastructure Management Server registered with the TrueSight Presentation Server. If there are multiple Infrastructure Management Server entries in the mcell.dir file, change the encryption key to *TLS for all such entries.
  7. Save and close the file.

  8. Stop the Presentation Server by running the following command:

    tssh server stop

To configure the Infrastructure Management Server

  1. Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory by running the following command:

    # Microsoft Windows operating system 
    $cd <Infrastructure Management Server Install Directory>\pw\pronto\bin 
    # Unix operating system 
    $cd <Infrastructure Management Server Install Directory>/pw/pronto/bin


  2. From the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, run the switchTLSmode.pl script as shown in the following code block:

    #Syntax
    perl switchTLSmode.pl -<on/off> -flow <communication channel> -tsps <TrueSight Presentation Server name>

    #Example
    perl switchTLSmode.pl -on -flow event_and_data -tsps myserver.bmc.com

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • -on/off: on option enables TLS mode of communication. off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
    • -flow: If the flow is set to event_and_data, the communication between the Infrastructure Management Server and the Presentation Server is TLS 1.2 enabled.
    • -tsps: The fully qualified domain name (FQDN) of the computer where the Presentation Server is installed.

    • -h: This optional parameter displays the help for the switchTLSmode.pl command.

To start the servers

  1. Start the Presentation Server by running the following command:

    tssh server start
  2. Start the Infrastructure Management Server by running the following command:

    pw system start

To register the Infrastructure Management Server with the Presentation Server

  1. Ensure that all the processes of the Infrastructure Management Server are up by running the following command:

    pw p l
  2. Register the Infrastructure Management Server with the Presentation Server. For more information, see Registering the component products with the Presentation Server.

The following sections describe the configuration steps for both the local Integration Service and remote Integration Service in TLS 1.2 mode. Perform the configuration steps based on the type of Integration Service installed:

To configure the local Integration Service

  1. Stop the Infrastructure Management Server by running the following command: 

    pw system stop
  2. Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.

  3. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

    #pronet.apps.agent.conntype=tcp
  4. Set the conntype value to ssltcp as shown in the following code block:

    #Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant
    pronet.apps.agent.conntype=ssltcp

    Note

    Modify the file present in the pw\custom\conf directory, if it is a local Integration Service.

  5. Save and close the file.

To configure the remote Integration Service

  1. Stop the Infrastructure Management Server by running the following command: 

    pw system stop
  2. Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.

  3. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

    #pronet.apps.agent.conntype=tcp
  4. Set the conntype value to ssltcp as shown in the following code block:

    pronet.apps.agent.conntype=ssltcp
  5. Save and close the file.

  6. Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:

    pw is stop
  7. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, select it, and then click Stop.
    3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from Started to (blank).

  8. Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\pronto\conf directory.

  9. Comment out the instance of the code line having the conntype value as tcp as shown in the following code block:

    #pronet.apps.agent.conntype=tcp
  10. Set the conntype value to ssltcp as shown in the following code block:

    pronet.apps.agent.conntype=ssltcp

    Note

    Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service. 

  11. Save and close the file.

Start the servers

Perform the following set of steps after the configuration changes are completed.

To edit the Integration Service's properties

  1. Log on to the TrueSight console, and access Configuration > Managed Devices. The Managed Devices page displays the BMC TrueSight Infrastructure Management components in a hierarchical order, as shown in the following diagram.
  2. Click the action menu of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
  3. Select the Edit option.
  4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
  5. Click Save.
  6. Start the Infrastructure Management Server by running the following command:

    pw system start
  7. Start the Integration Service (Unix) by running the following command:

    pw is start
  8. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

  9. Double-click the Services icon to launch the Services dialog box.
  10. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, select it, and then click Restart.
  11. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes to Started from (blank).

    Note

    The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

The following section guides you to configure the Integration Service to Cell communication in TLS 1.2. Choose the appropriate configuration steps based on the type (local / remote) of the Integration Service and the cell used.

Cell CLI commands

CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, the CLI commands operate in TLS mode; otherwise, they operate in non-TLS mode.

To configure the local Integration Service

  1. Stop the Infrastructure Management Server by running the following command: 

    pw system stop
  2. Using a text editor, open pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.

  3. Comment out the instance of the code line having the encryptionkey value as mc as shown in the following code block:

    #pronet.apps.is.cell.encryptionkey=mc
  4. Set the encryptionkey value to *TLS as shown in the following code block:

    pronet.apps.is.cell.encryptionkey=*TLS
  5. Save and close the file.

  6. Using a text editor, open mcell.dir file located in <Infrastructure Management Server Install directory>\pw\server\etc directory.

  7. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

    #Type                            <name>              encryption key           <host>/<port>
    #cell                             cell_1                  mc              cell_1.bmc.com:1828
    #cell                             HA_Cell                 mc              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
  8. Set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>              encryption key           <host>/<port>
    cell                             cell_1                  *TLS              cell_1.bmc.com:1828
    cell                             HA_Cell                 *TLS              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
    

    Parameter description

    Make the cell entries in the mcell.dir file based on the type of communication, as described in the following notes:

      • cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
      • HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.

To configure the remote Integration Service

  1. Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command: 

    pw is stop
  2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, select it, and then click Stop.
    3. Click Yes to close the warning message that is displayed. 
      The status for the Integration Service changes from Started to (blank).

  3. Using a text editor, open pronet.conf file located in <Integration Service Install directory>\agent\pronto\conf directory.

  4. Comment out the instance of the code line having the encryptionkey value as mc as shown in the following code block:

    #pronet.apps.is.cell.encryptionkey=mc
  5. Set the encryptionkey value to *TLS as shown in the following code block:

    pronet.apps.is.cell.encryptionkey=*TLS

    Note

    Modify the file present in the agent\pronto\conf directory, if it is a remote Integration Service. 

  6. Save and close the file.

  7. Using a text editor, open the mcell.dir file located in <Integration Service Install directory>\Agent\server\etc directory.

  8. Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    #cell                             cell_1                 mc              cell_1.bmc.com:1828
    #cell                             HA_Cell                mc              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828
  9. Set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    cell                             cell_1                 *TLS              cell_1.bmc.com:1828
    cell                             HA_Cell                *TLS              primaryhost.bmc.com:1828         secondaryhost.bmc.com:1828

    Parameter description

    Make the cell entries in the mcell.dir file based on the type of communication, as described in the following notes:

      • cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
      • HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.
  10. Save and close the file.

To configure the local Cell

  1. Stop the cell service (Unix) by running the following command:

    mkill -n cellname
  2. To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, select it, and then click Stop.
    3. Click Yes to close the warning message that is displayed. 
      The status for the cell service changes from Started to (blank).

  3. Using a text editor, open mcell.conf file located in <Infrastructure Management Server Install Directory>\pw\server\etc\pncell_<TSIM_MACHINE_NAME> directory.

  4. Comment out the instance of the code line having ServerTransportProtocol value as tcp as shown in the following code block:

    #ServerTransportProtocol=tcp


  5. Set the properties as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
  6. Save and close the file.

To configure the remote Cell

  1. Log on to the computer where the remote cell is installed.

  2. Stop the cell service (Unix) by running the following command:

    mkill -n cellname
  3. To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, select it, and then click Stop.
    3. Click Yes to close the warning message that is displayed. 
      The status for the cell service changes from Started to (blank).

  4. Using a text editor, open mcell.conf file located in <Remote Cell Install Directory>\Agent\server\etc\cell_name directory.

  5. Comment out the instance of the code line having ServerTransportProtocol value as tcp as shown in the following code block:

    #ServerTransportProtocol=tcp
  6. Set the properties as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
  7. Save and close the file.

To start the servers

  1. Start the cell service (Unix) by running the following command:

    mcell -n cellname
  2. To start the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.

    1. Double-click the Services icon to launch the Services dialog box.
    2. Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, select it, and then click Restart.
    3. Click Yes to close the warning message that is displayed. 
      The status for the cell service changes to Started from (blank).

  3. Start the Integration Service (Unix) by running the following command:

    pw is start
  4. To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

  5. Double-click the Services icon to launch the Services dialog box.
  6. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, select it, and then click Restart.
  7. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes to Started from (blank).

Note

The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

Perform the following steps to configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2 mode:

To configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2

Perform the following steps to enable the Infrastructure Management Server to Oracle database communication to be TLS compliant:

Notes

  • If the Oracle database is configured in TLS 1.2 mode, then perform the following steps to configure the Infrastructure Management Server in TLS 1.2 mode.
  • Oracle database version 11G is TLS 1.0 compliant.
  • Oracle database version 12.1.0.2 is TLS 1.2 compliant.
  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSmode.pl script as shown in the following code block:

    #Syntax 
    perl switchTLSmode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version> 
     
    #Example
    perl switchTLSmode.pl -on -flow oracle -dbport 1521 -dbver 11G

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • -on/off: on option enables TLS mode of communication. off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
    • -flow: This variable can have two options: event_and_data, oracle. If flow is set to oracle, the communication between the Infrastructure Management Server and the Oracle database is TLS 1.2 enabled.
    • -dbport: Provide the port number that is configured for the Oracle database communication.
    • -dbver: Provide the Oracle database version. There are two compatible Oracle database versions: 11G, 12C


  3. Start the Infrastructure Management Server by running the following command:

    pw system start

Perform the following steps to enable the Remote Integration Service to PATROL Agent communication to be TLS 1.2 compliant:

To configure the Integration Service to enable TLS 1.2

The following steps guide you through configuring either a local or a remote Integration Service.

To configure the remote Integration Service and the PATROL Agent communication to enable TLS 1.2


  1. Stop the Integration Service (Unix) by running the following command:

    pw is stop
  2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

  3. Double-click the Services icon to launch the Services dialog box.
  4. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, select it, and then click Stop.
  5. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes from Started to (blank).

  6. Navigate to the <Remote Integration Service Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:

    # Microsoft Windows operating system
    $cd <Remote Integration Service install directory>\agent\patrol\common\security\config_v3.0
    
    # Unix operating system
    $cd <Remote Integration Service install directory>/agent/patrol/common/security/config_v3.0
  7. Run the following command:

    #Syntax
    set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
    #Example
    $set_unset_tls_IS.cmd <Remote Integration Service Install Directory> SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

To configure the local Integration Service and the PATROL Agent communication to enable TLS 1.2

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Navigate to the <Infrastructure Management Server Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:

    # Microsoft Windows operating system
    $cd <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0
    
    # Unix operating system
    $cd <Infrastructure Management Server Install Directory>/pw/patrol/common/security/config_v3.0
  3. Run the following command:

    #Syntax
    set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
    #Example
    $set_unset_tls_IS.cmd <Infrastructure Management Server Install Directory>\pw  SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

Parameter description

The following notes describe the key parameters used in the preceding command:

  • Use the set_unset_tls_IS.cmd script on the Microsoft Windows operating system, and the set_unset_tls_IS.sh script on the Unix operating system.
  • set_unset_tls_IS.sh -h displays the help for the set_unset_tls_IS command.

  • There are six command line arguments for the set_unset_tls_IS script as explained in the following section:
    • $BMC_ROOT: The directory where the Integration Service is installed.
    • SET_TLS / UNSET_TLS: The second command line argument can either be SET_TLS, or UNSET_TLS. If you select SET_TLS, the Integration Service is configured in TLS mode. If you select UNSET_TLS, the Integration Service is configured in Non-TLS mode.
    • security_level: The current value of this variable represents the security level at which the Integration Service is running. Integration Service runs at a security_level 2 or higher. Ensure that you set the Integration Service's security_level same as your PATROL Agent's security_level.
    • serverDbPath: The directory where the server certificates are present. This argument is mandatory for all the security_levels of the Integration Service.
    • identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol.

To configure the PATROL Agent to enable TLS 1.2

Perform the following steps to make the PATROL Agent to Integration Service communication TLS 1.2 compliant:

  1. Navigate to the config_v3.0 folder by running the following command:

    # Microsoft Windows operating system
    $cd <PATROL Agent installation directory>\common\security\config_v3.0
     
    # Unix operating system
    $cd <PATROL Agent installation directory>/common/security/config_v3.0
  2. Verify your PATROL Agent's installation directory. If the PATROL Agent's installation directory is not the same as the default installation directory, C:\Program Files (x86)\BMC Software, perform the following sequence of steps:

    Perform this step only if the installation directory is not the same as the default installation directory.

    The following instructions apply:

    • If you want to run the set_unset_tls script on PATROL Agents running on the Microsoft Windows operating system to configure TLS 1.2
    • To all PATROL Agents running at any of the security levels 2, 3, or 4.

    1. Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location, and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    2. Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory, and update the entries to reflect the PATROL Agent's actual installation path, as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    3. Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory, and update the entries to reflect the PATROL Agent's actual installation path, as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

  3. Run the script to enable TLS mode as shown in the following code block:

    #Syntax
    set_unset_tls.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity>
    #Example
    $set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol

    Notes

    • Use the set_unset_tls.cmd script on the Microsoft Windows operating system, and the set_unset_tls.sh script on the Unix operating system.
    • When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for the Mozilla NSS v3.20 libraries in the default system library directory, /usr/lib.

    • set_unset_tls.sh -h displays the help for the set_unset_tls command.
    • There are six command line arguments for the set_unset_tls script, as explained in the following section:
      • BMC_ROOT: The directory where the PATROL Agent is installed.
      • SET_TLS / UNSET_TLS: The second command line argument is either SET_TLS or UNSET_TLS. SET_TLS configures the PATROL Agent in TLS mode; UNSET_TLS configures it in non-TLS mode.
      • security_level: The PATROL Agent communicates with the Integration Service at security_level 2 or higher. If your PATROL Agent is running at security_level 0 or 1, set the security_level to 2 in the preceding command. Set the PATROL Agent's security_level to the same value as your Integration Service's security_level.
      • serverDbPath: The directory where the server certificates are present. This argument is mandatory if the security_level is set to 3.
      • clientDbPath: The directory where the client certificates are present. This argument is mandatory if the security_level is set to 3.
      • identity: The certificate identity. If you do not specify a value for this argument, the default is bmcpatrol.

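The three registry edits in step 2 of the preceding procedure make the same change to the same escaped path, and a mistake in the backslash escaping is the most common way to get them wrong. The following Python script is an added example, not BMC's own tooling. It assumes, following the page's sample entries, that each path separator inside a .reg string value is written as four backslashes, that the files to edit are tls_agent.reg, tls_esi.reg and tls_proxy.reg in the config_v3.0 directory, and that the registry key name in the constructed sample is a placeholder rather than a real PATROL key.

```python
"""Rewrite the default PATROL Agent install path in the tls_*.reg files."""
from pathlib import Path
from typing import Dict, Tuple

# Default Windows installation directory named on the page.
DEFAULT_INSTALL_DIR = r"C:\Program Files (x86)\BMC Software"
# Registry files named in step 2 (assumed to sit in the config_v3.0 directory).
REG_FILES = ("tls_agent.reg", "tls_esi.reg", "tls_proxy.reg")


def reg_escape(path: str) -> str:
    """Encode a Windows path the way the page's .reg entries show it:
    one backslash on disk becomes four inside the registry string value
    (assumption taken from the page's sample entries)."""
    return path.replace("\\", "\\\\\\\\")


def rewrite_install_dir(reg_text: str, install_dir: str) -> Tuple[str, int]:
    """Replace the escaped default install dir on every string value line.
    Returns the rewritten text and the number of lines changed."""
    old = reg_escape(DEFAULT_INSTALL_DIR)
    new = reg_escape(install_dir.rstrip("\\"))
    changed = 0
    out = []
    for line in reg_text.splitlines():
        # Only value lines ("name"="...") are candidates; the file signature
        # and [key] headers are passed through unchanged.
        if line.startswith('"') and old in line:
            line = line.replace(old, new)
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def remaining_default_paths(reg_text: str) -> int:
    """Post-edit check: value lines that still point at the default directory."""
    old = reg_escape(DEFAULT_INSTALL_DIR)
    return sum(1 for line in reg_text.splitlines()
               if line.startswith('"') and old in line)


def read_reg(path: Path) -> Tuple[str, str]:
    """Read a .reg file, honouring a UTF-16 BOM (common for files saved by
    Windows tools) and falling back to UTF-8."""
    raw = path.read_bytes()
    enc = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8"
    return raw.decode(enc), enc


def rewrite_files(config_dir: Path, install_dir: str) -> Dict[str, int]:
    """Rewrite the three files in place (keeping a .bak copy of each) and
    report how many lines changed per file."""
    report = {}
    for name in REG_FILES:
        path = config_dir / name
        text, enc = read_reg(path)
        path.with_name(name + ".bak").write_bytes(text.encode(enc))
        new_text, changed = rewrite_install_dir(text, install_dir)
        path.write_bytes(new_text.encode(enc))
        report[name] = changed
    return report


# Constructed sample mirroring the page's example entry; the [key] header is a
# placeholder, not a real PATROL registry key.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\PlaceholderVendor\PlaceholderKey]",
    '"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, '
    + reg_escape(r"C:\Program Files (x86)\BMC Software\common\security\keys\sample.bin")
    + '"',
    '"unrelated"="must not change"',
    "",
])

if __name__ == "__main__":
    text, n = rewrite_install_dir(SAMPLE_REG, r"D:\BMC Software")
    print(f"{n} line(s) rewritten, {remaining_default_paths(text)} still on the default path")
    print(text)
```

Run remaining_default_paths on each file after the rewrite and before running set_unset_tls.cmd; a non-zero result means an entry still points at a keys directory that does not exist on that host. The .bak copies let you restore the files if the agent fails to start in TLS mode.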
To start the servers

Perform the following set of steps after the configuration changes are completed.

To edit the Integration Service's properties

  1. Log on to the TrueSight console, and navigate to Configuration > Managed Devices. The Managed Devices page displays the BMC TrueSight Infrastructure Management components in hierarchical order, as shown in the following diagram.
  2. Click the action menu of the Integration Service to which the TLS configuration needs to be applied. When the Integration Service is in the disconnected state, the action menu displays the options Edit, Delete, View, and Connect.
  3. Select the Edit option.
  4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
  5. Click Save.

To start the local Integration Service

  1. Start the Infrastructure Management Server by running the following command:

    pw system start

    The Integration Service is restarted along with the Infrastructure Management Server.

To start the remote Integration Service

  1. Start the remote Integration Service (Unix) by running the following command:

    pw is start
  2. To start the remote Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.

  3. Double-click the Services icon to launch the Services dialog box.
  4. Locate BMC TrueSight Infrastructure Management Integration Service in the list of services, highlight it, and then click Restart.
  5. Click Yes to close the warning message that is displayed.
    The status of the Integration Service changes from blank to (started).

To start the PATROL Agent

  1. Start the PATROL Agent by running the following command:

    patrolagent -p 9090

Perform the following steps to make the Infrastructure Management Server to BMC Impact Integration Web Services (IIWS) communication TLS compliant:

To configure the Infrastructure Management Server

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Using a text editor, open the mcell.dir file located in the <Infrastructure Management Server Install Directory>\server\etc directory.

  3. Comment out the line whose encryption key value is mc, as shown in the following code block:

    #gateway.imcomm    IIWSGatewayServer    mc    IIWSGatewayServer.bmc.com:1859
  4. Set the encryption key value to *TLS, as shown in the following code block:

    gateway.imcomm    IIWSGatewayServer    *TLS    IIWSGatewayServer.bmc.com:1859

    Note

     IIWSGatewayServer is the name of the host computer where the BMC Impact Integration Web Services is installed.

  5. Save and close the file.

To configure the BMC Impact Integration Web Services server

  1. Navigate to the <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc directory by running the following command:

    # Microsoft Windows operating system 
    $cd <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc
    
    # Unix operating system 
    $cd <Impact Web Services installation directory>/tomcat/webapps/imws/WEB-INF/etc
  2. Using a text editor, open the mcell.dir file.
  3. Comment out the lines whose encryption key value is mc, as shown in the following code block:

    #type                                     Name                            encryption key                       <Host>:1828
    #gateway.imcomm                         IIWSGatewayServer                       mc                           localhost:1859
    #cell                                   pncell_tsim_server                      mc                           tsim_server.bmc.com:1828
  4. Set the encryption key value to *TLS as shown in the following code block:

    #syntax
    #type                                     Name                            encryption key                       <Host>:1828
    gateway.imcomm                         IIWSGatewayServer                       *TLS                           localhost:1859
    cell                                   pncell_tsim_server                      *TLS                           tsim_server.bmc.com:1828

    Parameter description

    The following notes describe the key parameters used in the preceding entries:

    • Replace localhost with the name of the computer where the IIWS server is installed.
    • tsim_server is the name of the host computer where the Infrastructure Management Server is installed.

To start the servers

  1. Start the Infrastructure Management Server by running the following command:

    pw system start
  2. Restart the IIWS server by performing the following steps:

    1. From the desktop or Start menu, navigate to Services.

    2. To stop the server, select the BMC Impact Integration Web Services service and right-click to open the menu. The service name is BMCIWS, and the display name is Impact Integration Web Service.

    3. To stop the application server, select Stop.

Perform the following steps to make the Infrastructure Management cell to Report Engine communication TLS compliant:

Before you begin

Before making the Infrastructure Management cell to Report Engine communication TLS compliant, ensure that you have installed the TrueSight Operations Management Reporting hotfix version 10.00.000.01. For more information, see Announcing support for Transport Layer Security.

To configure the Infrastructure Management cell

  1. Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the BMCTrueSightIMServerInstallDir\pw\server\etc directory.

  2. Locate the line that contains the encryption key value; it has the format shown in the following code block:

    gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>

    Example

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783
  3. Modify the existing value of encryption key to *TLS as shown in the following code block:

    Example

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
  4. Save and close the file.

  5. Reload the mcell.dir file by entering the following command from a command line:

    mcontrol -n cellName reload dir

    For example:

    mcontrol -n pncell_vm-w23-rds1016 reload dir

    where pncell_vm-w23-rds1016 is the name of the cell.

To configure the BMC TrueSight Operations Management Reporting

  1. Stop the Reporting Engine service. For more information, see Stopping the Reporting Engine service.

  2. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system 
    $cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI
    
    # Unix operating system 
    $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI
  3. Run the command as shown in the following code block:

    TLSConfig enable -keystore <keystorefile> -keystorepassword <keystore password> -truststore <truststorefile> -truststorepassword <truststore password>

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • <keystorefile>: The path and the file name of the keystore
    • <keystore password>: Password for the keystore
    • <truststorefile>: The path and the file name of the truststore
    • <truststore password>: Password for the truststore
  4. Restart the TrueSight Operations Management Reporting component. For more information, see Starting the TrueSight Operations Management Reporting Engine service.

Perform the following steps to enable TLS 1.2 mode for the Infrastructure Management server to Publishing Server communication:

To configure the Infrastructure Management server

Perform the following steps to make the Infrastructure Management server to Publishing Server communication TLS compliant:

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop
  2. Using a text editor, open the pronet.conf located in the <Infrastructure Management Server Install Directory>\pw\custom\conf directory.

  3. Set the properties as shown in the following code block:

    pronet.jms.passwd.file=pronto/conf/.ks_pass
    pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts
    pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks
    pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
    pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
  4. Using a text editor, open the mcell.dir file located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.

  5. Comment out the lines whose encryption key value is mc, as shown in the following code block:

    #Type               <name>                    encryption key    <host>:<port>
    #cell               pncell_hostname           mc                pncell_hostname.bmc.com:1828
    #gateway.imcomm     gw_ps_pncell_hostname     mc                hostname.bmc.com:1839
  6. Set the encryption key value to *TLS, as shown in the following code block:

    #Type               <name>                    encryption key    <host>:<port>
    cell                pncell_hostname           *TLS              pncell_hostname.bmc.com:1828
    gateway.imcomm      gw_ps_pncell_hostname     *TLS              hostname.bmc.com:1839
  7. Save and close the file.

  8. Using a text editor, open the smmgr.conf located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
  9. Comment out the line whose ServerTransportProtocol value is tcp, as shown in the following code block:

    #ServerTransportProtocol=tcp

  10. Set the ServerTransportProtocol value to tls, as shown in the following code block:

    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key

  11. Save and close the file.

  12. Start the Infrastructure Management Server by running the following command:

    pw system start
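The mcell.dir edits in the IIWS, Report Engine and Publishing Server procedures above are all the same change: comment out an entry that still carries the shared encryption key mc and add a copy of it with *TLS. The following Python script is an added example, not part of the BMC product; it assumes the four-field entry layout shown on the page (type, name, encryption key, host:port) and passes any other line through untouched. It reports which entries are still on a shared key, which is the check to run on each mcell.dir after editing and before reloading it with mcontrol, and it can perform the conversion for you.

```python
"""Audit mcell.dir entries for the legacy mc key and convert them to *TLS."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MCellEntry:
    line_no: int
    kind: str       # cell, gateway.imcomm, gateway.reportengine, ...
    name: str
    enc_key: str    # "mc" (shared key) or "*TLS"
    endpoint: str   # host:port


def _fields(raw: str) -> Optional[List[str]]:
    """Split an active entry into its four fields; return None for blank
    lines, comments and lines that are not in the expected layout."""
    stripped = raw.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()   # handles both spaces and tabs between fields
    return fields if len(fields) == 4 else None


def parse_mcell_dir(text: str) -> List[MCellEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        f = _fields(raw)
        if f:
            entries.append(MCellEntry(n, *f))
    return entries


def legacy_entries(text: str) -> List[MCellEntry]:
    """Entries whose encryption key is anything other than *TLS (on the page
    these all use the shared key mc)."""
    return [e for e in parse_mcell_dir(text) if e.enc_key != "*TLS"]


def convert_to_tls(text: str) -> str:
    """Comment out each legacy entry and add a copy keyed with *TLS, the same
    change the page's manual steps make. Running it twice changes nothing."""
    out = []
    for raw in text.splitlines():
        f = _fields(raw)
        if f and f[2] != "*TLS":
            out.append("#" + raw)
            out.append(f"{f[0]:<22}{f[1]:<32}*TLS    {f[3]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample built from the entries shown on the page; the second
# entry uses tabs between fields, as one of the page's snippets does.
SAMPLE_MCELL_DIR = (
    "# type                name                            encryption key   host:port\n"
    "cell\tpncell_tsim_server\tmc\ttsim_server.bmc.com:1828\n"
    "gateway.imcomm        IIWSGatewayServer               mc       localhost:1859\n"
    "gateway.reportengine  bpre.vs-pun-tsim-bp03.bmc.com   mc       vs-pun-tsim-bp03.bmc.com:3783\n"
    "gateway.imcomm        gw_ps_pncell_hostname           *TLS     hostname.bmc.com:1839\n"
)

if __name__ == "__main__":
    for e in legacy_entries(SAMPLE_MCELL_DIR):
        print(f"line {e.line_no}: {e.kind} {e.name} still uses key {e.enc_key!r} ({e.endpoint})")
    print(convert_to_tls(SAMPLE_MCELL_DIR))
```

Point the audit at the real file (for example, read the mcell.dir under the pw\server\etc directory and pass its contents to legacy_entries) on both ends of each channel, because a cell or gateway whose peer's entry still says mc will not negotiate TLS; the entries have to agree on both hosts.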