Creating a self-signed, client-side certificate on the repeater

Use this procedure to create a self-signed certificate for the repeater and then add the passphrase for that certificate to the securecert file on the repeater.

On UNIX repeaters, TrueSight Server Automation does not load the certificate if group or world permissions are set for the id.pem file or the .bladelogic directory, where the id.pem file is generated.

Before you begin

You must install Network Shell on the repeater. This procedure requires you to run a command that is only available from Network Shell.

To create a self-signed, client-side certificate on the repeater

  1. Using a command line, generate a self-signed certificate by doing one of the following:
    • (UNIX) Log into the repeater as a user to whom connecting users are mapped (typically root). Then, issue the following command for generating a certificate:
    • (Windows) Do the following:
      1. Log into the repeater server as Administrator.
      2. Create a directory called C:\<WINDIR>\rsc\certs\BladeLogicRSCD.
        In the path shown above, <WINDIR> is typically windows.
      3. Enter the following command for generating a certificate:
        bl_gen_ssl -repeatcert
  2. Enter a passphrase for the private key to the certificate. Then confirm the passphrase by entering it again.
    TrueSight Server Automation generates a certificate in a file named id.pem.
    • (UNIX) The file is created in <userHomeDirectory>/.bladelogic, where <userHomeDirectory> is the user's home directory. For example, if you are logged in as root on a Linux system, id.pem is created in /root/.bladelogic/id.pem.
    • (Windows) The file is created in <WINDIR>\rsc\certs\BladeLogicRSCD.
  3. Update the securecert file to contain an encoded copy of the passphrase. Using Network Shell, enter the following:
    secadmin -m default -cu <user> -cp password
    where <user> is BladeLogicRSCD for Windows repeaters and the user who created the certificate (such as root ) for UNIX repeaters.
    Enter the password in clear text. The secadmin utility encrypts the password.
    After issuing this command, the contents of the securecert file are updated to include an entry for your current user name, such as root or BladeLogicRSCD. For example, this command might create an entry like the following. (The encoded passphrase varies.)
  4. For UNIX repeaters, ensure that access is restricted to the id.pem file and the .bladelogic directory by running the following commands:
    chmod 700 /opt/bmc/bladelogic/NSH/br/.bladelogic
    chmod 600 /opt/bmc/bladelogic/NSH/br/.bladelogic/id.pem
Was this page helpful? Yes No Submitting... Thank you