Creating a self-signed client-side certificate on the Application Server (Windows)


Use this procedure to create a file called id.pem, which contains the self-signed certificate for the Application Server and the private key associated with the certificate. Then add the passphrase used to encrypt the private key to the securecert file on the Application Server.

To create a self-signed client-side certificate on the Application Server version 22.2 or later if the Low Privilege User is not enabled


  1. Log on to a Windows Application Server as Administrator.
  2. Create a directory called C:\<WINDIR>\rsc\certs\SYSTEM.
    In the path shown above, <WINDIR> is typically windows.
  3. Using a command line, generate a self-signed Application Server certificate by entering the following: 
    bl_gen_ssl -appcert 
    After you enter the command, you are prompted to provide and then confirm a passphrase. This passphrase is used to encrypt the private key in the id.pem file. The id.pem file is created in the C:\<WINDIR>\rsc\certs\SYSTEM directory. 
  4. Update the securecert file to include an encoded copy of the passphrase. To accomplish this, use the command line to enter the following: 
    secadmin -m default -cu SYSTEM -cp <passPhrase> 
    After issuing this command, the contents of the securecert file are updated to appear similar to the following. The encoded passphrase varies.

    [default]
    SYSTEM=FCUVOMLNGLVRZNOO

    For the initial installation of TrueSight Server Automation, you can find the securecert file in the C:\<WINDIR>\rsc directory. If additional instances of TrueSight Server Automation are installed, you can find securecert in <installDirectoryN>\NSH\conf\securecert. For example, the default location for the second instance of TrueSight Server Automation would be C:\Program Files\BMC Software\BladeLogic2\NSH.


To create a self-signed client-side certificate on the Application Server 22.2.00 and later if the Low Privilege User is enabled

  1. Create a certificate for the SYSTEM user. For instructions, see To create a self-signed client-side certificate on the Application Server version 22.2 or later if the Low Privilege User is not enabled.
  2. Log on to a Windows Application Server as Administrator.
  3. Using a command line, generate a self-signed Application Server certificate by entering the following: 
    bl_gen_ssl -appcert bluser
    After you enter the command, you are prompted to provide and then confirm a passphrase. This passphrase is used to encrypt the private key in the id.pem file. The id.pem file is created in the C:\<WINDIR>\rsc\certs\bluser directory. 
  4. Update the securecert file to include an encoded copy of the passphrase. To accomplish this, use the command line to enter the following: 
    secadmin -m default -cu bluser -cp <passPhrase> 
    After issuing this command, the contents of the securecert file are updated to appear similar to the following. The encoded passphrase varies.

    [default]
    SYSTEM=LNDOOMLNGLVRZNOO
    bluser=FCUVOMLNGLVRZNOO

    For the initial installation of TrueSight Server Automation, you can find the securecert file in the C:\<WINDIR>\rsc directory. If additional instances of TrueSight Server Automation are installed, you can find securecert in <installDirectoryN>\NSH\conf\securecert. For example, the default location for the second instance of TrueSight Server Automation would be C:\Program Files\BMC Software\BladeLogic2\NSH.

  5. If you created a certificate for the SYSTEM user before upgrading to 22.2.00 or later and applied its fingerprint on the agent with the SYSTEM user, create a certificate for bluser and push that certificate to the agent with bluser:
    1. To push the SHA1 fingerprint, enter the following command:
      putcert bluser id.pem <agent1...agentN>
    2. To push a fingerprint that uses another hash algorithm, enter this command:
      putcert -hashalgo <sha_algorithm> bluser id.pem <agent1...agentN>
      For example, to push the SHA512 fingerprint, enter the following command:
      putcert -hashalgo sha512 bluser id.pem <agent1...agentN>
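
A check to run after either procedure above, added here as an example and not part of the product or its documentation: for every user listed under [default] in securecert, it confirms that certs\<user>\id.pem exists, holds a certificate and a passphrase-encrypted private key, and lists who has access to the file. The function name Test-BlClientCert is hypothetical; the script assumes the first-instance location <WINDIR>\rsc and that bl_gen_ssl writes standard PEM armour.

```powershell
# Added example: verify securecert entries against their id.pem files.
# Assumption: first-instance layout from this page (<WINDIR>\rsc); pass -RscRoot otherwise.
function Test-BlClientCert {
    param([string]$RscRoot = (Join-Path $env:windir 'rsc'))

    $secureCert = Join-Path $RscRoot 'securecert'
    if (-not (Test-Path -LiteralPath $secureCert)) {
        throw "securecert not found at $secureCert"
    }

    # Collect the user names listed under [default] (for example SYSTEM and bluser).
    $inDefault = $false
    $users = foreach ($line in Get-Content -LiteralPath $secureCert) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inDefault = ($Matches[1] -eq 'default'); continue }
        if ($inDefault -and $t -match '^([^=\s]+)\s*=\s*\S+') { $Matches[1] }
    }

    foreach ($user in $users) {
        $pem = Join-Path $RscRoot "certs\$user\id.pem"
        $result = [ordered]@{ User = $user; IdPem = $pem; Exists = $false
                              HasCertificate = $false; KeyEncrypted = $false; Access = '' }
        if (Test-Path -LiteralPath $pem) {
            $text = Get-Content -LiteralPath $pem -Raw
            $result.Exists = $true
            $result.HasCertificate = $text -match '-----BEGIN CERTIFICATE-----'
            # Assumption: an encrypted key shows up either as PKCS#8
            # "ENCRYPTED PRIVATE KEY" or as a traditional PEM key with a
            # "Proc-Type: 4,ENCRYPTED" header. Anything else needs manual review.
            $result.KeyEncrypted = ($text -match '-----BEGIN ENCRYPTED PRIVATE KEY-----') -or
                                   ($text -match 'Proc-Type:\s*4,ENCRYPTED')
            # List every principal with access so unexpected ones stand out.
            $result.Access = ((Get-Acl -LiteralPath $pem).Access |
                ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        }
        [pscustomobject]$result
    }
}

Test-BlClientCert | Format-List
```

A row with Exists or KeyEncrypted set to False means the securecert entry has no matching encrypted key in id.pem and the corresponding procedure should be repeated for that user.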

 


TrueSight Server Automation 24.4