Important

   

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Enabling secure communication with TrueSight Orchestration

To secure the communication of data between TrueSight Server Automation and TrueSight Orchestration, you must enable an HTTPS connection on both products as instructed in the following procedures.


Note

This optional task is also relevant when you set up a connection to TrueSight Orchestration for the creation of Workflow Jobs through the TrueSight Server Automation Console. For more information, see Creating and modifying Workflow Jobs.

The keytool command used in the following procedures is a key and certificate management utility that is provided with the Java Runtime Environment (JRE). It is typically located in the Java (JRE) bin directory. To use keytool commands on Windows platforms, you must run the commands with elevated rights or administrator rights.

  The required steps vary, based on the decisions that you made regarding the TrueSight Orchestration version during its installation. Use the following approach for your TrueSight Orchestration setup:

Enabling HTTPS support on TrueSight Orchestration


  1. On the system where the TrueSight Orchestration CDP is installed, create the keystore file by entering a command such as the following example:

    keytool -genkey -alias w2k3-sp-vm5 -dname "cn=w2k3-sp-vm5" -keyalg RSA -keystore C:<BAOtomcatServerDirectory>\conf\.keystore -storepass changeit


    The value entered for the -dname option must match the host name where the TrueSight Orchestration CDP is installed. In this example, the value is w2k3-sp-vm5.
    If you are using a UNIX/Linux system, the default keystore file location is $<BAOinstallationDirectory>/cdp/tomcat/conf/.keystore.

  2. Enable HTTPS on an Apache Tomcat server by completing the following steps:
    1. Open the server.xml file.
    2. Uncomment the following block of configuration information and add the keystoreFile and truststoreFile attributes as follows:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 keystoreFile="C:<BAOtomcatServerDirectory>\conf\.keystore"
                 truststoreFile="C:\Program Files\Java\jdk1.5.0_13\jre\lib\security\cacerts" />

      The keystoreFile attribute must point to the location where the keystore file resides.
      The truststoreFile attribute must point to the CA-issued certificates in the JDK installation location.

  3. Restart the TrueSight Orchestration CDP.

Enabling HTTPS support for TrueSight Orchestration on TrueSight Server Automation


  1. If TrueSight Orchestration is installed on a different computer, copy the C:<BAOtomcatServerDirectory>\conf\.keystore file from the TrueSight Orchestration CDP system to the system where the TrueSight Server Automation application server is installed.
  2. On the system where the TrueSight Server Automation application server is installed, export the public certificate from the keystore file generated for TrueSight Orchestration to a temporary file by entering the following command:

    keytool -export -alias <alias> -file <file> -keystore <keystore> -storepass changeit

    In this command, note the following:

    • <alias> is the name used to distinguish certificates. The value entered for the alias must match the TrueSight Orchestration server hostname and the CN in the associated certificate. TrueSight Server Automation needs this to match so that the host and the certificate can be verified during the SSL connection process.
    • <file> is the name and location of the certificate file that will be created from this command.
    • <keystore> is the name and location of the keystore file that you created for TrueSight Orchestration.
      If you are using a UNIX/Linux system, the default keystore file location is $<BAOinstallationDirectory>/cdp/tomcat/conf/.keystore.

    For example:

    keytool -export -alias w2k3-sp-vm5 -file C:\cert.csr -keystore C:<BAOtomcatServerDirectory>\conf\.keystore -storepass changeit

    keytool -export -alias tomcat -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BAO\CDP\tomcat\conf\.keystore" -storepass changeit

  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:

    keytool -import -alias w2k3-sp-vm5 -file C:\cert.csr -keystore "<keystorePath>" -storepass changeit

    keytool -import -alias bao.dem.bmc.local -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BladeLogic\appserver\NSH\jre\lib\security\cacerts" -storepass changeit

    Note that the keystore path in this example is a typical default path. This path might differ, depending on the exact details of your installation. The keystore path also depends on the type of operating system:

    • Linux — For a Linux Application Server use the <installationDirectory>/NSH/br/java/lib/security/cacerts file (for example /opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts) to install certificates.
    • Windows — For a Windows Application Server, refer to the path shown in the registry value for SOFTWARE > BladeLogic > Operations Manager > Application Server > -Djava.home. Within this path, look for the lib\security\cacerts file. This is the file into which you install the certificates.
  4. To check if the certificate is added to the cacerts file, enter the following command:

    keytool -list -keystore <keystorePath> -storepass changeit
  5. Restart the TrueSight Server Automation Application Server.
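
The listing in step 4 shows that an entry exists, but not that it is the certificate you exported or that its CN matches the TrueSight Orchestration host name, which the procedure requires. The following script is an added example, not BMC code: it runs both checks on keytool text output. The function names and the sample output are constructed for illustration, and it assumes the "Owner:" and "SHA256:" lines that keytool -printcert and keytool -list -v print.

```shell
#!/bin/sh
# Added example: post-import checks on keytool text output (not part of the product).

# CN from the "Owner:" line of `keytool -printcert` / `keytool -list -v` output on stdin.
cert_cn() { sed -n 's/^Owner:.*[Cc][Nn]=\([^,]*\).*/\1/p' | head -n 1; }

# SHA-256 fingerprint from the "SHA256:" line of the same output on stdin.
cert_sha256() { sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1; }

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_import HOST EXPORTED_TEXT TRUSTSTORE_ENTRY_TEXT
# Returns 0 when the exported certificate's CN equals HOST (case-insensitive)
# and the truststore entry carries the same SHA-256 fingerprint;
# 1 on a CN mismatch, 2 on a fingerprint mismatch or a missing entry.
check_import() {
  ci_cn=$(printf '%s\n' "$2" | cert_cn)
  ci_exp=$(printf '%s\n' "$2" | cert_sha256)
  ci_tru=$(printf '%s\n' "$3" | cert_sha256)
  if [ -z "$ci_cn" ] || [ "$(lower "$ci_cn")" != "$(lower "$1")" ]; then
    echo "CN mismatch: certificate CN='$ci_cn', expected host='$1'"; return 1
  fi
  if [ -z "$ci_exp" ] || [ "$(lower "$ci_exp")" != "$(lower "$ci_tru")" ]; then
    echo "fingerprint mismatch: truststore entry is not the exported certificate"; return 2
  fi
  echo "OK: CN=$ci_cn, SHA256=$ci_exp"
}

# Constructed stand-in for keytool output; fingerprints are shortened, made-up values.
sample() {
  printf 'Alias name: %s\nOwner: CN=%s\nIssuer: CN=%s\nCertificate fingerprints:\n\t SHA1: 00:11\n\t SHA256: %s\n' \
    "$1" "$1" "$1" "$2"
}

# On a real system, feed the function from keytool instead of sample():
#   exported=$(keytool -printcert -file <file>)
#   trusted=$(keytool -list -v -alias <alias> -keystore <keystorePath> -storepass changeit)
#   check_import <hostname> "$exported" "$trusted"
check_import w2k3-sp-vm5 "$(sample w2k3-sp-vm5 AB:CD:01:23)" "$(sample w2k3-sp-vm5 AB:CD:01:23)"
check_import w2k3-sp-vm5 "$(sample w2k3-sp-vm5 AB:CD:01:23)" "$(sample w2k3-sp-vm5 FF:EE:99:88)" || true
```

A non-zero return before the restart in step 5 means the Application Server would trust a different certificate than the one TrueSight Orchestration presents, or that host name verification would fail.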
