×
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
 
 

Important

   

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

TrueSight Server Automation 8.9.00 ... Configuring after installation Administering security Implementing private certificates in TrueSight Server Automation

Enabling third-party Certification Authority certificates to work with Yellowfin

You can enable third-party certificates with Yellowfin. A certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified.

Note

This example uses Symantec to create certificates. Other vendors offer their certificates in similar fashion. 

In general, perform the following steps for supporting third-party CA certificates:

  1. Use JRE keytool to create a private key and certificate sign-in request (CSR) and send the CSR to the signing authority. The signing authority returns the signed authority, along with the CA certificate. 
  2. Use the keystore during Yellowfin installation and configuration. 
  3. Configure TrueSight Server Automation with the supporting CA certificates.

This topic contains the following information: 

To create keystores, private and public keys, and certificates

This section creates a third-party certificate to use with Yellowfin

Note

  • Back up your VM or your file system before you start. If you make a mistake, you can revert to a saved snapshot and try again.
  • Copy and paste the SSL commands into a text editor like Notepad, Notepad++, or TextPad, strip out the line breaks, and modify the syntax for your environment. 
  1. Unzip LiveReportingPostInstaller.zip (Window) or LiveReportingPostInstaller.tar (Linux).
    For Linux:
    tar xvf LiveReportingPostInstaller.tar 
  2. From the command prompt, navigate to the directory where keytool is located, for example, C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_71\bin.

  3. Create the keystore and the private key (keystore.jks).
    A keystore holds your private and public keys. When creating a Java keystore, you create the keystore.jks file that at first contains only the private key This example used password as the password.

    keytool -genkey -alias yellowfin-server -keyalg RSA -keystore C:\Keys\keystore.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  vw-aus-clmidd09.bmc.com
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC Software
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, 
O=IDD, L=San Jose, ST=California
, C=US correct?
  [no]:  yes
Enter key password for <clmui>
        (RETURN if same as keystore password):
Re-enter new password:

  4. Create the certificate sign-in request (CSR).
    This example used password as the password.

    keytool -certreq -alias yellowfin-server -ext SAN=DNS:appserver1.example.com,
DNS:appserver2.example.com,DNS:appserver3.example.com -file C:\Keys\yellowfin_server.csr 
-keystore C:\Keys\keystore.jks -sigalg SHA1withRSA

    where,
    SAN= contains the host name used in the CN at minimum, and all the Application Server names and any VIP name.

  5. Send the CSR file to a CA for signing using one of the following methods. CA returns a signed SSL certificate, for example, ssl_cert.cer.

  6. (optional) Download and import the Root CA certificate (for example, RootCA.cer) into the browser's trusted root store certification authorities.
    Trial versions of the Root CA certificate must be installed on each browser where you will test it. This step is not necessary with production certificates. For more information, see the Symantec documentation on using root certificates.   

  7. Download and import the Root CA certificate (for example, RootCA.cer) on the product host.
    Do not mismatch the Root and intermediate CA certificates –  select the appropriate Intermediate CA certificate for your SSL Certificate type.

    keytool -import -trustcacerts -alias root -keystore "C:\Keys\keystore.jks" -file "C:\Keys\RootCA.cer"
Enter keystore password:
Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C
=US
Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.",
C=US
Serial number: 168164a428ca12dfab12f19fb1b93554
Valid from: Tue Mar 31 19:00:00 CDT 2009 until: Sat Mar 31 18:59:59 CDT 2029
Certificate fingerprints:
         MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
         SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
         SHA256: 89:DD:5C:3D:FE:28:13:87:45:1F:A3:A0:F7:8C:1A:B6:77:DB:18:63:9E:71:72:AD:B2:52:91:CF:BE:F7:8D:19
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
PS C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_102\bin> 

  8. Download and import the intermediate certificate (for example, intermediate.cer) on the product host.
    Do not mismatch the Root and intermediate CA certificates –  select the appropriate Intermediate CA certificate for your SSL Certificate type.

    keytool -import -trustcacerts -alias Intermediate -keystore C:\Keys\keystore.jks -file C:\Keys\intermediate.cer 
Enter keystore password:
Certificate was added to keystore
PS C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_102\bin>

    For more information, see the Symantec documentation on using intermediate certificates

  9. Install the SSL certificate (for example, ssl_cert.cer) on the product host.
    The alias name in this command must be the same as the alias name used during the generation of the private key and CSR, for example, blade.

    keytool -import -trustcacerts -alias yellowfin-server -keystore "C:\Keys\keystore.jks"  -file "C:\Keys\ssl_cert.cer"

    For more information, see the Symantec documentation on installing certificates on Tomcat.  

  10. Verify the contents of the keystore that the SSL certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry.  
    For example:

    keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt

Where to go from here

For complete end-to-end instructions on enabling HTTPS in Yellowfin with a third-party certificate, see:

Installing and configuring Yellowfin to enable Live reporting

Was this page helpful? Yes No Submitting... Thank you
Last modified by Sulekha Gulati on Jun 15, 2021

Comments

Implementing private certificates in TrueSight Server Automation
Encrypting your database connection
© Copyright 1996-2019 BladeLogic, Inc. © Copyright 2014-2019 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.