Implementing private certificates in TrueSight Server Automation - Data Warehouse

This topic explains how to use CA-signed certificates for TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform.

Depending on the following scenarios, choose the appropriate procedure for applying certificates:

After performing any of these procedures, you must also import the CA certs for TrueSight Smart Reporting - Platform into the Java truststore of TrueSight Server Automation - Data Warehouse. For more information, see Importing TrueSight Smart Reporting private certificates in TrueSight Server Automation - Data Warehouse.

TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on the same server

When both TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on the same server, and the same host name is used to access both components, you can use the same CA-signed certificate for both these components. If you use different host names to access each component, for example tssr.example.com for TrueSight Smart Reporting - Platform and tssadw.example.com for TrueSight Server Automation - Data Warehouse, use the instructions specified in TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on different servers.

Do the following:

  1. Obtain the CA-signed certificate of TrueSight Smart Reporting - Platform. For instructions, see Implementing private certificates in TrueSight Smart Reporting - Platform .
  2.  Back up the files.
    1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
    2. Stop the TrueSight Server Automation - Data Warehouse bltomcat service:
      • (Windowssc stop bdstomcat

      • (Linuxservice bltomcat stop
    3. Back up the following files:
      • (Windows)
        • <TSSA-DW_installation_directory>\tomcat\conf\bdsSslCertificate.cert
        • <TSSA-DW_installation_directory>\tomcat\conf\server.xml
      • (Linux)
        • <TSSA-DW_installation_directory>/tomcat/conf/bdsSslCertificate.cert
  3. Create a new keystore for TrueSight Server Automation - Data Warehouse using the TrueSight Smart Reporting - Platform keystore as the source:
    1. Open a command prompt and navigate to the following directory:
      • (Windows) <TSSA-DW_installation_directory>\tomcat\conf
      • (Linux) <TSSA-DW_installation_directory>/tomcat/conf
    2. Run the following command:
    • Example:

      <TSSA-DWInstallationDirectory>/jre/bin/keytool -importkeystore -srckeystore <TSSR-P keystore> -destkeystore <TSSADW Keystore> -srcstoretype JKS -deststoretype JKS -srcstorepass <tssr keystore password> -deststorepass <new password> -srckeypass <tssr key password> -destkeypass <new password> -srcalias smartreporting -destalias tomcat

      Important

      • The destination alias must be tomcat.
      • The destination keypass and storepass must be the same.


      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -importkeystore -srckeystore "C:\Program Files\BMC Software\TrueSightSmartReporting\appserver\conf\tsr.keystore" -destkeystore "C:\Program Files\BMC Software\TSSA-DW\tomcat\conf\tssadw.keystore" -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass password  -srckeypass changeit -destkeypass password -srcalias smartreporting -destalias tomcat

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -importkeystore -srckeystore /opt/bmc/TrueSightSmartReporting/appserver/conf/tsr.keystore -destkeystore /opt/bmc/TSSA-DW/tomcat/conf/tssadw.keystore -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass password  -srckeypass changeit -destkeypass password -srcalias smartreporting -destalias tomcat
  4. If you have used a different password for the keystore than the one currently set or used a different keystore file name, do the following to update these changes in Tomcat:

    1. If you have used a different password in the previous commands, run the following command to get the blenc hash to be used in the Tomcat configuration:
      Example:

      <TSSA-DWInstallationDirectory>\bin\blenc.exe <deststorepassword>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

      (Linux)

      /opt/bmc/TSSA-DW/bin/blenc password
    2. Note the encrypted password after BLencrypt: in the output.

    3. Navigate to the following path, and open the server.xml file:
      <TSSA-DW_installation_directory>/tomcat/conf/server.xml

    4. In the <Connector port="9443" section, update the keystore file name and password if either has changed:
      (Windows)

      keystoreFile="<TSSA-DWInstallationDirectory>\tomcat\conf\tssadw.keystore"
      keystorePass="<encryptedpassword>"

      (Linux)

      keystoreFile="<TSSA-DWInstallationDirectory>/tomcat/conf/tssadw.keystore"
      keystorePass="<encryptedpassword>"
  5. Start the TrueSight Server Automation - Data Warehouse service.
    • (Windowssc start bdstomcat

    • (Linuxservice bltomcat start

TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform on separate servers 

When TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on separate servers, or installed on the same server but accessed via different hostnames then follow the below procedure:

Do the following:

  1. Back up the files.
    1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
    2. Back up the following files:
      • (Windows)
        • <TSSA-DW_installation_directory>\tomcat\conf\bdsSslCertificate.cert
        • <TSSA-DW_installation_directory>\tomcat\conf\server.xml
      • (Linux)
        <TSSA-DW_installation_directory>/tomcat/conf/bdsSslCertificate.cert
  2. Create a new keystore and key in a temporary location:
    1. Open a command prompt and run the following command:
    2. Example:

      <TSSA-DWInstallationDirectory>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore <keystoreFile> -storepass <keystorePassword> -dname "CN=<TSSADW FQDN>" -keypass
       <keyPassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks

      Important

      • The alias must be tomcat.
      • The keypass and storepass must be the same.

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -keystore "C:\Temp\tssadw.keystore" -storepass password -dname "CN=tssadw.example.com" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /tmp/tssadw.keystore -storepass password -dname "CN=tssadw.example.com" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
  3. Create a request for a signed certificate. 

    1. Run the following command to create a certificate signing request (CSR):
      Example:

      <TSSA-DWInstallationDirectory>\jre\bin\keytool.exe -certreq -alias tomcat -keystore <keystoreFile> -storepass <keystorePassword> -keypass <keyPassword> -ext san=dns:<TSSADW FQDN> -file <CSRFileName>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -certreq -alias tomcat -keystore "C:\Temp\tssadw.keystore" -storepass password -keypass password -ext san=dns:tssadw.example.com file "C:\temp\tssadw.csr"

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -certreq -alias tomcat -keystore /tmp/tssadw.keystore -storepass password -keypass password -ext san=dns:tssadw.example.com -file /tmp/tssadw.csr
    2. Send the CSR to the CA for signing and request the CA to return the signed certificate file in the .p7b format.  The p7b will contain the signed cert and the ca-chain certs.
  4. Import the signed certificate into the keystore . 
    1. Run the following command to import the certificate into the keystore:
      Example:

      <TSSA-DWInstallationDirectory>/jre/bin/keytool -importcert -keystore <keystoreFile> -file <cert.p7b> -storepass <keystorePassword> -keypass <keyPassword> -alias tomcat -storetype jks -trustcacerts

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -importcert -keystore "C:\Temp\tssadw.keystore" -file "C:\temp\tssadw.p7b" -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
      

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -importcert -keystore /tmp/tssadw.keystore -file /tmp/tssadw.p7b -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
  5. Update the configuration to use the new keystore.

    1. Stop the TrueSight Server Automation - Data Warehouse service:

      • (Windows) sc stop bdstomcat
      • (Linux) service bltomcat stop
    2. Copy the new keystore from the temporary location to <TSSA-DWInstallationDirectory>\tomcat\conf

    3. If you have used a different password for the keystore than the one currently set or used a different keystore file name, do the following to update Tomcat with these changes:

      1. If you have used a different password in the previous commands, run the following command to get the blenc hash to be used in the Tomcat configuration:
        Example:

        <TSSA-DWInstallationDirectory>\bin\blenc.exe <keystorePassword>

        (Windows)

        "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

        (Linux)

        /opt/bmc/TSSA-DW/bin/blenc password
      2. Note the encrypted password after BLencrypt: in the output.

      3. Navigate to the following path, and open the server.xml file:
        <TSSA-DW_installation_directory>/tomcat/conf/server.xml

      4. In the <Connector port="9443" section, update the keystore file name and password if either has changed:
        (Windows)

        keystoreFile="<TSSA-DWInstallationDirectory>\tomcat\conf\tssadw.keystore"
        keystorePass="<encryptedpassword>"

        (Linux)

        keystoreFile="<TSSA-DWInstallationDirectory>/tomcat/conf/tssadw.keystore"
        keystorePass="<encryptedpassword>"
  6. Start the TrueSight Server Automation - Data Warehouse service.
    • (Windowssc start bdstomcat
    • (Linuxservice bltomcat start

Import the TrueSight Smart Reporting certificate chain into TrueSight Smart Reporting - Platform Java keystore. 

After performing any of these procedures, you must import the CA certificates for TrueSight Smart Reporting - Platform into the Java keystore of TrueSight Server Automation - Data Warehouse. For more information, see Importing TrueSight Smart Reporting private certificates in TrueSight Server Automation - Data Warehouse.

Verify secure connection to TrueSight Server Automation - Data Warehouse

Do the following to verify that the new certificates are successfully applied to TrueSight Server Automation - Data Warehouse:

  1. Close all browser instances connected to TrueSight Server Automation - Data Warehouse
  2. Open the following URL in a new browser instance:
    https://<hostname>:<portNumber>/tssa-dw
  3. Verify that the TrueSight Server Automation - Data Warehouse URL opens in the HTTPS mode and shows the connection as secure:
Was this page helpful? Yes No Submitting... Thank you

Comments