Important

   

This space contains documentation for TrueSight Smart Reporting for Server Automation 20.02.01. For earlier releases, see TrueSight Smart Reporting for Server Automation 19.2.

Implementing private certificates in TrueSight Server Automation - Data Warehouse

This topic was edited by a BMC Contributor and has not been approved.

This topic explains how to use CA-signed certificates for TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform.

Depending on the following scenarios, choose the appropriate procedure for applying certificates:

After performing any of these procedures, you must also import the CA certs for TrueSight Smart Reporting - Platform into the Java truststore of TrueSight Server Automation - Data Warehouse. For more information, see Importing TrueSight Smart Reporting private certificates in TrueSight Server Automation - Data Warehouse.

TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on the same server

When both TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on the same server, and the same host name is used to access both components, you can use the same CA-signed certificate for both these components. If you use different host names to access each component, for example tssr.example.com for TrueSight Smart Reporting - Platform and tssadw.example.com for TrueSight Server Automation - Data Warehouse, use the instructions specified in TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on different servers.

Do the following:

  1. Obtain the CA-signed certificate of TrueSight Smart Reporting - Platform. For instructions, see Implementing private certificates in TrueSight Smart Reporting - Platform.
  2. Back up the files.
    1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
    2. Stop the TrueSight Server Automation - Data Warehouse bltomcat service:
      • (Windows) sc stop bdstomcat
      • (Linux) service bltomcat stop
    3. Back up the following files:
      • (Windows)
        • <TSSA-DW_installation_directory>\tomcat\conf\bdsSslCertificate.cert
        • <TSSA-DW_installation_directory>\tomcat\conf\server.xml
      • (Linux)
        • <TSSA-DW_installation_directory>/tomcat/conf/bdsSslCertificate.cert
  3. Create a new keystore for TrueSight Server Automation - Data Warehouse using the TrueSight Smart Reporting - Platform keystore as the source:
    1. Open a command prompt and navigate to the following directory:
      • (Windows) <TSSA-DW_installation_directory>\tomcat\conf
      • (Linux) <TSSA-DW_installation_directory>/tomcat/conf
    2. Run the following command:
      Example:

      <TSSA-DWInstallationDirectory>/jre/bin/keytool -importkeystore -srckeystore <TSSR-P keystore> -destkeystore <TSSADW Keystore> -srcstoretype JKS -deststoretype JKS -srcstorepass <tssr keystore password> -deststorepass <new password> -srckeypass <tssr key password> -destkeypass <new password> -srcalias smartreporting -destalias tomcat

      Important

      • The destination alias must be tomcat.
      • The destination keypass and storepass must be the same.


      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -importkeystore -srckeystore "C:\Program Files\BMC Software\TrueSightSmartReporting\appserver\conf\tsr.keystore" -destkeystore "C:\Program Files\BMC Software\TSSA-DW\tomcat\conf\tssadw.keystore" -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass password  -srckeypass changeit -destkeypass password -srcalias smartreporting -destalias tomcat

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -importkeystore -srckeystore /opt/bmc/TrueSightSmartReporting/appserver/conf/tsr.keystore -destkeystore /opt/bmc/TSSA-DW/tomcat/conf/tssadw.keystore -srcstoretype JKS -deststoretype JKS -srcstorepass changeit -deststorepass password  -srckeypass changeit -destkeypass password -srcalias smartreporting -destalias tomcat
  4. If you have used a different password for the keystore than the one currently set or used a different keystore file name, do the following to update these changes in Tomcat:

    1. If you have used a different password in the previous commands, run the following command to get the blenc hash to be used in the Tomcat configuration:
      Example:

      <TSSA-DWInstallationDirectory>\bin\blenc.exe <deststorepassword>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

      (Linux)

      /opt/bmc/TSSA-DW/bin/blenc password
    2. Note the encrypted password after BLencrypt: in the output.

    3. Navigate to the following path, and open the server.xml file:
      <TSSA-DW_installation_directory>/tomcat/conf/server.xml

    4. In the <Connector port="9443" section, update the keystore file name and password if either has changed:
      (Windows)

      keystoreFile="<TSSA-DWInstallationDirectory>\tomcat\conf\tssadw.keystore"
      keystorePass="<encryptedpassword>"

      (Linux)

      keystoreFile="<TSSA-DWInstallationDirectory>/tomcat/conf/tssadw.keystore"
      keystorePass="<encryptedpassword>"
  5. Start the TrueSight Server Automation - Data Warehouse service.
    • (Windows) sc start bdstomcat
    • (Linux) service bltomcat start

TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform on separate servers 

When TrueSight Server Automation - Data Warehouse and TrueSight Smart Reporting - Platform are installed on separate servers, or are installed on the same server but accessed through different host names, use the following procedure.

Do the following:

  1. Back up the files.
    1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
    2. Back up the following files:
      • (Windows)
        • <TSSA-DW_installation_directory>\tomcat\conf\bdsSslCertificate.cert
        • <TSSA-DW_installation_directory>\tomcat\conf\server.xml
      • (Linux)
        • <TSSA-DW_installation_directory>/tomcat/conf/bdsSslCertificate.cert
  2. Create a new keystore and key in a temporary location:
    1. Open a command prompt and run the following command:
      Example:

      <TSSA-DWInstallationDirectory>\jre\bin\keytool.exe -genkey -alias tomcat -keyalg RSA -keystore <keystoreFile> -storepass <keystorePassword> -dname "CN=<TSSADW FQDN>" -keypass <keyPassword> -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks

      Important

      • The alias must be tomcat.
      • The keypass and storepass must be the same.

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -keystore "C:\Temp\tssadw.keystore" -storepass password -dname "CN=tssadw.example.com" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /tmp/tssadw.keystore -storepass password -dname "CN=tssadw.example.com" -keypass password -validity 3650 -keysize 4096 -sigalg SHA256withRSA -storetype jks
  3. Create a request for a signed certificate. 

    1. Run the following command to create a certificate signing request (CSR):
      Example:

      <TSSA-DWInstallationDirectory>\jre\bin\keytool.exe -certreq -alias tomcat -keystore <keystoreFile> -storepass <keystorePassword> -keypass <keyPassword> -ext san=dns:<TSSADW FQDN> -file <CSRFileName>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -certreq -alias tomcat -keystore "C:\Temp\tssadw.keystore" -storepass password -keypass password -ext san=dns:tssadw.example.com -file "C:\temp\tssadw.csr"

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -certreq -alias tomcat -keystore /tmp/tssadw.keystore -storepass password -keypass password -ext san=dns:tssadw.example.com -file /tmp/tssadw.csr
    2. Send the CSR to the CA for signing and request the CA to return the signed certificate file in the .p7b format. The .p7b file contains the signed certificate and the CA chain certificates.
  4. Import the signed certificate into the keystore.
    1. Run the following command to import the certificate into the keystore:
      Example:

      <TSSA-DWInstallationDirectory>/jre/bin/keytool -importcert -keystore <keystoreFile> -file <cert.p7b> -storepass <keystorePassword> -keypass <keyPassword> -alias tomcat -storetype jks -trustcacerts

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -importcert -keystore "C:\Temp\tssadw.keystore" -file "C:\temp\tssadw.p7b" -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
      

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -importcert -keystore /tmp/tssadw.keystore -file /tmp/tssadw.p7b -storepass password -keypass password -alias tomcat -storetype jks -trustcacerts
  5. Update the configuration to use the new keystore.

    1. Stop the TrueSight Server Automation - Data Warehouse service:

      • (Windows) sc stop bdstomcat
      • (Linux) service bltomcat stop
    2. Copy the new keystore from the temporary location to <TSSA-DWInstallationDirectory>\tomcat\conf

    3. If you have used a different password for the keystore than the one currently set or used a different keystore file name, do the following to update Tomcat with these changes:

      1. If you have used a different password in the previous commands, run the following command to get the blenc hash to be used in the Tomcat configuration:
        Example:

        <TSSA-DWInstallationDirectory>\bin\blenc.exe <keystorePassword>

        (Windows)

        "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

        (Linux)

        /opt/bmc/TSSA-DW/bin/blenc password
      2. Note the encrypted password after BLencrypt: in the output.

      3. Navigate to the following path, and open the server.xml file:
        <TSSA-DW_installation_directory>/tomcat/conf/server.xml

      4. In the <Connector port="9443" section, update the keystore file name and password if either has changed:
        (Windows)

        keystoreFile="<TSSA-DWInstallationDirectory>\tomcat\conf\tssadw.keystore"
        keystorePass="<encryptedpassword>"

        (Linux)

        keystoreFile="<TSSA-DWInstallationDirectory>/tomcat/conf/tssadw.keystore"
        keystorePass="<encryptedpassword>"
  6. Start the TrueSight Server Automation - Data Warehouse service.
    • (Windows) sc start bdstomcat
    • (Linux) service bltomcat start
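
A check to run on the keystore built in either procedure above, before Tomcat is restarted with it. This is an added example, not part of the BMC documentation: it reads `keytool -list -v` output and confirms that alias tomcat holds the private key, that the CA reply replaced the self-signed certificate created by -genkey, and that the SAN matches the host name. The function names `check_tomcat_entry` and `sample_listing` are hypothetical, the sample listing is constructed, and the chain-length threshold assumes the CA returns at least the leaf plus its issuer.

```sh
#!/bin/sh
# Added example, not BMC code. Reads `keytool -list -v` output on stdin and
# checks the entry Tomcat will serve. With the placeholders used on this page:
#   keytool -list -v -alias tomcat -keystore <keystoreFile> \
#     -storepass <keystorePassword> | check_tomcat_entry <TSSADW FQDN>
check_tomcat_entry() {
  awk -v fqdn="$1" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^Alias name: /               { alias = $3; n = 0 }
    alias != "tomcat"             { next }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { chain = $4 }
    /^Certificate\[/              { n++ }
    n == 1 && /^Owner: /          { owner = substr($0, 8) }
    n == 1 && /^Issuer: /         { issuer = substr($0, 9) }
    n == 1 && $1 == "DNSName:" && $2 == fqdn { san = 1 }
    END {
      # The private key must sit under alias tomcat, as the page requires.
      if (type != "PrivateKeyEntry") fail("alias tomcat missing or not a PrivateKeyEntry")
      # Assumption: a CA reply leaves at least leaf + issuer in the chain.
      if (chain + 0 < 2) fail("chain length " (chain + 0) ", CA reply not installed")
      # -genkey creates a self-signed certificate: Owner equals Issuer.
      if (owner == issuer) fail("leaf certificate is self-signed")
      if (!san) fail("no SAN DNSName equal to " fqdn)
      if (!bad) print "OK: tomcat entry is CA-signed for " fqdn
      exit bad + 0
    }'
}

# Constructed sample of `keytool -list -v` output, trimmed to the fields used.
sample_listing() {  # $1 = chain length, $2 = issuer DN of the leaf
  cat <<EOF
Keystore type: JKS

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: $1
Certificate[1]:
Owner: CN=tssadw.example.com
Issuer: $2
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: tssadw.example.com
]
EOF
}

sample_listing 3 "CN=Example Issuing CA" | check_tomcat_entry tssadw.example.com
```
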

Import the TrueSight Smart Reporting certificate chain into TrueSight Smart Reporting - Platform Java keystore

After performing any of these procedures, you must import the CA certificates for TrueSight Smart Reporting - Platform into the Java keystore of TrueSight Server Automation - Data Warehouse. For more information, see Importing TrueSight Smart Reporting private certificates in TrueSight Server Automation - Data Warehouse.

Verify secure connection to TrueSight Server Automation - Data Warehouse

Do the following to verify that the new certificates are successfully applied to TrueSight Server Automation - Data Warehouse:

  1. Close all browser instances connected to TrueSight Server Automation - Data Warehouse.
  2. Open the following URL in a new browser instance:
    https://<hostname>:<portNumber>/tssa-dw
  3. Verify that the TrueSight Server Automation - Data Warehouse URL opens in the HTTPS mode and shows the connection as secure.

Comments

  1. Greg Michael

    The step to import the CA certificates is referring to the steps for TSSR-Platform, rather than for TSSR-SA DW.

    It should read: After performing any of these procedures, you must import the CA certificates for TrueSight Smart Reporting - Data Warehouse into the java trust store of TrueSight Smart Reporting - Platform. There should also be a note that any changes to the TSSR-P certificates would need to be imported into the TSSR-SA DW trust store as well as a link to the documentation for TSSR-P: https://docs.bmc.com/docs/tssr2002/implementing-private-certificates-in-truesight-smart-reporting-platform-905422520.html

    Also, "logically speaking" there is a difference between the key store and the trust store. Separately, a key store contains one or more private/public key pairs; a trust store contains public certificates for servers and/or Certificate Authorities used to sign certificates. While Java does not differentiate the logical definition of these stores, it is often useful to have them separated for distinction. The default Java trust store is the cacerts file located in the /lib/security folder. This file gets overwritten when new versions of the Java implementations are upgraded.

    https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Stores

    Sep 02, 2021 12:57
    1. Sulekha Gulati

      Greg Michael, thanks for the feedback. Looking into it.

      Sep 05, 2021 10:01