Adding a trusted certificate

Instead of using the default SSL certificate that TrueSight Vulnerability Management provides, some organizations might want to use their own certificate. Organizations can use an existing certificate or obtain one from a certificate authority or other trusted source.

If you want to replace the default certificate, you can use the following procedure to create a keystore, add a certificate to the keystore, and modify the server.xml file.

To add a trusted certificate

1. On the application server computer, navigate to the truesight-app-vulnerability-management-portal container by using the following command:

   docker exec -it truesight-app-vulnerability-management-portal /bin/bash

2. Create the keystore and the private key (keystore.jks).
   A keystore holds your private and public keys. When creating a Java keystore, you create the keystore.jks file that at first contains only the private key. This example uses tsvm-server as the alias name.

   keytool -genkeypair -alias tsvm-server -keystore tsvm.keystore -storetype jks -keyalg RSA -keysize 2048
   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]:  vw-aus-clmidd09.bmc.com
   What is the name of your organizational unit?
     [Unknown]:  IDD
   What is the name of your organization?
     [Unknown]:  BMC Software
   What is the name of your City or Locality?
     [Unknown]:  San Jose
   What is the name of your State or Province?
     [Unknown]:  California
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, 
   O=IDD, L=San Jose, ST=California
   , C=US correct?
     [no]:  yes
   Enter key password for <clmui>
           (RETURN if same as keystore password):
   Re-enter new password:

   Note

   When you are prompted for first and last name, provide a fully-qualified domain name, as shown in the example above.

3. Create the certificate sign-in request (CSR).

   keytool -certreq -alias tsvm-server -keyalg RSA -file <Directory>/<fileName.csr> -keystore tsvm.keystore -sigalg SHA256withRSA
   

   Replace <Directory> with the directory in which you want to generate the CRS. <filename>.csr is the file that will hold the CSR.

4. Navigate out of the container using the exit command and send the CSR file to a CA for signing using one of the following methods. The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
   • Have the CSR be signed by a commercial CA like Symantec. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed SSL certificate. For more information about commercial CAs, see:
     
     • Symantec: http://digitalid.verisign.com/server

     • CertiSign Certificadora Digital Ltd: http://www.certisign.com.br

     • Uptime Commerce Ltd: http://www.uptimecommerce.com

     • BelSign NV/SA: http://www.belsign.be

   • Use your own CA and get the CSR signed by this CA.

5. Download the certificate (.pem or .crt file) with either the certificate chain (typically a PKCS7, .p7b file) or a list of root, intermediary, and signing certificates (two, three, or more .pem or .crt files).

6. If the CA provides only individual certificate files for the signed certificate and the certificate chain (and not the p7b), then you must combine these into a p7b format before importing into the keystore. You might have multiple certificates for each CA in the chain, you can concatenate them together and then use the openssl utility to convert to the p7b format:

   cat root_cert.pem intermediate_cert.pem signing_cert.pem <any other intermediate cert> > ca_certs_chain.pem
   openssl crl2pkcs7 -nocrl -certfile <any other signed certificate>.pem -out certs.p7b -certfile ca_certs_chain.pem

   Note

   openssl is a common command line utility on UNIX systems and binaries are available for Windows from the openssl.org site.

7. Go to the <APP_INSTALL_DIR>/truesight/application/common/certs directory.

8. Back up all the files in this directory.
9. Copy the combined certs.p7b file that you have generated in step 6 and paste it in the <APP_INSTALL_DIR>/truesight/application/app/vulnerability-management-portal/data/logs directory.

10. Navigate to the truesight-app-vulnerability-management-portal container by using the following command:

    docker exec -it truesight-app-vulnerability-management-portal /bin/bash

11. Navigate to the /opt/bmc/truesight/vulnerability-management/tomcat/conf directory and back up the keystore and key files, and the server.xml file.

12. Navigate to the /opt/bmc/truesight/vulnerability-management/app/logs folder: 

    cd /opt/bmc/truesight/vulnerability-management/app/logs

13. Copy the certs.p7b file to the /opt/jre/lib/security directory.

    cp certs.p7b /opt/jre/lib/security

14. Import the certs.p7b file into the keystore.
    The alias name in this command must be the same as the alias name used during the generation of the private key and CSR, for example, tsvm-server.

    keytool -importcert -keystore <keystoreLocation>/tsvm.keystore -file <Dir_p7bFile>/certs.p7b -storepass changeit -alias tsvm-server -storetype jks

    In this command certs.p7b is the file that contains the CA-signed certificate request and the certificates in the authority chain. The other values are from the previous step when you generated the new keystore. 

15. Verify the contents of the keystore that the SSL certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry.  
    For example: 
    

    keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt

16. Modify the server.xml configuration file, as follows:
1. Navigate to /tomcat/conf directory, and open the server.xml configuration file with a text editor.
2. Search for the following Connector tag in the <!-- http connector only used for internal communication --> section (Press f to view the example below in full screen).
   <Connector keystorePass="password" keystoreFile="/opt/bmc/truesight/vulnerability-management/tomcat/config/blpSslCertificate.cert" sslProtocol="TLS" clientAuth="false" secure="true" scheme="https" maxThreads="500" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" namePrefix="dcaPortal" useSendfile="false" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"   compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>

3. In the above Connector tag, modify the keystorePass and keystoreFile parameters so they reflect the values you set when creating the new keystore.

17. Using the Stack Manager tool, restart the application services using the following commands:

    python truesight-sm.py stop --deployment application
    python truesight-sm.py start --deployment application