Adding a trusted certificate
Instead of using the default SSL certificate that TrueSight Vulnerability Management provides, some organizations might want to use their own certificate. Organizations can use an existing certificate or obtain one from a certificate authority or other trusted source.
If you want to replace the default certificate, you can use the following procedure to create a keystore, add a certificate to the keystore, and modify the server.xml file.
To add a trusted certificate
1. On the application server computer, navigate to the truesight-app-vulnerability-management-portal container by using the following command:
docker exec -it truesight-app-vulnerability-management-portal /bin/bash
2. Create the keystore and the private key (keystore.jks).
A keystore holds your private and public keys. When creating a Java keystore, you create the keystore.jks file, which at first contains only the private key and its self-signed certificate. This example uses tsvm-server as the alias name.
keytool -genkeypair -alias tsvm-server -keystore tsvm.keystore -storetype jks -keyalg RSA -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: vw-aus-clmidd09.bmc.com
What is the name of your organizational unit?
[Unknown]: IDD
What is the name of your organization?
[Unknown]: BMC Software
What is the name of your City or Locality?
[Unknown]: San Jose
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US correct?
[no]: yes
Enter key password for <tsvm-server>
(RETURN if same as keystore password):
Re-enter new password:
3. Create the certificate signing request (CSR).
keytool -certreq -alias tsvm-server -keyalg RSA -file <Directory>/<fileName.csr> -keystore tsvm.keystore -sigalg SHA256withRSA
Replace <Directory> with the directory in which you want to generate the CSR. <fileName.csr> is the file that will hold the CSR.
4. Navigate out of the container using the exit command and send the CSR file to a CA for signing using one of the following methods. The CA authenticates the certificate requestor (usually off-line) and returns a certificate or certificate chain, which replaces the existing certificate chain in the keystore (initially a single self-signed certificate).
- Have the CSR signed by a commercial CA such as Symantec. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed SSL certificate. For more information about commercial CAs, see:
  - Symantec: http://digitalid.verisign.com/server
  - CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
  - Uptime Commerce Ltd: http://www.uptimecommerce.com
  - BelSign NV/SA: http://www.belsign.be
- Use your own CA and have the CSR signed by that CA.
5. Download the certificate (.pem or .crt file) together with either the certificate chain (typically a PKCS7, .p7b file) or a list of root, intermediary, and signing certificates (two, three, or more .pem or .crt files).
6. If the CA provides only individual certificate files for the signed certificate and the certificate chain (and not the .p7b), combine them into .p7b format before importing into the keystore. If there are multiple certificates for each CA in the chain, concatenate them in order and then use the openssl utility to convert the result to the p7b format:
cat root_cert.pem intermediate_cert.pem signing_cert.pem <any other intermediate cert> > ca_certs_chain.pem
openssl crl2pkcs7 -nocrl -certfile <any other signed certificate>.pem -out certs.p7b -certfile ca_certs_chain.pem
7. Go to the <APP_INSTALL_DIR>/truesight/application/common/certs directory.
8. Back up all the files in this directory.
9. Copy the combined certs.p7b file that you generated in step 6 to the <APP_INSTALL_DIR>/truesight/application/app/vulnerability-management-portal/data/logs directory.
10. Navigate to the truesight-app-vulnerability-management-portal container by using the following command:
docker exec -it truesight-app-vulnerability-management-portal /bin/bash
11. Navigate to the /opt/bmc/truesight/vulnerability-management/tomcat/conf directory and back up the keystore and key files, and the server.xml file.
12. Navigate to the /opt/bmc/truesight/vulnerability-management/app/logs folder:
cd /opt/bmc/truesight/vulnerability-management/app/logs
13. Copy the certs.p7b file to the /opt/jre/lib/security directory.
cp certs.p7b /opt/jre/lib/security
14. Import the certs.p7b file into the keystore.
The alias name in this command must be the same as the alias name used when generating the private key and CSR, for example, tsvm-server. Replace changeit with the keystore password you chose when creating the keystore.
keytool -importcert -keystore <keystoreLocation>/tsvm.keystore -file <Dir_p7bFile>/certs.p7b -storepass changeit -alias tsvm-server -storetype jks
In this command, certs.p7b is the file that contains the CA-signed certificate and the certificates in the authority chain. The other values are from the previous step when you generated the new keystore.
15. Verify the contents of the keystore and confirm that the SSL certificate was imported into the alias whose "Entry Type" is PrivateKeyEntry or KeyEntry. For example:
keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
16. Modify the server.xml configuration file, as follows:
- Navigate to the /tomcat/conf directory, and open the server.xml configuration file with a text editor.
- Search for the following Connector tag in the <!-- http connector only used for internal communication --> section.
<Connector keystorePass="password"
           keystoreFile="/opt/bmc/truesight/vulnerability-management/tomcat/config/blpSslCertificate.cert"
           sslProtocol="TLS" clientAuth="false" secure="true" scheme="https"
           maxThreads="500" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           namePrefix="dcaPortal" useSendfile="false"
           compression="on" compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>
- In the above Connector tag, modify the keystorePass and keystoreFile parameters so they reflect the values you set when creating the new keystore.
17. Using the Stack Manager tool, restart the application services using the following commands:
python truesight-sm.py stop --deployment application
python truesight-sm.py start --deployment application
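The script below is an added example and is not part of the BMC documentation or the product. It performs offline checks for two points in the procedure above where imports commonly go wrong: it counts the PEM blocks in the concatenated chain file produced by the cat command, and it parses keytool -list -v output to confirm that the CA reply landed on the tsvm-server private-key entry (chain longer than the original self-signed certificate) rather than being stored under a new alias as a trustedCertEntry, which is what happens when the -alias value does not match the key alias. The sample chain file and both keystore listings are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the BMC page or product: offline checks for the
# chain-concatenation step and the keytool -list -v verification step.
# All sample data below is constructed for this example.

# Number of PEM certificate blocks on stdin. If the concatenated chain file
# reports fewer blocks than CA files you expected to join, a file was missed.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# Constructed stand-in for ca_certs_chain.pem; the bodies are placeholders,
# not real certificates.
sample_chain_pem() {
    cat <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUING-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}

# Entry type reported by keytool -list -v (read from stdin) for ALIAS.
# usage: keytool -list -v -keystore tsvm.keystore | keystore_entry_type tsvm-server
keystore_entry_type() {
    awk -v alias="$1" '
        /^Alias name: / { current = substr($0, 13) }
        /^Entry type: / && current == alias { print substr($0, 13); exit }
    '
}

# Certificate chain length reported for ALIAS (1 = still the self-signed cert).
keystore_chain_length() {
    awk -v alias="$1" '
        /^Alias name: / { current = substr($0, 13) }
        /^Certificate chain length: / && current == alias { print substr($0, 27); exit }
    '
}

# Succeeds only when ALIAS is the private-key entry and its chain was replaced
# by the CA reply. An import under a different alias creates a separate
# trustedCertEntry and leaves the key entry self-signed; this check catches that.
keystore_alias_signed() {
    listing=$(cat)
    etype=$(printf '%s\n' "$listing" | keystore_entry_type "$1")
    length=$(printf '%s\n' "$listing" | keystore_chain_length "$1")
    case "$etype" in
        PrivateKeyEntry|KeyEntry) [ "${length:-0}" -gt 1 ] ;;
        *) return 1 ;;
    esac
}

# Constructed listing before the CA reply is imported: one self-signed key entry.
sample_listing_before() {
    cat <<'EOF'
Your keystore contains 1 entry

Alias name: tsvm-server
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
Issuer: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
EOF
}

# Constructed listing after a correct import: the key entry carries a
# three-certificate chain, and a second alias shows what an import under the
# wrong alias looks like (placeholder issuer names).
sample_listing_after() {
    cat <<'EOF'
Your keystore contains 2 entries

Alias name: tsvm-server
Creation date: Jan 2, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
Issuer: CN=Example Issuing CA, O=Example CA (placeholder)

Alias name: mistaken-import
Creation date: Jan 2, 2024
Entry type: trustedCertEntry

Owner: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
Issuer: CN=Example Issuing CA, O=Example CA (placeholder)
EOF
}

# Stand-alone run over the constructed samples.
echo "chain blocks: $(sample_chain_pem | pem_cert_count)"
for listing in sample_listing_before sample_listing_after; do
    if "$listing" | keystore_alias_signed tsvm-server; then
        echo "$listing: tsvm-server holds a CA-signed chain"
    else
        echo "$listing: tsvm-server is still self-signed or not a key entry"
    fi
done
```

On the real system, pipe the output of the keytool -list -v command from the verification step into keystore_alias_signed tsvm-server (inside the container, where the keystore lives); a non-zero exit means the import did not replace the self-signed chain on the key entry and the server.xml edit should wait until it does.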