Unsupported content This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.

Adding a trusted certificate

Instead of using the default SSL certificate that TrueSight Vulnerability Management provides, some organizations might want to use their own certificate. Organizations can use an existing certificate or obtain one from a certificate authority or other trusted source.

Note

When the default SSL certificate expires, you can update it using the instructions provided in the Knowledge Base Article.

If you want to replace the default certificate, you can use the following procedure to create a keystore, add a certificate to the keystore, and modify the server.xml file.

To add a trusted certificate

  1. On the application server computer, navigate to the truesight-app-vulnerability-management-portal container by using the following command:

    docker exec -it truesight-app-vulnerability-management-portal /bin/bash

  2. Create the keystore and the private key (keystore.jks).
    A keystore holds your private and public keys. When creating a Java keystore, you create the keystore.jks file that at first contains only the private key. This example uses tsvm-server as the alias name.

    keytool -genkeypair -alias tsvm-server -keystore tsvm.keystore -storetype jks -keyalg RSA -keysize 2048
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  vw-aus-clmidd09.bmc.com
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC Software
    What is the name of your City or Locality?
      [Unknown]:  San Jose
    What is the name of your State or Province?
      [Unknown]:  California
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software,
    O=IDD, L=San Jose, ST=California
    , C=US correct?
      [no]:  yes
    Enter key password for <clmui>
            (RETURN if same as keystore password):
    Re-enter new password:

    Note

    When you are prompted for first and last name, provide a fully-qualified domain name, as shown in the example above.

  3. Create the certificate sign-in request (CSR).

    keytool -certreq -alias tsvm-server -keyalg RSA -file <Directory>/<fileName.csr> -keystore tsvm.keystore -sigalg SHA256withRSA

    Replace <Directory> with the directory in which you want to generate the CRS. <filename>.csr is the file that will hold the CSR.

  4. Navigate out of the container using the exit command and send the CSR file to a CA for signing using one of the following methods. The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
  5. Download the certificate (.pem or .crt file) with either the certificate chain (typically a PKCS7, .p7b file) or a list of root, intermediary, and signing certificates (two, three, or more .pem or .crt files).

  6. If the CA provides only individual certificate files for the signed certificate and the certificate chain (and not the p7b), then you must combine these into a p7b format before importing into the keystore. You might have multiple certificates for each CA in the chain, you can concatenate them together and then use the openssl utility to convert to the p7b format:

    cat root_cert.pem intermediate_cert.pem signing_cert.pem <any other intermediate cert> > ca_certs_chain.pem
    openssl crl2pkcs7 -nocrl -certfile <any other signed certificate>.pem -out certs.p7b -certfile ca_certs_chain.pem

    Note

    openssl is a common command line utility on UNIX systems and binaries are available for Windows from the openssl.org site.

  7. Go to the <APP_INSTALL_DIR>/truesight/application/common/certs directory.
  8. Back up all the files in this directory.
  9. Copy the combined certs.p7b file that you have generated in step 6 and paste it in the <APP_INSTALL_DIR>/truesight/application/app/vulnerability-management-portal/data/logs directory.

  10. Navigate to the truesight-app-vulnerability-management-portal container by using the following command:

    docker exec -it truesight-app-vulnerability-management-portal /bin/bash
  11. Navigate to the /opt/bmc/truesight/vulnerability-management/tomcat/conf directory and back up the keystore and key files, and the server.xml file.

  12. Navigate to the /opt/bmc/truesight/vulnerability-management/app/logs folder: 

    cd /opt/bmc/truesight/vulnerability-management/app/logs

  13. Copy the certs.p7b file to the /opt/jre/lib/security directory.

    cp certs.p7b /opt/jre/lib/security

  14. Import the certs.p7b file into the keystore.
    The alias name in this command must be the same as the alias name used during the generation of the private key and CSR, for example, tsvm-server.

    keytool -importcert -keystore <keystoreLocation>/tsvm.keystore -file <Dir_p7bFile>/certs.p7b -storepass changeit -alias tsvm-server -storetype jks

    In this command certs.p7b is the file that contains the CA-signed certificate request and the certificates in the authority chain. The other values are from the previous step when you generated the new keystore. 

  15. Verify the contents of the keystore that the SSL certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry.  
    For example: 

    keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
  16. Modify the server.xml configuration file, as follows:
    1. Navigate to /tomcat/conf directory, and open the server.xml configuration file with a text editor.
    2. Search for the following Connector tag in the <!-- http connector only used for internal communication --> section (Press f to view the example below in full screen).
      <Connector keystorePass="password" keystoreFile="/opt/bmc/truesight/vulnerability-management/tomcat/config/blpSslCertificate.cert" sslProtocol="TLS" clientAuth="false" secure="true" scheme="https" maxThreads="500" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" namePrefix="dcaPortal" useSendfile="false" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"   compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>
    3. In the above Connector tag, modify the keystorePass and keystoreFile parameters so they reflect the values you set when creating the new keystore.

  17. Using the Stack Manager tool, restart the application services using the following commands:

    python truesight-sm.py stop --deployment application
    python truesight-sm.py start --deployment application

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*