Documentation update: To provide a better user experience, we have created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management). Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console.

Implementing private certificates in TrueSight Automation Console


TrueSight Automation Console uses self-signed certificates for secure communication. Instead of using self-signed certificates, you might choose to use a certificate signed by a certification authority (CA). The security administrator of your organization can provide the required CA-signed certificate or you can create a request to obtain a signed certificate from the CA that your organization recommends.

To create a certificate signing request (CSR)

You need to generate a CSR and a private key.  

Do the following:

  1. To generate a private key, run the following command:

    # openssl genrsa -out <private key file name> <2048|4096>

    For example: # openssl genrsa -out www.hostname.com.key.pem 2048
  2. To create a certificate signing request (CSR), run the following command:

    # openssl req \
         -key <private key file name> \
         -new -sha256 -out <certificate file name>
    For example:
    # openssl req \
         -key www.hostname.com.key.pem \
         -new -sha256 -out www.hostname.com.csr.pem

    Enter pass phrase for www.hostname.com.key.pem: <password>
    You are about to be asked to enter information that will be incorporated into your certificate request.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name []:California
    Locality Name []:San Jose
    Organization Name []:BMC Software
    Organizational Unit Name []:Security and Operations
    Common Name []:www.bmc.com
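    Email Address []:notify@bmc.com

    The <filename>.csr.pem file that contains the CSR is generated. The pass phrase prompt appears only if the private key is encrypted; a key generated with the command in step 1 is not.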

  3. Send the CSR file to a CA for signing using one of the following methods. The CA authenticates the certificate requestor (usually off-line) and returns a certificate or certificate chain, which replaces the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
    • Have the CSR be signed by a commercial CA. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed SSL certificate. 
      OR
    • Use your own CA and get the CSR signed by this CA.

To apply the CA-signed certificates

After you obtain the signed certificates from the CA, you must import them in TrueSight Automation Console.

Do the following:

  1. Download the following certificates in the .pem format: root, intermediate, and signed.
  2. Run the following command to create a certificate chain by concatenating the root, intermediate, and signed certificates:

    cat signed_cert ca_cert im_cert signing_cert ... > combined_file
  3. On a host where the TrueSight Automation Console application is installed, run the following commands to back up the existing certificate files:

    cp <install_dir>/application/common/certs/tsvmSslCertificate.crt <install_dir>/application/common/certs/tsvmSslCertificate.crt.original

    cp <install_dir>/application/common/certs/tsvmSslCertificate.key <install_dir>/application/common/certs/tsvmSslCertificate.key.original
  4. Copy the certificate and key files to the application's certificate directory under the names specified here:

    • www.hostname.com.cert.pem --> tsvmSslCertificate.crt
    • www.hostname.com.key.pem --> tsvmSslCertificate.key

    cp <trusted ca cert file name> <install_dir>/application/common/certs/tsvmSslCertificate.crt
    Example: cp www.hostname.com.cert.pem <install_dir>/application/common/certs/tsvmSslCertificate.crt

    cp <trusted ca key file name> <install_dir>/application/common/certs/tsvmSslCertificate.key
    Example: cp www.hostname.com.key.pem <install_dir>/application/common/certs/tsvmSslCertificate.key
  5. Restart the application. 

    /opt/bmc/stackmanager restart --deployment application

    You can now log on to TrueSight Automation Console using the private certificates. 
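The CSR and certificate procedures above, run end to end against a throwaway CA, as an added example that is not part of BMC's documentation: `make_csr` builds the key and CSR without prompts and adds a subjectAltName (current browsers match host names against it rather than the Common Name), and `check_pair` confirms before the restart that the key matches the first certificate in the file and that the chain verifies. The function names, `req.cnf` and the test CA are assumptions made for illustration; a real CA takes the place of `sign_with_test_ca`.

```bash
#!/usr/bin/env bash
# Added example. Host name, subject and the throwaway CA are constructed values.

make_csr() {  # usage: make_csr <fqdn> <dir>   (steps 1-2 of the CSR procedure)
    local fqdn="$1" d="$2"
    cat > "$d/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
x509_extensions = ca
[dn]
CN = $fqdn
[san]
subjectAltName = DNS:$fqdn
[ca]
basicConstraints = critical,CA:TRUE
EOF
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$d/$fqdn.key.pem" 2048 2>/dev/null ) &&
    openssl req -new -sha256 -key "$d/$fqdn.key.pem" -config "$d/req.cnf" \
        -out "$d/$fqdn.csr.pem"
}

sign_with_test_ca() {  # usage: sign_with_test_ca <fqdn> <dir>   (stand-in for step 3)
    local fqdn="$1" d="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -subj "/CN=Constructed Test CA" -keyout "$d/ca.key.pem" \
        -out "$d/ca.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/$fqdn.csr.pem" -CA "$d/ca.pem" -CAkey "$d/ca.key.pem" \
        -CAcreateserial -days 1 -extfile "$d/req.cnf" -extensions san \
        -out "$d/$fqdn.cert.pem" 2>/dev/null
}

check_pair() {  # usage: check_pair <cert or chain file> <key file> <root CA file>
    local crt="$1" key="$2" root="$3" kpub cpub
    # -passin pass: makes an encrypted key fail here instead of prompting.
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "key unreadable"; return 1; }
    # openssl x509 reads only the first certificate, which must be the server's.
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "certificate unreadable"; return 1; }
    [ "$kpub" = "$cpub" ] || { echo "key mismatch"; return 1; }
    # Any further certificates in the file act as untrusted intermediates.
    openssl verify -CAfile "$root" -untrusted "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "chain invalid"; return 1; }
    echo "ok"
}
```

Run `check_pair` on the files copied in step 4 together with the root certificate; any result other than `ok` means the restart in step 5 would load a broken pair, and the `.original` backups from step 3 can be restored instead.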

Resolving issues with trusted certificates

If you face issues while logging on to TrueSight Automation Console where the certificate is shown as "Not Secured", you may need to implement private certificates in TrueSight Server Automation. For more information, see the knowledge article TrueSight Automation Console (TSAC): The login page shows the SSL certificate as "Not Secured" (TSAC 21.02 above redirects to TSSA URL for login authentication).

Where to go next?

Now that you have configured trusted certificates, administrators can start setting up the application for your patch and vulnerability management needs. You can start using the features based on your role and requirements. See Using.

 
