Enabling SSL on Linux

This topic describes how to enable SSL for all the BMC Cloud Lifecycle Management components. It also provides detailed configuration steps to make the secured communication between the components. 

• • CLM applications that support HTTPS on SSL during installation
  • Before you begin
  • To create a Root CA certificate using OpenSSL
  • To configure the Mid Tier SSL
  • To integrate the Mid Tier with Platform Manager
  • To configure Atrium Web Services SSL
  • To integrate Atrium Web Services with BMC Network Automation
  • To configure SSL with BMC Server Automation
  • To configure SSL with BMC Server Automation and Platform Manager
  • To configure BMC Network Automation with SSL
  • To configure Platform Manager from HTTPS to HTTP with a Self-Signed Certificate
  • To configure Platform Manager from HTTP to HTTPS with a Self-Signed Certificate
  • To modify the Platform Manager integration with SSL
  • To configure BMC Capacity Optimization with SSL
    • To generate a certificate and key to use with Apache
    • To enable HTTPS in Apache
  • To integrate BMC Capacity Optimization and Platform Manager changes into SSL
  • To configure BMC Atrium Orchestrator with SSL
    • To configure AMREPO to work with SSL
    • To configure primary and secondary CDP to work with SSL
  • To configure BMC Server Automation and Atrium Orchestrator with SSL
  • To configure Atrium Orchestrator and Platform Manager with SSL
  • To configure Atrium Orchestrator and ITSM with SSL
  • To configure Cloud Portal Web Application from HTTP to HTTPS with a Self-Signed Certificate
  • To configure Cloud Portal Web Application from HTTPS to HTTP with a Self-Signed Certificate
  • To configure CLM Self-Checker from HTTP to HTTPS with a Self-Signed Certificate
  • To configure CLM Self-Checker from HTTPS to HTTP with a Self-Signed Certificate
  • Related topic

CLM applications that support HTTPS on SSL during installation

The following table lists the CLM applications that support HTTPS on SSL during installation:

Before you begin

• Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes! 
• When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host. 

To create a Root CA certificate using OpenSSL

1. Download and install the 32-bit and 64-bit OpenSSL packages (openssl-1.0.0-20.el6_2.5.i686.rpm and openssl-1.0.0-20.el6_2.5.x86_64.rpm) on its own host.
   For more information, see System requirements for Linux.
2. Create Keys, Certificates, and CSR folders. 
   These categories are for placing keys, certificates files, and so on.
3. Open a command prompt and navigate to openssl (for example, /usr/bin/openssl). 

4. Generate the key pair for root CA. 
   Store this key pair in the Keys/RootCA.key file.

   [root@vl-aus-csm-dv01 bin]# ./openssl genrsa -out /data1/Keys/RootCA.key 1024
   Generating RSA private key, 1024 bit long modulus
   .................................++++++
   ...........++++++
   e is 65537 (0x10001)
   
5. Generate a self signed certificate for CA. 
   This CA certificate is used across all cloud products as a common certificate. Store the certificate in the RootCA.crt file.

   1. Enter the following command:

      ./openssl req -config /opt/bmc/rscd/NSH/share/openssl.cnf -new -x509 
      -days 365 -key /data1/Keys/RootCA.key -out /data1/Certificates/RootCA.crt

   2. Create a Distinguished Name (DN)..
      Make sure that you enter all required information. Many fields contain defaults. Some settings you can leave blank. If you enter a period, the field will be left blank. 

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:CA
      Locality Name (eg, city) []:San Jose
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC
      Organizational Unit Name (eg, section) []:IDD
      Common Name (eg, YOUR name) []:John Stamps
      Email Address []:jstamps@bmc.com
   3. Press Enter to create the certificate.

To configure the Mid Tier SSL

1. On the Mid Tier host, create Keys, Certificates, and CSR folders. 
2. Copy RootCA.key to /data1/Keys/.
3. Copy RootCA.crt to /data1/Certificates/. 

4. Stop the Mid Tier Tomcat server.
   For example:

   /opt/apache/tomcat6.0/bin/shutdown.sh
5. Open a command prompt and navigate to the jre/bin folder (for example, /usr/java/jdk1.7.0_75/jre/bin for version 4.5). 

6. Create a keypair using the keytool utility.
   If the Mid Tier is behind a load balancer, use CN as the load balancer name.  But here it is MT. 

   ./keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 
   -keypass "changeit" -storepass "changeit" -keystore /data1/Keys/keystore.jks

7. At the prompts, enter the required information to create the keypair, and then press Enter. 

   What is your first and last name?
     [Unknown]:  MT
   What is the name of your organizational unit?
     [Unknown]:  IDD
   What is the name of your organization?
     [Unknown]:  BMC
   What is the name of your City or Locality?
     [Unknown]:  San Jose
   What is the name of your State or Province?
     [Unknown]:  CA
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=MT, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
     [no]:  yes

8. Create the Certificate Signing Request (CSR) from Mid Tier primary to retrieve the certificate from CA (that is, CLM).

   ./keytool -certreq -keyalg RSA -alias tomcat 
   -file /data1/CSR/mt.csr -keystore /data1/Keys/keystore.jks

   At the prompt, enter changeit as the password.

9. Use the following openssl command (for example, /usr/bin/openssl)to generate a Mid Tier server certificate (mt_server.crt): 

   ./openssl x509 -req -days 365 -in /data1/CSR/mt.csr 
   -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
   -set_serial 01 -out /data1/Certificates/mt_server.crt
10. (HA only) After the certificate is generated (mt_server.crt) in the Certificates folder, copy mt_server.crt and RootCA.crt to the Mid Tier primary and secondary computers into their Certificates folder.

11. On the Mid Tier primary and secondary computers, import the Root CA certificate:

    /usr/java/jdk1.7.0_75/jre/bin/keytool -import 
    -alias root -keystore /data1/Keys/keystore.jks -trustcacerts 
    -file /data1/Certificates/RootCA.crt

    1. At the prompt, enter changeit as the password.

       [root@clm-aus-005120 Certificates]# cd /usr/java/jdk1.7.0_75/jre/bin/
       [root@clm-aus-005120 bin]# ./keytool -import -alias root 
       -keystore /data1/Keys/keystore.jks -trustcacerts 
       -file /data1/Certificates/RootCA.crt
       Enter keystore password:
       Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD,
       O=BMC, L=San Jose, ST=CA, C=US
       ...
       Trust this certificate? [no]:  yes
       Certificate was added to keystore
       [root@clm-aus-005120 bin]#
    2. When you see the Trust this certificate prompt, enter yes. 
       Your certificate is added to the keystore.  

12. Import the mt_server.crt certificate:

    ./keytool -import -alias tomcat -keystore /data1/Keys/keystore.jks 
    -trustcacerts -file /data1/Certificates/mt_server.crt

    At the prompt, enter changeit as the password.

    [root@clm-aus-005120 bin]# ./keytool -import -alias tomcat 
    -keystore /data1/Keys/keystore.jks -trustcacerts 
    -file /data1/Certificates/mt_server.crt
    Enter keystore password:
    Certificate reply was installed in keystore

    Your certificate reply is installed in the keystore.  

13. Open the server.xml file (in Linux, the default location is /opt/apache/tomcat6.0/conf/server.xml) in a text editor and uncomment the SSL related sections.

    1. Search for the following text and uncomment out the Connector port section:

       <!-- Define a SSL HTTP/1.1 Connector on port 8443
               This connector uses the JSSE configuration, when using APR, the
                connector should be using the OpenSSL style configuration
                described in the APR documentation -->
          <!--
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                      maxThreads="150" scheme="https" secure="true"
                      clientAuth="false" sslProtocol="TLS" />
          -->
       

        

    2. Modify the Connector port information as follows:

       <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="150" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLS"
                  keystoreFile="/data1/Keys/keystore.jks"
          keystorePass="<passwordMustEqualYourKeystorePassword>"
       />

        Here you change the connector port to 9443 and add the keystore file location and keystore password. 

       Note

       If you do not add the correct keystore password, the Tomcat server does not start properly.

        

    3. Save server.xml .

14. Start the Tomcat server.

    /opt/apache/tomcat6.0/bin/startup.sh
15. Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URL:
    https://<MidTier>:9443/arsys (where 9443 is SSL port)
    https://<LoadBalancer>:9443/arsys
16. Add and confirm any security restrictions in your browser (as shown with Firefox).
     
17. When you access the Mid Tier the first time, review the certificate details, as shown with Internet Explorer.
    1. Review the General tab and verify who the certificate is issued to (for example, MT) and who it was issued by (for example, bmc.com).
    2. Click the Details tab and, review the certificate path or hierarchy.
    3. Confirm the security exception and open the Mid Tier. 

To integrate the Mid Tier with Platform Manager

1. Open the CMF:PluginConfiguration form in the Cloud Portal and Database AR System server.
   1. Edit the CallBackURL from http to https.
   2. Edit the port to 9443.
   3. Save the record.
2. Copy the RootCA.crt certificate from the Mid Tier server to the Platform Manager server (for example, to a Certificates folder).

3. Open a command window, change directories to /usr/java/jdk1.7.0_75/jre/bin/ (by default), and then import the certificate:

   ./keytool -import -alias root 
   -keystore "/usr/java/jdk1.7.0_75/jre7/lib/security/cacerts" 
   -trustcacerts -file "/data1/Certificates/RootCA.crt"
4. At the prompt, enter changeit as the password.

5. When you see the Trust this certificate prompt, enter yes. 
   Your certificate is added to the keystore.  

   [root@clm-aus-005121 Certificates]# cd /usr/java/jdk1.7.0_75/jre/bin/
   [root@clm-aus-005121 bin]# ./keytool -import -alias root 
   -keystore "/usr/java/jdk1.7.0_75/jre7/lib/security/cacerts" 
   -trustcacerts -file "/data1/Certificates/RootCA.crt"
   Enter keystore password:
   Re-enter new password:
   Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
   OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
6. Restart the server in the following order – first Platform Manager and second the Cloud Portal and Database AR System server.

To configure Atrium Web Services SSL

The following instructions apply only to Small or Medium deployments.

1. On the primary Atrium Core Web Services Registry host, create Keys, Certificates, and CSR folders. 
2. Copy RootCA.key to /data1/Keys/.
3. Copy RootCA.crt to /data1/Certificates/. 

4. Stop the Atrium Tomcat server.
   For example:

   /opt/bmc/AtriumWebRegistry/shared/tomcat/bin/shutdown.sh
5. Open a command prompt and navigate to the jre/bin folder (for example, /usr/java/jdk1.7.0_75/jre/). 

6. Create a keypair using the keytool utility. 
   If the Atrium Web Services are behind a load balancer, you can use CN as the load-balancer name.  But here it is AWS.

   ./keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 
   -keypass "changeit" -storepass "changeit" -keystore /data1/Keys/keystore.jks

7. At the prompts, enter the required information to create the keypair, and then press Enter. 

   [root@clm-aus-005118 bin]# ./keytool -genkey -alias tomcat 
   -keyalg RSA -keysize 1024 -keypass "changeit" -storepass "changeit" 
   -keystore /data1/Keys/keystore.jks
   What is your first and last name?
     [Unknown]:  AWS
   What is the name of your organizational unit?
     [Unknown]:  IDD
   What is the name of your organization?
     [Unknown]:  BMC
   What is the name of your City or Locality?
     [Unknown]:  San Jose
   What is the name of your State or Province?
     [Unknown]:  CA
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=AWS, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
     [no]:  yes

8. Create the Certificate Signing Request (CSR) from Atrium Web Services primary to retrieve the certificate from CA (that is, CLM).
   

   [root@clm-aus-005118 bin]# ./keytool -certreq -keyalg RSA 
   -alias tomcat -file /data1/CSR/aws.csr -keystore /data1/Keys/keystore.jks
   Enter keystore password:
   

   At the prompt, enter changeit as the password.

9. Use the following openssl command (for example, /usr/bin/openssl)to generate an Atrium Core Web Server certificate (aws_server.crt):
   

   ./openssl x509 -req -days 365 -in /data1/CSR/aws.csr 
   -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
   -set_serial 01 -out /data1/Certificates/aws_server.crt
   Signature ok
   subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=AWS
   Getting CA Private Key
10. After the certificate is generated (aws_server.crt) in the Certificates folder, copy aws_server.crt and RootCA.crt to the AWS primary and secondary hosts into their Certificates folder.

11. On the AWS primary and secondary hosts, import the Root CA certificate:
    

    [root@clm-aus-005118 bin]# ./keytool -import -alias root 
    -keystore /data1/Keys/keystore.jks -trustcacerts 
    -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    [root@clm-aus-005118 bin]#

    1. At the prompt, enter changeit as the password.
       
    2. When you see the Trust this certificate prompt, enter yes.
       Your certificate is added to the keystore. 

12. Import the aws_server.crt certificate:
    

    [root@clm-aus-005118 bin]# ./keytool -import -alias tomcat 
    -keystore /data1/Keys/keystore.jks -trustcacerts 
    -file /data1/Certificates/aws_server.crt
    Enter keystore password:k
    Certificate reply was installed in keystore

    At the prompt, enter changeit as the password.
    Your certificate reply is installed in the keystore.  

13. Open the server.xml file (in Linux, the default location is /opt/bmc/AtriumWebRegistry/shared/tomcat/conf/server.xml) in a text editor and uncomment the SSL related sections.

    1. Search for the following text and uncomment out the Connector port section: 

       <!-- Define a SSL HTTP/1.1 Connector on port 8443
               This connector uses the JSSE configuration, when using APR, the
                connector should be using the OpenSSL style configuration
                described in the APR documentation -->
          <!--
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                      maxThreads="150" scheme="https" secure="true"
                      clientAuth="false" sslProtocol="TLS" />
          -->
       

        

    2. Modify the Connector port information as follows:
       

       <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="150" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLS"
                  keystoreFile="/data1/Keys/keystore.jks"
       />

        

       Here you change the connector port to 9443 and add the keyStore file location. 

    3. Save the server.xml .

14. Start the AWS Tomcat server.
    For example:

    /opt/bmc/AtriumWebRegistry/shared/tomcat/bin/startup.sh
15. Verify your changes to the AWS or AWS Load Balancer by accessing the following URL:
    https://<AWS>:9443 (where 9443 is SSL port)
    https://<LoadBalancer>:9443
16. Add and confirm any security restrictions in your browser.
    
17. When you access AWS the first time, review the certificate details.
18. Review who the certificate is issued to (for example, AWS) and who the certificate was issued by (for example, bmc.com).
    
19. Review the certificate path or hierarchy.

To integrate Atrium Web Services with BMC Network Automation

The following instructions apply only to Small or Medium deployments.

1. Log on to the Mid Tier to access the Cloud Portal and Database AR System server.
   You can use https://<MidTier>:9443/arsys to access the Cloud Portal and Database AR System server. 

   Note

   If you are running a dual AR System server environment, modify the default web path for the Enterprise-AR and Cloud-AR servers.  

2. Open the Server Information form for the Cloud Portal and Database AR System server.
3. Click the Advanced tab, and modify the URL in the Default Web Path field with the updated https and port (for example, 9443).Click the Advanced tab and modify the default web path URL with the updated https and port.
   For example, you might enter https://vw-san-clmidd:9443/arsys/.
4. Restart the Cloud Portal and Database AR System server.
5. Log on to BMC Network Automation.
6. Click the Admin tab, and navigate to System Admin > System Parameters.

1. In the Enable CMDB Integration section, modify the Web Service Endpoint URL field with the updated https and port 9443 URL (for example, https://bnaServer:9443/cmdbws/server/cmdbws.wsdl).
    
2. Click Save. 
   The BMC Network Automation console verifies your changes.  

1. When you finish, verify that physical location is accessed by BMC Network Automation during POD creation through the Atrium Web Services.
   If you have successfully integrated Atrium Web service and BNA SSL communication, go to BMC Network Automation and try to create a POD. The physical location created in the AR System server should be visible in the list during POD creation.

To configure SSL with BMC Server Automation

For more information on using a CA-issued certificate or certificate chain rather than the default self-signed certificate, see Securing communication with CA certificates in the BMC Server Automation documentation. 

1. On the BMC Server Automation host, create Keys, Certificates, and CSR folders. 
2. Copy RootCA.key to /data1/Keys/.
3. Copy RootCA.crt to /data1/Certificates/. 
4. Stop the BladeLogic Application Server.
   For example:
   /etc/init.d/blappserv stop 
5. Back up the bladelogic.keystore file and then delete the old file. This procedure creates a new bladelogic.keystore file.
   By default, this file is located in /opt/bmc/bladelogic/NSH/br/deployments. 
6. Open a command prompt and navigate to the jre/bin folder (for example, /usr/java/jdk1.7.0_75/jre/bin).

7. On the BMC Server Automation primary host, create a new keystore using the keytool utility. 
   If BMC Server Automation is behind a load balancer, you can use CN as the load-balancer name.

   clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -genkey 
   -alias blade -keyalg RSA -keysize 1024 -keypass "changeit" 
   -storepass "changeit" 
   -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore
   What is your first and last name?
     [Unknown]:  John Stamps
   What is the name of your organizational unit?
     [Unknown]:  IDD
   What is the name of your organization?
     [Unknown]:  BMC
   What is the name of your City or Locality?
     [Unknown]:  San Jose
   What is the name of your State or Province?
     [Unknown]:  CA
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
     [no]:  yes
   clm-aus-005115# pwd
   /opt/bmc/bladelogic/NSH/br/deployments
   clm-aus-005115# ls -l bl*
   -rw-r--r-- 1 root    root    1373 May 28 13:32 bladelogic.keystore
   -rw-r--r-- 1 bladmin bladmin 2040 May 19 06:43 bladelogic.keystore.bak
   
   

8. Create the Certificate Signing Request (CSR) from BMC Server Automation primary to retrieve the certificate from CA (that is, CLM).

   clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -certreq 
   -keyalg RSA -alias blade -file /data1/CSR/blade.csr 
   -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore
   Enter keystore password:
   clm-aus-005115#

   At the prompt, enter changeit as the password.

9. Use the following openssl command (for example, /usr/bin/openssl) to generate a BladeLogic server certificate (blade.crt) on the BMC Server Automation primary host in the Certificates folder: 
   

   clm-aus-005115# /usr/bin/openssl x509 -req -days 365 
   -in /data1/CSR/blade.csr -CA /data1/Certificates/RootCA.crt 
   -CAkey /data1/Keys/RootCA.key -set_serial 01 -out /data1/Certificates/blade.crt
   Signature ok
   subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
   Getting CA Private Key

10. On the BMC Server Automation primary host, import the Root CA certificate:

    clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -import 
    -alias blade -keystore 
    /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore 
    -trustcacerts -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    clm-aus-005115#
    

    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes. 
       Your certificate is added to the keystore. 
       

11. Import the blade.crt certificate:
    

    clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias blade 
    -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore 
    -trustcacerts -file /data1/Certificates/blade.crt
    Enter keystore password:
    Certificate reply was installed in keystore

    Your certificate reply is installed in the keystore.  

12. Copy the bladelogic.keystore file you just created to each of the deployments server folders (for example, /opt/bmc/bladelogic/NSH/br/deployments/_launcher).
13. Start the BladeLogic Application Server.
    For example:
    /etc/init.d/blappserv start
14. Verify your changes to the BMC Server Automation URL by accessing the following link:
    https://<BladeLogic>:10843 (where 10843 is the SSL port)
15. When you access BMC Server Automation URL the first time, review the certificate details.
    
16. Log on to the BladeLogic Application Server.through BMC Server Automation Console.
    In the login screen, click Options > Certificates > View to view the certificate. This screen displays the certificate details like issued to clm-hou-bbsa and Issued by CA (for example, CLM).
17. For BMC Server Automation secondary, follows steps 1 > 2 > 3 > 12 > 13 >14 >15 >16 >17 in order.

To configure SSL with BMC Server Automation and Platform Manager

1. On the Platform Manager host, open the providers.json file (for example, /opt/bmc/BMCCloudLifeCycleManagement/Platform_Manager/configuration/providers.json).

2. Change the protocol and the SSL port in the providers.json file for the BBSA_SERVER_PORT attribute value.

   For example:

     "name" : "BBSA_SERVER_PORT"
       },
      "attributeValue" : "10843",
      "description" : "BBSA Webservices Port",
      "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
      "name" : "BBSA_SERVER_PORT"
     }, {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
      "accessAttribute" : {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
        "datatype" : "STRING",
        "description" : "BBSA Server Protocol",
        "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
        "isOptional" : false,
        "isPassword" : false,
        "modifiableWithoutRestart" : false,
        "name" : "BBSA_SERVER_PROTOCOL"
       },
      "attributeValue" : "https",
      "description" : "BBSA Server Protocol",
3. Save your changes and restart the Platform Manager.

To configure BMC Network Automation with SSL

1. On the BMC Network Automation host, create Keys, Certificates, and CSR folders. 
2. Copy RootCA.key to /data1/Keys/.
3. Copy RootCA.crt to /data1/Certificates/. 
4. Stop the BCA-Networks Web Server.
   For example:
   /etc/init.d/enatomcat stop 
   /etc/init.d/xinetd stop 
5. Back up the .keystore file (by default, located at /var/bca-networks-data) and then delete the old file. This procedure creates a new .keystore file.
6. On the primary BMC Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, /usr/java/jdk1.7.0_75/jre/bin). 

7. Create a new keystore using the keytool utility. 
   If BMC Network Automation is behind a load balancer, you can use CN as the load-balancer name.  Use the following syntax so that keytool works properly:

   [root@clm-aus-005116 bca-networks-data]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
   -genkey -alias clm-bna -keyalg RSA -keysize 1024 -keypass "changeit" 
   -storepass "changeit" -keystore /var/bca-networks-data/.keystore
   What is your first and last name?
     [Unknown]:  John Stamps
   What is the name of your organizational unit?
     [Unknown]:  IDD
   What is the name of your organization?
     [Unknown]:  BMC
   What is the name of your City or Locality?
     [Unknown]:  San Jose
   What is the name of your State or Province?
     [Unknown]:  CA
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, 
   ST=CA, C=US correct?
     [no]:  yes
   [root@clm-aus-005116 bca-networks-data]#
8. At the prompts, enter the required information to create the keystore, and then press Enter. 

9. Create the Certificate Signing Request (CSR) from BMC Network Automation primary to retrieve the certificate from CA (that is, CLM).

   [root@clm-aus-005116 ~]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
   -certreq -keyalg RSA -alias clm-bna -file /data1/CSR/clm-bna.csr 
   -keystore /var/bca-networks-data/.keystore
   Enter keystore password:
   [root@clm-aus-005116 ~]#
   

   At the prompt, enter changeit as the password.

10. Use the following openssl command (for example, /usr/bin/openssl)to generate the BBNA server certificate (clm-bna.crt): 
    

    [root@clm-aus-005116 ~]# /usr/bin/openssl x509 -req 
    -days 365 -in /data1/CSR/clm-bna.csr 
    -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
    -set_serial 04 -out /data1/Certificates/clm-bna.cr
    Signature ok
    subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
    Getting CA Private Key
    
11. After the certificate is generated (clm-bna.crt) in the Certificates folder, copy clm-bna.crt and RootCA.crt to the BMC Network Automation primary and secondary hosts into their Certificates folder.

12. On the BMC Network Automation primary and secondary computers, import the first Root CA certificate into the /var/bca-networks-data/.keystore file that was generated:

    [root@clm-aus-005116 ~]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias root -keystore /var/bca-networks-data/.keystore 
    -trustcacerts -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
    O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    [root@clm-aus-005116 ~]#
    

    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes. 
       Your certificate is added to the keystore. 
    3. If you have a secondary BMC Network Automation computer, import only the RootCA certificate in the java/cacerts file.

13. Import Root CA into the /opt/bmc/bca-networks/java/lib/security/cacerts file:

    [root@clm-aus-005116 /]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias root 
    -keystore /opt/bmc/bca-networks/java/lib/security/cacerts 
    -trustcacerts -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    [root@clm-aus-005116 /]#

14. Import the blm-bna.crt certificate:

    [root@clm-aus-005116 /]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias clm-bna -keystore /var/bca-networks-data/.keystore 
    -trustcacerts -file /data1/Certificates/clm-bna.crt
    Enter keystore password:
    Certificate reply was installed in keystore
    [root@clm-aus-005116 /]#

    Your certificate reply is installed in the keystore.  

15. Generate the encryption string for changeit.
    1. Open the BNA maintenance utility (by default, installed in /opt/bmc/bca-networks/utility).
    2. Click the Encrypt tab.
    3. Enter and confirm the changeit password.
    4. Click Encrypt to generate the encryption string for changeit. 
    5. Use the generated string for the keystorePassword  parameter in the server.xml file (by default, located at /opt/bmc/bca-networks/tomcat/conf).
16. Start the BCA-Networks Web Server.
    For example:
    /etc/init.d/enatomcat start 
    /etc/init.d/xinetd start 
17. Verify the BNA link by accessing https://<BNA-LB>:11443/bca-networks where 11443 is SSL port.
    The default login is sysadmin/sysadmin.  
18. If you have a load balancer, failover the BNA service and verify that you can able to access the link with Cluster name and with the same certificate it displays.
19. When you access the BMC Network Automation URL the first time, review the certificate details, and so on.

1. In Cloud Portal and Database ITSM, open the CMF:PluginConfiguration form and change the Root URL from http to https and update the SSL port to 9443.
2. In both ITSM hosts, import the RootCA certificate.
   1. Copy the RootCA.crt certificate to both hosts in its own folder (for example, /data1/Certificates).

   2. Import the certificate by entering following command.
      

      /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias root 
      -keystore 
      /opt/bmc/BMCCloudLifeCycleManagement/JVM_1.7.0_55/lib/security/cacerts 
      -trustcacerts -file /data1/Certificates/RootCA.crt
      Enter keystore password:
      Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, 
      OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
      ...
      Trust this certificate? [no]:  yes
      Certificate was added to keystore

      You do not need to import RootCA into the /usr/java/jdk1.7.0_75/jre/bin path. 

3. Restart the Platform Manager and AR System servers.
4. Verify your changes by putting the RESTClient on the ITSM host and connecting to the Platform Manager host with SSL URL and the trustcacerts path of Cloud Java (as above).

To configure BMC Capacity Optimization with SSL

This is a two-step process:

• Generating a certificate and key to use with Apache
• Enabling Apache to use HTTPS for BMC Capacity Optimization

To generate a certificate and key to use with Apache

1. Install the following packages on the host if they are not already present.
   • crypto-utils
   • mod_ssl
2. After installing these packages, generate a new key and a new SSL certificate using the genkey $hostname command. 
   Here $hostname is the fully qualified domain name of your BMC Capacity Optimization application server machine.
3. To create a certificate request, select the appropriate option.
   Enter the certificate fields with your information (Name, Firm, Country, and so on). If you do not want to manually insert a password every time you restart the Apache Httpd server (for example, if you are in an automatic HA environment), clear the encrypt key option.

4. During key generation, review the following output on the console:

   [root@clm-bco ~]# genkey csm-bco
   /usr/bin/keyutil -c genreq -g 1024 
   -s "CN=csm-bco, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US" -v 24 -a 
   -o /etc/pki/tls/certs/csm-bco.0.csr 
   -k /etc/pki/tls/private/csm-bco.key -z /etc/pki/tls/.rand.24660
   cmdstr: genreq
   cmd_CertReq
   command:  genreq
   ...
   subject = CN=csm-bco, OU=IDD, O=BMC, L=PUN, ST=SAN JOSE, C=US
   valid for 1 months
   random seed from /etc/pki/tls/.rand.24660
   output will be written to /etc/pki/tls/certs/csm-bco.crt
   output key written to /etc/pki/tls/private/csm-bco.key

   The Certificate Signing Request (csm-bco.0.csr) file is generated at the /etc/pki/tls/certs location.

5. Copy the csm-bco-0.csr file where you have CA or generate the CA certificate.
   Or send this csr file to CA to get certificate.

6. Generate the certifcate, using the csm-bco-0.csr file. 

   /usr/bin/openssl x509 -req -days 365 -in /data1/CSR/csm-bco.0.csr 
   -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
   -set_serial 878 -out /data1/Certificates/csm-bco.crt
   Loading 'screen' into random state - done
   Signature ok
   subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=csm-bco
   Getting CA Private Key

    

7. When you finish generating the key, you have the following results:
   • $hostname.crt certificate file in /etc/pki/tls/certs/
   • $hostname.key key file in /etc/pki/tls/private/
8. Create /pki/tls/certs and /pki/tls/private folders at $CPITBASE/3rd_party/apache2/etc.
9. Copy /etc/pki/tls/certs/$hostname.crt to $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.cert.
10. Copy /etc/pki/tls/private/$hostname.key to $CPITBASE/3rd_party/apache2/etc/pki/tls/ private/<hostname>.key.
11. Change the owner of both the copied files and the created folders to the owner using BMC Capacity Optimization.

To enable HTTPS in Apache

To enable HTTPS in your BMC Capacity Optimization installation, perform the following steps:

1. Modify the caplan.conf configuration file located at $CPITBASE/3rd_party/apache2/etc/httpd/conf.d, by adding the following information:

   SSLEngine on
   SSLProxyEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
   SSLCertificateFile 
   $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt
   SSLCertificateKeyFile  $CPITBASE/3rd_party/apache2 
   /etc/pki/tls/private/<hostname>.key

2. Create the ssl.conf file in $CPITBASE/3rd_party/apache2/etc/httpd/conf.d and add the following content.

   LoadModule ssl_module modules/mod_ssl.so
   Listen 8443
   AddType application/x-x509-ca-cert .crt
   AddType application/x-pkcs7-crl    .crl
   SSLPassPhraseDialog  builtin
   SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
   SSLSessionCacheTimeout  300
   SSLMutex default
   SSLRandomSeed startup file:/dev/urandom  256
   SSLRandomSeed connect builtin
   SSLCryptoDevice builtin

   Make sure that you change the required SSL port.

3. Restart Httpd using the $CPITBASE/cpit restart httpd command.
   The new URL to connect to BCO will be https://$hostname:8443/console. 

4. Import the certificate into /gfs/cpit/jre/lib/security/cacerts for the trusted CA certificate.

   [root@clm-bco bin]# ./keytool -import -alias root 
   -keystore /gfs/cpit/jre/lib/security/cacerts -trustcacerts 
   -file /etc/pki/tls/certs/RootCA.crt
   Enter keystore password:
   Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=IDD, 
   O=BMC, L=SAN JOSE, ST=CA, C=US
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
5. When you access the BCO URL, review the following certificate:
   
   
   

To integrate BMC Capacity Optimization and Platform Manager changes into SSL

To configure BMC Atrium Orchestrator with SSL

An HA environment typically has the following components installed.

• Host A Primary: AMREPO (Access Manager and Repository) and CDP installed
• Host B Secondary: AMREPO and HACDP installed
• Host C: SQL DB for AMREPO

In non-HA environments, BMC Atrium Orchestrator Access Manager and Repository are installed on a single server.For example, see To install Atrium Orchestrator AMREPO in Installing Small Deployment Linux for version 4.5. 

1. On the main AO hosts (for example, Host A and B), create Keys, Certificates, and CSR folders.
2. Copy RootCA.key to /data1/Keys/.
3. Copy RootCA.crt to /data1/Certificates/. 
   

4. Stop the Access Manager, Configuration Distribution Peer (CDP), and Repository servers.
   For example:

   /opt/bmc/ao-platform/amrepo/bin/bao.sh stop
   /opt/bmc/ao-platform/cdp/bin/bao.sh stop
5. Open a command prompt and navigate to the JRE folder (for example, /opt/bmc/ao-platform/amrepo/jvm/bin). 

6. On primary Host A, create a keypair using the keytool utility.
   If Atrium Orchestrator is behind a load balancer, use CN as the load balancer name. At the prompts, enter the required information to create the keypair, and then press Enter. 

   [root@clm-aus-005119 bin]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
   -genkey -alias AO -keyalg RSA -keysize 1024 -keypass "changeit" 
   -storepass "changeit" -keystore /data1/Keys/keystore.jks
   What is your first and last name?
     [Unknown]:  John Stamps
   What is the name of your organizational unit?
     [Unknown]:  IDD
   What is the name of your organization?
     [Unknown]:  BMC
   What is the name of your City or Locality?
     [Unknown]:  San Jose
   What is the name of your State or Province?
     [Unknown]:  CA
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, 
   ST=CA, C=US correct?
     [no]:  yes
   [root@clm-aus-005119 bin]#

7. Create the Certificate Signing Request (ao.csr) from AO primary to retrieve the certificate from CA (that is, CLM).
   At the prompt, enter changeit as the password.

   [root@clm-aus-005119 bin]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
   -certreq -keyalg RSA -alias AO -file /data1/CSR/ao.csr 
   -keystore /data1/Keys/keystore.jks
   Enter keystore password:
   [root@clm-aus-005119 bin]#
   

8. Use the following openssl command (for example, /usr/bin/openssl) to generate an Atrium Orchestrator certificate (ao.crt) in the Certificates folder.: 

   [root@clm-aus-005119 CSR]# /usr/bin/openssl x509 -req 
   -days 365 -in /data1/CSR/ao.csr -CA /data1/Certificates/RootCA.crt 
   -CAkey /data1/Keys/RootCA.key -set_serial 999 
   -out /data1/Certificates/ao.crt
   Signature ok
   subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
   Getting CA Private Key
   [root@clm-aus-005119 CSR]#
   
9. After the certificate is generated (ao.crt) in the Certificates folder, copy ao.crt and RootCA.crt to the AO primary, AO secondary, and AO Repo computers into their Certificates folder.

To configure AMREPO to work with SSL

1. On the AO primary and AO secondary hosts, import the Root CA certificate.
   At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.  

   [root@clm-aus-005119 Certificates]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
   -import -alias root -keystore /data1/Keys/keystore.jks -trustcacerts 
   -file /data1/Certificates/RootCA.crt
   Enter keystore password:
   Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
   O=BMC, L=San Jose, ST=CA, C=US
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   [root@clm-aus-005119 Certificates]#

2. Import the ao.crt certificate into the AO jvm security folder.
   At the prompt, enter changeit as the password.
   Your certificate reply is installed in the keystore.  

   [root@clm-aus-005119 security]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
   -import -alias root 
   -keystore /opt/bmc/ao-platform/amrepo/jvm/lib/security/cacerts 
   -trustcacerts -file /data1/Certificates/RootCA.crt
   Enter keystore password:
   Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
   O=BMC, L=San Jose, ST=CA, C=US
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   [root@clm-aus-005119 security]#

3. Import the ao.crt certificate into keystore.jks (for example, /data1/Keys/keystore.jks):

   [root@clm-aus-005119 security]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
   -import -alias AO -keystore /data1/Keys/keystore.jks 
   -trustcacerts -file /data1/Certificates/ao.crt
   Enter keystore password:
   Certificate reply was installed in keystore
   [root@clm-aus-005119 security]#
4. Open the Access Manager server.xml file (in Windows, for example, /opt/bmc/ao-platform/amrepo/tomcat/conf/server.xml) in a text editor and uncomment the SSL related sections. 

   1. Search for the following text and uncomment out the Connector port section:
      

      <!-- Define a SSL HTTP/1.1 Connector on port 8443
              This connector uses the JSSE configuration, when using APR, the
               connector should be using the OpenSSL style configuration
               described in the APR documentation -->
         <!--
         <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS" />
         -->
      

   2. Modify the Connector port information as follows.
      Uncomment the following section and update the required port (for example, 8443) and add the keystoreFile path for keystore. 
      Make sure that you save the file.
      

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS"
         keystoreFile="/data1/Keys/keystore.jks"
      />

       

5. Update the Login page entry in the context.xml file (for example, /opt/bmc/ao-platform/amrepo/tomcat/conf/context.xml) as follows:
   

   <Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" 
   type="java.lang.String" value="https://clm-aus-995119:8443/baoam/login.jsf"/>

6. Start the Access Manager server.
   For example:
   

   /opt/bmc/ao-platform/amrepo/bin/bao.sh start
   /opt/bmc/ao-platform/cdp/bin/bao.sh start
7. Verify the URL.
   For example:
   https://<AMPrimaryHost>:8443/baoam
   
8. Add and confirm any security restrictions in your browser.
   The default login is admin/admin123. 
   The certificate should display who you issued to and who it is issued by. For example:
   
9. Make the same changes to the secondary Access Manager server.
   1. Copy the keystore file.
   2. Update the server.xml and context.xml files.
   3. Import the Root CA certificate.
   4. Start the secondary Access Manager server. 
   5. Verify the URL.

To configure primary and secondary CDP to work with SSL

1. Modify the server.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/conf/server.xml) as follows.

   Uncomment the following section and update the required port (for example, 9443) and add the keystoreFile path for keystore.
   

   <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" 
    keystoreFile="/data1/Keys/keystore.jks"/>

    

2. Modify the context.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/context.xml) in a text editor.
   Update the following entry with corrected port and https.
   

   <Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" 
   value="https://clm-aus-005119:9443/baorepo/http"/>

3. Import the ROOTCA.crt certificate into the primary CDP JVM security folder.
   At the prompt, enter changeit as the password.
   Your certificate reply is installed in the keystore.
   

   /opt/bmc/ao-platform/amrepo/jvm/bin/keytool -import -alias root 
   -keystore /opt/bmc/ao-platform/cdp/jvm/lib/security/cacerts 
   -trustcacerts -file /data1/Certificates/RootCA.crt
   Enter keystore password:
   Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
4. Import the ROOTCA.crt certificate into the secondary CDP JVM security folder.

5. On the secondary CDP host, modify the context.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/conf/context.xml) in a text editor.
   Update the following entries with corrected port and https.
   

   Parameter name="com.bmc.ao.HACDP_CONFIGURATION" override="true" 
   value="https://admin:admin123@vw-hou-sln-qa18:9443/baocdp/ws/install?
   grid=GRID1&amp;peer=HACDP"/>
     <Environment name="grid-name" override="true" type="java.lang.String" 
      value="GRID1"/>
     <Environment name="peer-endpoint-urls" override="true" 
      type="java.lang.String" 
      value="https://vw-hou-sln-qa18:9443/baocdp/ws/console"/>
   

6. Start the CDP server on both nodes.
   For example:
   

   /opt/bmc/ao-platform/cdp/bin/bao.sh start
7. Verify the URL and then add and confirm any security restrictions in your browser.
   The certificate should display who you issued to and who it is issued by. 
   For example:
   https://<CDPHost>:9443/baocdp
   
   

To configure BMC Server Automation and Atrium Orchestrator with SSL

You already generated the bladelogic.keystore file for BMC Server Automation, the keystore file in /data1/Keys/keystore.jks for Atrium Orchestrator, and the RootCA.crt files in /data1/Certificates on both hosts.

1. Import the RootCA.crt certificate into the Bladelogic java security file on the BMC Server Automation node:

   clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -import -alias root 
   -keystore /opt/bmc/bladelogic/NSH/jre/lib/security/cacerts -trustcacerts 
   -file /data1/Certificates/RootCA.crt
   Enter keystore password:
   Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
   O=BMC, L=San Jose, ST=CA, C=US
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   clm-aus-005115#

2. Import the RootCA.crt certificate into the Bladelogic java security file on the Atrium Orchestrator node:

   [root@clm-aus-005119 /]# /opt/bmc/ao-platform/amrepo/jvm/bin/keytool 
   -import -alias root -keystore /opt/bmc/bladelogic/NSH/jre/lib/security/cacerts 
   -trustcacerts -file /data1/Certificates/RootCA.crt
   Enter keystore password:
   Certificate already exists in system-wide CA keystore under alias <root>
   Do you still want to add it to your own keystore? [no]:  yes
   Certificate was added to keystore
   [root@clm-aus-005119 /]#
3. Log into the BMC Server Automation server from both hosts with defaultProfile and verify the certificate obtained. 

To configure Atrium Orchestrator and Platform Manager with SSL

1. On the Platform Manager server, update the providers.json file for BAO details like https and port numbers wherever required.
   For example:

   [{
    "cloudClass" : "com.bmc.cloud.model.beans.Provider",
    "accessValues" : [ {
      "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
      "accessAttribute" : {
        "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
        "datatype" : "STRING",
        "guid" : "52461ff1-2ec4-11e0-91fa-0800200c9a66",
        "isOptional" : false,
        "isPassword" : false,
        "modifiableWithoutRestart" : false,
        "name" : "AO_SERVER_URL"
       },
      "attributeValue" : "https://clm-aus-005119:9443/baocdp/orca",
      "guid" : "78274c00-9d52-4b7a-bd07-7e7bfa413855",
      "name" : "AO_SERVER_URL"
     }

2. Stop and restart Platform Manager. 
   For example:

   /etc/init.d/bmccsm stop
   /etc/init.d/bmccsm start

    

To configure Atrium Orchestrator and ITSM with SSL

1. On the Cloud Portal and Database server, open the CMF:PluginConfiguration form and update Atrium Orchestrator details like FIELD_AO_PROTOCOL, the FIELD_AO_PORT, and so on. 

2. Stop and restart the AR System server. 
   For example:

   /data1/bmc/ARSystem/bin/arsystem stop
   /data1/bmc/ARSystem/bin/arsystem start

To configure Cloud Portal Web Application from HTTP to HTTPS with a Self-Signed Certificate

Use the following steps to configure HTTP to HTTPS using a Self-Signed Certificate on the Cloud Portal Web Application host. 

1. Generate a certificate (if the certificate does not exist).
   For example:

   [root@clm-aus-005289 data1]# /opt/bmc/CloudPortalWebApplication/jre/bin/keytool 
   -genkey -alias clmui
   -keyalg RSA -keystore /data1/Certificates/clmuiSslCertificate.cert 
   -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=SAN JOSE,s=CA,c=US" 
   -keypass "changeit" -storepass "changeit" -validity 36500
   [root@clm-aus-005289 data1]#
   
2. Copy the certificate to the required location.
   For example:
   /opt/bmc/CloudPortalWebApplication/clmui/Certificates 
3. Update /opt/bmc/CloudPortalWebApplication/tomcat/conf/server.xml.

   1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="9070" protocol="HTTP/1.1" 
      redirectPort="9443"/>

   2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
      keystoreFile="/opt/bmc/CloudPortalWebApplication/clmui/Certificates
      /clmuiSslCertificate.cert" 
      keystorePass="changeit" maxThreads="150" port="8443" scheme="https" 
      secure="true" sslProtocol="TLS"/>

4. Stop and restart Cloud Portal Web Application service.
   For example:

   /opt/bmc/CloudPortalWebApplication/tomcat/bin/shutdown.sh
   /opt/bmc/CloudPortalWebApplication/tomcat/bin/startup.sh

To configure Cloud Portal Web Application from HTTPS to HTTP with a Self-Signed Certificate

Use the following steps to configure HTTPS to HTTP using a Self-Signed Certificate. 

1. Update /opt/bmc/CloudPortalWebApplication/tomcat/conf/server.xml. 
   

   1. Replace the Connector entry:

       

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000"
      keystoreFile="/opt/bmc/CloudPortalWebApplication/clmui/Certificates
      /clmuiSslCertificate.cert"
      keystorePass="changeit" maxThreads="150" port="8443" scheme="https"
      secure="true" sslProtocol="TLS"/>

   2. With the following information:

       

       <Connector connectionTimeout="20000" port="9070"
      protocol="HTTP/1.1"
      redirectPort="9443"/>

2. Restart Cloud Portal Web Application service.
   For example:

    

   /opt/bmc/CloudPortalWebApplication/tomcat/bin/shutdown.sh /opt/bmc/CloudPortalWebApplication/tomcat/bin/startup.sh

To configure CLM Self-Checker from HTTP to HTTPS with a Self-Signed Certificate

Use the following steps to configure HTTP to HTTPS using a Self-Signed Certificate. 

1. Generate a certificate (if the certificate does not exist).
   For example:

   [root@clm-aus-005282 ~]# /opt/bmc/selfchecker/jre/bin/keytool 
   -genkey -alias clmselfchecker -keyalg RSA 
   -keystore /data1/Certificates/selfcheckerSslCertificate.cert 
   -dname "cn=clm-aus-005282,ou=IDD,o=BMC,l=San Jose,s=CA,c=US" 
   -keypass "changeit" -storepass "changeit" -validity 36500
   [root@clm-aus-005282 ~]#
   
2. Copy the certificate to the required location.
   For example:  
   /opt/bmc/selfchecker/selfchecker/Certificates/selfcheckerSslCertificate.cert 
3. Update /opt/bmc/selfchecker/tomcat/conf/server.xml .

   1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="8090" protocol="HTTP/1.1" 
      redirectPort="8443"/>

   2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
      keystoreFile="/opt/bmc/selfchecker/selfchecker/Certificates
      /selfcheckSslCertificate.cert" 
      keystorePass="changeit" maxThreads="150" port="8443" scheme="https" 
      secure="true" sslProtocol="TLS"/>

4. Stop and restart the Self Checker service.
   For example:

   /opt/bmc/selfchecker/tomcat/bin/shutdown.sh
   /opt/bmc/selfchecker/tomcat/bin/startup.sh

To configure CLM Self-Checker from HTTPS to HTTP with a Self-Signed Certificate

 Use the following steps to configure HTTPS to HTTP using a Self-Signed Certificate. 

1. Update /opt/bmc/selfchecker/tomcat/conf/server.xml. 
   

   1. Replace the Connector entry:

       

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000"
      keystoreFile="/opt/bmc/selfchecker/selfchecker/Certificates
      /selfcheckSslCertificate.cert"
      keystorePass="changeit" maxThreads="150" port="8443" scheme="https"
      secure="true" sslProtocol="TLS"/>

   2. With the following information:

       

      <Connector connectionTimeout="20000" port="8090" protocol="HTTP/1.1"
      redirectPort="8443"/>

2. Restart the Self Checker service.
   For example:

    

    
   /opt/bmc/selfchecker/tomcat/bin/shutdown.sh
   /opt/bmc/selfchecker/tomcat/bin/startup.sh

Related topic

Using-CLM-applications-with-third-party-Certification-Authority-certificates