Enabling SSL on Windows

This topic describes how to enable SSL for all the BMC Cloud Lifecycle Management components. It also provides detailed configuration steps to make the secured communication between the components.

Note

To simplify the tasks that customers must follow to enable SSL on Windows, the information in this topic has been divided into four new topics.

Enabling-SSL-HTTPS-on-core-Windows-CLM-applications-that-currently-use-HTTP – this new topic contains the tasks that are typically relevant to most BMC customers in their BMC Cloud Lifecycle Management deployment.
Enabling-SSL-HTTPS-on-non-CLM-applications – this new topic is relevant only to BMC Capacity Optimization customers.
Reconfiguring-Windows-CLM-applications-to-use-SSL-HTTPS – this is a highly specialized topic, not relevant to most BMC customers.
Reconfiguring-Windows-Platform-Manager-to-use-HTTP-instead-of-HTTPS – this is a highly specialized topic, not relevant to most BMC customers.

However, the current topic is preserved for customer reference.

CLM applications that support HTTPS on SSL during installation

The following table lists the CLM applications that support HTTPS on SSL during installation:

Product	Self-sign certificate?	Notes on integration path
Platform Manager	Yes	Import the Platform Manager cacerts file into the JRE of the following products: Mid Tier AR Portal Java Cloud Portal Web Application (EUP) CLM Self-Check Monitor Cloud Portal and Database AR System server Atrium Orchestrator
Cloud Portal Web Application	Yes	Import Self-Checker certificate to display the Dashboard Data.
CLM Self-Check Monitor	Yes
BMC Server Automation (BBSA)	Yes
BMC Network Automation (BBNA)	Yes
Atrium Core Web Services	Yes	Default HTTPS port is 7776. If you use port 7776, update information in the BMC Network Automation console.
Mid Tier	No
BMC Atrium Orchestrator	No

Before you begin

Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes!
When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host.
If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL.

Note

Mixing protocol in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in http mode or in https mode.

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic. But most customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Symantec.

To create a Root CA certificate using OpenSSL

Tip

Copy and paste the SSL commands into a text editor, strip out the line breaks, and modify the syntax for your environment.

Note

You need the RootCA.key when you configure the Mid Tier, Atrium Core Web Services, and BMC Atrium Orchestrator with HTTPS on SSL.

Download and install 64-bit OpenSSL1.0 on its own host.
For example, download OpenSSL from the Shining Light Productions website. There are multiple OpenSSL versions available. Make sure that you install an OpenSSL version that includes the openSSL.cfg file.
Create Keys, Certificates, and CSR folders.
These categories are for placing keys, certificates files, and so on.
Open a command prompt and navigate to the OpenSSL folder.
Generate the key pair for root CA.
Store this key pair in the C:\Keys\RootCA.key file.

C:\OpenSSL-Win64\bin>openssl genrsa -out C:\Keys\RootCA.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
...............++++++
....................................................++++++
e is 65537 (0x10001)
Generate a self signed certificate for CA.
This CA certificate is used across all cloud products as a common certificate. Store the certificate in the RootCA.crt file.
1. Enter the following command:
  
  C:\OpenSSL-Win64\bin>openssl req
  -config C:\OpenSSL-Win64\bin\openSSL.cfg
  -new -x509 -days 365 -key C:\Keys\RootCA.key
  -out C:\Certificates\RootCA.crt
2. Create a Distinguished Name (DN)..
  Make sure that you enter all required information. Many fields contain defaults. Some settings you can leave blank. If you enter a period, the field will be left blank.
  
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:California
  Locality Name (eg, city) []:San Jose
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:BMC Software
  Organizational Unit Name (eg, section) []:IDD
  Common Name (e.g. server FQDN or YOUR name) []:clm-aus-011538.bmc.com
  Email Address []:jstamps@bmc.com
3. Press Enter to create the certificate.

To configure the Mid Tier SSL

On the Mid Tier host, create Keys, Certificates, and CSR folders.
Stop the Mid Tier Tomcat server.
Open a command prompt and navigate to the JRE folder.
Create a keypair using the keytool utility.
If the Mid Tier is behind a load balancer, use CN as the load balancer name. But here it is vw-aus-clnidd03.

C:\Program Files\Java\jre7\bin>keytool.exe -genkey
-alias tomcat -keyalg RSA -keysize 2048
-keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks
At the prompts, enter the required information to create the keypair, and then press Enter.

C:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias tomcat
-keyalg RSA -keysize 2048 -keypass "changeit"
-storepass "changeit" -keystore C:\Keys\keystore.jks
What is your first and last name?
  [Unknown]: vw-aus-clnidd03
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC
What is the name of your City or Locality?
  [Unknown]: SAN JOSE
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=vw-aus-clnidd03, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  [no]: yes
Create the Certificate Signing Request (CSR) from Mid Tier primary to retrieve the certificate from CA (i.e. CLM).

C:\Program Files\Java\jre7\bin>keytool.exe
-certreq -keyalg RSA -alias tomcat -file C:\CSR\mt.csr
-keystore C:\Keys\keystore.jks
Enter keystore password:

At the prompt, enter changeit as the password.
Copy the mt.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate, and then run the following command on the OpenSSL computer:

C:\OpenSSL-Win64\bin>openssl x509 -req -days 365
-in C:\CSR\mt.csr -CA C:\Certificates\RootCA.crt
-CAkey C:\Keys\RootCA.key -set_serial 01
-out C:\Certificates\mt_server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=vw-aus-clnidd03
Getting CA Private Key
After the certificate is generated (mt_server.crt) in the Certificates folder, copy mt_server.crt and RootCA.crt to the Mid Tier primary and secondary computers into their Certificates folder.
On the Mid Tier primary and secondary computers, import the Root CA certificate:

C:\Program Files\Java\jre7\bin>keytool.exe
-import -alias root
-keystore C:\Keys\keystore.jks
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, O=BMC, L=SJ, ST=CA, C=US
Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, O=BMC, L=SJ, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
C:\Program Files\Java\jre7\bin>
1. At the prompt, enter changeit as the password.
2. When you see the Trust this certificate prompt, enter yes.
  Your certificate is added to the keystore.
Import the mt_server.crt certificate:

C:\Program Files\Java\jre7\bin>keytool.exe
-import -alias tomcat
-keystore C:\Keys\keystore.jks -trustcacerts
-file C:\Certificates\mt_server.crt
Enter keystore password:
Certificate reply was installed in keystore

At the prompt, enter changeit as the password. Your certificate reply is installed in the keystore.
Open the server.xml file (in Windows, the default location is C:\Program Files\Apache Software Foundation\Tomcat6.0\conf\server.xml) in a text editor and uncomment the SSL related sections.
1. Search for the following text and uncomment out the Connector port section:
  
  
     
2. Modify the Connector port information as follows:
  
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="C:\Keys\keystore.jks"
             keystorePass="<passwordMustEqualYourKeystorePassword>"
  />
  
  Here you change the connector port to 9443 and add the keyStore file location and keystore password.
  Note
  If you do not add the correct keystore password, the Tomcat server does not start properly.
3. Save the server.xml .
Start the Tomcat server.
Verify your changes to the Mid Tier or Mid Tier Load Balancer by accessing the following URL:
https://midTier:9443/arsys (where 9443 is SSL port)
https://loadBalancer:9443/arsys
Add and confirm any security restrictions in your browser.
When you access the Mid Tier the first time, review the certificate details.
1. Review the General tab and verify who the certificate is issued to and who it was issued by.
2. Click the Details tab and, review the certificate path or hierarchy.
Continue logging on to the Cloud Portal and Database AR System server.

To integrate the Mid Tier with Platform Manager

Open the CMF:PluginConfiguration form in the Cloud Portal and Database AR System server.
1. Edit the CallBackURL from http to https.
2. Edit the port to 9443.
3. Save the record.
Copy the RootCA.crt certificate from the Mid Tier server to the Platform Manager server (for example, to a Certificates folder).
Open a command window and change directories to C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\JVM_1.7.0_55\bin (by default).
Back up the ..\JVM_1.7.0_55\lib\security\cacerts file and then delete the original.
Import the certificate:
keytool.exe -import -alias root
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement
\JVM_1.7.0_55\lib\security\cacerts"
-trustcacerts -file "C:\Certificates\RootCA.crt"
Enter keystore password:
Re-enter new password:
...
Trust this certificate? [no]: yes
Certificate was added to keystore
At the prompt, enter changeit as the password.
When you see the Trust this certificate prompt, enter yes.
Your certificate is added to the keystore.
Restart the server in the following order – first BMC CSM on Platform Manager and second the Cloud Portal and Database AR System server.

To configure Atrium Web Services SSL

The following instructions apply only to Small or Medium deployments.

Note

In Compact Deployment, Atrium Web Services are not available as a separate component. Instead, they are installed as part of the Mid Tier. As a result, you do not need to configure SSL separately for Compact Deployment.

On the primary Atrium Core Web Services Registry host, create Keys, Certificates, and CSR folders.
Stop the Atrium Tomcat server.
Open a command prompt and navigate to the JRE folder.
Create a keypair using the keytool utility.
If the Atrium Web Services are behind a load balancer, you can use CN as the load-balancer name. But here it is AWS.
C:\Program Files\Java\jre7\bin>keytool.exe -genkey
-alias tomcat -keyalg RSA -keysize 2048
-keypass "changeit" -storepass "changeit"
-keystore C:\Keys\keystore.jks
At the prompts, enter the required information to create the keypair, and then press Enter.
keytool.exe -genkey -alias tomcat -keyalg RSA -keysize 2048
-keypass "changeit" -storepass "changeit" -keystore C:\Keys\keystore.jks
What is your first and last name?
  [Unknown]: vw-aus-clnidd01
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC
What is the name of your City or Locality?
  [Unknown]: SAN JOSE
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=vw-aus-clnidd01, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  [no]: yes
Create the Certificate Signing Request (CSR) from Atrium Web Services primary to retrieve the certificate from CA (that is, CLM).
C:\Program Files\Java\jre7\bin>keytool.exe -certreq
-keyalg RSA -alias tomcat
-file C:\CSR\aws.csr -keystore C:\Keys\keystore.jks
Enter keystore password:
At the prompt, enter changeit as the password.
Copy the aws.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (aws_server.crt), and then run the following command on the OpenSSL computer:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365
-in C:\CSR\aws.csr -CA C:\Certificates\RootCA.crt
-CAkey C:\Keys\RootCA.key -set_serial 01
-out C:\Certificates\aws_server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=vw-aus-clnidd01
Getting CA Private Key
After the certificate is generated (aws_server.crt) in the Certificates folder, copy aws_server.crt and RootCA.crt to the AWS primary and secondary hosts into their Certificates folder.
On the AWS primary and secondary hosts, import the Root CA certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -import
-alias root -keystore C:\Keys\keystore.jks
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com,
CN=vw-aus-clmidd05.bmc.com, OU=IDD,
O=BMC, L=SAN JOSE, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
1. At the prompt, enter changeit as the password.
2. When you see the Trust this certificate prompt, enter yes.
  Your certificate is added to the keystore.
Import the aws_server.crt certificate:
C:\Program Files\Java\jre7\bin>keytool.exe -import
-alias tomcat -keystore C:\Keys\keystore.jks
-trustcacerts -file C:\Certificates\aws_server.crt
Enter keystore password:
Certificate reply was installed in keystore
At the prompt, enter changeit as the password.
Your certificate reply is installed in the keystore.
Open the server.xml file (in Windows, the default location is C:\Program Files\BMC Software\Atrium Web Registry\shared\tomcat\conf\server.xml) in a text editor and uncomment the SSL related sections.
1. Search for the following text and uncomment out the Connector port section:
  
     
2. Modify the Connector port information as follows:
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="C:\Keys\keystore.jks"
  />
  
  Here you change the connector port to 9443 and add the keyStore file location.
3. Save the server.xml .
Start the AWS Tomcat server.
Verify your changes to the AWS or AWS Load Balancer by accessing the following URL:
https://<AWS>:9443 (where 9443 is SSL port)
https://<LoadBalancer>:9443
Add and confirm any security restrictions in your browser.
When you access AWS the first time, review the certificate details.
Review who the certificate is issued to (for example, AWS) and who the certificate was issued by (for example, bmc.com).
Review the certificate path or hierarchy.

To integrate Atrium Web Services with BMC Network Automation

The following instructions apply only to Small or Medium deployments.

Note

Log on to the Mid Tier to access the Cloud Portal and Database AR System server.
You can use https://<MidTier>:9443/arsys to access the Cloud Portal and Database AR System server.
Note
If you are running a dual AR System server environment, modify the default web path for the Enterprise-AR and Cloud-AR servers.
Open the Server Information form for the Cloud Portal and Database AR System server.
Click the Advanced tab, and modify the URL in the Default Web Path field with the updated https and port (for example, 9443).Click the Advanced tab and modify the default web path URL with the updated https and port.
For example, you might enter https://vw-san-clmidd:9443/arsys/.
Restart the Cloud Portal and Database AR System server.
Log on to BMC Network Automation.
Click the Admin tab, and navigate to System Admin > System Parameters.

In the Enable CMDB Integration section, modify the Web Service Endpoint URL field with the updated https and port 9443 URL (for example, https://bnaServer:9443/cmdbws/server/cmdbws.wsdl).
Click Save.
The BMC Network Automation console verifies your changes.

When you finish, verify that physical location is accessed by BMC Network Automation during POD creation through the Atrium Web Services.
If you have successfully integrated Atrium Web service and BNA SSL communication, go to BMC Network Automation and try to create a POD. The physical location created in the AR System server should be visible in the list during POD creation.

To configure SSL with BMC Server Automation

Warning

If you installed BMC Server Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly.

For more information on using a CA-issued certificate or certificate chain rather than the default self-signed certificate, see Securing communication with CA certificates in the BMC Server Automation documentation.

Note

Make sure that the Oracle instance is running.

On the BMC Server Automation host, create Keys, Certificates, and CSR folders.
Stop the BladeLogic Application Server.
Back up the bladelogic.keystore file, located at C:\Program Files\BMC Software\BladeLogic\appserver\br\deployments or C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments and then delete the original.
Open a command prompt and navigate to the BladeLogic JRE folder (for example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin).
On the BMC Server Automation primary host, create a new keystore using the keytool utility.
If BMC Server Automation is behind a load balancer, you can use CN as the load-balancer name.
Note
In the keytool syntax, use the password you created when you installed BMC Server Automation, not changeit.
keytool.exe -genkey -alias blade -keyalg RSA -keysize 2048
-keypass "<password>" -storepass "<password>"
-keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\
deployments\_template\bladelogic.keystore"
What is your first and last name?What is your first and last name?
  [Unknown]: JOHN STAMPS
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC
What is the name of your City or Locality?
  [Unknown]: SAN JOSE
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=JOHN STAMPS, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  [no]: yes
At the prompts, enter the required information to create the keypair, and then press Enter.
Create the Certificate Signing Request (CSR) from BMC Server Automation primary to retrieve the certificate from CA (that is, CLM).
keytool.exe -certreq -keyalg RSA -alias blade
-file C:\CSR\blade.csr -keystore "C:\Program Files\BMC Software\
BladeLogic\NSH\br\deployments\_template\bladelogic.keystore"
Enter keystore password:
At the prompt, enter the BMC Server Automation password, not changeit.
Copy the blade.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (blade.crt), and then run the following command on the OpenSSL computer:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365
-in C:\CSR\blade.csr -CA C:\Certificates\RootCA.crt
-CAkey C:\Keys\RootCA.key -set_serial 01
-out C:\Certificates\blade.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=JOHN STAMPS
Getting CA Private Key
After the certificate is generated (blade.crt) in the Certificates folder, copy blade.crt and RootCA.crt to the BMC Server Automation primary host into its Certificates folder.
On the BMC Server Automation primary host, import the Root CA certificate:
keytool.exe -import -alias blade
-keystore "C:\Program Files\BMC Software\BladeLogic\NSH\
br\deployments\_template\bladelogic.keystore"
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD,
O=BMC, L=SJ, ST=CA, C=US
Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN,
OU=IDD, O=BMC, L=SJ, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
1. At the prompt, enter changeit as the password.
2. When you see the Trust this certificate prompt, enter yes.
  Your certificate is added to the keystore.
Import the blade.crt certificate:
C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe
-import -alias blade
-keystore "C:\Program Files\BMC Software\BladeLogic\NSH\
br\deployments\_template\bladelogic.keystore"
-trustcacerts -file C:\Certificates\blade.crt
Enter keystore password:
Certificate reply was installed in keystore
Your certificate reply is installed in the keystore.
Copy the bladelogic.keystore file you just created from the _template folder to each of the deployments server folders.
Start the BladeLogic Application Server.
Verify your changes to the BMC Server Automation URL by accessing the following link:
https://<BladeLogic>:10843 (where 10843 is the SSL port)
When you access BMC Server Automation URL the first time, review the certificate details.
Log on to the BladeLogic Application Server.through BMC Server Automation Console.
In the login screen, click Options > Certificates > View to view the certificate. This screen displays the certificate details like issued to clm-hou-bbsa and Issued by CA (for example, CLM).
For BMC Server Automation secondary, follows the relevant steps (typically 1 > 2 > 3 > 12 > 13 >14 >15 >16 >17 in order).

To configure SSL with BMC Server Automation and Platform Manager

On the Platform Manager host, open the providers.json file.
Change the protocol and the SSL port in the providers.json file for the BBSA_SERVER_PORT attribute value.
For example:
  "name" : "BBSA_SERVER_PORT"
    },
   "attributeValue" : "10843",
   "description" : "BBSA Webservices Port",
   "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
   "name" : "BBSA_SERVER_PORT"
  }, {
   "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
   "accessAttribute" : {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
     "datatype" : "STRING",
     "description" : "BBSA Server Protocol",
     "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
     "isOptional" : false,
     "isPassword" : false,
     "modifiableWithoutRestart" : false,
     "name" : "BBSA_SERVER_PROTOCOL"
    },
   "attributeValue" : "https",
   "description" : "BBSA Server Protocol",
Save your changes and restart the Platform Manager.

To configure BMC Network Automation with SSL

Warning

If you installed BMC Network Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly.

Note

The BMC Network Automation CLI might not use the default JVM bundled with BNA (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin). In this case, you must import the root (and any intermediate) certificates into the keystore of the native JVM of the OS (in Windows, for example, C:\Program Files\Jave\jre7\lib\security\cacert).

On the BMC Network Automation host, create Keys, Certificates, and CSR folders.
Stop the BCA-Networks Web Server.
Back up the .keystore file (by default, located at C:\BCA-Networks-Data) and then delete the original.
On the primary BMC Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin).
Create a new keystore using the keytool utility.
If BMC Network Automation is behind a load balancer, you can use CN as the load-balancer name. Use the following syntax so that keytool works properly:
C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe
-genkey -alias clm-bna -keyalg RSA -keysize 2048 -keypass "changeit"
-storepass "changeit" -keystore "C:\BCA-Networks-Data\.keystore"
What is your first and last name?
  [Unknown]: JOHN STAMPS
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC
What is the name of your City or Locality?
  [Unknown]: SAN JOSE
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=JOHN STAMPS, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
  [no]: yes
At the prompts, enter the required information to create the keystore, and then press Enter.
Create the Certificate Signing Request (CSR) from BMC Network Automation primary to retrieve the certificate from CA (that is, CLM).
keytool.exe -certreq -keyalg RSA -alias clm-bna
-file C:\CSR\clm-bna.csr -keystore "C:\BCA-Networks-Data\.keystore"
Enter keystore password:
At the prompt, enter changeit as the password.
Copy the clm-bna.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (clm-bna.crt), and then run the following command on the OpenSSL computer:
C:\OpenSSL-Win64\bin>openssl>openssl x509 -req -days 365
-in C:\CSR\clm-bna.csr -CA C:\Certificates\RootCA.crt
-CAkey C:\Keys\RootCA.key -set_serial 04
-out C:\Certificates\clm-bna.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=clm-bna
Getting CA Private Key
After the certificate is generated (clm-bna.crt) in the Certificates folder, copy clm-bna.crt and RootCA.crt to the BMC Network Automation primary and secondary hosts into their Certificates folder.
On the BMC Network Automation primary and secondary computers, import the first Root CA certificate into the /var/bca-networks-data/.keystore file that was generated:
C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe
-import -alias root -keystore "C:\BCA-Networks-Data\.keystore"
-trustcacerts -file C:\Certificates\RootCA.crt
Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com,
OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
1. At the prompt, enter changeit as the password.
2. When you see the Trust this certificate prompt, enter yes.
  Your certificate is added to the keystore.
3. If you have a secondary BMC Network Automation computer, import only the RootCA certificate in the java/cacerts file.
Import Root CA into the C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts file:
C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe
-import -alias root
-keystore "C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts"
-trustcacerts -file C:\certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD,
O=BMC, L=San Jose, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
Import the blm-bna.crt certificate:
C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe
-import -alias clm-bna -keystore C:\BCA-Networks-Data\.keystore
-trustcacerts -file C:\Certificates\clm-bna.crt
Enter keystore password:
Certificate reply was installed in keystore
Your certificate reply is installed in the keystore.
Generate the encryption string for changeit.
1. Open the BNA maintenance utility (by default, installed in C:\Program Files\BMC Software\BCA-Networks\utility).
2. Click the Encrypt tab.
3. Enter and confirm the changeit password.
4. Click Encrypt to generate the encryption string for changeit.
5. Use the generated string for the keystorePassword parameter in the server.xml file (by default, located at C:\Program Files\BMC Software\BCA-Networks\tomcat\conf).
Start the BCA-Networks Web Server.

Verify the BNA link by accessing https://<BNA-LB>:11443/bca-networks where 11443 is SSL port.
The default login is sysadmin/sysadmin.
If you have a load balancer, failover the BNA service and verify that you can able to access the link with Cluster name and with the same certificate it displays.
When you access the BMC Network Automation URL the first time, review the certificate details, and so on.

Note

No integration level changes are required for BMC Network Automation. In the provider.json file, the BNA section is already populated with the https protocol and SSL port. This SSL port should be same on which you configured BMC Network Automation.

To configure Platform Manager from HTTPS to HTTP with a Self-Signed Certificate

Use the following steps to configure HTTPS to HTTP using a Self-Signed Certificate. If you are running HA, you only need to run the following commands on the primary host. SSL-level certification is not required on the secondary HA host.

Make sure the CSM service is running on the primary Platform Manager host.
On the primary Platform Manager host, create Keys, Certificates, and CSR folders.
Back up the keystore file (by default, located at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security).
Open a command prompt and navigate to the JRE folder (for example, C:\Program Files\java\jre7\bin).
Create a new keystore using the keytool utility and store it at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\security.

keytool.exe -genkey -alias PM -keyalg RSA -keysize 1024
-keypass "changeit" -storepass "changeit"
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore"
What is your first and last name?
  [Unknown]: clm-hou-pm
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC
What is the name of your City or Locality?
  [Unknown]: San Jose
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=clm-hou-pm, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
  [no]: yes

At the prompts, enter the required information to create the keystore, and then press Enter.
Create the Certificate Signing Request (PM.csr) to retrieve the certificate from Root CA.

keytool.exe -certreq -keyalg RSA -alias PM
-file C:\CSR\PM.csr
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore"
Enter keystore password:

At the prompt, enter changeit as the password.
Copy the PM.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (PM.crt), and then run the following command on the OpenSSL host:

C:\OpenSSL-Win64\bin>openssl x509 -req -days 365
-in C:\CSR\PM.csr -CA C:\Certificates\RootCA.crt
-CAkey C:\Keys\RootCA.key -set_serial 01 -out C:\Certificates\pm.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=clm-hou-pm
Getting CA Private K
After the certificate is generated (PM.crt) in the Certificates folder, copy PM.crt and RootCA.crt to the Platform Manager primary host into the Certificates folder.
On the Platform Manager primary host, import the Root CA certificate:

keytool.exe -import -alias root
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore"
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <root>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
1. At the prompt, enter changeit as the password.
2. If you are prompted that the certificate already exists, enter yes. Your certificate is added to the keystore.
Import the Root CA certificate into the Platform Manager JVM cacerts file.

keytool.exe -import -alias root
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
JVM_1.6.0_31\lib\security\cacerts"
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Certificate was added to keystore

At the prompt, enter changeit as the password.
Import the PM.crt certificate:

keytool.exe -import -alias PM1
-keystore "C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\
Platform_Manager\security\keystore"
-trustcacerts -file C:\Certificates\PM.crt
Enter keystore password:
Certificate was added to keystore
Verify or update the config.ini file (by default, located at /opt/bmc/BMCCloudLifeCycleManagement/Platform_Manager/configuration) with the following parameters:

org.osgi.service.http.port=7070
jetty.port=7070
jetty.ssl.password=changeit
jetty.ssl.keypassword=changeit

Make sure to save the config.ini file.
Verify or update the the configuration in the ../Platform_Manager/csm-bootstrap.properties file with the following parameters:

PersistenceNodeProtocol=http
NodeProtocol=http
NodePort=7070
PersistenceNodePort=7070

Make sure to save the csm-bootstrap.properties file.
Update the config.ini file (by default, located at C:\Program Files\BMC Software\BMCCloudLifeCycleManagement\Platform_Manager\configuration) with the following parameters:
1. Set the secureJetty attributeValue to false and the description to Use HTTP.
  
  {
  "cloudClass" : "com.bmc.cloud.model.beans.CloudService",
  "accessValues" : [ {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
     "accessAttribute" : {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "Boolean",
       "description" : "Use HTTP",
       "guid" : "b15fc770-4119-4cd6-bea6-1efdc5ecc768",
       "isOptional" : false,
       "isPassword" : false,
       "length" : 255,
       "modifiableWithoutRestart" : false,
       "name" : "secureJetty"
      },
     "attributeValue" : "false",
     "description" : "Use HTTP",
     "guid" : "2aacb37d-0b0c-48f2-b85f-e010e3705f49",
     "name" : "secureJetty"
    }
2. Set the attributeValue of Jetty port, CSM Local Port, and CSM Global Registry URL to 7070.
  Make sure that you also set the localhost attribute value to "localhost:7070".
  
  {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
     "accessAttribute" : {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "Integer",
       "description" : "Jetty Port",
       "guid" : "f1f036cc-7050-4a08-9e00-2a38cedaeef9",
       "isOptional" : false,
       "isPassword" : false,
       "length" : 255,
       "modifiableWithoutRestart" : false,
       "name" : "jettyPort"
      },
     "attributeValue" : "7070",
     "description" : "Jetty Port",
     "guid" : "e2513a26-1c6c-4fd1-9267-d3ff3d00b94a",
     "name" : "jettyPort"
  }
  {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
     "accessAttribute" : {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "Integer",
       "description" : "CSM Local Port",
       "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
       "isOptional" : false,
       "isPassword" : false,
       "length" : 255,
       "modifiableWithoutRestart" : false,
       "name" : "csm.local.port"
      },
     "attributeValue" : "7070",
     "description" : "CSM Local Port",
     "guid" : "b86fb3c3-d5c8-46dc-8d7d-5be05a392aff",
     "name" : "csm.local.port"
    }
  
  },{
  "cloudClass" : "com.bmc.cloud.model.beans.CloudService",
  "accessValues" : [ {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
     "accessAttribute" : {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "String",
       "description" : "CSM Global Registry URL",
       "guid" : "5f49c658-e3fb-4ace-95aa-d5c13636a82e",
       "isOptional" : false,
       "isPassword" : false,
       "length" : 255,
       "modifiableWithoutRestart" : false,
       "name" : "csm.global.url"
      },
     "attributeValue" : "localhost:7070",
     "description" : "CSM Global Registry URL",
     "guid" : "45cb9fc3-ac7e-49de-88d4-4d1042c48061",
     "name" : "csm.global.url"
    }, {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
     "accessAttribute" : {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "Integer",
       "description" : "CSM Local Port",
       "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
       "isOptional" : false,
       "isPassword" : false,
       "length" : 255,
       "modifiableWithoutRestart" : false,
       "name" : "csm.local.port"
      },
     "attributeValue" : 7070,
     "description" : "CSM Local Port",
     "guid" : "80e5622d-4dbc-49de-9ca6-deef7627e7f5",
     "name" : "csm.local.port"
    } ],
  "cloudServiceDefinition" :
    "/cloudservicedefinition/4bc19dbb-22e5-4a3d-a294-c3749e2b2947",
  "cloudServiceDefinitionObject" : {
     "cloudClass" : "com.bmc.cloud.model.beans.CloudServiceDefinition",
     "accessAttributes" : [ {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "String",
       "description" : "CSM Global Registry URL",
       "guid" : "5f49c658-e3fb-4ace-95aa-d5c13636a82e",
       "hasValueObject" : [ {
         "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
         "attributeValue" : "localhost:7070",
         "guid" : "79c5b890-1b4e-4514-8e28-ddd216551b3c",
         "name" : "csm.global.url"
        } ],
       "isOptional" : false,
       "isPassword" : false,
       "length" : 255,
       "modifiableWithoutRestart" : false,
       "name" : "csm.global.url"
      }, {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
       "datatype" : "Integer",
       "description" : "CSM Local Port",
       "guid" : "9ceda25b-b408-4f38-bf78-26fc8a941ced",
       "hasValueObject" : [ {
         "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
         "attributeValue" : "7070",
         "guid" : "de64d5ff-ff11-4e2d-b1e0-941072b4ae95",
         "name" : "csm.local.port"
  
  Make sure to save the cloudservices.json file.
Set the value parameter in the ..\Platform_Manager\configuration\PreferenceGroup.json file to http and 7070.
Note
If you plan to have Self-Check Monitor and Cloud Portal Web Application (installed on separate hosts) also on HTTP, make sure the protocol and port values related to these products are updated accordingly.

{
     "cloudClass": "com.bmc.cloud.model.beans.PreferenceGroupNameValuePair",
     "guid": "98d27d82-44fc-41c8-bde0-007f0fa8fc2f",
     "name": "clmui base URL",
     "value": "http://clm-aus-005121/clmui"
},{
Stop the CSM service and then perform the following actions:
1. Back up the cache and data folders in .\Platform_Manager.
2. Back up the org.eclipse.* folders in .\Platform_Manager\configuration.
3. Delete the cache, data, and org.eclipse.* folders.
Update the Platform Manager Root URL in the CMF:PluginConfiguration form on the Cloud Portal and Database AR System server to http and 7070.
Start the CSM service.
Restart the Cloud Portal and Database AR System service.
Use RESTClient to verify the Platform Manager SSL connection by using the SSL link.

To configure Platform Manager from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed Platform Manager with the default settings, HTTPS on SSL is already enabled.

To modify the Platform Manager integration with SSL

The following procedure applies if you are running multiple IT Service Management servers.

In Cloud Portal and Database ITSM, open the CMF:PluginConfiguration form and change the Root URL from http to https and update the SSL port to 9443.
In both ITSM hosts, import the RootCA certificate.
1. Copy the RootCA.crt certificate to both hosts in its own folder (for example, /data1/Certificates).
2. Import the certificate by entering following command.
  C:\Program Files\Java\jre7\bin>keytool -import -alias root -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
  Enter keystore password:
  Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=C
  A, C=US
  Issuer: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, O=BMC, L=San Jose, ST=
  CA, C=US
  Serial number: 802aae2101b14487
  Valid from: Thu Apr 10 13:52:46 PDT 2014 until: Fri Apr 10 13:52:46 PDT 2015
  Certificate fingerprints:
           MD5: 15:4C:BE:02:B4:1D:6D:05:12:78:62:14:41:A5:AD:DA
           SHA1: DE:B4:DF:5D:4E:58:B2:0B:EB:37:D7:57:F9:71:13:6B:CE:A5:05:B9
           SHA256: A5:AC:79:D0:E3:21:BA:88:E7:78:77:CD:E8:18:88:14:96:CC:64:64:FD:
  D6:12:76:CE:BF:70:BB:28:82:30:D9
           Signature algorithm name: SHA1withRSA
           Version: 3
  Extensions:
  #1: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76 3(`....G..J.k..v
  0010: 0D 6C 58 51                                        .lXQ
  ]
  ]
  #2: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 33 28 60 0A C6 83 16 47   D9 E2 4A D7 6B F9 DC 76 3(`....G..J.k..v
  0010: 0D 6C 58 51                                        .lXQ
  ]
  ]
  #3: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
    CA:true
    PathLen:2147483647
  ]
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  You do not need to import RootCA into the /usr/java/jdk1.7.0_75/jre/bin path.
Restart the Platform Manager and AR System servers.
Verify your changes by putting the RESTClient on the ITSM host and connecting to the Platform Manager host with SSL URL and the trustcacerts path of Cloud Java (as above).

To configure BMC Capacity Optimization with SSL

Warning

If you installed BMC Capacity Optimization with HTTPS on SSL, these instructions do not apply to you. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly.

This is a two-step process:

Generating a certificate and key to use with Apache
Enabling Apache to use HTTPS for BMC Capacity Optimization

To generate a certificate and key to use with Apache

Install the following packages on the host if they are not already present.
- crypto-utils
- mod_ssl
After installing these packages, generate a new key and a new SSL certificate using the genkey $hostname command.
Here $hostname is the fully qualified domain name of your BMC Capacity Optimization application server machine.
To create a certificate request, select the appropriate option.
Enter the certificate fields with your information (Name, Firm, Country, and so on). If you do not want to manually insert a password every time you restart the Apache Httpd server (for example, if you are in an automatic HA environment), clear the encrypt key option.
During key generation, review the following output on the console:
[root@clm-bco ~]# genkey csm-bco
/usr/bin/keyutil -c genreq -g 1024
-s "CN=csm-bco, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US" -v 24 -a
-o /etc/pki/tls/certs/csm-bco.0.csr
-k /etc/pki/tls/private/csm-bco.key -z /etc/pki/tls/.rand.24660
cmdstr: genreq
cmd_CertReq
command: genreq
...
subject = CN=csm-bco, OU=IDD, O=BMC, L=PUN, ST=SAN JOSE, C=US
valid for 1 months
random seed from /etc/pki/tls/.rand.24660
output will be written to /etc/pki/tls/certs/csm-bco.crt
output key written to /etc/pki/tls/private/csm-bco.key
The Certificate Signing Request (csm-bco.0.csr) file is generated at the /etc/pki/tls/certs location.
Copy the csm-bco-0.csr file where you have CA or generate the CA certificate.
Or send this csr file to CA to get certificate.
Generate the certifcate, using the csm-bco-0.csr file.
/usr/bin/openssl x509 -req -days 365 -in /data1/CSR/csm-bco.0.csr
-CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key
-set_serial 878 -out /data1/Certificates/csm-bco.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=csm-bco
Getting CA Private Key
When you finish generating the key, you have the following results:
- $hostname.crt certificate file in /etc/pki/tls/certs/
- $hostname.key key file in /etc/pki/tls/private/
Create /pki/tls/certs and /pki/tls/private folders at $CPITBASE/3rd_party/apache2/etc.
Copy /etc/pki/tls/certs/$hostname.crt to $CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.cert.
Copy /etc/pki/tls/private/$hostname.key to $CPITBASE/3rd_party/apache2/etc/pki/tls/ private/<hostname>.key.
Change the owner of both the copied files and the created folders to the owner using BMC Capacity Optimization.

To enable HTTPS in Apache

Note

Make sure that the ssl.conf file is present under $CPITBASE/3rd_party/apache2/etc/httpd/conf.d. If not, then create it with following SSL contents.
Make sure that the mod_ssl.so file is present under $CPITBASE/3rd_party/apache2/etc/httpd/modules. If not, then copy it from the /etc/httpd/modules path.

To enable HTTPS in your BMC Capacity Optimization installation, perform the following steps:

Modify the caplan.conf configuration file located at $CPITBASE/3rd_party/apache2/etc/httpd/conf.d, by adding the following information:
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile
$CPITBASE/3rd_party/apache2/etc/pki/tls/certs/<hostname>.crt
SSLCertificateKeyFile $CPITBASE/3rd_party/apache2
/etc/pki/tls/private/<hostname>.key
Create the ssl.conf file in $CPITBASE/3rd_party/apache2/etc/httpd/conf.d and add the following content.
LoadModule ssl_module modules/mod_ssl.so
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
Make sure that you change the required SSL port.
Restart Httpd using the $CPITBASE/cpit restart httpd command.
The new URL to connect to BCO will be https://$hostname:8443/console.
Import the certificate into /gfs/cpit/jre/lib/security/cacerts for the trusted CA certificate.
[root@clm-bco bin]# ./keytool -import -alias root
-keystore /gfs/cpit/jre/lib/security/cacerts -trustcacerts
-file /etc/pki/tls/certs/RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=clm.bmc.com, CN=CLM, OU=IDD,
O=BMC, L=SAN JOSE, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
When you access the BCO URL, review the following certificate:

To integrate BMC Capacity Optimization and Platform Manager changes into SSL

Note

If you are integrating BMC Capacity Optimization with HTTPS mode with PM, you do not need to perform any manual steps. The integration itself take care of all the required steps.

To configure BMC Atrium Orchestrator with SSL

An HA environment typically has the following components installed.

Host A Primary: AMREPO (Access Manager and Repository) and CDP installed
Host B Secondary: AMREPO and HACDP installed
Host C: SQL DB for AMREPO

In non-HA environments, BMC Atrium Orchestrator Access Manager and Repository are installed on a single server.

On the main AO hosts (for example, Host A and B), create Keys, Certificates, and CSR folders.
Stop the Access Manager, Configuration Distribution Peer (CDP), and Repository servers.
Open a command prompt and navigate to the AMREPO JRE folder (for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\jvm\bin).
On primary Host A, create a keypair using the keytool utility.
If Atrium Orchestrator is behind a load balancer, use CN as the load balancer name. At the prompts, enter the required information to create the keypair, and then press Enter.
keytool.exe -genkey -alias AO -keyalg RSA -keysize 2048
-keypass "changeit" -storepass "changeit"
-keystore C:\Keys\keystore.jks
What is your first and last name?
  [Unknown]: vw-aus-clmidd04.bmc.com
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC Software
What is the name of your City or Locality?
  [Unknown]: SAN JOSE
What is the name of your State or Province?
  [Unknown]: California
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=vw-aus-clmidd04.bmc.com, OU=IDD, O=BMC, L=SAN JOSE, ST=California, C=US correct?
  [no]: yes
Create the Certificate Signing Request (ao.csr) from AO primary to retrieve the certificate from CA (that is, CLM).
At the prompt, enter changeit as the password.
keytool.exe -certreq -keyalg RSA -alias AO
-file C:\CSR\ao.csr -keystore C:\Keys\keystore.jks
Enter keystore password:
Copy the ao.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate, and then run the following command on the OpenSSL computer:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365
-in "C:\CSR\ao.csr" -CA "C:\Certificates\RootCA.crt"
-CAkey "C:\Keys\RootCA.key" -set_serial 999 -out "C:\Certificates\ao.crt"
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=California/L=SAN JOSE/O=BMC Software/OU=IDD/CN=vw-aus-clmidd04.bmc.com
Getting CA Private Key
After the certificate is generated (ao.crt) in the Certificates folder, copy ao.crt and RootCA.crt to the AO primary, AO secondary, and AO Repo computers into their Certificates folder.

To configure AMREPO to work with SSL

On the AO primary and AO secondary hosts, import the Root CA certificate.
At the prompt, enter changeit as the password. When you see the Trust this certificate prompt, enter yes. Your certificate is added to the keystore.
keytool.exe -import -alias root -keystore C:\Keys\keystore.jks
-trustcacerts -file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=vw-aus-clmidd05.bmc.com,
OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
Import the ao.crt certificate into the AO jvm security folder.
At the prompt, enter changeit as the password.
Your certificate reply is installed in the keystore.
keytool.exe -import -alias root
-keystore "C:\Program Files\BMC Software\AO-Platform\AMREPO\
jvm\jre\lib\security\cacerts" -trustcacerts
-file C:\Certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=vw-aus-clmidd05.bmc.com,
OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
Import the ao.crt certificate into keystore.jks (for example, C:\Keys\keystore.jks):
keytool.exe -import -alias AO -keystore C:\Keys\keystore.jks
-trustcacerts -file C:\Certificates\ao.crt
Enter keystore password:
Certificate reply was installed in keystore
Open the Access Manager server.xml file (in Windows, for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\tomcat\conf\server.xml) in a text editor and uncomment the SSL related sections.
1. Search for the following text and uncomment out the Connector port section:
  
     
2. Modify the Connector port information as follows.
  Uncomment the following section and update the required port (for example, 8443) and add the keystoreFile path for keystore.
  Make sure that you save the file.
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
     keystoreFile="/data1/Keys/keystore.jks"
  />
Update the Login page entry in the context.xml file (for example, C:\Program Files\BMC Software\AO-Platform\AMREPO\tomcat\conf\context.xml) as follows:
<Environment name="com.bmc.security.am.LOGIN_PAGE" override="true"
type="java.lang.String" value="https://clm-aus-995119:8443/baoam/login.jsf"/>
Start the Access Manager server and verify the URL.
For example:
https://<AMPrimaryHost>:8443/baoam
Add and confirm any security restrictions in your browser.
The default login is admin/admin123.
The certificate should display who you issued to and who it is issued by. For example:
Make the same changes to the secondary Access Manager server.
1. Copy the keystore file.
2. Update the server.xml and context.xml files.
3. Import the Root CA certificate.
4. Start the secondary Access Manager server.
5. Verify the URL.

To configure primary and secondary CDP to work with SSL

Note

For CDP, use the same RootCA.crt and keystore.jks files you previously generated. In addition, use the keystore.jks file from the /data1/Keys/keystore.jks path.

Modify the server.xml file (for example, C:\Program Files\BMC Software\AO-Platform\CDP\tomcat\conf\server.xml) as follows.
Uncomment the following section and update the required port (for example, 9443) and add the keystoreFile path for keystore.
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/data1/Keys/keystore.jks"/>
Modify the context.xml file (for example, C:\Program Files\BMC Software\AO\AM\CDP\tomcat\conf\context.xml) in a text editor.
Update the following entry with corrected port and https.
<Parameter name="com.bmc.ao.REPOSITORY_URL" override="true"
value="https://clm-aus-005119:9443/baorepo/http"/>
Change directories to the primary CDP JRE/bin folder, for example, C:\Program Files\BMC Software\AO-Platform\CDP\jvm\jre\bin.
Import the ROOTCA.crt certificate into the primary CDP JVM security folder.
At the prompt, enter changeit as the password.
Your certificate reply is installed in the keystore.
keytool.exe -import -alias root
-keystore "C:\Program Files\BMC Software\AO-Platform\CDP\
jvm\jre\lib\security\cacerts"
-trustcacerts
-file C:\certificates\RootCA.crt
Enter keystore password:
Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN,
OU=IDD, O=BMC, L=SJ, ST=CA, C=US
Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN,
OU=IDD, O=BMC, L=SJ, ST=CA, C=US
...
Trust this certificate? [no]: yes
Certificate was added to keystore
Import the ROOTCA.crt certificate into the secondary CDP JVM security folder.
On the secondary CDP host, modify the context.xml file (for example, /opt/bmc/ao-platform/cdp/tomcat/conf/context.xml) in a text editor.
Update the following entries with corrected port and https.
Parameter name="com.bmc.ao.HACDP_CONFIGURATION" override="true"
value="https://admin:admin123@vw-hou-sln-qa18:9443/baocdp/ws/install?
grid=GRID1&peer=HACDP"/>
  <Environment name="grid-name" override="true" type="java.lang.String"
   value="GRID1"/>
  <Environment name="peer-endpoint-urls" override="true"
   type="java.lang.String"
   value="https://vw-hou-sln-qa18:9443/baocdp/ws/console"/>
Start the CDP server on both nodes and verify the URL.
For example:
https://<CDPHost>:9443/baocdp
Verify the URL and then add and confirm any security restrictions in your browser.
The certificate should display who you issued to and who it is issued by.
For example:
https://<CDPHost>:9443/baocdp

Note

When you access the BMC Server Automation application server from Atrium Orchestrator hosts, it should display the following certificate details.

image2014-4-15 13:10:50.png

image2014-4-15 13:11:44.png

To configure BMC Server Automation and Atrium Orchestrator with SSL

You already generated the keystore.jks file in C:\Keys\keystore.jks and the RootCA.crt file in C:\Certificates on both hosts.

Import the RootCA.crt certificate into the Bladelogic java security file on both nodes as follows:
keytool.exe -import -alias root
-keystore "C:\Program Files\BMC Software\BladeLogic\NSH\jre\
lib\security\cacerts" -trustcacerts -file C:\Certificates\RootCA.crt
Log into the BMC Server Automation server from both hosts with defaultProfile and verify the certificate obtained.

To configure Atrium Orchestrator and Platform Manager with SSL

On the Platform Manager server, update the providers.json file for BAO details like https and port numbers wherever required.
For example:
[{
"cloudClass" : "com.bmc.cloud.model.beans.Provider",
"accessValues" : [ {
   "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
   "accessAttribute" : {
     "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
     "datatype" : "STRING",
     "guid" : "52461ff1-2ec4-11e0-91fa-0800200c9a66",
     "isOptional" : false,
     "isPassword" : false,
     "modifiableWithoutRestart" : false,
     "name" : "AO_SERVER_URL"
    },
   "attributeValue" : "https://clm-aus-005119:9443/baocdp/orca",
   "guid" : "78274c00-9d52-4b7a-bd07-7e7bfa413855",
   "name" : "AO_SERVER_URL"
  }
Stop and restart Platform Manager.

To configure Atrium Orchestrator and ITSM with SSL

On the Cloud Portal and Database server, open the CMF:PluginConfiguration form and update Atrium Orchestrator details like FIELD_AO_PROTOCOL, the FIELD_AO_PORT, and so on.
Stop and restart the AR System server.

Enabling SSL on Windows

CLM applications that support HTTPS on SSL during installation

Before you begin

To create a Root CA certificate using OpenSSL

To configure the Mid Tier SSL

To integrate the Mid Tier with Platform Manager

To configure Atrium Web Services SSL

To integrate Atrium Web Services with BMC Network Automation

To configure SSL with BMC Server Automation

To configure SSL with BMC Server Automation and Platform Manager

To configure BMC Network Automation with SSL

To configure Platform Manager from HTTPS to HTTP with a Self-Signed Certificate

To configure Platform Manager from HTTP to HTTPS with a Self-Signed Certificate

To modify the Platform Manager integration with SSL

To configure BMC Capacity Optimization with SSL

To generate a certificate and key to use with Apache

To enable HTTPS in Apache

To integrate BMC Capacity Optimization and Platform Manager changes into SSL

To configure BMC Atrium Orchestrator with SSL

To configure AMREPO to work with SSL

To configure primary and secondary CDP to work with SSL

To configure BMC Server Automation and Atrium Orchestrator with SSL

To configure Atrium Orchestrator and Platform Manager with SSL

To configure Atrium Orchestrator and ITSM with SSL

On this page