Unsupported content This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Reconfiguring Linux CLM applications to use SSL HTTPS

Warning

Most BMC customers should not need to use these steps in their Cloud Lifecycle Management environment. For example, if you installed TrueSight Server Automation (formerly called BMC Server Automation) with the default settings, HTTPS on SSL is already enabled. You should not need to complete these steps if SSL is already enabled. You run the risk of accidentally breaking functionality that is already working properly.

This topic includes two main sets of highly unusual tasks that BMC customers might use to secure communication between specific Cloud Lifecycle Management applications.

  • How to reconfigure SSL HTTPS on applications like TrueSight Server Automation or TrueSight Network Automation (formerly called BMC Network Automation) if necessary. 
  • How to reconfigure the Linux versions of Cloud Portal Web Application and CLM Self-Checker to use HTTPS if you installed them originally with HTTP.

Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

 

Tip

Copy and paste the SSL commands into a text editor, strip out the line breaks, and modify the syntax for your environment.

Before you begin

  • Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes! 
  • When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host. 
  • If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL HTTPS.

Note

BMC tests SSL with OpenSSL generated certificates, as shown in this topic.  But most customers in their production environments have root certificates issued by trusted certificate authorities (CA), for example, Symantec.

To configure SSL with TrueSight Server Automation

Warning

If you installed TrueSight Server Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

For more information on using a CA-issued certificate or certificate chain rather than the default self-signed certificate, see Securing communication with CA certificates in the TrueSight Server Automation documentation. 

Note

Make sure that the Oracle instance is running.

  1. On the TrueSight Server Automation host, create KeysCertificates, and CSR folders. 
  2. Copy RootCA.key to /data1/Keys/.
  3. Copy RootCA.crt to /data1/Certificates/
  4. Stop the BladeLogic Application Server.
    For example:
    /etc/init.d/blappserv stop 
  5. Back up the bladelogic.keystore file and then delete the old file. This procedure creates a new bladelogic.keystore file.
    By default, this file is located in /opt/bmc/bladelogic/NSH/br/deployments
  6. Open a command prompt and navigate to the jre/bin folder (for example, /usr/java/jdk1.7.0_75/jre/bin).

  7. On the TrueSight Server Automation primary host, create a new keystore using the keytool utility. 
    If TrueSight Server Automation is behind a load balancer, you can use CN as the load-balancer name.

    clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -genkey 
    -alias blade -keyalg RSA -keysize 1024 -keypass "changeit" 
    -storepass "changeit" 
    -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore
    What is your first and last name?
      [Unknown]:  John Stamps
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  San Jose
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose, ST=CA, C=US correct?
      [no]:  yes
    clm-aus-005115# pwd
    /opt/bmc/bladelogic/NSH/br/deployments
    clm-aus-005115# ls -l bl*
    -rw-r--r-- 1 root    root    1373 May 28 13:32 bladelogic.keystore
    -rw-r--r-- 1 bladmin bladmin 2040 May 19 06:43 bladelogic.keystore.bak

  8. Create the Certificate Signing Request (CSR) from TrueSight Server Automation primary to retrieve the certificate from CA (that is, CLM).

    clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -certreq 
    -keyalg RSA -alias blade -file /data1/CSR/blade.csr 
    -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore
    Enter keystore password:
    clm-aus-005115#

    At the prompt, enter changeit as the password.

  9. Use the following openssl command (for example, /usr/bin/openssl) to generate a BladeLogic server certificate (blade.crt) on the TrueSight Server Automation primary host in the Certificates folder: 

    clm-aus-005115# /usr/bin/openssl x509 -req -days 365 
    -in /data1/CSR/blade.csr -CA /data1/Certificates/RootCA.crt 
    -CAkey /data1/Keys/RootCA.key -set_serial 01 -out /data1/Certificates/blade.crt
    Signature ok
    subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
    Getting CA Private Key

  10. On the TrueSight Server Automation primary host, import the Root CA certificate:

    clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool -import 
    -alias blade -keystore 
    /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore 
    -trustcacerts -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    clm-aus-005115#
    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 

  11. Import the blade.crt certificate:

    clm-aus-005115# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias blade 
    -keystore /opt/bmc/bladelogic/NSH/br/deployments/bladelogic.keystore 
    -trustcacerts -file /data1/Certificates/blade.crt
    Enter keystore password:
    Certificate reply was installed in keystore

    Your certificate reply is installed in the keystore.  

  12. Copy the bladelogic.keystore file you just created to each of the deployments server folders (for example, /opt/bmc/bladelogic/NSH/br/deployments/_launcher).
  13. Start the BladeLogic Application Server.
    For example:
    /etc/init.d/blappserv start
  14. Verify your changes to the TrueSight Server Automation URL by accessing the following link:
    https://<BladeLogic>:10843 (where 10843 is the SSL port)
  15. When you access TrueSight Server Automation URL the first time, review the certificate details.
  16. Log on to the BladeLogic Application Server.through TrueSight Server Automation Console.
    In the login screen, click Options > Certificates > View to view the certificate. This screen displays the certificate details like issued to clm-hou-bbsa and Issued by CA (for example, CLM).
  17. For TrueSight Server Automation secondary, follows steps 1 > 2 > 3 > 12 > 13 >14 >15 >16 >17 in order.

To configure SSL with TrueSight Server Automation and Platform Manager

  1. On the Platform Manager host, open the providers.json file (for example, /opt/bmc/BMCCloudLifeCycleManagement/Platform_Manager/configuration/providers.json).

  2. Change the protocol and the SSL port in the providers.json file for the BBSA_SERVER_PORT attribute value.

    For example:

      "name" : "BBSA_SERVER_PORT"
        },
       "attributeValue" : "10843",
       "description" : "BBSA Webservices Port",
       "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
       "name" : "BBSA_SERVER_PORT"
      }, {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
       "accessAttribute" : {
         "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
         "datatype" : "STRING",
         "description" : "BBSA Server Protocol",
         "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
         "isOptional" : false,
         "isPassword" : false,
         "modifiableWithoutRestart" : false,
         "name" : "BBSA_SERVER_PROTOCOL"
        },
       "attributeValue" : "https",
       "description" : "BBSA Server Protocol",
  3. Save your changes and restart the Platform Manager.

To configure TrueSight Network Automation with SSL

Warning

If you installed TrueSight Network Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Note

The TrueSight Network Automation CLI might not use the default JVM bundled with BNA (for example, /opt/bmc/bca-networks/java/bin). In this case, you must import the root (and any intermediate) certificates into the keystore of the native JVM of the OS (in Windows, for example, /opt/bmc/bca-networks/java/lib/security/cacerts).

  1. On the TrueSight Network Automation host, create KeysCertificates, and CSR folders. 
  2. Copy RootCA.key to /data1/Keys/.
  3. Copy RootCA.crt to /data1/Certificates/
  4. Stop the BCA-Networks Web Server.
    For example:
    /etc/init.d/enatomcat stop 
    /etc/init.d/xinetd stop     
  5. Back up the .keystore file (by default, located at /var/bca-networks-data) and then delete the old file. This procedure creates a new .keystore file.
  6. On the primary TrueSight Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, /usr/java/jdk1.7.0_75/jre/bin). 

  7. Create a new keystore using the keytool utility. 
    If TrueSight Network Automation is behind a load balancer, you can use CN as the load-balancer name.  Use the following syntax so that keytool works properly:

    [root@clm-aus-005116 bca-networks-data]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -genkey -alias clm-bna -keyalg RSA -keysize 1024 -keypass "changeit" 
    -storepass "changeit" -keystore /var/bca-networks-data/.keystore
    What is your first and last name?
      [Unknown]:  John Stamps
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  San Jose
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=John Stamps, OU=IDD, O=BMC, L=San Jose
    ST=CA, C=US correct?
      [no]:  yes
    [root@clm-aus-005116 bca-networks-data]#
  8. At the prompts, enter the required information to create the keystore, and then press Enter

  9. Create the Certificate Signing Request (CSR) from TrueSight Network Automation primary to retrieve the certificate from CA (that is, CLM).

    [root@clm-aus-005116 ~]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -certreq -keyalg RSA -alias clm-bna -file /data1/CSR/clm-bna.csr 
    -keystore /var/bca-networks-data/.keystore
    Enter keystore password:
    [root@clm-aus-005116 ~]#

    At the prompt, enter changeit as the password.

  10. Use the following openssl command (for example, /usr/bin/openssl)to generate the BBNA server certificate (clm-bna.crt): 

    [root@clm-aus-005116 ~]# /usr/bin/openssl x509 -req 
    -days 365 -in /data1/CSR/clm-bna.csr 
    -CA /data1/Certificates/RootCA.crt -CAkey /data1/Keys/RootCA.key 
    -set_serial 04 -out /data1/Certificates/clm-bna.cr
    Signature ok
    subject=/C=US/ST=CA/L=San Jose/O=BMC/OU=IDD/CN=John Stamps
    Getting CA Private Key
  11. After the certificate is generated (clm-bna.crt) in the Certificates folder, copy clm-bna.crt and RootCA.crt to the TrueSight Network Automation primary and secondary hosts into their Certificates folder.

  12. On the TrueSight Network Automation primary and secondary computers, import the first Root CA certificate into the /var/bca-networks-data/.keystore file that was generated:

    [root@clm-aus-005116 ~]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias root -keystore /var/bca-networks-data/.keystore 
    -trustcacerts -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, OU=IDD, 
    O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    [root@clm-aus-005116 ~]#
    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes
      Your certificate is added to the keystore. 
    3. If you have a secondary TrueSight Network Automation computer, import only the RootCA certificate in the java/cacerts file.

  13. Import Root CA into the /opt/bmc/bca-networks/java/lib/security/cacerts file:

    [root@clm-aus-005116 /]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias root 
    -keystore /opt/bmc/bca-networks/java/lib/security/cacerts 
    -trustcacerts -file /data1/Certificates/RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=John Stamps, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    [root@clm-aus-005116 /]#

  14. Import the blm-bna.crt certificate:

    [root@clm-aus-005116 /]# /usr/java/jdk1.7.0_75/jre/bin/keytool 
    -import -alias clm-bna -keystore /var/bca-networks-data/.keystore 
    -trustcacerts -file /data1/Certificates/clm-bna.crt
    Enter keystore password:
    Certificate reply was installed in keystore
    [root@clm-aus-005116 /]#

    Your certificate reply is installed in the keystore.  

  15. Generate the encryption string for changeit.
    1. Open the BNA maintenance utility (by default, installed in /opt/bmc/bca-networks/utility).
    2. Click the Encrypt tab.
    3. Enter and confirm the changeit password.
    4. Click Encrypt to generate the encryption string for changeit
    5. Use the generated string for the keystorePassword  parameter in the server.xml file (by default, located at /opt/bmc/bca-networks/tomcat/conf).
  16. Start the BCA-Networks Web Server.
    For example:
    /etc/init.d/enatomcat start 
    /etc/init.d/xinetd start 
  17. Verify the BNA link by accessing https://<BNA-LB>:11443/bca-networks where 11443 is SSL port.
    The default login is sysadmin/sysadmin.  
  18. If you have a load balancer, failover the BNA service and verify that you can able to access the link with Cluster name and with the same certificate it displays.
  19. When you access the TrueSight Network Automation URL the first time, review the certificate details, and so on.

Note

No integration level changes are required for TrueSight Network Automation. In the provider.json file, the BNA section is already populated with the https protocol and SSL port. This SSL port should be same on which you configured TrueSight Network Automation.

To configure Cloud Portal Web Application from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed Cloud Portal Web Application with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Use the following steps to configure HTTP to HTTPS using a Self-Signed Certificate on the Cloud Portal Web Application host. 

  1. Generate a certificate (if the certificate does not exist).
    For example:

    [root@clm-aus-005289 data1]# /opt/bmc/CloudPortalWebApplication/jre/bin/keytool 
    -genkey -alias clmui
    -keyalg RSA -keystore /data1/Certificates/clmuiSslCertificate.cert 
    -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=SAN JOSE,s=CA,c=US" 
    -keypass "changeit" -storepass "changeit" -validity 36500
    [root@clm-aus-005289 data1]#
  2. Copy the certificate to the required location.
    For example:
    /opt/bmc/CloudPortalWebApplication/clmui/Certificates 
  3. Update /opt/bmc/CloudPortalWebApplication/tomcat/conf/server.xml.

    1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="9070" protocol="HTTP/1.1" 
      redirectPort="9443"/>

    2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
      keystoreFile="/opt/bmc/CloudPortalWebApplication/clmui/Certificates
      /clmuiSslCertificate.cert"       
      keystorePass="changeit" maxThreads="150" port="8443" scheme="https" 
      secure="true" sslProtocol="TLS"/>

  4. Stop and restart Cloud Portal Web Application service.
    For example:

    /opt/bmc/CloudPortalWebApplication/tomcat/bin/shutdown.sh
    /opt/bmc/CloudPortalWebApplication/tomcat/bin/startup.sh

To configure CLM Self-Checker from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed CLM Self-Checker with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Use the following steps to configure HTTP to HTTPS using a Self-Signed Certificate. 

  1. Generate a certificate (if the certificate does not exist).
    For example:

    [root@clm-aus-005282 ~]# /opt/bmc/selfchecker/jre/bin/keytool 
    -genkey -alias clmselfchecker -keyalg RSA 
    -keystore /data1/Certificates/selfcheckerSslCertificate.cert 
    -dname "cn=clm-aus-005282,ou=IDD,o=BMC,l=San Jose,s=CA,c=US" 
    -keypass "changeit" -storepass "changeit" -validity 36500
    [root@clm-aus-005282 ~]#
  2. Copy the certificate to the required location.
    For example:  
    /opt/bmc/selfchecker/selfchecker/Certificates/selfcheckerSslCertificate.cert 
  3. Update /opt/bmc/selfchecker/tomcat/conf/server.xml .

    1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="8090" protocol="HTTP/1.1" 
      redirectPort="8443"/>

    2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
      keystoreFile="/opt/bmc/selfchecker/selfchecker/Certificates
      /selfcheckSslCertificate.cert"       
      keystorePass="changeit" maxThreads="150" port="8443" scheme="https" 
      secure="true" sslProtocol="TLS"/>

  4. Stop and restart the Self Checker service.
    For example:

    /opt/bmc/selfchecker/tomcat/bin/shutdown.sh
    /opt/bmc/selfchecker/tomcat/bin/startup.sh

Related topic

Using-CLM-applications-with-third-party-Certification-Authority-certificates

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*