Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Reconfiguring Windows CLM applications to use SSL HTTPS


Warning

Most BMC customers should not need to use these steps in their Cloud Lifecycle Management environment. For example, if you installed TrueSight Server Automation (formerly called BMC Server Automation) with the default settings, HTTPS on SSL is already enabled. You should not need to complete these steps if SSL is already enabled. You run the risk of accidentally breaking functionality that is already working properly.

This topic includes two main sets of highly unusual tasks that BMC customers might use to secure communication between specific Cloud Lifecycle Management applications.

  • How to reconfigure Cloud Portal Web Application and CLM Self-Checker to use HTTPS if you installed them originally with HTTP.
  • How to reconfigure SSL HTTPS on applications like TrueSight Server Automation or TrueSight Network Automation (formerly called BMC Network Automation) if necessary. 

Note

Mixing protocols in a BMC Cloud Lifecycle Environment deployment is not supported. All of the BMC Cloud Lifecycle Environment components (for example, AR System Mid Tier, Platform Manager, Quick Start, and the My Cloud Services console) must be in HTTP mode or in HTTPS mode.

 

Tip

Copy and paste the SSL commands into a text editor like Notepad++ or TextPad, strip out the line breaks, and modify the syntax for your environment. 

Before you begin

  • Take a snapshot of your VMs or back up your servers. This precaution is necessary if you make a mistake and need to roll back your changes! 
  • When importing certificates, keypairs, or keystores, use the JRE embedded with the product or the latest version of JRE/Java installed on your host. 
  • If you are using a Google Chrome browser and encounter the weak ephemeral Diffie-Hellman key error, see KA428034 for a helpful workaround. To review this workaround in context, see To configure AMREPO to work with SSL.

Note

BMC tests SSL with OpenSSL-generated certificates, as shown in this topic. However, many customers use root certificates issued by trusted certificate authorities (CAs), for example, Symantec, in their production environments.

To reconfigure Cloud Portal Web Application from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed Cloud Portal Web Application with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Use the following steps to reconfigure HTTP to HTTPS using a Self-Signed Certificate. 

  1. Generate a certificate.
    For example:

    keytool -genkey -alias tomcat -keyalg RSA 
    -keystore "C:\clmuiSslCertificate.cert" 
    -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=PUN,s=MH,c=IN" 
    -keypass "changeit" -storepass "changeit" -validity 36500
  2. Copy the certificate to the required location.
    For example:  
    C:\Program Files\BMC Software\CloudPortalWebApplication\clmui\Certificates\clmuiSslCertificate.cert 
  3. Update C:\Program Files\BMC Software\CloudPortalWebApplication\tomcat\conf\server.xml.
    1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="9070" 
      protocol="HTTP/1.1" redirectPort="9443"/>

       

    2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" 
      keystoreFile="C:\Program Files\BMC Software\CloudPortalWebApplication\clmui\Certificates\clmuiSslCertificate.cert"
      keystorePass="changeit" 
      maxThreads="150" port="9443" scheme="https" secure="true" sslProtocol="TLS"/>

       

  4. Restart Cloud Portal Web Application service.

To reconfigure CLM Self-Checker from HTTP to HTTPS with a Self-Signed Certificate

Warning

If you installed CLM Self-Checker with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Use the following steps to reconfigure HTTP to HTTPS using a Self-Signed Certificate. 

  1. Generate a certificate.
    For example:

    C:\Program Files\Java\jre1.7.0_55\bin>keytool -genkey 
    -alias tomcat -keyalg RSA 
    -keystore "C:\selfcheckerSslCertificate.cert" 
    -dname "cn=vw-sjc-sln-qa32,ou=CLM,o=BMC,l=PUN,s=MH,c=IN" 
    -keypass "changeit" -storepass "changeit" -validity 36500
  2. Copy the certificate to the required location.
    For example:  
    C:\Program Files\BMC Software\SelfChecker\selfchecker\Certificates\selfcheckerSslCertificate.cert 
  3. Update C:\Program Files\BMC Software\SelfChecker\tomcat\conf\server.xml.
    1. Replace the Connector entry:

      <Connector connectionTimeout="20000" port="8090" 
      protocol="HTTP/1.1" redirectPort="8443"/>
    2. With the following information:

      <Connector SSLEnabled="true" clientAuth="false" 
      connectionTimeout="20000" 
      keystoreFile="C:\Program Files\BMC Software\SelfChecker\selfchecker\Certificates\selfcheckerSslCertificate.cert"
      keystorePass="changeit" 
      maxThreads="150" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
  4. Restart the Self Checker service.
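
The following check is an added example, not BMC code. It covers both the Cloud Portal Web Application and the CLM Self-Checker server.xml edits above and reports the two mistakes that edit invites: leaving the old HTTP connector in place, and pasting a keystoreFile value with a line break still inside it. The sample server.xml is constructed, and the function name audit_connectors is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the old HTTP connector was left in place and the HTTPS
# connector was pasted with the line break still inside keystoreFile.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector connectionTimeout="20000" port="8090"
             protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000"
             keystoreFile=" C:\Program Files\BMC Software\SelfChecker\selfchecker\
             Certificates\selfcheckerSslCertificate.cert"
             keystorePass="changeit" maxThreads="150" port="8443"
             scheme="https" secure="true" sslProtocol="TLS"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return a list of findings for the <Connector> elements in server.xml."""
    findings = []
    tls_seen = False
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "").upper().startswith("AJP"):
            continue  # AJP connectors are neither HTTP nor HTTPS listeners
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plain HTTP connector still present")
            continue
        tls_seen = True
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
        # XML parsers turn a newline inside an attribute into a space, so a
        # wrapped path arrives as "...\selfchecker\   Certificates\...".
        path = conn.get("keystoreFile", "")
        if not path:
            findings.append(f"port {port}: keystoreFile missing")
        elif path != path.strip() or re.search(r"\\\s|\s{2,}", path):
            findings.append(f"port {port}: keystoreFile contains stray whitespace")
        if conn.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the sample value 'changeit'")
    if not tls_seen:
        findings.append('no connector with SSLEnabled="true"')
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a copy of server.xml before restarting the service; an empty result means the connector matches the HTTPS form shown in the steps.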

To configure SSL with TrueSight Server Automation

Warning

If you installed TrueSight Server Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

For more information on using a CA-issued certificate or certificate chain rather than the default self-signed certificate, see Securing communication with CA certificates in the TrueSight Server Automation documentation. 

  1. On the TrueSight Server Automation host, create Keys, Certificates, and CSR folders. 
  2. Stop the BladeLogic Application Server.
  3. Back up the bladelogic.keystore file, located at C:\Program Files\BMC Software\BladeLogic\appserver\br\deployments or C:\Program Files\BMC Software\BladeLogic\NSH\br\deployments and then delete the original. 
  4. Open a command prompt and navigate to the BladeLogic JRE folder (for example, C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin). 
  5. On the TrueSight Server Automation primary host, create a keypair using the keytool utility. 
    If TrueSight Server Automation is behind a load balancer, you can use the load-balancer name as the CN (the value entered at the first and last name prompt). 

    Note

    In the keytool syntax, use the password you created when you installed TrueSight Server Automation, not changeit.

    keytool.exe -genkey -alias blade -keyalg RSA -keysize 2048 
    -keypass "<password>" -storepass "<password>" 
    -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\br\
    deployments\_template\bladelogic.keystore"
    What is your first and last name?
      [Unknown]:  JOHN STAMPS
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  SAN JOSE
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=JOHN STAMPS, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
      [no]:  yes
  6. At the prompts, enter the required information to create the keypair, and then press Enter.
  7. Create the Certificate Signing Request (CSR) from the TrueSight Server Automation primary to retrieve the certificate from the CA (that is, CLM).

    keytool.exe -certreq -keyalg RSA -alias blade 
    -file C:\CSR\blade.csr -keystore "C:\Program Files\BMC Software\
    BladeLogic\NSH\br\deployments\_template\bladelogic.keystore"

    Enter keystore password:

    At the prompt, enter the TrueSight Server Automation password, not changeit.

  8. Copy the blade.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (blade.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 
    -in C:\CSR\blade.csr -CA C:\Certificates\RootCA.crt 
    -CAkey C:\Keys\RootCA.key -set_serial 01 
    -out C:\Certificates\blade.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=JOHN STAMPS
    Getting CA Private Key
  9. After the certificate is generated (blade.crt) in the Certificates folder, copy blade.crt and RootCA.crt to the TrueSight Server Automation primary host into its Certificates folder.
  10. On the TrueSight Server Automation primary host, import the Root CA certificate:

    keytool.exe -import -alias blade 
    -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\
    br\deployments\_template\bladelogic.keystore" 
    -trustcacerts -file C:\Certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, OU=IDD, 
    O=BMC, L=SJ, ST=CA, C=US
    Issuer: EMAILADDRESS=jstamps@bmc.com, CN=JOHN, 
    OU=IDD, O=BMC, L=SJ, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

     

    1. At the prompt, enter the TrueSight Server Automation password, not changeit.
    2. When you see the Trust this certificate prompt, enter yes.
      Your certificate is added to the keystore. 
  11. Import the blade.crt certificate:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe 
    -import -alias blade 
    -keystore "C:\Program Files\BMC Software\BladeLogic\NSH\
    br\deployments\_template\bladelogic.keystore" 
    -trustcacerts -file C:\Certificates\blade.crt
    Enter keystore password:
    Certificate reply was installed in keystore

    Your certificate reply is installed in the keystore.  

  12. Copy the bladelogic.keystore file you just created from the _template folder to each of the deployments server folders.
  13. Start the BladeLogic Application Server.
  14. Verify your changes to the TrueSight Server Automation URL by accessing the following link:
    https://<BladeLogic>:10843 (where 10843 is the SSL port) 
  15. When you access the TrueSight Server Automation URL the first time, review the certificate details. 
  16. Log on to the BladeLogic Application Server through the TrueSight Server Automation Console. 
    In the login screen, click Options > Certificates > View to view the certificate. This screen displays certificate details such as Issued to (for example, clm-hou-bbsa) and Issued by (the CA, for example, CLM).
  17. For the TrueSight Server Automation secondary, follow the relevant steps (typically 1 > 2 > 3 > 12 > 13 > 14 > 15 > 16 > 17, in order).

To configure SSL with TrueSight Server Automation and Platform Manager

  1. On the Platform Manager host, open the providers.json file.
  2. Change the protocol and the SSL port in the providers.json file for the BBSA_SERVER_PORT attribute value.

    For example:

      "name" : "BBSA_SERVER_PORT"
        },
       "attributeValue" : "10843",
       "description" : "BBSA Webservices Port",
       "guid" : "1a0e98f9-905e-4117-99dd-759f7ad41b71",
       "name" : "BBSA_SERVER_PORT"
      }, {
       "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
       "accessAttribute" : {
         "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
         "datatype" : "STRING",
         "description" : "BBSA Server Protocol",
         "guid" : "3bf2db7a-af7e-4bc7-8674-63c6df997a75",
         "isOptional" : false,
         "isPassword" : false,
         "modifiableWithoutRestart" : false,
         "name" : "BBSA_SERVER_PROTOCOL"
        },
       "attributeValue" : "https",
       "description" : "BBSA Server Protocol",
  3. Save your changes and restart the Platform Manager.
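
The following check is an added example, not BMC code. It confirms that both BBSA_SERVER_PROTOCOL and BBSA_SERVER_PORT were changed in providers.json, because a half-finished edit leaves Platform Manager sending HTTP to the SSL port. The excerpt above does not show the enclosing structure of the file, so the walker accepts any nesting; the sample JSON is constructed and its outer keys are placeholders.

```python
import json

# Constructed sample shaped like the excerpt above; the enclosing keys
# ("providers", "accessValues") are placeholders, not the real file layout.
SAMPLE_PROVIDERS_JSON = """
{"providers": [{"name": "BBSA", "accessValues": [
  {"cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
   "accessAttribute": {"name": "BBSA_SERVER_PORT", "datatype": "STRING"},
   "attributeValue": "10843", "name": "BBSA_SERVER_PORT"},
  {"cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
   "accessAttribute": {"name": "BBSA_SERVER_PROTOCOL", "datatype": "STRING"},
   "attributeValue": "http", "name": "BBSA_SERVER_PROTOCOL"}
]}]}
"""


def collect_values(node, found=None):
    """Walk any nesting and map each attribute name to the set of its values."""
    found = {} if found is None else found
    if isinstance(node, dict):
        if "attributeValue" in node and "name" in node:
            found.setdefault(node["name"], set()).add(node["attributeValue"])
        for child in node.values():
            collect_values(child, found)
    elif isinstance(node, list):
        for child in node:
            collect_values(child, found)
    return found


def check_bbsa_endpoint(providers_json, ssl_port="10843"):
    """Return problems with the BBSA protocol/port pair; empty list means OK."""
    values = collect_values(json.loads(providers_json))
    expected = {"BBSA_SERVER_PROTOCOL": "https", "BBSA_SERVER_PORT": ssl_port}
    problems = []
    for name, want in expected.items():
        got = values.get(name, set())
        if not got:
            problems.append(f"{name} not found")
        elif got != {want}:
            problems.append(f"{name} is {sorted(got)}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for problem in check_bbsa_endpoint(SAMPLE_PROVIDERS_JSON):
        print(problem)
```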

To configure TrueSight Network Automation with SSL

Warning

If you installed TrueSight Network Automation with the default settings, HTTPS on SSL is already enabled. Do not complete these steps if SSL is already enabled on the host. Otherwise, you run the risk of accidentally breaking functionality that is already working properly. 

Note

The TrueSight Network Automation CLI might not use the default JVM bundled with BNA (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin). In this case, you must import the root (and any intermediate) certificates into the keystore of the native JVM of the OS (in Windows, for example, C:\Program Files\Java\jre7\lib\security\cacerts).


  1. On the TrueSight Network Automation host, create Keys, Certificates, and CSR folders. 
  2. Stop the BCA-Networks Web Server.
  3. Back up the .keystore file (by default, located at C:\BCA-Networks-Data) and then delete the original.
  4. On the primary TrueSight Network Automation host, open a command prompt and navigate to the BCA-Network JRE folder (for example, C:\Program Files\BMC Software\BCA-Networks\java\bin). 
  5. Create a keypair using the keytool utility. 
    If TrueSight Network Automation is behind a load balancer, you can use the load-balancer name as the CN (the value entered at the first and last name prompt). Use the following syntax so that keytool works properly:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe 
    -genkey -alias clm-bna -keyalg RSA -keysize 2048 -keypass "changeit" 
    -storepass "changeit" -keystore "C:\BCA-Networks-Data\.keystore"
    What is your first and last name?
      [Unknown]:  JOHN STAMPS
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  SAN JOSE
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=JOHN STAMPS, OU=IDD, O=BMC, L=SAN JOSE, ST=CA, C=US correct?
      [no]:  yes
  6. At the prompts, enter the required information to create the keypair, and then press Enter.
  7. Create the Certificate Signing Request (CSR) from the TrueSight Network Automation primary to retrieve the certificate from the CA (that is, CLM).

    keytool.exe -certreq -keyalg RSA -alias clm-bna 
    -file C:\CSR\clm-bna.csr -keystore "C:\BCA-Networks-Data\.keystore"
    Enter keystore password:

    At the prompt, enter changeit as the password.

  8. Copy the clm-bna.csr file to the CSR folder where OpenSSL is installed so that you can generate a certificate (clm-bna.crt), and then run the following command on the OpenSSL computer:

    C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 
    -in C:\CSR\clm-bna.csr -CA C:\Certificates\RootCA.crt 
    -CAkey C:\Keys\RootCA.key -set_serial 04 
    -out C:\Certificates\clm-bna.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=US/ST=CA/L=SAN JOSE/O=BMC/OU=IDD/CN=clm-bna
    Getting CA Private Key
  9. After the certificate is generated (clm-bna.crt) in the Certificates folder, copy clm-bna.crt and RootCA.crt to the TrueSight Network Automation primary and secondary hosts into their Certificates folder.
  10. On the TrueSight Network Automation primary and secondary computers, import the first Root CA certificate into the C:\BCA-Networks-Data\.keystore file that we generated:

    C:\Program Files\BMC Software\BladeLogic\NSH\jre\bin>keytool.exe 
    -import -alias root -keystore "C:\BCA-Networks-Data\.keystore" 
    -trustcacerts -file C:\Certificates\RootCA.crt
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, 
    OU=IDD, O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    1. At the prompt, enter changeit as the password.
    2. When you see the Trust this certificate prompt, enter yes.
      Your certificate is added to the keystore. 
    3. If you have a secondary TrueSight Network Automation computer, import only the RootCA certificate in the java\cacerts file.
  11. Import Root CA into the C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts file:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe 
    -import -alias root 
    -keystore "C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts" 
    -trustcacerts -file C:\certificates\RootCA.crt
    Enter keystore password:
    Owner: EMAILADDRESS=jstamps@bmc.com, CN=bmc.com, OU=IDD, 
    O=BMC, L=San Jose, ST=CA, C=US
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

     

  12. Import the clm-bna.crt certificate:

    C:\Program Files\BMC Software\BCA-Networks\java\bin>keytool.exe 
    -import -alias clm-bna -keystore C:\BCA-Networks-Data\.keystore 
    -trustcacerts -file C:\Certificates\clm-bna.crt
    Enter keystore password:
    Certificate reply was installed in keystore

    Your certificate reply is installed in the keystore.  

  13. Generate the encryption string for changeit.
    1. Open the BNA maintenance utility (by default, installed in C:\Program Files\BMC Software\BCA-Networks\utility).
    2. Click the Encrypt tab.
    3. Enter and confirm the changeit password.
    4. Click Encrypt to generate the encryption string for changeit.
    5. Use the generated string for the keystorePassword parameter in the server.xml file (by default, located at C:\Program Files\BMC Software\BCA-Networks\tomcat\conf).
  14. Start the BCA-Networks Web Server.
  15. Verify the BNA link by accessing https://<BNA-LB>:443, where 443 is the SSL port.
  16. If you have a load balancer, fail over the BNA service and verify that you can access the link with the cluster name and that it displays the same certificate.
  17. When you access the TrueSight Network Automation URL the first time, review the certificate details, and so on.

Note

No integration-level changes are required for TrueSight Network Automation. In the providers.json file on the Platform Manager host, the BNA section is already populated with the https protocol and SSL port. This SSL port should be the same port on which you configured TrueSight Network Automation.

Related topic

Using CLM applications with third-party Certification Authority certificates

 
