Configuring BMC Atrium Orchestrator to use HTTPS

To provide an additional layer of security to clients that pass sensitive information over a network, such as logon information and security certificates, you can configure BMC Atrium Orchestrator to use the HTTPS protocol to connect securely to clients.

To configure BMC Atrium Orchestrator to use HTTPS

Use this procedure to configure each of the BMC Atrium Orchestrator servers that you want to use HTTPS, including the CDP, Access Manager, the repository, any HA-CDPs, any APs, any LAPs, and BMC Atrium Orchestrator Operator Control Panel.

Stop the BMC Atrium Orchestrator services.
On the server, use a text editor to open the <installationDirectory>\tomcat\conf\server.xml file.
Find the element containing the HTTPS protocol information.

It contains text similar to the following example:

The  text indicate that this element is a comment.

To make the element active, delete .

View the following example:

Save and close the server.xml file.

In the <installationDirectory>\tomcat\conf\context.xml file, update the logon URL for the server component:

Change http to https.

Change the port number to match the Connector port value in the server.xml file.

Server component	Property with sample value
Access Manager	<Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baoam/login.jsf"/>
Repository	<Environment name="com.bmc.security.am.LOGIN_PAGE" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baoam/login.jsf"/>
CDP	<Parameter name="com.bmc.ao.REPOSITORY_URL" override="true" value="https://ipAddressOrHost:securePort/baorepo/http"/>
AP	<Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=AP1"/>
LAP	<Parameter name="com.bmc.ao.PEER_CONFIGURATION" override="true" value="https://admin:admin123@ipAddressOrHost:securePort/baocdp/ws/install?grid=GRID1&peer=LAP1"/>
BMC Atrium Orchestrator Operator Control Panel	<Environment name="peer-endpoint-urls" override="true" type="java.lang.String" value="https://ipAddressOrHost:securePort/baocdp/ws/console"/>

Continue with setting up the self-signed certificate.

To establish a connection using HTTPS with a self-signed certificate

In production environments, you set up HTTPS with a certificate signed by a certificate authority. In testing or development environments, you can use a self-signed certificate to set up HTTPS.

Note

When creating keystore entries, use the same logon credentials as the user that starts the CDP service. By default, the keystore file is created in your home directory. If you change the directory where the keystore file is located, you need to add that location to the server.xml file.
For example: keystoreFile="C:\Documents and Settings\Administrator\.keystore"

With the CDP services stopped, navigate to the AO_HOME\jvm\bin directory and test for an existing Tomcat keystore entry:
From a command prompt or terminal session, type keytool -list -alias tomcat.
When prompted, type the keystorePassword.
Note
The default password for the keytool utility is changeit. If you change the default password, also change the password listed in the BMC Software\AO\tomcat\conf\server.xml file.

The key and the keystore passwords must match. Due to a limitation of the underlying Tomcat engine, the keypass used when storing a key must be the same as the keystore password itself. See the topic Specifying-a-keystore-password.
Perform one of the following actions:
- If a keystore entry is displayed, meaning that a keystore exists for Tomcat, proceed to step 10.
- If the message Alias <tomcat> does not exist is displayed, continue with the next step.
  Note
  In addition to the arguments indicated in the commands provided, you can add an argument of -validity days where days is the number of days until the server certificate expires. Although the default value is 90, BMC recommends changing the value to a longer period.
  For more about this and other arguments that you can use for the keytool utility, type keytool and review the -genkey section.
To create a keystore entry, from a command prompt or terminal session, type keytool -genkey -alias tomcat -keyalg RSA.
When prompted, type the keystore password.
Note
The keystore password for the certificate that you are creating must match the keystore password in the server.xml file. For more information about changing the keystore password in the server.xml file, see Specifying-a-keystore-password for details.
When prompted, provide user details.
- What is your first and last name?
  Note
  When promoted for your first and last name, provide the server's fully qualified host name.
- What is the name of your organizational unit?
- What is the name of your organization?
- What is the name of your City or Locality?
- What is the name of your State or Province?
- What is the two-letter country code for this unit?
  This information is used for the certificate and is visible only within the certificate.
Review the information displayed and confirm that the information is correct.
When prompted to enter the key password for Tomcat, press Enter.
Start the peer.
Test the keystore by launching the software in a browser using HTTPS protocol and port set in the server.xml file. For example, to launch Grid Manager, enter the URL
https://<IP_or_hostname>:<port>/baocdp/gm/index.jsf
.

Configuring BMC Atrium Orchestrator to use HTTPS

To configure BMC Atrium Orchestrator to use HTTPS

To establish a connection using HTTPS with a self-signed certificate

Related topics

On this page