Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Configuring data encryption


This topic provides an overview of data encryption and instructions for provisioning the report server with a trust store.

How encryption works between reports client and reports server

For traffic between the reports client and the reports server, the product relies on the HTTPS protocol (HTTP over TLS) to secure communication between the web browser and the reports server. Users authenticate themselves to the reports server over the HTTPS session.

The TLS communication protocol automatically negotiates an encryption algorithm to secure data. Server-side certificates are used during the TLS handshake to establish session keys for encrypting traffic between the web browser and the reports server. By default, the reports server uses a self-signed certificate, but you can replace it with a custom certificate. To generate a new certificate, you can use a tool such as OpenSSL.
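
The following check is an added example, not part of the original documentation or the product. It uses OpenSSL to report whether a PEM certificate is self-signed (as the reports server default is) or CA-issued, whether it covers the server host name, and whether it is close to expiry. The host name reports.example.test, the file names, and the 14-day threshold are assumptions, and the sample certificate is constructed for the demo.

```shell
#!/bin/sh
# Added example (not product code): classify a PEM certificate as self-signed
# or CA-issued, check it against a host name, and check remaining validity.

# Constructed sample input: throwaway self-signed cert, CN=$2, valid 30 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeeds when subject and issuer are the same name (self-signed layout).
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when the certificate (SAN, else CN) covers host name $2.
matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# Succeeds when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints a three-word summary for certificate $1 and expected host $2.
cert_report() {
    if is_self_issued "$1"; then issuer="self-signed"; else issuer="ca-issued"; fi
    if matches_host "$1" "$2"; then name="name-ok"; else name="name-mismatch"; fi
    if valid_for_days "$1" 14; then expiry="valid"; else expiry="expiring"; fi
    echo "$issuer $name $expiry"
}

# Demo on the constructed certificate (host name is an assumption).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp" reports.example.test
cert_report "$tmp/cert.pem" reports.example.test
```

A result of "self-signed" on a production reports server means browsers cannot validate the server through a certificate chain, and "name-mismatch" means the certificate was issued for a different host name than the one users connect to.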

A default installation of the product sets up an Authentication Service, called BMC SARA Authentication. The reports server accesses the BMC SARA Authentication Service to authenticate a user and acquire single sign-on (SSO) credentials in the name of the authenticating user.

By default, the mkcertstore utility extracts and uses the SSL certificate that was created during the product installation. During the installation, you are prompted to provide a certificate password.

The installation program then runs the following command on Microsoft Windows:

<BDSSAInstallationDirectory>\bin\mkcertstore.exe "CN=<hostName>"
"<BDSSAInstallationDirectory>\br\deployments\_template\bladelogic.keystore"
"<certificatePassword>"

The installation program then runs the following command on UNIX:

<BDSSAInstallationDirectory>/br/mkcertstore "CN=<hostName>"
"<BDSSAInstallationDirectory>/br/deployments/_template/bladelogic.keystore"
"<certificatePassword>"

In these commands:

  • <hostName> stands for the host name of the reports server computer.
  • <certificatePassword> stands for the certificate password.

Notes

  • If the trust certificate is not generated after installing BMC BladeLogic Decision Support for Server Automation, you can use the preceding commands to manually generate a certificate. After generating the certificate, you need to provision the reports server with a PKCS#12 trust store, as described in the following procedure.
  • You can use the Report Administration Utility set webserver command to turn secure, certificate-based communication on and off from the command line. For details, see Configuring the communication settings for the reports server.

Provisioning the reports server with a PKCS#12 trust store

  1. On the reports server, use the mkpkcs12 utility to generate a PKCS#12 trust store, as follows:
    • (Windows) Enter the following command from the <BDSSAInstallationDirectory>\bin directory:

      mkpkcs12.exe C:\client_keystore.pkcs12
    • (UNIX) Enter the following command from the <BDSSAInstallationDirectory>/br directory:

      ./mkpkcs12 /root/client_keystore.pkcs12

      The mkpkcs12 utility generates a file called client_keystore.pkcs12 at the location you have specified.

  2. Copy the client_keystore.pkcs12 file to the following location on the reports server:
    • (Windows) <BDSSAInstallationDirectory>\security
    • (UNIX) <BDSSAInstallationDirectory>/security

      Create the security folder if it does not exist, and copy the file into it.
  3. Restart the reports server.

 
