Enabling secure communication with TrueSight Orchestration


To secure the communication of data between TrueSight Server Automation and TrueSight Orchestration, you must enable an HTTPS connection on both products as instructed in the following procedures.


Note

This optional task is relevant also when setting up a connection to TrueSight Orchestration for the creation of Workflow Jobs through the TrueSight Server Automation Console. For more information, see Creating-and-modifying-Workflow-Jobs.

The keytool command used in the following procedures is a key and certificate management utility that is provided with the Java Runtime Environment (JRE). It is typically located in the Java (JRE) bin directory. To use keytool commands on Windows platforms, you must run the commands with elevated rights or administrator rights.

When you install TrueSight Orchestration, the Apache Tomcat server is installed with certificates, by default. 

Enabling HTTPS support for TrueSight Orchestration on TrueSight Server Automation for a fresh deployment of TrueSight Server Automation

  1. If TrueSight Orchestration is installed on a different computer, copy the C:\<BAOtomcatServerDirectory>\conf\.keystore file from the TrueSight Orchestration CDP system to the system where the TrueSight Server Automation application server is installed.
  2. On the system where the TrueSight Server Automation application server is installed, export the public certificate from the keystore file generated for TrueSight Orchestration to a temporary file by entering the following command:

    keytool -export -alias <alias> -file <file> -keystore <keystore> -storepass changeit

    In this command, note the following:

    • <alias> is the name used to distinguish certificates. The value entered for the alias must match the TrueSight Orchestration server hostname and the CN in the associated certificate. TrueSight Server Automation needs this to match so that the host and the certificate can be verified during the SSL connection process.
    • <file> is the name and location of the certificate file that will be created from this command.
    • <keystore> is the name and location of the keystore file that you created for TrueSight Orchestration.
      If you are using a UNIX/Linux system, the default keystore file location is $<BAOinstallationDirectory>/cdp/tomcat/conf/.keystore.

    For example:

    keytool -export -alias w2k3-sp-vm5 -file C:\cert.csr -keystore C:\<BAOtomcatServerDirectory>\conf\.keystore -storepass changeit

    keytool -export -alias tomcat -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BAO\CDP\tomcat\conf\.keystore" -storepass changeit
  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:

    keytool -import -alias w2k3-sp-vm5 -file C:\cert.csr -keystore "<keystorePath>" -storepass changeit

    keytool -import -alias bao.dem.bmc.local -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BladeLogic\appserver\NSH\jre\lib\security\cacerts" -storepass changeit

    Note that the keystore path in this example is a typical default path. This path might differ, depending on the exact details of your installation. The keystore path also depends on the type of operating system:

    • Linux — For a Linux Application Server use the <installationDirectory>/NSH/br/java/lib/security/cacerts file (for example /opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts) to install certificates.
    • Windows — For a Windows Application Server, refer to the path shown in the registry value SOFTWARE > BladeLogic > Operations Manager > Application Server > -Djava.home. Within this path, look for the lib\security\cacerts file. This is the file into which you install the certificates.
  4. To check if the certificate is added to the cacerts file, enter the following command:

    keytool -list -keystore <keystorePath> -storepass changeit
  5. Restart the TrueSight Server Automation Application Server.

Enabling HTTPS support for TrueSight Orchestration on TrueSight Server Automation for an upgraded deployment of TrueSight Server Automation

  1. If TrueSight Orchestration is installed on a different computer, copy the C:\<BAOtomcatServerDirectory>\conf\.keystore file from the TrueSight Orchestration CDP system to the system where the TrueSight Server Automation application server is installed.
  2. On the system where the TrueSight Server Automation application server is installed, export the public certificate from the keystore file generated for TrueSight Orchestration to a temporary file by entering the following command:

    keytool -export -alias <alias> -file <file> -keystore <keystore> -storepass changeit

    In this command, note the following:

    • <alias> is the name used to distinguish certificates. The value entered for the alias must match the TrueSight Orchestration server hostname and the CN in the associated certificate. TrueSight Server Automation needs this to match so that the host and the certificate can be verified during the SSL connection process.
    • <file> is the name and location of the certificate file that will be created from this command.
    • <keystore> is the name and location of the keystore file that you created for TrueSight Orchestration.
      If you are using a UNIX/Linux system, the default keystore file location is $<BAOinstallationDirectory>/cdp/tomcat/conf/.keystore.

    For example:

    keytool -export -alias w2k3-sp-vm5 -file C:\cert.csr -keystore C:\<BAOtomcatServerDirectory>\conf\.keystore -storepass changeit

    keytool -export -alias tomcat -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BAO\CDP\tomcat\conf\.keystore" -storepass changeit
  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:

    keytool -import -alias w2k3-sp-vm5 -file C:\cert.csr -keystore "<keystorePath>" -storepass changeit

    keytool -import -alias bao.dem.bmc.local -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BladeLogic\appserver\NSH\jre\lib\security\cacerts" -storepass changeit

    Note that the keystore path in this example is a typical default path. This path might differ, depending on the exact details of your installation. The keystore path also depends on the type of operating system:

    • Linux — For a Linux Application Server use the <installationDirectory>/NSH/br/java/lib/security/cacerts file (for example /opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts) to install certificates.
    • Windows — For a Windows Application Server, refer to the path shown in the registry value SOFTWARE > BladeLogic > Operations Manager > Application Server > -Djava.home. Within this path, look for the lib\security\cacerts file. This is the file into which you install the certificates.
  4. To check if the certificate is added to the cacerts file, enter the following command:

    keytool -list -keystore <keystorePath> -storepass changeit
  5. Recreate the bladelogic.keystore file:
    Performing this procedure generates a 2048-bit RSA key and a self-signed certificate for an Application Server. The certificate is valid for three years, and it is stored under the "blade" alias.
    1.  From <installDirectory>/bin, enter the following command: 
      blmkcert CN=<hostname> <jksFileName> <password>
      The command shown above has the following parameters:
      • <hostname> — Typically set to the host name where you are generating the certificate.
      • <jksFileName> — The full path to the keystore file that you are generating. This file will replace the existing keystore file in the deployments directory for the Application Server that is being updated, such as <installDirectory>/br/deployments.
      • <password> — A password used to encrypt the generated keystore file.
      For example, if you are generating a self-signed certificate on a Windows server called blapp1.example.com, you might enter a command similar to the following: 
      blmkcert CN=blapp1.example.com "bladelogic.keystore" password
      This will create a file named bladelogic.keystore in the current directory. It is not recommended to overwrite the existing bladelogic.keystore while the application server is running.
      New in 8.9.03: TrueSight Server Automation supports Secure Hash Algorithm 256 (SHA-256). For a fresh installation of application server 8.9.03, the bladelogic.keystore is created with the SHA-256 signature algorithm. In the case of an upgrade, by default, the existing bladelogic.keystore file is not upgraded to SHA-256. To use SHA-256 in bladelogic.keystore on an upgraded application server, perform the following steps:
      1. Back up the old bladelogic.keystore file.
      2. Recreate the bladelogic.keystore using blmkcert.
      3. Apply the same bladelogic.keystore across the MAS setups.
    2. After generating the new keystore file with the new certificate, skip to the Using the new keystore section below.
  6. Restart the TrueSight Server Automation Application Server, and verify the integration.
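Steps 2 through 4 of both procedures above (export the TrueSight Orchestration certificate, import it into the Application Server's cacerts file, confirm it is listed) are three keytool invocations plus one rule that is easy to get wrong: the alias must equal the TrueSight Orchestration host name and the certificate CN. The following Python helper is an added example, not BMC code. It assumes keytool from the JRE is on PATH and is run with the elevated rights the page calls for; the host names, paths and the sample keytool -list output are constructed, and the -noprompt flag is a standard keytool option used here to make the import non-interactive.

```python
"""Wrap the keytool export/import/verify steps for the BAO certificate.

Added example (not BMC code). Assumes `keytool` from the JRE is on PATH.
All paths, host names and the sample `keytool -list` output are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

STOREPASS = "changeit"  # default JRE cacerts password used throughout the procedure


def check_alias(alias: str, bao_hostname: str) -> bool:
    """The alias must equal the TrueSight Orchestration host name (and the
    certificate CN); otherwise the host cannot be verified during the SSL handshake."""
    return alias.strip().lower() == bao_hostname.strip().lower()


def export_cmd(alias: str, cert_file: str, keystore: str,
               storepass: str = STOREPASS) -> List[str]:
    """Step 2: export the public certificate from the BAO Tomcat keystore."""
    return ["keytool", "-export", "-alias", alias, "-file", cert_file,
            "-keystore", keystore, "-storepass", storepass]


def import_cmd(alias: str, cert_file: str, cacerts: str,
               storepass: str = STOREPASS) -> List[str]:
    """Step 3: add the certificate to the Application Server's cacerts file.
    -noprompt answers keytool's 'Trust this certificate?' question for automation."""
    return ["keytool", "-import", "-noprompt", "-alias", alias, "-file", cert_file,
            "-keystore", cacerts, "-storepass", storepass]


def list_cmd(keystore: str, storepass: str = STOREPASS) -> List[str]:
    """Step 4: list the entries so the import can be verified."""
    return ["keytool", "-list", "-keystore", keystore, "-storepass", storepass]


def cacerts_path(os_name: str, install_dir: Optional[str] = None,
                 java_home: Optional[str] = None) -> str:
    """Resolve cacerts per the page's rules: Linux uses
    <installationDirectory>/NSH/br/java/lib/security/cacerts; Windows uses
    lib\\security\\cacerts under the -Djava.home registry value (read that
    value separately and pass it in as java_home)."""
    if os_name == "linux":
        if not install_dir:
            raise ValueError("install_dir is required on Linux")
        return install_dir.rstrip("/") + "/NSH/br/java/lib/security/cacerts"
    if os_name == "windows":
        if not java_home:
            raise ValueError("java_home (the -Djava.home registry value) is required on Windows")
        return java_home.rstrip("\\") + "\\lib\\security\\cacerts"
    raise ValueError(f"unsupported OS: {os_name}")


# One entry line of `keytool -list` looks like "<alias>, <date>, <entry type>,".
# The date itself contains a comma, hence the lazy match on it.
_ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<type>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),?\s*$")


def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map alias -> entry type from `keytool -list` output."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def verify_imported(list_output: str, alias: str) -> bool:
    """True when the alias is present as a trusted certificate entry."""
    return parse_keytool_list(list_output).get(alias) == "trustedCertEntry"


def _run(cmd: List[str]) -> str:
    # Echo the command for the change record, but never the store password.
    shown = ["********" if cmd[i - 1] == "-storepass" else c for i, c in enumerate(cmd)]
    print("+", " ".join(shown))
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def install_bao_certificate(alias: str, bao_hostname: str, bao_keystore: str,
                            cert_file: str, cacerts: str) -> bool:
    """Run steps 2-4 end to end; raise if the alias rule or the verification fails."""
    if not check_alias(alias, bao_hostname):
        raise ValueError(f"alias {alias!r} must match the BAO host name {bao_hostname!r}")
    _run(export_cmd(alias, cert_file, bao_keystore))
    _run(import_cmd(alias, cert_file, cacerts))
    if not verify_imported(_run(list_cmd(cacerts)), alias):
        raise RuntimeError(f"{alias} not found in {cacerts} after import")
    return True


# Constructed sample of `keytool -list` output (fingerprints are dummies).
SAMPLE_LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

bao.dem.bmc.local, Jan 5, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
example-root-ca, Dec 1, 2013, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

if __name__ == "__main__":
    # Constructed Windows example; adjust the paths to your installation.
    install_bao_certificate(
        alias="bao.dem.bmc.local", bao_hostname="bao.dem.bmc.local",
        bao_keystore=r"C:\Program Files\BMC\BAO\CDP\tomcat\conf\.keystore",
        cert_file=r"D:\Data\BAO\bao.csr",
        cacerts=cacerts_path("windows", java_home=r"C:\Program Files\BMC\BladeLogic\appserver\NSH\jre"))
```

The alias check runs before anything is written, because an import under a mismatched alias succeeds at the keytool level and only fails later, during the SSL connection. The password is masked in the echoed command line; note that keytool still receives it as a process argument, which is why the procedure relies on the well-known default cacerts password rather than a secret one.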

Using the new keystore

Once you have generated the new keystore file using one of the methods above, you can start using it on your application server(s) by following these steps.

  1. Stop the Application Server.
  2. Make a backup of the existing <install dir>/br/deployments/bladelogic.keystore 
  3. Copy the new bladelogic.keystore file over the existing file in <install dir>/br/deployments
  4. If the keystore password used in the steps above is not the same as the one currently configured in the application server configuration, then you must update the application server configuration with the new password by running the following commands: 

    blasadmin -a set appserver certstore bladelogic.keystore
    blasadmin -a set appserver certpasswd <keystorePassword>
  5. If you have multiple Application Servers, repeat the above steps on those application servers. For information about this process, see Synchronizing keystore files of multiple Application Servers.
  6. Start the Application Server service.
    1. The first time that you connect to the application server from an RCP client, you are informed that a new certificate has arrived from the Application Server. Accept the new certificate.
    2. The following video demonstrates how to generate the certificate and synchronize it across Application Server deployments:

      https://youtu.be/RHEn_86bk_4
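The keystore rollout above (steps 1 through 4, plus the blmkcert command from the upgrade procedure) is a back-up-then-replace operation on a file that holds the Application Server's private key, so it is worth doing with a verified copy and a backup that is never silently overwritten. The following Python helper is an added example, not BMC code: it stages the new bladelogic.keystore into <install dir>/br/deployments and returns the blasadmin commands to run when the password changed, rather than executing them. The install directory, file names and passwords used are constructed; stopping and starting the Application Server service is left to the operator.

```python
"""Stage a newly generated bladelogic.keystore into an Application Server.

Added example (not BMC code) for the 'Using the new keystore' steps.
All paths and passwords below are constructed.
"""
import hashlib
import os
import shutil
import stat
import time
from pathlib import Path
from typing import Dict, List, Optional


def blmkcert_cmd(hostname: str, jks_file: str, password: str) -> List[str]:
    """Command from the 'Recreate the bladelogic.keystore file' step."""
    return ["blmkcert", f"CN={hostname}", jks_file, password]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def stage_keystore(install_dir: str, new_keystore: str,
                   stamp: Optional[str] = None) -> Dict[str, object]:
    """Steps 2 and 3: back up <install dir>/br/deployments/bladelogic.keystore,
    then copy the new file over it. Run only while the Application Server is stopped."""
    deployments = Path(install_dir) / "br" / "deployments"
    target = deployments / "bladelogic.keystore"
    source = Path(new_keystore)
    if not target.is_file():
        raise FileNotFoundError(f"no deployed keystore at {target}")
    old_hash, new_hash = sha256_of(target), sha256_of(source)
    backup = deployments / f"bladelogic.keystore.{stamp or time.strftime('%Y%m%d-%H%M%S')}.bak"
    if backup.exists():
        raise FileExistsError(f"refusing to overwrite existing backup {backup}")
    shutil.copy2(target, backup)   # step 2: keep the old keystore
    shutil.copy2(source, target)   # step 3: the new keystore takes its place
    # The keystore holds the server's private key: owner read/write only on POSIX.
    # On Windows os.chmod only toggles the read-only bit, so rely on NTFS ACLs there.
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
    if sha256_of(target) != new_hash:
        raise RuntimeError("copy verification failed; restore from the backup")
    return {"backup": str(backup), "target": str(target), "changed": old_hash != new_hash}


def blasadmin_commands(new_password: str, configured_password: str) -> List[List[str]]:
    """Step 4: the configuration update is only needed when the password differs
    from the one currently configured in the application server."""
    if new_password == configured_password:
        return []
    return [["blasadmin", "-a", "set", "appserver", "certstore", "bladelogic.keystore"],
            ["blasadmin", "-a", "set", "appserver", "certpasswd", new_password]]


if __name__ == "__main__":
    # Constructed example; the Application Server must already be stopped.
    print(blmkcert_cmd("blapp1.example.com", "bladelogic.keystore", "password"))
    result = stage_keystore(r"C:\Program Files\BMC\BladeLogic", "bladelogic.keystore")
    print(result)
    for cmd in blasadmin_commands("password", "<currently configured password>"):
        print(" ".join(cmd))
```

The `changed` flag exposes the case where the "new" keystore is byte-identical to the deployed one (for example, blmkcert was run but the output file was never copied from the working directory), which would otherwise pass silently and leave the old certificate in service on that Application Server while the others were updated.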
