Enabling secure communication with TrueSight Orchestration


To secure the communication of data between TrueSight Server Automation and TrueSight Orchestration, you must enable an HTTPS connection on both products as instructed in the following procedures.


Note

This optional task is relevant also when setting up a connection to TrueSight Orchestration for the creation of Workflow Jobs through the TrueSight Server Automation Console. For more information, see Creating-and-modifying-Workflow-Jobs.

The keytool command used in the following procedures is a key and certificate management utility that is provided with the Java Runtime Environment (JRE). It is typically located in the Java (JRE) bin directory. To use keytool commands on Windows platforms, you must run the commands with elevated rights or administrator rights.

When you install TrueSight Orchestration, the Apache Tomcat server is installed with certificates, by default. 

Enabling HTTPS support for TrueSight Orchestration on TrueSight Server Automation for a fresh deployment of TrueSight Server Automation

  1. If TrueSight Orchestration is installed on a different computer, copy the C:\<BAOtomcatServerDirectory>\conf\.keystore file from the TrueSight Orchestration CDP system to the system where the TrueSight Server Automation application server is installed.
  2. On the system where the TrueSight Server Automation application server is installed, export the public certificate from the keystore file generated for TrueSight Orchestration to a temporary file by entering the following command:

    keytool -export -alias <alias> -file <file> -keystore <keystore> -storepass changeit

    In this command, note the following:

    • <alias> is the name used to distinguish certificates. The value entered for the alias must match the TrueSight Orchestration server hostname and the CN in the associated certificate. TrueSight Server Automation needs this to match so that the host and the certificate can be verified during the SSL connection process.
    • <file> is the name and location of the certificate file that will be created from this command.
    • <keystore> is the name and location of the keystore file that you created for TrueSight Orchestration.
      If you are using a UNIX/Linux system, the default keystore file location is $<BAOinstallationDirectory>/cdp/tomcat/conf/.keystore.

    For example:

    keytool -export -alias w2k3-sp-vm5 -file C:\cert.csr -keystore C:\<BAOtomcatServerDirectory>\conf\.keystore -storepass changeit

    keytool -export -alias tomcat -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BAO\CDP\tomcat\conf\.keystore" -storepass changeit
  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:

    keytool -import -alias w2k3-sp-vm5 -file C:\cert.csr -keystore "<keystorePath>" -storepass changeit

    keytool -import -alias bao.dem.bmc.local -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BladeLogic\appserver\NSH\jre\lib\security\cacerts" -storepass changeit

    Note that the keystore path in this example is a typical default path. This path might differ, depending on the exact details of your installation. The keystore path also depends on the type of operating system:

    • Linux — For a Linux Application Server use the <installationDirectory>/NSH/br/java/lib/security/cacerts file (for example /opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts) to install certificates.
    • Windows — For a Windows Application Server, refer to the path shown in the registry value SOFTWARE > BladeLogic > Operations Manager > Application Server > -Djava.home. Within this path, look for the lib\security\cacerts file. This is the directory into which you install the certificates.
  4. To check if the certificate is added to the cacerts file, enter the following command:

    keytool -list -keystore <keystorePath> -storepass changeit
  5. Restart the TrueSight Server Automation Application Server.
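Steps 2 to 4 above (they are identical in the fresh-deployment and upgraded-deployment procedures) as one script, added here as an example and not BMC's own tooling: it performs the export, the import and the keytool -list check, and adds the check the alias rule in step 2 implies, that the exported certificate's CN really is the TrueSight Orchestration hostname, before the entry is trusted. The hostname, keystore paths and passwords are placeholders; "changeit" is only the shipped default for both keystores.

```shell
#!/bin/sh
# Added example (not BMC's tooling): trust the TSO Tomcat certificate in the
# TSA cacerts and verify it. Placeholders to adjust: TSO_HOST, TSO_KEYSTORE,
# TSA_CACERTS and the two store passwords.
set -eu

TSO_HOST="${TSO_HOST:-bao.dem.bmc.local}"   # TSO CDP hostname, used as the alias
TSO_KEYSTORE="${TSO_KEYSTORE:-/opt/bmc/bao/cdp/tomcat/conf/.keystore}"
TSO_STOREPASS="${TSO_STOREPASS:-changeit}"
TSA_CACERTS="${TSA_CACERTS:-/opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts}"
TSA_STOREPASS="${TSA_STOREPASS:-changeit}"
CERT_FILE="${TMPDIR:-/tmp}/tso-$TSO_HOST.cer"

# Print the subject CN from `keytool -printcert` output supplied on stdin.
cn_from_printcert() {
  sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Succeed only when alias, expected TSO hostname and certificate CN all agree;
# TSA compares host and certificate during the TLS handshake, so a mismatch
# leaves the trusted entry useless.
alias_matches_cn() {  # $1 alias, $2 expected hostname, $3 certificate CN
  [ "$1" = "$2" ] && [ "$2" = "$3" ]
}

# Succeed when `keytool -list` output on stdin contains $1 as a trusted entry.
alias_trusted() {
  grep -q "^$1, .*trustedCertEntry"
}

main() {
  # Step 2: export the TSO public certificate (the Tomcat key is under "tomcat").
  keytool -export -rfc -alias tomcat -file "$CERT_FILE" \
    -keystore "$TSO_KEYSTORE" -storepass "$TSO_STOREPASS"
  cn=$(keytool -printcert -file "$CERT_FILE" | cn_from_printcert)
  alias_matches_cn "$TSO_HOST" "$TSO_HOST" "$cn" ||
    { echo "certificate CN '$cn' does not match TSO host '$TSO_HOST'" >&2; exit 1; }
  # Step 3: import it into the TSA cacerts under an alias equal to the hostname.
  keytool -import -noprompt -alias "$TSO_HOST" -file "$CERT_FILE" \
    -keystore "$TSA_CACERTS" -storepass "$TSA_STOREPASS"
  # Step 4: confirm the trusted entry exists before restarting the TSA server.
  keytool -list -keystore "$TSA_CACERTS" -storepass "$TSA_STOREPASS" |
    alias_trusted "$TSO_HOST"
}

# Run as `sh tso-trust.sh run`; without the argument it only defines functions.
case "${1:-}" in run) main ;; esac
```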

Enabling HTTPS support for TrueSight Orchestration on TrueSight Server Automation for an upgraded deployment of TrueSight Server Automation

  1. If TrueSight Orchestration is installed on a different computer, copy the C:\<BAOtomcatServerDirectory>\conf\.keystore file from the TrueSight Orchestration CDP system to the system where the TrueSight Server Automation application server is installed.
  2. On the system where the TrueSight Server Automation application server is installed, export the public certificate from the keystore file generated for TrueSight Orchestration to a temporary file by entering the following command:

    keytool -export -alias <alias> -file <file> -keystore <keystore> -storepass changeit

    In this command, note the following:

    • <alias> is the name used to distinguish certificates. The value entered for the alias must match the TrueSight Orchestration server hostname and the CN in the associated certificate. TrueSight Server Automation needs this to match so that the host and the certificate can be verified during the SSL connection process.
    • <file> is the name and location of the certificate file that will be created from this command.
    • <keystore> is the name and location of the keystore file that you created for TrueSight Orchestration.
      If you are using a UNIX/Linux system, the default keystore file location is $<BAOinstallationDirectory>/cdp/tomcat/conf/.keystore.

    For example:

    keytool -export -alias w2k3-sp-vm5 -file C:\cert.csr -keystore C:\<BAOtomcatServerDirectory>\conf\.keystore -storepass changeit

    keytool -export -alias tomcat -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BAO\CDP\tomcat\conf\.keystore" -storepass changeit
  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:

    keytool -import -alias w2k3-sp-vm5 -file C:\cert.csr -keystore "<keystorePath>" -storepass changeit

    keytool -import -alias bao.dem.bmc.local -file D:\Data\BAO\bao.csr -keystore "C:\Program Files\BMC\BladeLogic\appserver\NSH\jre\lib\security\cacerts" -storepass changeit

    Note that the keystore path in this example is a typical default path. This path might differ, depending on the exact details of your installation. The keystore path also depends on the type of operating system:

    • Linux — For a Linux Application Server use the <installationDirectory>/NSH/br/java/lib/security/cacerts file (for example /opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts) to install certificates.
    • Windows — For a Windows Application Server, refer to the path shown in the registry value SOFTWARE > BladeLogic > Operations Manager > Application Server > -Djava.home. Within this path, look for the lib\security\cacerts file. This is the directory into which you install the certificates.
  4. To check if the certificate is added to the cacerts file, enter the following command:

    keytool -list -keystore <keystorePath> -storepass changeit
  5. Recreate the bladelogic.keystore file:
    Performing this procedure generates the following artifacts:
    • A 2048-bit RSA key and a self-signed certificate for the Application Server. The certificate for the RSA key is stored under the "blade" alias.
    • A 384-bit ECDSA key and a self-signed certificate for the Application Server. The certificate for the ECDSA key is stored under the "blade_ecdsa" alias.
    1. You can generate the keystore using the blmkcert or keytool utility.
      Use the keytool utility for the following scenarios:
      • You want to generate an ECDSA key larger than 384 bits (for example, 512-bit). With blmkcert you can generate an ECDSA key of up to 384 bits.
      • You want to generate an RSA key larger than 4096 bits (for example, 4352-bit). With blmkcert you can generate an RSA key of up to 4096 bits.
      The certificate generated using blmkcert is valid for three years. If you use the keytool utility, you can customize the validity of the certificate using the <days> parameter.

      To generate the keystore using blmkcert

      From <installDirectory>/bin, enter the following command:
      blmkcert CN=<hostname> <jksFileName> <password>
      The command shown above has the following parameters:
      • <hostname> — Typically set to the host name where you are generating the certificate.
      • <jksFileName> — The full path to the keystore file that you are generating. This file will replace the existing keystore file in the deployments directory for the Application Server that is being updated, such as <installDirectory>/br/deployments.
      • <password> — A password used to encrypt the generated keystore file.
      For example, if you are generating a self-signed certificate on a Windows server called blapp1.example.com, you might enter a command similar to the following:
      blmkcert CN=blapp1.example.com "bladelogic.keystore" password
      This will create a file named bladelogic.keystore in the current directory. It is not recommended to overwrite the existing bladelogic.keystore while the application server is running.

      To generate the keystore using keytool

      From <installDirectory>/bin, enter the following command:
      keytool -genkey -alias <aliasName> -keyalg <keyPairAlg> -keystore <jksFileName> -storepass <password> -dname "CN=<hostname>" -keypass <password> -validity <days> -keysize <size> -sigalg <algorithm> -storetype <keystoreImpl>
      The command shown above has the following parameters:
      • <aliasName> — Name of the alias used for this certificate.
      • <keyPairAlg> — Key pair generation algorithm used.
      • <jksFileName> — The full path to the keystore file that you are generating. This file will replace the existing keystore file in the deployments directory for the Application Server that is being updated, such as <installDirectory>/br/deployments.
      • -storepass <password> — A password used to encrypt the generated keystore file.
      • <hostname> — Typically set to the host name where you are generating the certificate.
      • -keypass <password> — An initial password required by subsequent commands to access the private key associated with the alias <aliasName>.
      • <days> — Number of days the certificate is valid.
      • <size> — Bit size of the key being generated.
      • <algorithm> — The signature algorithm used.
      • <keystoreImpl> — The keystore implementation used. The default keystore type is "jks".
      Important
      • The alias name must be blade_ecdsa for ECDSA certificate and blade for RSA certificate.
      • Create separate certificates for ECDSA and RSA using the keytool command. Then store both the certificates into a single keystore as shown below.
      If you are generating a self-signed ECDSA certificate on a Windows server called blapp1.example.com, you might enter a command similar to the following:
      keytool -genkey -alias blade_ecdsa -keyalg EC -keystore bladelogic.keystore2 -storepass password -dname "CN=blapp1.example.com" -keypass password -validity 365 -keysize 384 -sigalg SHA256withECDSA -storetype jks
      If you are generating a self-signed RSA certificate on a Windows server called blapp1.example.com, you might enter a command similar to the following:
      keytool -genkey -alias blade -keyalg RSA -keystore bladelogic.keystore -storepass password -dname "CN=blapp1.example.com" -keypass password -validity 365 -keysize 2048 -sigalg SHA256withRSA -storetype jks

      To store both the certificates into a single keystore, you might enter a command similar to the following:
      keytool -importkeystore -srckeystore bladelogic.keystore2 -destkeystore bladelogic.keystore -srcstorepass password -deststorepass password
      This will create a file named bladelogic.keystore in the current directory. It is not recommended to overwrite the existing bladelogic.keystore while the application server is running.
      Starting from version 23.1, TrueSight Server Automation supports the Elliptic Curve Digital Signature Algorithm (ECDSA). For a fresh installation of Application Server 23.1, the bladelogic.keystore file is created with ECDSA. In the case of an upgrade, by default, the existing bladelogic.keystore file is not upgraded to ECDSA. To use ECDSA in bladelogic.keystore for an upgraded Application Server, perform the following steps:
      1. Back up the existing bladelogic.keystore file.
      2. Recreate the bladelogic.keystore file using the blmkcert or keytool utility.
      3. Import your other certificates (for example, certificates for integrations with TSAC, TSO, etc.) from the backed-up file into the bladelogic.keystore file.
      4. Copy the bladelogic.keystore file to all the Application Servers in a Multiple Application Server (MAS) environment.
      Note that the ECDSA certificate is used only for components that use web services for communication. This certificate is not used for TrueSight Server Automation communication (for example, it is not used when the RCP client communicates with the Application Server or when the Application Server communicates with the RSCD agent).
    2. After generating the new keystore file with the new certificate, skip to the Using the new keystore section below.
  6. Restart the TrueSight Server Automation Application Server, and verify the integration.

Using the new keystore

Once you have generated the new keystore file using one of the methods above you can start using it on your application server(s) by following these steps.

  1. Stop the Application Server.
  2. Make a backup of the existing <install dir>/br/deployments/bladelogic.keystore file.
  3. Copy the new bladelogic.keystore file over the existing file in <install dir>/br/deployments.
  4. If the keystore password used in the steps above is not the same as the one currently configured in the application server configuration, then you must update the application server configuration with the new password by running the following commands: 

    blasadmin -a set appserver certstore bladelogic.keystore
    blasadmin -a set appserver certpasswd <keystorePassword>
  5. If you have multiple Application Servers, repeat the above steps on those application servers. For information about this process, see Synchronizing keystore files of multiple Application Servers.
  6. Start the Application Server service.
    1. The first time that you connect to the application server from an RCP client, you are informed that a new certificate has arrived from the Application Server. Accept the new certificate.
    2. The following video demonstrates how to generate the certificate and synchronize it across Application Server deployments:

      https://youtu.be/RHEn_86bk_4
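The keytool variant of step 5 (upgraded deployment) and the "Using the new keystore" procedure as one script, added here as an example and not BMC's blmkcert or any TSA tooling: it generates the RSA entry under "blade" and the ECDSA entry under "blade_ecdsa", merges them with keytool -importkeystore, and checks that the merged file lists both aliases as private-key entries before the file is copied into the deployments directory and blasadmin is updated. The hostname, store password, working directory and deployments path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not BMC's tooling): build bladelogic.keystore with the "blade"
# (RSA) and "blade_ecdsa" (ECDSA) entries TSA 23.1 expects, then verify it.
# Placeholders to adjust: HOST, STOREPASS, WORK and DEPLOY_DIR.
set -eu

HOST="${HOST:-blapp1.example.com}"
STOREPASS="${STOREPASS:-password}"        # placeholder; same value goes to blasadmin
VALIDITY_DAYS="${VALIDITY_DAYS:-1095}"    # three years, matching blmkcert's default
WORK="${WORK:-$(pwd)}"
RSA_KS="$WORK/bladelogic.keystore"
EC_KS="$WORK/bladelogic.keystore2"

# Succeed when `keytool -list` output on stdin has $1 as a PrivateKeyEntry
# (a trustedCertEntry under that alias would carry no private key).
has_key_entry() {
  grep -q "^$1, .*PrivateKeyEntry"
}

# Succeed only when both aliases TSA expects are present in the listing on stdin.
keystore_complete() {
  listing=$(cat)
  printf '%s\n' "$listing" | has_key_entry blade &&
    printf '%s\n' "$listing" | has_key_entry blade_ecdsa
}

generate() {
  keytool -genkeypair -alias blade -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$HOST" -validity "$VALIDITY_DAYS" -storetype jks \
    -keystore "$RSA_KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -genkeypair -alias blade_ecdsa -keyalg EC -keysize 384 -sigalg SHA256withECDSA \
    -dname "CN=$HOST" -validity "$VALIDITY_DAYS" -storetype jks \
    -keystore "$EC_KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Merge the ECDSA entry into the RSA keystore so one file carries both aliases.
  keytool -importkeystore -noprompt -srckeystore "$EC_KS" -destkeystore "$RSA_KS" \
    -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS"
  keytool -list -keystore "$RSA_KS" -storepass "$STOREPASS" | keystore_complete
}

# Run with the Application Server stopped; repeat on every server in a MAS setup.
deploy() {
  dep="${DEPLOY_DIR:-/opt/bmc/bladelogic/NSH/br/deployments}"   # assumed location
  cp "$dep/bladelogic.keystore" "$dep/bladelogic.keystore.$(date +%Y%m%d).bak"
  cp "$RSA_KS" "$dep/bladelogic.keystore"
  blasadmin -a set appserver certstore bladelogic.keystore
  blasadmin -a set appserver certpasswd "$STOREPASS"
}
case "${1:-}" in generate) generate ;; deploy) deploy ;; esac
```

Run `sh tsa-keystore.sh generate` first and `sh tsa-keystore.sh deploy` only after the Application Server has been stopped.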
