Skip to Content

Using third-party Certification Authority certificates in TrueSight Server Automation - Data Warehouse

A certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. With this certification, relying parties can trust signatures or assertions made by the private key that corresponds to the public key that is certified.

For using third-party CA certificates, perform the following steps:

  1. Create a certificate signing request (CSR) using OpenSSL.
  2. Import the CA certificates for Apache Tomcat.
  3. Configure Apache to support CA certificates. 

Before you begin

  1. Obtain the openssl utility and unzip it into a local directory. You can obtain the relevant copy of this utility (for the appropriate operating system) from BMC Communities. Click here for a sample openssl.cnf file.
  2. Set the OPENSSL_CONF environment variable from the command prompt by executing the following command:

    • (Windows)

      SET OPENSSL_CONF=<localDir>\openssl.cnf

      For example:

      SET OPENSSL_CONF=D:\temp\openssl.cnf

    • (UNIX)

      export OPENSSL_CONF=<localDir>/openssl.cnf

      For example:

      export OPENSSL_CONF=/tmp/openssl.cnf 

To create a CSR request using OpenSSL

  1. Log in to a computer where Network Shell is installed.
  2. From the command prompt, navigate to the following directory:

    • (Windows) 

      <TSSA-DWInstallationDirectory>

      \tomcat\bin

    • (UNIX) 

      <TSSA-DWInstallationDirectory>

      /tomcat/bin

  3. Use the following command to create an RSA private key that is Triple-DES encrypted. This command creates the private key in the directory from where you run the command.

    • (Windows)

      openssl genrsa -des3 -out <namePrivateKey>.key 2048

      For example:

      openssl genrsa -des3 -out tssareports_new.key 2048

    • (UNIX)

      ./openssl genrsa -des3 -out <namePrivateKey>.key 2048

      For example:

      ./openssl genrsa -des3 -out tssareports_new.key 2048

    In the above command:

    • -des3 encrypts the private key with the des3 cipher before outputting it.
    • namePrivateKey indicates the name with which private key will be generated.
    • 2048 indicates the size of the private key to generate in bits.
    Warning

    Note

    If the above commands result in the following error:
    openssl: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory

    Then create links for following files as shown below from /$BDS_HOME/tomcat/bin:

    # ln -s /data1/bmc/TSSA-DW/webserver/lib/libssl.so.1.0.0  libssl.so.1.0.0

    # ln -s /data1/bmc/TSSA-DW/webserver/lib/libcrypto.so.1.0.0 libcrypto.so.1.0.0

  4. Create and confirm the pass phrase for the private key.

  5. After the private key is created, run the following command:

    • (Windows)

      openssl rsa -in tssareports_new.key -out tssareports.key

    • (UNIX)

      ./openssl rsa -in tssareports_new.key -out tssareports.key

    In the above command, tssareports_new.key is the private key that you created in step 3.

  6. Enter the pass phrase that you created in step 4.

  7. Run the following command to create a CSR by using the private key (tssareports.key) that you prepared in step 5:

    • (Windows)

      openssl req -new -key tssareports.key -out tssareports.csr -config <localDir>\openssl.cnf

      For example:

      openssl req -new -key tssareports.key -out tssareports.csr -config D:\temp\openssl.cnf

    • (UNIX)

      ./openssl req -new -key tssareports.key -out tssareports.csr -config <localDir>/openssl.cnf

      For example:

      ./openssl req -new -key tssareports.key -out tssareports.csr -config /tmp/openssl.cnf


    tssareports.csr is the output file containing CSR. The above command sends a request to the CA to generate the certificate in PEM (Base-64 encoded ASCII) format, which is the format required by Apache and Cognos to support CA certificates.

  8. Enter the pass phrase that you created in step 4.
  9. Send the CSR file (tssareports.csr) to a CA for signing using one of the following methods. CA returns two signed certificate files, one is the CA certificate chain and the other is the application certificate. For example, ca-chain.cert.pem and tssareports.pem.
    • Have the CSR signed by a commercial CA like Verisign or Thawte. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed certificate. 
    • Use your own CA and get the CSR signed by this CA.
      The result is a real certificate that can be used for Apache.

To import CA certificates for Apache Tomcat

  1. Convert key and certificate generated from OpenSSL into PKCS12 format.

    • (Windows)

      openssl pkcs12 -export -in <Certificate in pem> -inkey <KEY> -out <outputfile.p12> -name <hostname> -passin <pass:password> -passout <pass.password>

      For example:

      openssl pkcs12 -export -in bdssareports.pem -inkey bdssareports.key -out srv-abc-016201.p12 -name srv-abc-016201 -passin pass:password -passout pass:password

    • (UNIX)

      openssl pkcs12 -export -in <Certificate in pem> -inkey <KEY> -out <outputfile.p12> -name <hostname> -passin <pass:password> -passout <pass.password>

      For example:

      openssl pkcs12 -export -in bdssareports.pem -inkey bdssareports.key -out srv-abc-016201.p12 -name srv-abc-016201 -passin pass:password -passout pass:password

  2. Create Keystore.

    • (Windows)

      \opt\bmc\TSSA-DW\jre\bin\keytool -importkeystore -srckeystore <outputfile.p12>  -srcstoretype PKCS12 -srcstorepass <password> -alias <hostname> -deststorepass <password> -destkeypass <password> -destkeystore <keystorename.jks>

      For example:

      \opt\bmc\TSSA-DW\jre\bin\keytool -importkeystore -srckeystore srv-abc-016201.p12 -srcstoretype PKCS12 -srcstorepass password -alias srv-abc-016201 -deststorepass password -destkeypass password -destkeystore srv-abc-016201-keystore.jks

    • (UNIX)

      /opt/bmc/TSSA-DW/jre/bin/keytool -importkeystore -srckeystore <outputfile.p12>  -srcstoretype PKCS12 -srcstorepass <password> -alias <hostname> -deststorepass <password> -destkeypass <password> -destkeystore <keystorename.jks>

      For example:

      /opt/bmc/TSSA-DW/jre/bin/keytool -importkeystore -srckeystore srv-abc-016201.p12 -srcstoretype PKCS12 -srcstorepass password -alias srv-abc-016201 -deststorepass password -destkeypass password -destkeystore srv-abc-016201-keystore.jks
  3. Copy Keystore file in $BDS_HOME/tomcat/conf file.

  4. Update server.xml file in $BDS_HOME/tomcat/conf file with keystore filename and its password. To set the keystorePass password in encrypted form, use blenc to encrypt the password before adding into the server.xml configuration file.

    • (Windows)

      keystoreFile="\opt\bmc\TSSA-DW\tomcat\conf\srv-abc-016201-keystore.jks"
      keystorePass="password"

    • (UNIX)

      keystoreFile="/opt/bmc/TSSA-DW/tomcat/conf/srv-abc-016201-keystore.jks"
      keystorePass="password"
  5. Restart TrueSight Server Automation - Data Warehouse Web Server Service.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Smart Reporting 19.01