Out of support: This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Certificates


The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/TLS) communications. These files are stored in the following directory:

<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf

The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users about the insecure nature of the certificate each time the user authenticates. This certificate warning can be prevented by doing one of the following:

  • Permanently importing the self-signed certificate into the user's truststore.
  • Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA). The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA, and this relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.

Certificate Signing Request

A certificate digitally signed by a CA is obtained by generating a Certificate Signing Request (CSR):

The output from the command must be sent to the CA for a digital signature. After the signed identity certificate is returned, the next step is to import it into the keystore, where it replaces the current self-signed certificate.

The keytool utility is used to obtain a CSR, to obtain a signed certificate, and to import the signed certificate in order to replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single Sign-On.

New CA certificates

Adding another certificate is necessary when CAC authentication is used, when the Department of Defense (DoD) issues new CA certificates, or when the CA certificate used to create a signed certificate for the BMC Atrium Single Sign-On server is not already in the truststore. The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On truststore.
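The CSR, signed-certificate import, and CA-certificate import steps described in the two sections above, written out as keytool calls. This is an added example, not commands from the BMC documentation; the keystore and truststore file names, the key alias, and the CA alias are placeholders to replace with the values from your installation.

```shell
#!/bin/sh
# Added example: CSR and certificate import workflow with keytool.
# All file names and aliases below are placeholders (assumptions), not values
# taken from the BMC Atrium Single Sign-On documentation.
KEYTOOL="${KEYTOOL:-keytool}"      # keytool binary from the JDK
CONF_DIR="${CONF_DIR:-.}"          # the tomcat/conf directory named above
KEYSTORE="${KEYSTORE:-$CONF_DIR/KEYSTORE_FILE}"        # placeholder file name
TRUSTSTORE="${TRUSTSTORE:-$CONF_DIR/TRUSTSTORE_FILE}"  # placeholder file name
ALIAS="${ALIAS:-SERVER_KEY_ALIAS}" # placeholder: alias of the self-signed entry

# No -storepass is passed: keytool prompts for the store password, which keeps
# it out of the shell history and the process list.

# Keep a copy of the keystore before changing it, so the self-signed entry
# (and its private key) can be restored if an import goes wrong.
backup_keystore() {
    cp -p "$KEYSTORE" "$KEYSTORE.bak"
}

# Step 1: generate the CSR from the existing key pair. Only the public key and
# subject go into the CSR; the private key stays in the keystore.
generate_csr() {        # $1 = CSR output file to send to the CA
    "$KEYTOOL" -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -file "$1"
}

# Step 2: import a CA certificate under its own alias. Use it for the
# truststore, and for the keystore when the signing CA is not yet known there,
# so keytool can build the chain for the signed certificate.
import_ca_cert() {      # $1 = store file, $2 = alias for the CA, $3 = CA cert file
    "$KEYTOOL" -importcert -trustcacerts -alias "$2" -keystore "$1" -file "$3"
}

# Step 3: import the signed certificate under the SAME alias as the key pair.
# Using a different alias would add a trusted-certificate entry and leave the
# self-signed certificate in place.
import_signed_cert() {  # $1 = signed certificate returned by the CA
    "$KEYTOOL" -importcert -alias "$ALIAS" -keystore "$KEYSTORE" -file "$1"
}

# Step 4: inspect the entry. After a successful import the listing shows a
# certificate chain ending at the CA rather than one self-signed certificate.
show_entry() {
    "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE"
}
```

Source the file and call the functions in order; Tomcat has to be restarted before it serves the new certificate.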
