Out of support: This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." The documentation remains available for your convenience.

Creating new keystores

The following topics provide information and instructions for creating new keystores:

To create a new keystore

  1. From the command prompt, change your working directory to
    <installationDirectory>\AtriumSSO\tomcat\conf
  2. Create a new keystore by using a new password to secure the certificate:
    • For Microsoft Windows:

      keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore %CATALINA_HOME%\conf\keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE
    • For UNIX:

      keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore $CATALINA_HOME/conf/keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

      Note

      Based on your requirements, you can use a keysize value of either 1024 or 2048.

  3. After the keystore has been created, you must provide six parameters that form a distinguished name for a certificate associated with the key.
    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner
  4. Update the server.xml file with the new password for the keystore.

For details, see the Apache Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#SSL.

Locations of keystore and truststores

With the BMC Atrium Single Sign-On default installation, the keystore and truststores are in the following locations:

  • Keystore:
    <installationDirectory>/tomcat/conf/keystore.p12
  • Tomcat truststore:
    <installationDirectory>/tomcat/conf/cacerts.p12
  • Java virtual machine (JVM) truststore:
    <installationDirectory>/jvm/jre/lib/security/cacerts

Example of creating a new keystore

C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password

Enter keystore password:
What is your first and last name?
[Unknown]:  sample.bmc.com
What is the name of your organizational unit?
[Unknown]:  BMC Atrium SSO
What is the name of your organization?
[Unknown]:  BMC Software, Inc.
What is the name of your City or Locality?
[Unknown]:  Austin
What is the name of your State or Province?
[Unknown]:  TX
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
[no]:  yes

Note

If you are adding the fully qualified domain name (FQDN) URL of a load balancer or reverse proxy to the server certificate, BMC recommends that you also add the names of the cluster nodes to the certificate. You can include these names in the certificate by using the following Subject Alternative Name (SAN) parameter in the keytool command:

-ext "san=DNS:<node>[,DNS:<node>]"

In this example, the following definitions apply:

  • <node> — FQDN of a node
  • [,DNS:<node>] — Optional; repeat ,DNS:<node> once for each additional node in the cluster

Example

-ext "san=DNS:node1.bmc.com,DNS:node2.bmc.com"
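The following script is an added example, not BMC's own tooling, that carries the whole procedure above through in one non-interactive run: it builds the six-part distinguished name (so keytool does not prompt), builds the SAN extension from a list of cluster node names as described in the note, generates the PKCS12 keystore, verifies that the node names landed in the certificate, and prints the Tomcat 6 HTTPS Connector fragment for server.xml (step 4). Everything in it is assumed rather than taken from the page: the host names sso.example.com, node1.example.com and node2.example.com, the organization values, the keystore path under /tmp, and the placeholder password. It uses a 2048-bit key (the larger of the two sizes the note allows) and SHA256withRSA instead of SHA1withRSA, and omits -providername JsafeJCE because that requires the RSA BSAFE provider to be installed; the standard SUN provider is used instead. keytool must be on the PATH (Java 7 or later for -ext san); if it is not, the functions are still defined but no keystore is generated.

```shell
#!/bin/sh
# Added example for creating the Atrium SSO Tomcat keystore non-interactively.
# Assumptions: keytool on PATH (Java 7+), writable $TMPDIR or /tmp, placeholder
# hostnames and password; replace KEYSTORE_PASS with a real secret in practice.
set -eu

KEYSTORE_PASS="${KEYSTORE_PASS:-keystore_password}"   # placeholder password

# Build the "san=DNS:a,DNS:b" extension value from the node FQDNs given as arguments.
san_ext() {
  san=""
  for node in "$@"; do
    if [ -z "$san" ]; then san="DNS:$node"; else san="$san,DNS:$node"; fi
  done
  printf 'san=%s' "$san"
}

# Build the -dname string from the six DN parts the procedure asks for
# ($1=CN $2=OU $3=O $4=L $5=ST $6=C). A comma inside a value must be escaped as "\,".
dname() {
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Generate the PKCS12 keystore without prompts. $1 = keystore path, $2 = CN
# (the name clients connect to), remaining args = cluster node FQDNs for the SAN.
create_keystore() {
  ks="$1"; cn="$2"; shift 2
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -storetype pkcs12 -keystore "$ks" -validity 999 \
    -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
    -dname "$(dname "$cn" 'BMC Atrium SSO' 'Example Org' 'Austin' 'TX' 'US')" \
    -ext "$(san_ext "$cn" "$@")"
}

# Confirm that a given node name appears as a DNSName SAN entry in the stored certificate.
# $1 = keystore path, $2 = expected FQDN. Returns non-zero if it is missing.
verify_keystore() {
  keytool -list -v -keystore "$1" -storetype pkcs12 -storepass "$KEYSTORE_PASS" \
    | grep -q "DNSName: $2"
}

# Tomcat 6 HTTPS Connector fragment for server.xml pointing at the new keystore
# and carrying the new keystore password (step 4 of the procedure).
connector_xml() {
  printf '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="%s" keystoreType="PKCS12" keystorePass="%s"/>\n' \
    "$1" "$KEYSTORE_PASS"
}

# Stand-alone run: generate, verify, and print the connector fragment.
if command -v keytool >/dev/null 2>&1; then
  KS="${TMPDIR:-/tmp}/atriumsso-example-keystore.p12"
  rm -f "$KS"
  create_keystore "$KS" sso.example.com node1.example.com node2.example.com
  verify_keystore "$KS" node1.example.com && echo "SAN entry for node1.example.com present in $KS"
  connector_xml "$KS"
else
  echo "keytool not found on PATH; functions defined but no keystore generated" >&2
fi
```

In a real deployment, pass the keystore path from step 1 (the AtriumSSO tomcat/conf directory) instead of /tmp, and paste the printed Connector element into server.xml in place of the existing HTTPS connector so that keystorePass matches the -storepass you used. The verification step is the check worth keeping: a certificate whose SAN lacks a node name will fail hostname validation when a client reaches that node directly rather than through the load balancer.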
