Out of support: This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Installing certificates on a standalone server


To install signed certificates on a standalone BMC Atrium Single Sign-On server, follow the steps in this topic. Run all of the commands in this topic from the <installationdirectory>/tomcat/conf directory.

Recommendation

Before you begin, copy the existing keystore.p12 and cacerts.p12 files from the conf directory to a backup directory. If anything goes wrong, restore these two files to the conf directory and restart Tomcat; the system is then back in its out-of-the-box state.

To install the certificates

The following diagram illustrates the sequence of tasks that you must follow to install certificates.

[Diagram: Certificates_Standalone_new.jpg]

  1. (Optional) If the existing certificate is not relevant for your environment, generate a new keystore for the BMC Atrium Single Sign-On server with the alias tomcat. The BMC Atrium Single Sign-On installation provides a default self-signed certificate with placeholder values for attributes such as Company, City, and State. Delete the existing keystore.p12 file from the <installationdirectory>/tomcat/conf directory and then generate a new keystore. Keep the alias tomcat: that is the entry the Tomcat connector serves. For information about generating a new keystore, see Creating-new-keystores.
  2. Generate a certificate signing request (CSR) for the tomcat entry. For more information, see Generating-CSRs.
  3. Send the CSR to a certificate authority (CA). The CA signs the request with its own private key, vouching for the identity of your server, and returns a signed identity certificate. Your CA must provide one of the following files:

    • The base64 signed certificate, cert_name.cer
       
    • The complete chain of certificates in cert_name.p7b (PKCS#7) format

    If the complete chain is not available as a single file, you must get all of the intermediate CA certificates leading up to the root. For more information, see Getting-intermediate-CA-certificates.

  4. Import signed certificates as follows:

    Note

    When you try to import the certificate that you received from your CA, keytool might report that the certificate chain is missing (for example, "Failed to establish chain from reply"). This means that the issuing CA certificates are not yet in the store: get the complete certificate chain, including all of the intermediate certificates, from your CA. Import the signing chain in order, starting with the root certificate, then each intermediate certificate, and finally the signed server certificate. For more information, see Importing-certificate-chains-and-intermediate-certificates.

     

    • keystore.p12 — Import the certificate that you received from your CA. This store holds the certificate that is served when a client connects to the BMC Atrium Single Sign-On server; the alias used for it is tomcat. For more information, see Importing-a-certificate-into-keystore-p12.
    • (If connecting to other servers) cacerts.p12 — If BMC Atrium Single Sign-On connects to other servers over SSL/TLS, for example an LDAP server or AD FS, import those servers' certificates into the cacerts.p12 file. This file is a truststore: it contains the certificates that BMC Atrium Single Sign-On accepts when it opens a connection. For example, when BMC Atrium Single Sign-On connects to an SSL-enabled LDAP server, you must import the LDAP server's certificate (or the CA certificate that issued it) into cacerts.p12; otherwise the TLS handshake fails because the LDAP server's identity cannot be verified. For more information, see Importing-a-certificate-into-cacerts-p12.

      Note

      You must also import the root certificate into cacerts.p12. Use the same keytool -importcert command that is shown for the JVM truststore in the next bullet, but point -keystore at cacerts.p12 (add -storetype pkcs12, because the file is a PKCS#12 store) and use the cacerts.p12 store password.

    • cacerts (JVM truststore) — Import the root certificate into the truststore of the JVM used by the Apache Tomcat server installed with BMC Atrium Single Sign-On. Run the keytool utility for cacerts with the following parameters:
      • For UNIX:

        keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts -keypass changeit -storepass changeit -file <certificateFile>
      • For Microsoft Windows:

        keytool -importcert -trustcacerts -alias RootCA -keyalg RSA -keystore <ASSO_INSTALL_ROOT>\jdk\jre\lib\security\cacerts -keypass changeit -storepass changeit -file <certificateFile>

      Notes

      If you get a message saying that the certificate already exists in the truststore, you can skip the import.

      changeit is the default password of the JDK cacerts truststore; if it has been changed on your system, use the current password. The -keyalg and -keypass parameters have no effect when -importcert adds a trusted certificate and can be omitted. keytool asks "Trust this certificate?" before adding a self-signed root; add -noprompt to answer yes non-interactively, for example in a script. Verify the result with keytool -list -keystore <ASSO_INSTALL_ROOT>/jdk/jre/lib/security/cacerts -storepass changeit -alias RootCA (use the corresponding path on Windows).

  5. Stop and restart the Apache Tomcat server.

    Note

    The new certificate does not take effect until the Tomcat server is restarted, because Tomcat reads keystore.p12 and the truststores only at startup.

  6. Update all integrated application truststores with the new certificate. You must share the new BMC Atrium Single Sign-On certificate (or the CA certificate that issued it) with the other server hosts, such as LDAP or Active Directory Federation Services (AD FS), so that they trust BMC Atrium Single Sign-On.
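The procedure in steps 1 through 6, as an added example that is not BMC's code or part of this page: a POSIX shell script that backs up both stores (the Recommendation above), generates the tomcat key pair and CSR, splits a PEM bundle into single-certificate files, imports the chain into keystore.p12 in the order root, intermediate, signed reply, and adds the root to cacerts.p12. A real CA is not available offline, so the script also builds a throwaway two-level CA with keytool (JDK 7 or later for -gencert and -ext). The CA names Demo Root CA and Demo Intermediate CA, the host name sso.example.com, the passwords changeit and capass, the aliases demo-root and demo-inter, and all file names are assumptions made for the example. It deliberately imports the leaf before its intermediate once, to show the missing-chain rejection described in the Note under step 4, and its chain_length and issuer_of functions are the check from the postinstallation steps.

```shell
#!/bin/sh
# Added example, not BMC's code: the certificate install sequence from this
# topic, run against a throwaway CA so that it works offline. Assumed names:
# Demo Root CA, Demo Intermediate CA, sso.example.com, the passwords changeit
# (the page's default) and capass, the aliases demo-root/demo-inter, file names.
set -eu

# Recommendation: back up keystore.p12 and cacerts.p12 first; prints how many were copied.
backup_stores() {  # backup_stores <conf dir> <backup dir>
  n=0
  mkdir -p "$2"
  for f in keystore.p12 cacerts.p12; do
    if [ -f "$1/$f" ]; then cp -p "$1/$f" "$2/$f"; n=$((n + 1)); fi
  done
  echo "$n"
}

# .p12 files are PKCS#12 stores; the JVM cacerts file uses keytool's default type.
store_opts() {  # store_opts <store file>
  case "$1" in *.p12) echo "-storetype pkcs12" ;; *) echo "" ;; esac
}

# keytool -importcert reads one certificate per file, so a PEM bundle from the CA
# (root, intermediates, leaf) must be split. Prints the Nth certificate block.
pem_block() {  # pem_block <bundle.pem> <n>
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }' "$1"
}

# Step 4: trusted certificate entry (root first, then each intermediate).
# -noprompt answers the "Trust this certificate?" question for a self-signed root.
import_trusted() {  # import_trusted <store> <storepass> <alias> <cert.pem>
  keytool -importcert -trustcacerts -noprompt $(store_opts "$1") \
    -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Step 4: the CA's signed reply goes under the existing key alias "tomcat". keytool
# rejects it ("Failed to establish chain from reply") unless every issuer up to a
# trusted root is already in this store or in the JVM cacerts.
import_reply() {  # import_reply <store> <storepass> <reply.cer>
  keytool -importcert -trustcacerts -noprompt $(store_opts "$1") \
    -keystore "$1" -storepass "$2" -alias tomcat -file "$3"
}

# Postinstallation check: chain length and issuer of the entry Tomcat will serve.
chain_length() {  # chain_length <store> <storepass> <alias>
  keytool -list -v $(store_opts "$1") -keystore "$1" -storepass "$2" -alias "$3" \
    | sed -n 's/^Certificate chain length: //p'
}
issuer_of() {  # issuer_of <store> <storepass> <alias>
  keytool -list -v $(store_opts "$1") -keystore "$1" -storepass "$2" -alias "$3" \
    | sed -n 's/^Issuer: //p' | head -n 1
}

# Throwaway two-level CA standing in for the real CA of step 3 (demo only).
make_demo_ca() {  # writes ca.p12, root.pem and inter.pem in the current directory
  ks="-storetype pkcs12 -keystore ca.p12 -storepass capass"
  keytool -genkeypair $ks -keypass capass -alias root -keyalg RSA -keysize 2048 \
    -validity 3650 -dname "CN=Demo Root CA" -ext bc:c
  keytool -genkeypair $ks -keypass capass -alias inter -keyalg RSA -keysize 2048 \
    -validity 1825 -dname "CN=Demo Intermediate CA"
  keytool -certreq $ks -alias inter -file inter.csr
  keytool -gencert $ks -alias root -validity 1825 -ext bc:c -rfc \
    -infile inter.csr -outfile inter-reply.pem
  keytool -importcert $ks -noprompt -alias inter -file inter-reply.pem
  keytool -exportcert $ks -alias root -rfc -file root.pem
  pem_block inter-reply.pem 1 > inter.pem
}

# Steps 1 to 4 against keystore.p12 and cacerts.p12 in the current directory.
run_install() {
  rm -f keystore.p12    # step 1: replace the default self-signed keystore
  keytool -genkeypair -storetype pkcs12 -keystore keystore.p12 -storepass changeit \
    -keypass changeit -alias tomcat -keyalg RSA -keysize 2048 -validity 825 \
    -dname "CN=sso.example.com,O=Example,L=City,ST=State,C=US"
  keytool -certreq -storetype pkcs12 -keystore keystore.p12 -storepass changeit \
    -alias tomcat -file tomcat.csr    # step 2: CSR
  keytool -gencert -storetype pkcs12 -keystore ca.p12 -storepass capass -alias inter \
    -validity 825 -ext san=dns:sso.example.com -rfc -infile tomcat.csr -outfile reply.pem
  pem_block reply.pem 1 > cert_name.cer    # step 3: the leaf alone, as a base64 .cer
  # The Note's failure mode: the leaf is refused while its intermediate is unknown.
  if import_reply keystore.p12 changeit cert_name.cer 2>/dev/null; then
    echo "unexpected: leaf accepted without its chain" >&2; return 1
  fi
  import_trusted keystore.p12 changeit demo-root root.pem     # step 4: root ...
  import_trusted keystore.p12 changeit demo-inter inter.pem   # ... then intermediate ...
  import_reply keystore.p12 changeit cert_name.cer            # ... then the signed reply
  import_trusted cacerts.p12 changeit demo-root root.pem      # step 4: ASSO truststore
  # JVM truststore: same call with "$ASSO_INSTALL_ROOT/jdk/jre/lib/security/cacerts" as the store
}

if [ "${1:-}" = "run" ]; then    # usage: sh install-chain.sh run   (in an empty directory)
  make_demo_ca && run_install
  echo "chain length: $(chain_length keystore.p12 changeit tomcat)"   # 3
  echo "issuer: $(issuer_of keystore.p12 changeit tomcat)"
fi
```

Run it as sh install-chain.sh run in an empty directory. The import order matters because keytool validates each new entry against what is already in the store: the self-signed root needs -noprompt, each intermediate is checked against the root, and the signed reply must chain through them to a trusted root, which is why the first import_reply call fails and the second succeeds. Passwords are passed on the command line here for brevity; on a shared host prefer keytool's interactive prompt so they do not appear in process listings.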

 

Note

If you have already integrated other products such as BMC Remedy Mid Tier and BMC Dashboards & Analytics, then you must redeploy the agents. For more information, see Installing-certificates-after-integration-with-other-BMC-products.

 

Postinstallation steps

  1. Check the contents of the BMC Atrium Single Sign-On truststore (cacerts.p12) to confirm that the certificate, or its issuer (signer) certificate, has been imported. For more information, see Checking-the-truststore-for-certificates.
  2. Stop the BMC Atrium Single Sign-On server.
  3. Stop the server on which other BMC products are installed. For example, stop the AR System server, Mid Tier server, and so on.
  4. Restart BMC Atrium Single Sign-On and the other servers in the order in which they were stopped.
  5. Integrate BMC Atrium Single Sign-On with BMC products; for example, BMC Remedy AR System and BMC Remedy Mid Tier:
    1. Run the integration utilities on BMC Remedy AR System and BMC Remedy Mid Tier.
    2. Stop all of the services.
    3. Start all of the services in the order in which they were stopped on BMC Atrium Single Sign-On, BMC Remedy AR System, and BMC Remedy Mid Tier.

For more information, see Integrating

Related topics

Adding-and-removing-a-CA-certificate

Checking-the-truststore-for-certificates

 
