Using self-signed or custom CA certificates

From BMC Helix IT Operations Management 21.3.03 onwards, you can use self-signed or custom CA certificates while deploying BMC Helix Operations Management. You can use your own CA-signed or your company's CA-signed certificates.

Important

BMC Helix Continuous Optimization supports self-signed or custom CA certificates for version 22.2.01 or later.

Configuration-file-settingsAdding a self-signed or custom CA certificate in BMC Helix Discovery

To use certificates, you must perform the following steps:

  1. Generate a custom CA certificate.
  2. Add the certificate in the trust store.


To generate a custom CA certificate

  1. Log in to the host where you are running the installer.
  2. Create a folder, for example custom_cert.

  3. Navigate to the folder that you created and create a conf file that has all the details, for example custom_cert.cnf
    Ensure that you add the correct DNS names according to your cluster configurations. The following image displays the custom_cert.cnf conf file:
    custom_cert_cnf_file.png 

    Example DNS entries

    DNS.1 =mycomputer-rsso.lab.bmc.com

    DNS.2 =mycomputer-tms.lab.bmc.com

    DNS.3 =mycomputer-minio.lab.bmc.com

    DNS.4 =acme-private-poc.lab.bmc.com

    DNS.5 =acme-disc-private-poc.lab.bmc.com

    DNS.6 =acme-optimize-private-poc.lab.bmc.com

  4. Run the following command to generate the CSR by using the conf file that you created:

    ]$ openssl req -out <csr_filename>.csr -newkey rsa:2048 -nodes -keyout <private_key_filename>.key -config custom_cert.cnf -days 700

    The following files are generated:

    • A .csr file, for example ade.csr
    • A .key file, for example ade_private.key


To add the certificate to the trust store

  1. Copy the self-signed or custom CA certificate (full chain) in the commons/certs/ directory.
    Ensure that the file name of the certificate is custom_cacert.pem (full chain certificate).
  2. Ensure that your local CA certificate chain (full chain) is present in the trust store.


(Only BMC Helix Capacity Optimization) To install the Remote ETL Engine with a self-signed certificate

  1. Copy the on-premises installer certificate file (custom_cacert.pem or custom_cacert.pem.zip) where you have extracted the Remote ETL Engine installer in the BCO/Disk1 folder. This should be the same folder where the setup.sh file is available. 
    For details about how to get the custom_cacert.pem or custom_cacert.pem.zip file, see Deploying-and-configuring-the-ingress-controller-for-OpenShift-or-Kubernetes.
  2. Run the setup.sh file.

The setup file converts the certificate file and introduces such certificates among the one trusted by the Remote ETL Engine jre.

For details about how to install the Remote ETL Engine, see Installing remote components to collect on-premises data.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*