Using custom CA signed certificates


From BMC Helix IT Operations Management 21.3.03 onwards, you can use self-signed or custom CA certificates while deploying BMC Helix Operations Management. 

Important

BMC Helix Continuous Optimization supports self-signed or custom CA certificates for version 22.2.01 or later.

To use certificates, you must perform the following steps:

  1. Generate a CSR and get it signed by your custom CA (or generate a self-signed certificate).
  2. Add the CA certificate chain to the trust store.

To generate a CSR (Certificate Signing Request)

  1. Log in to the host where you are running the installer.
  2. Create a folder; for example, custom_cert.
  3. Navigate to the folder you created and create an OpenSSL configuration file with all the details; for example, custom_cert.cnf.
    Make sure that you add the correct DNS names according to your cluster configuration.
    The DNS name present in Common Name (CN) must also be included in the Subject Alternative Name (SAN) list. If you are using a wildcard name as CN, the wildcard name must also be present in the SAN list. Modern TLS clients match the host name against the SAN list and ignore the CN, so a name that appears only in the CN fails validation.
    [Image 23.1.02_CustomCertCnf.png: an example custom_cert.cnf file]

    Example DNS entries:

    DNS.1 = acme-rsso.lab.bmc.com
    DNS.2 = acme-tms.lab.bmc.com
    DNS.3 = acme-minio.lab.bmc.com
    DNS.4 = acme-private-poc.lab.bmc.com
    DNS.5 = acme-optimize-private-poc.lab.bmc.com

  4. Run the following command to generate the private key and the CSR by using the configuration file that you created:

    openssl req -new -newkey rsa:2048 -nodes -keyout <private_key_filename>.key -out <csr_filename>.csr -config custom_cert.cnf

    The -days option of openssl req applies only when it produces a self-signed certificate (-x509); it is ignored when generating a CSR. The validity period of the final certificate is set by the CA when it signs the request.

    The following files are generated:

    • A .csr file, for example ade.csr (the request that you send to the CA)
    • A .key file, for example ade_private.key (the unencrypted private key; restrict its permissions and never send it to the CA)
  5. Get the .csr file signed by your Certificate Authority (CA) to generate the custom CA-signed certificate.
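The steps above as one runnable script. This is an added example, not BMC's own script: it writes a custom_cert.cnf with the SAN list from the example above, generates the private key and CSR, and then checks the stated requirement that the CN also appears in the SAN list, including a deliberately wrong CSR to show the check failing. The host names, the organisation name and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example, not BMC's own script: writes a custom_cert.cnf with a SAN list,
# generates the private key and CSR, and checks the requirement stated above
# (the CN must also appear in the SAN list). Host names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL request config. req_extensions = v3_req is what puts the SAN list into
# the CSR; without it the [ alt_names ] entries are silently dropped.
write_cnf() {
  cat > "$WORKDIR/custom_cert.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C  = US
O  = Example Org
CN = acme-rsso.lab.bmc.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = acme-rsso.lab.bmc.com
DNS.2 = acme-tms.lab.bmc.com
DNS.3 = acme-minio.lab.bmc.com
DNS.4 = acme-private-poc.lab.bmc.com
DNS.5 = acme-optimize-private-poc.lab.bmc.com
EOF
}

# Generate key + CSR. No -days: it only applies to -x509 self-signed output and is
# ignored for a CSR; the CA sets the validity period when it signs.
gen_csr() {  # $1 = CSR path, $2 = key path; extra args pass through (e.g. -subj)
  csr="$1"; key="$2"; shift 2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -config "$WORKDIR/custom_cert.cnf" "$@" 2>/dev/null
}

# Print the DNS SAN entries of a CSR, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if the CN of the CSR is also listed in its SAN entries, 1 otherwise.
cn_in_san() {
  cn=$(openssl req -in "$1" -noout -subject -nameopt sep_multiline,sname \
       | sed -n 's/^ *CN *= *//p')
  [ -n "$cn" ] || return 1
  csr_sans "$1" | grep -qxF -- "$cn"
}

write_cnf
gen_csr "$WORKDIR/ade.csr" "$WORKDIR/ade_private.key"
# Same config but a CN that is absent from [ alt_names ]: the mistake the check catches.
gen_csr "$WORKDIR/bad.csr" "$WORKDIR/bad.key" -subj "/C=US/O=Example Org/CN=acme-other.lab.bmc.com"

for f in "$WORKDIR/ade.csr" "$WORKDIR/bad.csr"; do
  if cn_in_san "$f"; then
    echo "$f: OK, CN is in the SAN list"
  else
    echo "$f: CN is missing from the SAN list; fix [ alt_names ] before sending the CSR to the CA" >&2
  fi
done
```

Run the check on the real CSR before handing it to the CA; a certificate issued from a request whose CN is missing from the SAN list has to be reissued, because the CN alone is not used for host name matching.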


To add the certificate to the trust store

  1. Copy the self-signed or custom CA certificate (full CA chain) to the commons/certs/ directory.
    Ensure that the file name of the certificate is custom_cacert.pem and that it contains the full chain: every CA certificate from the issuing CA up to the root CA, in PEM format.
  2. Ensure that your local CA certificate chain (full chain) is present in the trust store.
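A check to run on custom_cacert.pem before copying it to commons/certs/. This is an added example and not BMC's own tooling: a throwaway root CA and intermediate CA stand in for your real CA so that the script runs offline, and a leaf certificate stands in for the certificate signed from your CSR. The function check_ca_chain confirms that every certificate in the bundle is a CA certificate, that the issuer of every non-root certificate is also in the bundle, and that a self-signed root is present; a bundle with the root left out is built alongside to show the failure. CA names, host name and working directory are assumptions.

```shell
#!/bin/sh
# Added example, not BMC's own tooling. A throwaway root CA and intermediate CA
# stand in for your real CA so the script runs offline; the leaf stands in for
# the certificate signed from your CSR. Names and paths are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Minimal OpenSSL config for the stand-in CAs (-config replaces the system openssl.cnf).
cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:acme-rsso.lab.bmc.com
EOF

# Root CA (self-signed), intermediate CA signed by the root, leaf signed by the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 3650 \
  -subj "/O=Example Org/CN=Example Root CA" -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/O=Example Org/CN=Example Issuing CA" -config ca.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
  -out int.crt -extfile ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/O=Example Org/CN=acme-rsso.lab.bmc.com" -config ca.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 365 \
  -out leaf.crt -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# custom_cacert.pem must carry the full CA chain. Leaving out the root is the usual mistake.
cat int.crt root.crt > custom_cacert.pem
cat int.crt          > broken_cacert.pem

# Check a PEM bundle: every certificate is a CA certificate, the issuer of every
# non-root certificate is also in the bundle, and at least one self-signed root
# is present. Returns 0 when the chain is complete, 1 otherwise.
check_ca_chain() {
  bundle="$1"
  parts=$(mktemp -d)
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$bundle"
  count=$(ls "$parts" | wc -l | tr -d ' ')
  [ "$count" -gt 0 ] || { echo "$bundle: no certificates found" >&2; return 1; }
  subjects=""; i=1
  while [ "$i" -le "$count" ]; do
    subjects="$subjects $(openssl x509 -in "$parts/$i.pem" -noout -subject_hash)"
    i=$((i + 1))
  done
  roots=0; i=1
  while [ "$i" -le "$count" ]; do
    cert="$parts/$i.pem"
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
      echo "$bundle: certificate $i is not a CA certificate" >&2; return 1
    fi
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
    subject=$(openssl x509 -in "$cert" -noout -subject_hash)
    if [ "$issuer" = "$subject" ]; then
      roots=$((roots + 1))
    else
      case " $subjects " in
        *" $issuer "*) ;;
        *) echo "$bundle: the issuer of certificate $i is missing from the bundle" >&2; return 1 ;;
      esac
    fi
    i=$((i + 1))
  done
  rm -rf "$parts"
  [ "$roots" -gt 0 ] || { echo "$bundle: no self-signed root CA in the bundle" >&2; return 1; }
}

# Verify a server certificate against the bundle the way a TLS client would.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

check_ca_chain custom_cacert.pem && echo "custom_cacert.pem: complete CA chain"
check_ca_chain broken_cacert.pem || echo "broken_cacert.pem: rejected, as expected"
verify_leaf custom_cacert.pem leaf.crt && echo "leaf.crt verifies against custom_cacert.pem"
```

Point check_ca_chain at your real custom_cacert.pem and verify_leaf at your signed server certificate; a bundle that passes the structural check but fails verify_leaf usually means the certificate was issued by a different CA than the one in the bundle.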


(Only BMC Helix Capacity Optimization) To install the Remote ETL Engine with a self-signed certificate

  1. Copy the on-premises installer certificate file (custom_cacert.pem or custom_cacert.pem.zip) where you have extracted the Remote ETL Engine installer in the BCO/Disk1 folder. This should be the same folder where the setup.sh file is available. 
    For details about how to get the custom_cacert.pem or custom_cacert.pem.zip file, see Deploying-and-configuring-the-ingress-controller-for-OpenShift-or-Kubernetes.
  2. Run the setup.sh file.

The setup script converts the certificate file and adds its certificates to the ones trusted by the Remote ETL Engine JRE.

For details about how to install the Remote ETL Engine, see Installing remote components to collect on-premises data.
