Enabling TLS server certificate validation among the internal product components


You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the Apache front-end web server (Apache Httpd) and the following product components:

  • Application Server
    • Web Server
    • Data Hub
    • Primary Scheduler
    • Service Container
  • ETL Engine Server (Local and Remote)
    • Scheduler

If these components are communicating in HTTPS mode, then TLS 1.2 is enabled by default. Complete the following steps to enable server certificate validation:

Important

  • If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.
  • If you have multiple instances of the front-end web server, repeat all steps for each instance.

I. Obtain a signed security certificate

Ensure that you obtain a CA-signed certificate from the security department of your organization or create a request to obtain it from the CA that your organization recommends. For information about creating a request for a signed certificate, see Creating-a-request-for-a-CA-signed-certificate.

The certificate (<CertificateName>.crt) will be available at the following location:

<Server Installation Directory>/3rd_party/apache2/pki/tls/certs/

II. Install the security certificate

The Application Server and ETL Engine Server use the cotruststore.ts truststore to communicate with other components. The truststore is bundled with the Server installation and is located in the <Server Installation Directory>/secure directory. The default <Server Installation Directory> is /opt/bmc/BCO.

Complete the following procedure on the Application Server and ETL Engine Server:

  1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

    export PATH=<Server Installation Directory>/jre/bin:$PATH
  2. Go to the <Server Installation Directory>/secure directory and import the procured certificate by running the following command:

    keytool -importcert -trustcacerts -file <path>/<CertificateName>.crt -keystore cotruststore.ts -alias <CertificateName>

    Parameter reference

    Replace all instances of <CertificateName> with the name of the CA-signed certificate file that you downloaded from the browser (the .crt file obtained in step I).

  3. When you are prompted, enter the password to access the keystore.
  4. When you are prompted to trust the certificate, enter Yes.

III. Configure the product components to use TLS

Complete the following steps on all the computers that have the Application Server components and ETL Engine Server installed:

  1. Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

    #Example
    perl switchTLSmode.pl -on -tspwd -flow internal

    #Syntax
    perl switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]

    Parameter reference

    -h or --help: Prints the help for the command.

    -on|-off: The on option enables TLS mode of communication; the off option disables it.

    -dbport: Provide the port number that is configured for database communication. (This option is required only when the database port has been changed.)

    -tspwd: Prompts for the truststore password. The default password is changeit; it is recommended that you change this password.

    -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation, depending on your value for the -on|-off parameter:

      internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

      auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Remedy Single Sign-On Server or LDAP server) and the Application Server.

      codb: Enables or disables TLS 1.2 with server certificate validation for communication between the internal database (Oracle/PostgreSQL) and the internal Capacity Optimization components.

      externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between the external database and the ETL Engine Server.

      all: Enables or disables TLS 1.2 with server certificate validation for all the supported channels.

  2. When you are prompted, enter the password to access the truststore.

The communication channels between the internal product components are now TLS 1.2 enabled with server certificate validation.
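A post-change check, added here as an example that is not part of the product: it connects to each component endpoint with the same client policy the procedure enables (TLS 1.2 minimum, certificate must chain to the trusted CA, hostname must match) and reports which endpoints fail. The CA_FILE path and the ENDPOINTS list are placeholders to replace with your own values.

```python
"""Post-change check: every component endpoint must negotiate TLS >= 1.2 and
present a certificate chaining to the trusted CA. Added example, not product code."""
import socket
import ssl

# Assumption: PEM CA certificate (or chain) that signed the server certs; placeholder path.
CA_FILE = "/path/to/ca-chain.crt"
# Constructed sample endpoints; take real hosts and ports from your installation.
ENDPOINTS = [("appserver.example.internal", 8443), ("etlengine.example.internal", 8443)]

def make_validating_context(cafile=None):
    """Client policy for 'TLS 1.2 with server certificate validation':
    cert must chain to a trusted CA, hostname must match, nothing below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

def check_endpoint(host, port, cafile=None, timeout=5.0):
    """Probe one endpoint; ok=False with a reason when validation fails."""
    result = {"host": host, "port": port, "ok": False, "protocol": None,
              "subject": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = make_validating_context(cafile)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject", ())
                result.update(ok=True, protocol=tls.version(),
                              subject=dict(rdn[0] for rdn in subject))
    except ssl.SSLCertVerificationError as exc:
        # Certificate presented but not trusted: wrong CA or hostname mismatch.
        result["error"] = "verification failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Handshake failure (plain HTTP, TLS < 1.2, ...) or connection problem.
        result["error"] = str(exc)
    return result

def run_checks(endpoints=ENDPOINTS, cafile=CA_FILE):
    """Probe every endpoint; returns (all_results, failing_results)."""
    results = [check_endpoint(host, port, cafile) for host, port in endpoints]
    return results, [r for r in results if not r["ok"]]

if __name__ == "__main__":
    for r in run_checks()[0]:
        verdict = "OK %s" % r["protocol"] if r["ok"] else "FAIL %s" % r["error"]
        print("%s:%d %s" % (r["host"], r["port"], verdict))
```

An endpoint that still answers in plain HTTP, or with a certificate the CA file does not cover, shows up in the failing list with the handshake or verification reason.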

Related topic

Disabling-TLS
