Enabling TLS server certificate validation between BMC Helix Continuous Optimization Agents and the Gateway Server

Download and install the BMC Helix Continuous Optimization Agents and Gateway Server version 23.4.00 that are supported with TrueSight Capacity Optimization version 20.02.02. For details, see Support for BMC Helix Continuous Optimization agents.

As an administrator, enable TLS version 1.3 between these components to be used with TrueSight Capacity Optimization. You can enable and configure TLS during or after installation of these components. 

Important

We recommend that you complete the following steps:

  • Enable and configure TLS during installation. For more information, see Installing the Gateway Server and Installing the Continuous Optimization Agent. Make sure that you use the TSCO_ConsoleSilentInstallOptions.txt file for the Gateway Server when using it with TrueSight Capacity Optimization.

  • Enable TLS in the Gateway Server first and then enable TLS in agents.

Related topics

Securing-communication-between-product-components

Troubleshooting-TLS-issues-in-the-Gateway-Server-and-Continuous-Optimization-Agents

Before you begin

Make sure you meet the following requirements:

  • You have administrator privileges to complete the installation of the Gateway Server and Agent.
  • The computer on which you are installing these components is not running AIX 7.1 Operating System.

To enable and configure TLS during installation

  1. Follow the steps described to install the remote components or upgrade these remote components by following the steps described in Upgrading the Gateway Server and Upgrading the Continuous Optimization Agent. Make sure that you use the TSCO_ConsoleSilentInstallOptions.txt file for the Gateway Server when using it with TrueSight Capacity Optimization.

  2. Start the Gateway Server and Agent.
    TLS communication between the two components is enabled based on the configuration settings set in the preceding steps.

  3. Verify the status by parsing the service daemon logfiles.
    For details about logfiles, see Working with Gateway Server and Agent logfiles..

To enable and configure TLS after installation

  1. Stop all the services of the Gateway Server and Agent.
    • (Linux/UNIX) Perform the following steps on computers where these components are installed:
      1. To list the Gateway Server processes, run this command: ps -ef | grep udrCollectMgr, and kill the listed processes.
      2. To stop the Gateway Server, the Agent and the Service daemon, run the following commands:
        1. $BEST1_HOME/bgs/scripts/stopGeneralManager
        2. $BEST1_HOME/bgs/scripts/bgsagent_stop
        3. (Linux) su root -c "systemctl stop bgssd"
          or
          (UNIX) $BEST1_HOME/bgs/bin/bgssd.exe -k
    • (Windows) Perform the following steps:
      1. Open Task Manager and stop the BGS_SDService process.
      2. Stop allied bgscollect and bgsagent processes.

  2. Assign appropriate values to the SECURITY_LEVEL parameter in the $BEST1_HOME/local/setup/Agent.cfg file.

    TLS configuration parameters

    The following table explains the parameter values that can be assigned to the PERFORM_SSLCONF_SECURITY_LEVEL parameter to configure the TLS security level in your product components. 

    Parameter Value

    Description

    SOCKCOMM_SSL_NONE

    Disables TLS in the component and the component communicates using non-TLS sockets. The default value is SECURITY_LEVEL.

    SOCKCOMM_TLSv1_3

    Enables TLS version 1.3.

    SOCKCOMM_SSL_SKIP_HOST_CHECK

    Skips checking of host name during TLS certificate validation.

    SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE

    Allows components to use TLS certificates that have expired or have no CRL.

    SOCKCOMM_SSL_NO_FALLBACK

    Prevents the Gateway Server from falling back to using non-TLS sockets when communicating with an Agent that is not TLS enabled.

    Sample TLS configuration file

    The following sample excerpt of Agent.cfg enables TLS version 1.3.

    Agent.cfg
    BEGIN_SSL_CONFIGURATION

    # Security level
    # The following parameters are used to set TLS security level

    # The parameters are combined using | to get the desired permission level (no spaces allowed)
    #
    # SOCKCOMM_SSL_NONE                                              - not using TLS security [non-TLS sockets] (default if no SECURITY_LEVEL set)
    # SOCKCOMM_TLSv1_3                                               - use TLS v1.3 (default)
    # SOCKCOMM_SSL_SKIP_HOST_CHECK                                   - client skips name check against host name
    # SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE                         - allow expired certificates and those w/o CRL
    # SOCKCOMM_SSL_NO_FALLBACK                                       - client does not fallback to plain sockets


    # use the following recommended settings for TLS support
    # SECURITY_LEVEL = SOCKCOMM_TLSv1_3|SOCKCOMM_SSL_SKIP_HOST_CHECK|SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE

    SECURITY_LEVEL = SOCKCOMM_TLSv1_3  

    END_SSL_CONFIGURATION
  3. Restart all services of the Gateway Server and Agent.
    • (Linux/UNIX) Run the following commands:
      1. (Linux) su root -c "systemctl start bgssd"
        or
        (UNIX) $BEST1_HOME/bgs/bin/bgssd.exe -s
      2. $BEST1_HOME/bgs/bin/bgsagent
      3. $BEST1_HOME/bgs/scripts/startGeneralManager
    • (Windows) To start the Agent, open Task Manager and start the BGS_SDService process.

  4. Verify the status by parsing the service daemon logfiles.
    For details about logfiles, see Working with Gateway Server and Agent logfiles..


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*