Enabling security for the Console Server and Search components
Use this topic to enable security for the actions performed via the product interface and CLI and for communication between the Console Server and Search components.
If you also want to disable the HTTP port, go to the computers hosting the Console Server and Search components and navigate to %BMC_ITDA_HOME%\tomcat\conf\. In the server.xml file, comment out the following tag, and then restart the Console Server and Search components. For more information, see Starting-or-stopping-product-services.
<Connector connectionTimeout="20000" port="9797" protocol="HTTP/1.1" redirectPort="9443"/>
Enabling security for the Console Server
By enabling security for the Console Server, you can secure the actions performed by using the product interface and by using the CLI.
To enable security for actions performed by using the product interface, you need to perform a set of steps as described in the following sections. These steps vary based on whether you want to use the default self-signed certificate available with TrueSight IT Data Analytics or whether you want to use a custom self-signed certificate for enabling security.
To enable security for actions performed by using the CLI, type -s in the command syntax. This applies even if you use a custom self-signed certificate. For more information about the individual CLI commands, see Managing-the-product-from-the-command-line-interface.
- To enable security for the Console Server with default certificate
- To enable security for the Console Server with custom self-signed certificate
To enable security for the Console Server with default certificate
- Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.
- Windows: %BMC_ITDA_HOME%\custom\conf\server
- Linux: $BMC_ITDA_HOME/custom/conf/server
- In the olaengineCustomConfig.properties file, add the following properties:
- consoleserver.protocol=https
- consoleserver.port=9443
In the searchserviceCustomConfig.properties file, add the following properties:
- consoleserver.protocol=https
- searchservice.port=9443
- protocol=https
- Restart the Console Server and Search components.
For more information, see Starting-or-stopping-product-services. Log on to the product in a supported browser by replacing "http" with "https" and port 9797 with port 9443.
For example, https://Host1:9443/console/.
To enable security for the Console Server with custom self-signed certificate
Before you begin enabling security for the Console Server with a custom self-signed certificate, ensure that you have generated a KeyStore in the JKS format. For more information, see Generating-a-KeyStore-and-TrustStore.
- Generate a custom self-signed certificate.
- Locate the server.xml file at one of the following locations:
- Windows: %BMC_ITDA_HOME%\tomcat\conf
- Linux: $BMC_ITDA_HOME/tomcat/conf
- In the server.xml file, add the following properties with appropriate values, depending on the KeyStore that you generated earlier (see the following example).
- keystoreFile="keystoreFilePath"
- keystorePass="keystorePassword"
- keyAlias="AliasofKeystore"
Example:
<Connector
SSLEnabled="true"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
clientAuth="false" keyAlias="truesightserver"
keystoreFile="conf/bmcitda2.jks" keystorePass="changeit"
maxThreads="150" port="9443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" sslProtocol="TLS"/>
- Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.
- Windows: %BMC_ITDA_HOME%\custom\conf\server
- Linux: $BMC_ITDA_HOME/custom/conf/server
- In the olaengineCustomConfig.properties file, add the following properties:
- consoleserver.protocol=https
- consoleserver.port=9443
In the searchserviceCustomConfig.properties file, add the following properties:
- consoleserver.protocol=https
- searchservice.port=9443
- protocol=https
Import the self-signed certificate into the Console Server's Java Runtime Environment (JRE) by using the following command:
keytool -import -trustcacerts -alias <HostName-or-IP> -keystore $BMC_ITDA_HOME/jre/lib/security/cacerts -file <Certificate-Path>
In this command, the following variables apply:
- <HostName-or-IP> refers to the host name or IP address of the computer on which the Console Server is located.
- <Certificate-Path> refers to the absolute path to the self-signed certificate of the Console Server.
- Restart the Console Server and Search components.
For more information, see Starting-or-stopping-product-services. Log on to the product in a supported browser.
Example for accessing the console: https://Host1:9443/console/.
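The following check is an added example, not part of the product documentation or the product's own tooling. It reads a server.xml like the one edited in this procedure and reports an HTTP connector that is still active, the keystore password changeit, and cipher suites in the ciphers list that use RC4 or 3DES or a static ECDH key exchange. The sample XML is constructed from the example on this page with a shortened cipher list; audit_server_xml and the finding labels are names chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's example; cipher list shortened.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<!-- <Connector connectionTimeout="20000" port="9797" protocol="HTTP/1.1" redirectPort="9443"/> -->
<Connector SSLEnabled="true"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
  clientAuth="false" keyAlias="truesightserver"
  keystoreFile="conf/bmcitda2.jks" keystorePass="changeit"
  maxThreads="150" port="9443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  scheme="https" secure="true" sslProtocol="TLS"/>
</Service></Server>"""

BROKEN = re.compile(r"_(RC4|3DES|DES|NULL)_")  # RC4, DES/3DES and NULL suites
STATIC_ECDH = re.compile(r"^TLS_ECDH_")        # static ECDH: no forward secrecy


def audit_server_xml(xml_text):
    """Return (port, issue, detail) findings for every active Connector."""
    findings = []
    # ElementTree skips XML comments, so a commented-out Connector is ignored,
    # the same way Tomcat ignores it when it loads the file.
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP connectors are outside the scope of this check
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "plain-http", "connector is not TLS-enabled"))
            continue
        # Tomcat falls back to "changeit" when keystorePass is omitted.
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append((port, "default-keystore-pass", "changeit"))
        for suite in (s.strip() for s in conn.get("ciphers", "").split(",")):
            if not suite:
                continue
            if BROKEN.search(suite):
                findings.append((port, "weak-cipher", suite))
            elif STATIC_ECDH.match(suite):
                findings.append((port, "no-forward-secrecy", suite))
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(*finding, sep="\t")
```

To audit an installed instance, pass the contents of the server.xml file from the tomcat/conf directory named in this procedure to audit_server_xml.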
Enabling security for the Search components
By enabling security for the Search components, you can secure the communication between the Console Server and Search components, as follows:
- Navigate to the following location on each of the Search components:
- Windows: %BMC_ITDA_HOME%\custom\conf\server
- Linux: $BMC_ITDA_HOME/custom/conf/server
- In the searchserviceCustomConfig.properties file, add the following properties:
- searchservice.port=9443
- protocol=https
- Restart the Search components.
For more information, see Starting-or-stopping-product-services.