Enabling security for third-party certificates


You can enable security for the following actions related to the Console Server:

  • Actions which you perform using the product interface.
  • Actions which you perform using the CLI. 

To enable security for actions that you perform using the product interface, replace "http" with "https" in the console URL. For example, https://Host1:9443/console/.

To enable security for actions that you perform using the CLI, include -s in the command syntax. This applies even if you use a custom self-signed certificate. For more information about the individual CLI commands, see Using the command line interface.

The IT Data Analytics product already contains a self-signed certificate. Therefore, you do not need to perform any configuration to enable security for the Console Server. However, if you do not want to use the self-signed certificate provided by the product, you need to generate a custom self-signed certificate and follow the instructions below.

Enabling security for the product interface with a custom self-signed certificate

Before you begin enabling security for the Console Server with a custom self-signed certificate, ensure that you have generated a KeyStore in the JKS format. For more information, see Generating a KeyStore and TrustStore.

To enable security for the Console Server with a custom self-signed certificate

  1. Generate a custom self-signed certificate.
  2. Locate the server.xml file at one of the following locations:
    • Windows: %BMC_ITDA_HOME%\tomcat\conf
    • Linux: $BMC_ITDA_HOME/tomcat/conf
  3. In the server.xml file, add the following properties with appropriate values, depending on the KeyStore that you generated earlier (see the following example).

    • keystoreFile="keystoreFilePath"
    • keystorePass="keystorePassword"
    Example:

    <Connector port="9443" protocol="HTTP/1.1"
               SSLEnabled="true" keystoreFile="keystore_file_path"
               keystorePass="changeit"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
  4. Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.
    • Windows: %BMC_ITDA_HOME%\custom\conf\server
    • Linux: $BMC_ITDA_HOME/custom/conf/server
  5. In the olaengineCustomConfig.properties file, add the following properties:
    • consoleserver.protocol=https
    • consoleserver.port=9443
  6. In the searchserviceCustomConfig.properties file, add the following properties:
    • consoleserver.protocol=https
    • searchservice.port=9443
  7. Import the self-signed certificate into the Console Server's Java Runtime Environment (JRE) by using the following command:

    keytool -import -trustcacerts -alias <HostName-or-IP> -keystore $BMC_ITDA_HOME/jre/lib/security/cacerts -file <Certificate-Path>
    In this command, the following variables apply:

    • <HostName-or-IP> refers to the host name or IP address of the computer on which the Console Server is located.
    • <Certificate-Path> refers to the absolute path to the self-signed certificate of the Console Server.
  8. Restart the Console Server. For more information, see Starting or stopping product services.
  9. Log on to the product in a supported browser.
    Example for accessing the console: https://Host1:9443/console/.
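
A consistency check for the files edited in steps 3 to 6, as an added example that is not part of the product documentation or the product's own tooling: it reads the server.xml Connector and both custom properties files and reports mismatched ports, a non-https protocol, missing keystore attributes, and placeholder or sample values left in place. The function names, the keystore path, and the sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Hypothetical helper names; placeholder strings are the ones shown in step 3.
PLACEHOLDERS = {"keystoreFilePath", "keystore_file_path", "keystorePassword"}

def parse_props(text):
    """Parse key=value lines of a .properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(server_xml, ola_props, search_props):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    tls = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return ['server.xml: no Connector with SSLEnabled="true"']
    conn = tls[0]
    port = conn.get("port")
    for attr, want in (("scheme", "https"), ("secure", "true")):
        if conn.get(attr) != want:
            findings.append(f"server.xml: {attr} should be {want!r}")
    for attr in ("keystoreFile", "keystorePass"):
        value = conn.get(attr)
        if not value or value in PLACEHOLDERS:
            findings.append(f"server.xml: {attr} is missing or still a placeholder")
    if conn.get("keystorePass") == "changeit":
        findings.append("server.xml: keystorePass is the sample value 'changeit'")
    checks = (("olaengineCustomConfig.properties", parse_props(ola_props), "consoleserver.port"),
              ("searchserviceCustomConfig.properties", parse_props(search_props), "searchservice.port"))
    for name, props, port_key in checks:
        if props.get("consoleserver.protocol") != "https":
            findings.append(f"{name}: consoleserver.protocol is not https")
        if props.get(port_key) != port:
            findings.append(f"{name}: {port_key} does not match Connector port {port}")
    return findings

# Constructed sample input, modelled on the example values in the steps above.
SAMPLE_XML = """<Server><Service name="Catalina">
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/opt/itda/certs/console.jks"
             keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""
SAMPLE_OLA = "consoleserver.protocol=https\nconsoleserver.port=9443\n"
SAMPLE_SEARCH = "consoleserver.protocol=http\nsearchservice.port=8443\n"
```

Calling audit(SAMPLE_XML, SAMPLE_OLA, SAMPLE_SEARCH) returns three findings: the sample keystore password, and the protocol and port mismatches in the search service file.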