Enabling security for the Collection Station

You can enable security for the Collection Station in the following way:

  • Enable security for the Payload Service (data flow from the Collection Agent to the Collection Station).
  • Enable security for the Configuration Channel (configuration data flow from the Collection Station to the Collection Agent).

Note

If you want to secure the Collection Station scaled out on separate remote nodes, then after installing the Collection Station on each of the remote nodes, ensure that you copy the KeyStore generated on the server with the first Collection Station instance in your environment.

This topic provides the following instructions for enabling security for the Collection Station.


Related topics

Configuring-a-secured-connection

Security-planning

TLS-considerations-for-IT-Data-Analytics

Security-considerations

Before you begin

  • Ensure that you have generated a KeyStore and a TrustStore (in the JKS format). For more information, see Generating a KeyStore and TrustStore.
  • Ensure that you have generated a self-signed certificate.

Enabling security for the Payload Service

Configure all the Collection Agents (including standalone Collection Agents) and Collection Stations in your environment, as described in the following tabs.

To configure the Collection Agent and the standalone Collection Agent

  1. Navigate to the following directory, as appropriate:
    • Collection Agent (configured by using PATROL for IT Data Analytics):
      • Windows: %PATROL_HOME%\bww\udc\conf 
      • Linux: $PATROL_HOME/bww/udc/conf 
    • Standalone Collection Agent:
      • Windows: %BMC_ITDA_AGENT_PATH%\agent\collection\custom\conf
      • Linux: $BMC_ITDA_AGENT_PATH/agent/collection/custom/conf
  2. Copy the server.jks file obtained while generating the TrustStore.
  3. Locate and open the flume.conf file in a text editor. 

  4. Set the directory path to the TrustStore (that you generated earlier) by adding the following lines:

    a1.sinks.k1.ssl = true

    a1.sinks.k1.truststore = <TrustStoreLocationPath>

    a1.sinks.k1.truststore-password = <TrustStorePassword>

    a1.sinks.k1.truststore-type = JKS

    where,

    <TrustStoreLocationPath> refers to the absolute path of the TrustStore location. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes). For example, %PATROL_HOME%\bww\udc\conf.

    <TrustStorePassword> refers to the password that you provided while generating the TrustStore.

  5. Save your changes.

  6. Import the self-signed certificate by running the following command:

    Note

    The self-signed certificate imported on the Collection Agent and the Collection Station (optional) must be the same.

    Command syntax

    keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>

     

    Example

    keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/agent/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit

    In the preceding command, the following definitions apply: 

    • <jreLocation> refers to the following JRE location on the Collection Agent or the standalone Collection Agent. See the following location paths:
      • Collection Agent: C:/Program Files/BMC Software/Patrol_Agent_96/Patrol3/jre/lib/security/cacerts
      • Standalone Collection Agent: C:/Program Files/BMC Software/TrueSight/ITDA/agent/jre/lib/security/cacerts
    • <certificateLocation> refers to the directory path where you copied the certificate generated earlier.
    • <aliasName> refers to the alias by which you want to store the certificate during the import.
    • <password> refers to the KeyStore password. 
      Default: changeit
  7. Restart the Collection Agent and the standalone Collection Agent. 
    For more information, see Starting-or-stopping-product-services.

To configure the Collection Station

  1. Navigate to the following directory, as appropriate:
    • Windows: %BMC_ITDA_HOME%\station\collection\custom\conf
    • Linux: $BMC_ITDA_HOME/station/collection/custom/conf/
  2. Locate the flume.conf file and open it in a text editor.

  3. Set the directory path to the KeyStore (that you generated earlier) by adding the following lines:

    a1.sources.r1.ssl=true
    a1.sources.r1.keystore=<KeyStoreLocationPath>
    a1.sources.r1.keystore-password=<KeyStorePassword>
    a1.sources.r1.keystore-type = JKS

    where, 

    KeyStoreLocationPath refers to the absolute path of the KeyStore location. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes). For example, C:/Program Files/BMC Software/TrueSight/ITDA.

    KeyStorePassword refers to the password that you provided while generating the KeyStore.

  4. Save your changes.

  5. (Optional) This step applies only if you are importing a self-signed certificate other than the one imported for securing the Configuration channel.
    Import a self-signed certificate by running the following command:

    Note

    The self-signed certificate imported on the Collection Agent and the Collection Station must be the same.

    Command syntax

    keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>

    Example

    keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit

     

    In the preceding command, the following definitions apply:

    • <jreLocation> refers to the following JRE location on the Collection Station. The value must be as follows:

      C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts

    • <certificateLocation> refers to the directory path where you copied the certificate generated earlier.
    • <aliasName> refers to the alias by which you want to store the certificate during the import.
    • <password> refers to the KeyStore password. 
      Default: changeit
  6. Restart the Collection Station. 
    For more information, see Starting-or-stopping-product-services.

Enabling security for the Configuration Channel

Configure the Collection Agents (including standalone Collection Agents) and Collection Stations in your environment, as described in the following tabs.

To configure the Collection Agent

  1. Navigate to the following directory, as appropriate:
    • Windows: %PATROL_HOME%\bww\udc\conf 
    • Linux: $PATROL_HOME/bww/udc/conf 
  1. Locate the agent.properties file and open it in a text editor.
  2. Add the property, stationprotocol=https.
  3. Save your changes.
  4. Restart the Collection Agent. 
    For more information, see Starting-or-stopping-product-services.

To configure the standalone Collection Agent

  1. Navigate to the following directory, as appropriate: 
    • Windows: %BMC_ITDA_AGENT_PATH%\agent\collection\custom\conf\
    • Linux: $BMC_ITDA_AGENT_PATH/agent/collection/custom/conf/
  1. Locate the agent.properties file and open it in a text editor.
  2. Add the following properties (if not already present) and change the value to 'HTTPS': 
    • stationprotocol=HTTPS

    • station.discovery.identifier=HTTPS;<stationHost>;<stationConfigurationPort>
      In the preceding property value, the following definitions apply:

      • <stationHost> refers to the Collection Station port to which the standalone Collection Agent must be connected. 
      • <stationConfigurationPort> refers to the Configuration channel port, corresponding to the Collection Station host.

      Example:station.discovery.identifier=HTTPS;clm-pun-01;8080

  3. Save your changes.
  4. Restart the standalone Collection Agent. 
    For more information, see Starting-or-stopping-product-services.

To configure the Collection Station

  1. Navigate to the following directory, as appropriate:
    • Windows: %BMC_ITDA_HOME%\station\collection\custom\conf\
    • Linux: $BMC_ITDA_HOME/station/collection/custom/conf/
  2. Locate the agent.properties file and open it in a text editor.
  3. Add the following properties:
    • stationprotocol=https
    • keystoreFilePath=<KeyStoreLocationPath>
    • keystoreFilePassword=<KeyStorePassword>
      In the preceding properties, the following values apply:
      • <KeyStoreLocationPath> refers to the directory path where the KeyStore is located. On Windows, this path must be specified in the UNIX-style syntax (with forward slashes) and with a forward slash at the beginning of the path.
      • <KeyStorePassword> refers to the KeyStore password that you provided while generating the KeyStore.
  4. Save your changes.

  5. Import the self-signed certificate (generated earlier) by running the following command:

    Command syntax

    keytool -importcert -keystore "<jreLocation>" -file "<certificateLocation>" -alias <aliasName> -storepass <password>

     

    Example

    keytool -importcert -keystore "C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts" -file "C:/Program Files/BMC Software/TrueSight/ITDA/agent/collection/custom/conf/server.cert" -alias bmcitda -storepass changeit

    In the preceding command, the following definitions apply:

    • <jreLocation> refers to the following JRE location on the Collection Station. The value must be as follows:

      C:/Program Files/BMC Software/TrueSight/ITDA/station/jre/lib/security/cacerts

    • <certificateLocation> refers to the directory path where you copied the certificate generated earlier.
    • <aliasName> refers to the alias by which you want to store the certificate during the import.
    • <password>refers to the KeyStore password. 
      Default: changeit
  6. Restart the Collection Station. 
    For more information, see Starting-or-stopping-product-services.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*