Managing TLS security certificates



In a BMC TrueSight Infrastructure Management environment, the following components communicate with each other securely using TLS:

  • TrueSight Presentation Server
  • TrueSight Infrastructure Management server
  • PATROL Agent
  • TrueSight Integration Service
  • TrueSight Operations Management Reporting
  • TrueSight Impact Integration Web Services

These components can act as a client or a server, depending on the context of the communication. For TLS communication, the security certificates must be authenticated between the client and the server. A component operating as a client requires a truststore to verify the server's credentials. A component operating as a server requires a keystore that provides the credentials for the client to verify. You must procure these certificate files from your organization's security administrator.

There are two types of certificate files that are used for authentication. 

  • A public certificate file, which is a Certificate Authority (CA) signed certificate in .crt format.
  • A private key file, which is in Public-Key Cryptography Standards (PKCS) format, that is, .p12 format.

Before you configure the BMC TrueSight Infrastructure Management components to enable TLS 1.2, you must perform the following steps to import the security certificates into the truststore or keystore files.

To procure the security certificates from the security system administrator

  1. Procure the Certificate Authority (CA) signed certificate in .crt format, and the private key in the .p12 format from your organization's security system administrator, and place it in the following locations:

    | Component | Location |
    | --- | --- |
    | TrueSight Infrastructure Management Server | <Infrastructure Management Server Installation Directory>\pw\pronto\conf |
    | Default Infrastructure Management server cell | <Infrastructure Management Server Installation Directory>\pw\server\etc |
    | Remote cell | <Remote cell Installation directory>\Agent\server\etc |
    | TrueSight Presentation Server | <Presentation Server Installation Directory>\truesightpserver\conf\secure |
    | TrueSight Integration Service | <Infrastructure Management Installation Directory>\pw\pronto\conf |
    | TrueSight remote Integration Service | <Integration Service Installation Directory>\Agent\pronto\conf |
    | BMC Impact Integration Web Services | <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc |
    | BMC TrueSight Operations Management Reporting | <BMC TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security |

  2. If you want to configure the Infrastructure Management server to Oracle database communication in TLS 1.2 mode, procure the Oracle wallet from the Oracle database administrator, and place it in the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory.
  3. Procure the Certificate Authority (CA) signed certificate in .crt format from the Atrium SSO system security administrator and place it in the following locations:

    | Component | Location |
    | --- | --- |
    | TrueSight Infrastructure Management Server | <Infrastructure Management Server Installation Directory>\pw\jre\lib\security |
    | TrueSight Presentation Server | <Presentation Server Installation Directory>\jre\lib\security |

  4. Procure the Certificate Authority (CA) signed certificate in .crt format from the BMC BladeLogic system security administrator and place it in the <Presentation Server Installation Directory>\jre\lib\security directory location.
  5. Procure the Certificate Authority (CA) signed certificate in .crt format from the BMC Remedy Application Request Change Management System security administrator and place it in the <Presentation Server Installation Directory>\jre\lib\security directory location.

To extract the certificates for the cell component

The cell expects the security certificates in the .crt and .key format for the authentication process. Perform the following steps to extract these certificates in the required format.

  1. Log on to the computer where the Infrastructure Management server is installed, and navigate to the <Infrastructure Management Server Installation Directory>\pw\server\etc directory.

    Note

    If you are using a remote cell, log on to the computer where the remote cell is installed, and navigate to the <Remote cell Installation directory>\Agent\server\etc directory.

  2. Extract the private key from the .p12 format by running the following command:

    openssl pkcs12 -nocerts -in server.p12 -out mcell.key -nodes

    Notes

    The following notes describe the key parameters used in the preceding command:

    • The OpenSSL utility is available by default with the Unix operating system.
    • server.p12 is the name of the private key file procured from your system administrator. If the file name is different, use the relevant file name in the preceding command.
    • mcell.key is the name of the private key extracted from the server.p12 file.
  3. Extract the public certificate from the .p12 file by running the following command:

    openssl pkcs12 -in server.p12 -out mcell.crt -nokeys

    Notes

    The following notes describe the key parameters used in the preceding command:

    • server.p12 is the name of the private key file procured from your system administrator. If the file name is different, use the relevant file name in the preceding command.
    • mcell.crt is the name of the public certificate extracted from the server.p12 file.
  4. Copy the mcell.crt file into the following directories:
    1. <Infrastructure Management Installation Directory>\pw\pronto\conf directory if you are using a local Integration Service, or into the <Integration Service Installation Directory>\Agent\pronto\conf directory if you are using a remote Integration Service.
    2. <PresentationServer Installation Directory>\truesightpserver\conf\secure directory to secure the Presentation Server to cell communication.
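The following is an added example, not part of the BMC procedure: a POSIX shell version of steps 2 and 3 that also checks that mcell.key and mcell.crt carry the same public key, and that the certificate is not about to expire, before mcell.crt is copied to the other components. The P12_PASS environment variable and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not BMC code. Assumes openssl is on PATH and that the
# .p12 password is supplied in the P12_PASS environment variable (an
# assumption of this example) so it never appears on the command line.

# extract_cell_pair P12 OUTDIR
# Runs the two extraction commands from the procedure. -nodes writes the
# private key unencrypted, so the files are created under umask 077.
extract_cell_pair() {
    (
        umask 077
        openssl pkcs12 -nocerts -in "$1" -out "$2/mcell.key" -nodes \
            -passin env:P12_PASS &&
        openssl pkcs12 -in "$1" -out "$2/mcell.crt" -nokeys \
            -passin env:P12_PASS
    )
}

# pub_hash key|cert FILE
# Prints the SHA-256 of the public key found in FILE; fails if no key or
# certificate can be read, so two unreadable files never compare as equal.
pub_hash() {
    case $1 in
        key)  ph_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) ph_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$ph_pem" ] || return 1
    printf '%s\n' "$ph_pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# pair_matches KEYFILE CERTFILE
# Succeeds only if the private key and the first certificate in CERTFILE
# share a public key, i.e. the cell can use the certificate it presents.
pair_matches() {
    pm_key=$(pub_hash key "$1") || return 1
    pm_crt=$(pub_hash cert "$2") || return 1
    [ "$pm_key" = "$pm_crt" ]
}

# valid_for_days CERTFILE DAYS
# Succeeds if the certificate is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage, from the cell's etc directory on Unix:
#   P12_PASS='...'; export P12_PASS
#   extract_cell_pair server.p12 . &&
#       pair_matches mcell.key mcell.crt &&
#       valid_for_days mcell.crt 30 && echo "mcell pair OK"
```

Run the checks before step 4, so that a mismatched or expiring mcell.crt is not distributed to the Integration Service and Presentation Server directories.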

To import the procured certificates into the keystore, and the truststore files

Proceed to the following certificate import tasks after you procure these security certificates from your system security administrator and place them in the appropriate locations. Perform the following steps to import the procured security certificates into the truststore, and the keystore files of the respective components:

To import the security certificates into the Presentation Server keystore, and the truststore files

Presentation Server uses the tspstruststore.ts truststore, and the loginvault.ks keystore for its communication. The truststore and the keystore files are bundled along with the Presentation Server installation, and are located in the <PresentationServer Installation Directory>\truesightpserver\conf\secure directory. Perform the following steps to import the security certificates into the respective truststore, and the keystore files:

  1. Log on to the computer where the Presentation Server is installed. The keytool utility that is used to import the certificates is present in the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Presentation Server Installation Directory>\truesightpserver\modules\jre\bin;%PATH%
     
    #Unix
    export PATH=<Presentation Server Installation Directory>/truesightpserver/modules/jre/bin:$PATH
  2. Navigate to the <PresentationServer Installation Directory>\truesightpserver\conf\secure directory, and import the procured certificates by running the following commands:

    keytool -import -alias caserver -file ca.crt -keystore tspstruststore.ts

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore loginvault.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password

    keytool -import -alias cell -file mcell.crt -keystore tspstruststore.ts

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use a self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.
    • server.p12 is the name of the server's private key file which is in PKCS12 format. If the name of the private key procured from your system administrator is different, use the relevant file name in the preceding command.
    • changeit is the default password for the loginvault.ks keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore loginvault.ks

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • get2net is the default password for the tspstruststore.ts keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore tspstruststore.ts

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • password is the password for the server.p12 private key.

To import the security certificates into the Infrastructure Management Server keystore, and the truststore files

Infrastructure Management Server uses the messagebroker.ts truststore, and the pnserver.ks keystore for its communication. The truststore and the keystore files are bundled along with the Infrastructure Management Server installation, and are located in the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory. Perform the following steps to import the security certificates into the respective truststore, and the keystore files:
  1. Log on to the computer where the Infrastructure Management Server is installed. The keytool utility that is used to import the certificates is present in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%

    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory, and import the procured certificates by running the following commands:
    keytool -import -alias caserver -file ca.crt -keystore messagebroker.ts
     
    keytool -import -alias caserver -file ca.crt -keystore pnserver.ks
     
    keytool -importkeystore -deststorepass get2net -destkeypass get2net -destkeystore pnserver.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password
    Parameter description
    The following notes describe the key parameters used in the preceding commands:
    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use a self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.
    • server.p12 is the name of the private key file which is in PKCS12 format. If the name of the private key procured from your system administrator is different, use the relevant file name in the preceding command.
    • get2net is the default password for the pnserver.ks keystore. If you want to change this password, run the following command:
      keytool -storepasswd -keystore pnserver.ks
      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.
    • password is the password for the server.p12 private key.
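An added check, not part of the BMC documentation, for the Presentation Server and Infrastructure Management Server import steps above: it reads saved keytool -list output and confirms that a store holds the entry types those commands should create (a trustedCertEntry for each -import, a PrivateKeyEntry for the -importkeystore of server.p12). The function names, the alias of the private key entry and the sample listings are constructed for this example.

```sh
#!/bin/sh
# Added example, not BMC code. Works on text saved from, for example:
#   keytool -list -keystore pnserver.ks > pnserver.list
# so it can be run without Java once the listing has been captured.

# store_has LISTING TYPE [ALIAS]
# Succeeds if LISTING contains an entry of TYPE (trustedCertEntry or
# PrivateKeyEntry), optionally restricted to ALIAS.
store_has() {
    awk -v want_type="$2" -v want_alias="${3:-}" '
        # Entry lines look like: caserver, Jan 5, 2017, trustedCertEntry,
        /(trustedCertEntry|PrivateKeyEntry),[ \t]*$/ {
            line = $0
            sub(/,[ \t]*$/, "", line)            # drop the trailing comma
            entry_alias = line
            sub(/,.*$/, "", entry_alias)         # text before the first comma
            entry_type = line
            sub(/^.*,[ \t]*/, "", entry_type)    # text after the last comma
            if (entry_type == want_type &&
                (want_alias == "" || entry_alias == want_alias)) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_entries LISTING SPEC...    SPEC is TYPE or TYPE:ALIAS
# Prints every SPEC the listing does not satisfy; non-zero if any is missing.
missing_entries() {
    me_listing=$1; shift
    me_rc=0
    for me_spec in "$@"; do
        me_type=${me_spec%%:*}
        me_alias=
        case $me_spec in *:*) me_alias=${me_spec#*:} ;; esac
        if ! store_has "$me_listing" "$me_type" "$me_alias"; then
            echo "$me_spec"
            me_rc=1
        fi
    done
    return $me_rc
}

# Constructed sample: pnserver.ks after the three commands in step 2.
# The alias "server" is whatever name server.p12 carried (constructed here).
sample_good_pnserver() { cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

caserver, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
server, Jan 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}

# Constructed sample of a common mistake: the server certificate was added
# with -import instead of -importkeystore, so the store has no private key
# and the server has no credentials to present.
sample_bad_pnserver() { cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

caserver, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
server, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}

# Usage:
#   missing_entries pnserver.list trustedCertEntry:caserver PrivateKeyEntry
#   missing_entries tsps.list trustedCertEntry:caserver trustedCertEntry:cell
```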
 

To import the security certificates into the Infrastructure Management Server truststore

The Infrastructure Management Server uses the messagebroker.ts truststore to communicate with the BMC Atrium Single Sign-On. This truststore is bundled along with the Infrastructure Management Server installation, and is located in the <Infrastructure Management Server Installation Directory>\pw\jre\lib\security directory. Perform the following steps to import the security certificates into this truststore:

  1. Log on to the computer where the Infrastructure Management Server is installed. The keytool utility that is used to import the certificates is present in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%

    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Server Installation Directory>\pw\jre\lib\security directory, and import the procured certificate by running the following commands:

    keytool -import -alias cassoserver -file casso.crt -keystore messagebroker.ts

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • casso.crt is the name of the CA signed certificate procured from the BMC Atrium Single Sign-On system security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • messagebroker.ts is the Infrastructure Management server truststore file name.

To import the security certificates into the Presentation Server truststore

The Presentation Server uses the tspstruststore.ts truststore to communicate with the BMC Atrium Single Sign-On. This truststore is bundled along with the Presentation Server installation, and is located in the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory. Perform the following steps to import the security certificates into this truststore:

  1. Log on to the computer where the Presentation Server is installed. The keytool utility that is used to import the certificates is present in the <Presentation Server Installation Directory>\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Presentation Server Installation Directory>\jre\bin;%PATH%
     
    #Unix
    export PATH=<Presentation Server Installation Directory>/jre/bin:$PATH
  2. Navigate to the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory, and import the procured certificate by running the following commands:

    keytool -import -alias cassoserver -file casso.crt -keystore tspstruststore.ts

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • casso.crt is the name of the CA signed certificate procured from the BMC Atrium Single Sign-On system security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • tspstruststore.ts is the Presentation Server truststore file name.
    • get2net is the default password for the tspstruststore.ts keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore tspstruststore.ts

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

To import the security certificates for the Infrastructure Management Server to Oracle database communication

Infrastructure Management Server uses the messagebroker.ts truststore to communicate with the Oracle database. This truststore is bundled along with the Infrastructure Management Server installation, and is located in the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory. Perform the following steps to import the security certificates into the respective truststore, and the keystore files:
  1. Log on to the computer where the Infrastructure Management Server is installed. The keytool utility that is used to import the certificates is present in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%

    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Import the procured certificates by running the following command:
    keytool -importcert -trustcacerts -file oracle.crt -keystore messagebroker.ts -alias oracleCert
    Note
    • oracle.crt is the name of the Oracle certificate. If the name of the Oracle Wallet certificate procured from your Oracle database administrator is different, use the relevant file name in the preceding command.
 

Integration Service communicates with the PATROL Agent and the Infrastructure Management Server. Integration Service needs to import certificates for the following types of communication:

To import the certificates for the Integration Service to PATROL Agent communication

Perform the following steps to import the security certificates to the Integration Service certificate store which is in Mozilla NSS DB store format:

  1. Navigate to the directory by running the following command:

    # Microsoft Windows operating system
    cd <IS installation directory>\Agent\patrol\common\security\config_v3.0

    # Unix operating system
    cd <IS installation directory>/Agent/patrol/common/security/config_v3.0
  2. Create a Mozilla certificate store on the Integration Service.

    #On Microsoft Windows
    mkdir <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB
    certutil -N -d sql:<IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB

    #On Unix
    mkdir <IS installation directory>/Agent/patrol/common/security/config_v3.0/ISAsServer_DB
    certutil -N -d sql:<IS installation directory>/Agent/patrol/common/security/config_v3.0/ISAsServer_DB

    Note

    ISAsServer_DB is the name of the server certificate store for the Integration Service

  3. Procure the private key from your security administrator, and place it in the <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB directory.
  4. If the private key is in Public-Key Cryptography Standards 12 (PKCS12) format, import this certificate using the following command:

    pk12util -i server.p12 -d sql:<IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB -W <password>

     

    Note

    ISAsServer_DB is the name of the server certificate store for the Integration Service

  5. Procure the CA signed certificate from your system administrator and place it in the <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB directory.
  6. Import the procured CA certificates to the Integration Service's server certificate store by running the following command:

    certutil -d sql:<IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • ca.crt is the CA certificate file name.
    • <IS installation directory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB is the path to build the Mozilla NSS server certificate store.
    • "Trusted IS CA" is the certificate alias name.
    • "CT" is the flag to mark the certificate as trusted.
    • You need to import the complete chain of CA certificates up to the root CA certificate using the same command.

To import the security certificates for the Integration Service to Infrastructure Management Server, and the cell communication

Integration Service uses the pnagent.ks keystore while communicating with the Infrastructure Management Server and the cell. This keystore file is bundled along with the Integration Service installation, and is located in the <Infrastructure Management Install Directory>\pw\pronto\conf directory. Perform the following steps to import the security certificates into the keystore file:

  1. Log on to the computer where the Integration Service is installed. The keytool utility that is used to import the certificates is present in the <Infrastructure Management Server Installation Directory>\pw\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%

    #Unix
    export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH
  2. Navigate to the <Infrastructure Management Install Directory>\pw\pronto\conf directory and import the procured certificate by running the following command:

    keytool -importkeystore -deststorepass get2net -destkeypass get2net -destkeystore pnagent.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password
     
    keytool -import -alias cell -file mcell.crt -keystore pnagent.ks

    Parameter description

    The following notes describe the key parameters used in the preceding commands:

    • server.p12 is the name of the private key file which is in PKCS12 format. If the name of private key procured from your system administrator is different, use the relevant file name in the preceding command.
    • mcell.crt is the name of the cell certificate. If the name of the cell certificate is different, use the relevant file name in the preceding command.
    • get2net is the default password for the pnagent.ks keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore pnagent.ks

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

    • password is the password for the server.p12 private key.

To import the security certificates into the PATROL Agent certificate store

PATROL Agent communicates with the Integration Service, PATROL console, and the remote cell.

The PATROL Agent acts as a client or a server based on the components with which it communicates, as explained in the following section:

  • PATROL Agent to Integration Service communication: PATROL Agent acts as a client.
  • PATROL Agent to PATROL console communication: PATROL Agent acts as a server.
  • PATROL Agent to remote cell communication: PATROL Agent acts as a client.

TLS mode of communication requires the client, and the server to have public key infrastructure (PKI) certificates deployed in their respective certificate stores. The authentication process varies depending on the PATROL Agent's role as a server or a client, as explained in the following sections:

  • certutil and pk12util used in the following procedure are the utilities available with the Mozilla NSS binaries to manage PKI certificates.
  • If you do not have these executables in your system environment, use them from the PATROL Agent installation directories as explained in the following section.
    • Windows: %BMC_ROOT%\common\security\bin_v3.0\Windows-x86-64\nss
    • Unix: $BMC_ROOT/common/security/bin_v3.0/Windows-x86-64/nss
  • If you have multiple PATROL Agents in your environment, perform the following steps to simplify the process of importing certificates:
    • Perform the certificate importing tasks on a single PATROL Agent, and then copy PatrolAsServer_DB/ PatrolAsClient_DB to the respective PATROL nodes or keep them on a shared location.

PATROL Agent configured as a client

PATROL Agent operates as a client when it is communicating with the Integration Service, and the remote cell. To enable the TLS handshake, deploy the Mozilla NSS certificates in the DB store format at the PATROL Agent. There are two security options as explained in the following section:

  • Integration Service is authenticated by the PATROL Agent: To enable the PATROL Agent to authenticate the server, import the Certificate Authority (CA) certificates of the Integration Service or remote cell to the PATROL Agent certificate store. This is in continuation to the Security Level 3 implementation of the previous versions of the PATROL Agent communication.
  • Integration Service is not authenticated by the PATROL Agent: In a trusted environment, if the PATROL Agent administrator can ensure the authenticity of the Integration Service host or the remote cell, the PATROL Agent can be configured to bypass server authentication. This is in continuation to the Security Level 2 implementation of the previous versions of the PATROL Agent communication.

The following sections explain the procedure to implement the preceding security mechanisms:

Integration Service is not authenticated by the PATROL Agent

In this scenario, the Integration Service certificates are not imported to the PATROL Agent certificate store. You can proceed to configure the PATROL Agent to enable TLS 1.2 mode.

Integration Service is authenticated by the PATROL Agent

Perform the following steps to import the security certificates to the PATROL Agent certificate store.

  1. Create a Mozilla certificate store on the central server for the PATROL Agent.
    Run the following command:

    #On Microsoft Windows
    mkdir <installationdirectory>\common\security\keys\PatrolAsClient_DB
    certutil -N -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB

    #On Unix
    mkdir <installationdirectory>/common/security/keys/PatrolAsClient_DB
    certutil -N -d sql:<installationdirectory>/common/security/keys/PatrolAsClient_DB
    • PatrolAsClient_DB is the name of the client certificate store for the PATROL Agent
  2. Procure CA certificates of the Integration Service from your security administrator, and place them in the <installationdirectory>\common\security\keys\PatrolAsClient_DB directory.

    • You can choose the PatrolAsClient_DB path, and create directories as per the defined path.
    • You can generate self-signed certificates by using one of the tools such as: Oracle keytool, OpenSSL, Mozilla NSS. For more information, see Creating self-signed certificates.
  3. Import the CA certificate to the PATROL Agent client certificate store.
    Run the following command:

    certutil -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt
    • ca.crt is the CA certificate file name.
    • <installationdirectory>\common\security\keys\PatrolAsClient_DB is the path to build the Mozilla NSS client certificate store.
    • "Trusted IS CA" is the certificate alias name.
    • "CT" is the flag to mark the certificate as trusted.
    • You need to import the complete chain of CA certificates up to the root CA certificate using the same command.
  4. If the CA certificates are in public-key cryptography standards 12 (PKCS12) format, import the certificate using the following command.

    pk12util -i client.p12 -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB -W <password>
    • client.p12 is the name of the client certificate in the PKCS12 format.
    • password is the password string for the client.p12 file.
  5. Perform the configuration changes needed to enable TLS 1.2 mode.

PATROL Agent configured as a server

Perform the following steps, when PATROL Agent is communicating with the PATROL console.

  1. Create a Mozilla certificate store on the central server for the PATROL Agent.
    Run the following command:

    #On Microsoft Windows
    mkdir <installationdirectory>\common\security\keys\PatrolAsServer_DB
    certutil -N -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB

    #On Unix
    mkdir ./<installationdirectory>/common/security/keys/PatrolAsServer_DB
    certutil -N -d sql:./<installationdirectory>/common/security/keys/PatrolAsServer_DB
    • PatrolAsServer_DB is the name of the server certificate store for the PATROL Agent
  2. Procure the CA certificates from your organisation's security administrator, and place them in the <installationdirectory>\common\security\keys\PatrolAsServer_DB directory.

    • You can choose the PatrolAsServer_DB path, and create directories as per the defined path.
    • You can generate self-signed certificates by using one of the tools such as: Oracle keytool, OpenSSL, Mozilla NSS. For more information, see Creating self-signed certificates.
  3. Import the procured CA certificates to the PATROL Agent server certificate store.
    Run the following command:

    certutil -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt
    • ca.crt is the CA certificate file name.
    • <installationdirectory>\common\security\keys\PatrolAsServer_DB is the path to build the Mozilla NSS server certificate store.
    • "Trusted IS CA" is the certificate alias name.
    • "CT" is the flag to mark the certificate as trusted.
    • You need to import the complete chain of CA certificates up to the root CA certificate using the same command.
  4. If the CA certificates are in public-key cryptography standards 12 (PKCS12) format, import the certificate using the following command.

    pk12util -i server.p12 -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB -W <password>

    PatrolAsServer_DB is the name of the server certificate store for the PATROL Agent

  5. Perform the configuration changes needed to enable TLS 1.2 mode.
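An added check, not part of the BMC documentation, for the three NSS stores built above (ISAsServer_DB, PatrolAsClient_DB and PatrolAsServer_DB): it reads saved certutil -L output and confirms that a CA nickname carries both C and T in the SSL trust field, which is what -t "CT,," sets, and that a pk12util import left a private key in the store. The function names, the nicknames other than "Trusted IS CA" and the sample listing are constructed for this example.

```sh
#!/bin/sh
# Added example, not BMC code. Works on text saved from, for example:
#   certutil -L -d sql:<installationdirectory>/common/security/keys/PatrolAsServer_DB > store.list
#
# The trust column has three comma-separated fields: SSL, S/MIME, JAR/XPI.
# In the SSL field, C marks a CA trusted to issue server certificates and
# T a CA trusted to issue client certificates. certutil prints u when the
# store also holds the private key for that certificate.

# nss_trust LISTING NICKNAME
# Prints the trust attributes for NICKNAME (for example CT,,); fails if the
# nickname is not in the listing. Nicknames may contain spaces.
nss_trust() {
    awk -v nick="$2" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            if (name == nick) { print $NF; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# is_trusted_ssl_ca LISTING NICKNAME
# Succeeds when the SSL field of NICKNAME contains both C and T.
is_trusted_ssl_ca() {
    ca_flags=$(nss_trust "$1" "$2") || return 1
    ca_ssl=${ca_flags%%,*}
    case $ca_ssl in *C*) ;; *) return 1 ;; esac
    case $ca_ssl in *T*) ;; *) return 1 ;; esac
    return 0
}

# has_private_key LISTING NICKNAME
# Succeeds when certutil reports u for NICKNAME, i.e. the PKCS12 import
# stored the private key alongside the certificate.
has_private_key() {
    pk_flags=$(nss_trust "$1" "$2") || return 1
    case $pk_flags in *u*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: a server store after the pk12util and certutil -A
# steps, plus one chain certificate that was added without trust flags.
sample_nss_listing() { cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Trusted IS CA                                                CT,,
Constructed Intermediate CA                                  ,,
constructed-server                                           u,u,u
EOF
}

# Usage:
#   is_trusted_ssl_ca store.list "Trusted IS CA" || echo "CA not trusted for TLS"
#   has_private_key store.list "<nickname from server.p12>" || echo "no private key"
```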

To import the security certificates into the Impact Integration Web Services

Impact Integration Web Services (IIWS) uses the iiws.ks keystore for its communication. This keystore file is bundled along with the IIWS installation, and is located in the <Impact Web Services Install Directory>\Tomcat\webapps\imws\WEB-INF\etc directory. Perform the following steps to import the security certificates into this keystore file:

  1. Log on to the computer where the IIWS is installed. The keytool utility that is used to import the certificates is present in the <Impact Web Services install directory>\BMCIIWSJVM\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Impact Web Services install directory>\BMCIIWSJVM\bin;%PATH%

    #Unix
    export PATH=<Impact Web Services install directory>/BMCIIWSJVM/bin:$PATH


  2. Navigate to the <Impact Web Services Install Directory>\Tomcat\webapps\imws\WEB-INF\etc directory, and import the procured certificate by running the following command:

    keytool -import -alias caserver -file ca.crt -keystore iiws.ks

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • ca.crt is the name of the CA signed certificate. If the name of the CA signed certificate procured from your system administrator is different, use the relevant file name in the preceding command.
    • If you want to use self-signed certificate instead of the CA signed certificate, see Creating self-signed certificates.


Importing security certificates to communicate with other BMC products

  • BMC TrueSight Presentation Server communicates with the following products over HTTPS, and acts as a client in this context of communication.
    • BMC BladeLogic
    • BMC Atrium Single Sign-On
    • BMC Remedy Application Request Change Management System
  • BMC TrueSight Presentation Server communicates with the following BMC products over HTTPS, and acts as a server in this context of communication.
    • BMC TrueSight IT Data Analytics
    • BMC TrueSight Capacity Optimization
    • BMC TrueSight App Visibility Manager

To import the security certificates into the Presentation Server truststore

The Presentation Server uses the tspstruststore.ts truststore to communicate with the BMC BladeLogic, and BMC Remedy Application Request Change Management System. This truststore is bundled along with the Presentation Server installation, and is located in the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory. Perform the following steps to import the security certificates into this truststore:

  1. Log on to the computer where the Presentation Server is installed. The keytool utility that is used to import the certificates is present in the <Presentation Server Installation Directory>\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

    #Microsoft Windows
    set PATH=<Presentation Server Installation Directory>\jre\bin;%PATH%
     
    #Unix
    export PATH=<Presentation Server Installation Directory>/jre/bin:$PATH
  2. Navigate to the <Presentation Server Installation Directory>\TruesightPServer\jre\lib\security directory, and import the procured certificate by running the following commands:

    keytool -import -alias cabladeserver -file cablade.crt -keystore tspstruststore.ts
     
    keytool -import -alias caarcms -file caarcms.crt -keystore tspstruststore.ts

    Parameter description

    The following notes describe the key parameters used in the preceding command:

    • cablade.crt is the name of the CA signed certificate procured from the BMC BladeLogic system security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • caarcms.crt is the name of the CA signed certificate procured from the BMC Remedy Application Request Change Management System security administrator. If the name of the procured certificate is different, use the relevant file name in the preceding command.
    • tspstruststore.ts is the Presentation Server truststore file name.
    • get2net is the default password for the tspstruststore.ts keystore. If you want to change this password, run the following command:

      keytool -storepasswd -keystore tspstruststore.ts

      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.

 

 
