Modifying the security configuration
You can modify the security configuration so that BMC Impact Integration Web Services is accessible only through HTTPS, and you can modify the keystore file.
Setting the HTTPS-only connector element
By default, Tomcat enables both HTTP and HTTPS connections. However, you can configure security settings so that BMC II Web Services is accessible only through HTTPS. This removes the plain-text listener entirely: clients that still use an http:// URL can no longer connect, so switch them to the HTTPS endpoint first.
- Open the server.xml file under $IIWS_HOME/Tomcat/conf in a text editor.
- In the server.xml file, locate the plain HTTP connector element. It is the connector that does not have SSLEnabled="true" (port 9080 in the example below); do not confuse it with the SSL connector that follows the comment Define a SSL HTTP/1.1 Connector. The plain HTTP connector element looks similar to the following example:
<Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443" />
- Comment out the connector element by enclosing it in comment signs, as in the following example:
<!--
<Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443" />
-->
- Save and close the file.
- Restart the BMC Impact Integration Web Services Tomcat server.
BMC Impact Integration Web Services is now accessible only through HTTPS. To confirm the change, check that nothing listens on the HTTP port any more (for example, with netstat) and that the HTTPS endpoint still answers.
Changing the keystore file
BMC Impact Integration Web Services uses the default keystore file. Because the default keystore and its password (bmciiws) ship with every installation, treat them as public and replace them with your own keystore before exposing the service outside a test environment. To replace the default keystore file with a keystore file of your own:
- Open the server.xml file under $IIWS_HOME/Tomcat/conf in a text editor.
- In the server.xml file, locate the SSL connector element by searching for the following string:
Define a SSL HTTP/1.1 Connector
The connector element looks similar to the following example:
<Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" maxThreads="200" acceptCount="100" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" keystoreFile="C:\Program Files (x86)\BMC Software\Impact Web Services\Tomcat\webapps\imws\WEB-INF\security\iiwsssl.jks" keystorePass="bmciiws"/>
- Replace the iiwsssl.jks file with the keystore file that you want to use instead (or set keystoreFile to the path of your keystore), and set keystorePass to the password of that keystore. The password is stored in clear text in server.xml, so restrict read access to the file to the account that runs Tomcat.
- Save and close the file.
- Restart the BMC Impact Integration Web Services Tomcat server.
Configuring a web service client to support SSL/HTTPS
To support SSL/HTTPS communication for your web service client, you must consider the following details:
- Web service framework on which you built the client code
- Security certificate that the server and client use
The BMC Impact Integration Web Services server provides a default keystore and a security certificate, both of which you can use with the HTTPS server.
The following process demonstrates how to configure the client side to connect to BMC Impact Integration Web Services through HTTPS by using the BMC Impact Integration Web Services default keystore files.
- Import the keystore certificate from the BMC Impact Integration Web Services server. To import the keystore certificate, you can perform one of the following actions:
- Use the web service tool to import the Java Keystore files from the BMC Impact Integration Web Services server web services URL.
- Copy the following directory and all its files from the server to the client system:
$IIWS_HOME\Tomcat\webapps\imws\WEB-INF\security
The client needs only the truststore (iiwscacerts.jks). The iiwsssl.jks file in the same directory is the server's SSL keystore and holds its private key; do not distribute it to client systems.
- Pass the trustStore and trustStorePassword values to the web service client on its startup. These are Java system properties (javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword), not environment variables. trustStore is the location of the Java Key Store file that contains the server certificate, and trustStorePassword is the password of that truststore (the default password of the keystore files shipped with the server is bmciiws). In the Axis Java framework, you can set these two properties in the client startup script, as in the following example:
java -Djavax.net.ssl.trustStore=C:\IIWS_client\security\iiwscacerts.jks -Djavax.net.ssl.trustStorePassword=bmciiws
Properties passed on the command line are visible to other users in the process list. For a truststore, which holds only certificates, this exposes little, but never pass the password of a keystore that holds a private key this way.
- Point the client at the correct BMC Impact Integration Web Services server endpoint according to the HTTP server configuration. For example, for the HTTPS server, the client must communicate with the server through the following endpoint:
https://hostname:port/imws/services/ImpactManager
Disabling weak Apache Tomcat ciphers
Apache Tomcat enables several weak cipher suites by default. If a security scan (for example, a McAfee Foundstone scan) reports a weak encryption vulnerability, restrict the cipher suites as follows:
- Open the server.xml file, add the ciphers attribute to the SSL connector, and modify the sslProtocol attribute as in the following example:
<Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" maxThreads="200" acceptCount="100" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" keystoreFile="/opt/bmc/bppm/ImpactWebServices/Tomcat/webapps/imws/WEB-INF/security/iiwsssl.jks" keystorePass="bmciiws"/>
- Save and close the file.
- Restart BMC Impact Integration Web Services.
The ciphers attribute is an allow list: any suite you omit is disabled. Note that the example list above still includes RC4 (SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA) and 3DES suites, which current scanners also report as weak, and that sslProtocol by itself does not choose which protocol versions are enabled. On a Tomcat that supports the sslEnabledProtocols attribute, set sslProtocol="TLS" and sslEnabledProtocols="TLSv1.2", and restrict ciphers to AES-GCM suites with forward secrecy (for example, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Rerun the scan after the restart to confirm that the finding is gone.
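The following script is an added example, not BMC or Tomcat code, that audits a server.xml for the HTTPS-only change (an active plain HTTP connector), the weak-cipher change, and the default keystore password, and then applies the connector edits to show a hardened configuration. The sample server.xml is constructed from the connector elements shown on this page; the weak-suite markers, the hardened cipher list, and the use of the sslEnabledProtocols attribute are my choices, not settings the page prescribes.

```python
"""Audit a Tomcat server.xml for the HTTPS-only and weak-cipher settings
described on this page (added example; not BMC or Tomcat code)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector elements shown on this page:
# the plain HTTP connector is still active and the SSL connector carries the
# cipher list from the "Disabling weak Apache Tomcat ciphers" step.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 9080 -->
    <Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443" />
    <!-- Define a SSL HTTP/1.1 Connector on port 9443 -->
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               sslProtocol="SSL"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="/opt/bmc/bppm/ImpactWebServices/Tomcat/webapps/imws/WEB-INF/security/iiwsssl.jks"
               keystorePass="bmciiws" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Substrings that mark a JSSE cipher suite name as weak (heuristic chosen here).
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_", "_MD5")
DEFAULT_KEYSTORE_PASS = "bmciiws"  # documented default on this page
# Replacement list: AES-GCM suites with forward secrecy (JSSE names, Java 8+).
HARDENED_CIPHERS = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
])


def is_ssl(attrs):
    """True for a connector with SSLEnabled="true" (works on dicts and Elements)."""
    return attrs.get("SSLEnabled", "false").lower() == "true"


def split_ciphers(value):
    return [c.strip() for c in value.split(",") if c.strip()]


def weak_ciphers(attrs):
    return [c for c in split_ciphers(attrs.get("ciphers", ""))
            if any(m in c for m in WEAK_MARKERS)]


def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    # ElementTree drops comments, so a commented-out connector is not seen:
    # exactly the effect the HTTPS-only step relies on.
    connectors = [c.attrib for c in ET.fromstring(xml_text).iter("Connector")]
    findings = []
    for attrs in connectors:
        port = attrs.get("port", "?")
        if not is_ssl(attrs):
            findings.append(f"port {port}: plain HTTP connector is still active; comment it out for HTTPS-only")
            continue
        if attrs.get("keystorePass") == DEFAULT_KEYSTORE_PASS:
            findings.append(f"port {port}: SSL connector uses the documented default keystore password")
        if "ciphers" not in attrs:
            findings.append(f"port {port}: no ciphers attribute, so the JVM default suites apply")
        for cipher in weak_ciphers(attrs):
            findings.append(f"port {port}: weak cipher suite {cipher}")
        if "sslEnabledProtocols" not in attrs:
            findings.append(f"port {port}: sslEnabledProtocols not set; enabled protocol versions fall back to the JVM defaults")
    if not any(is_ssl(a) for a in connectors):
        findings.append("no SSL connector defined")
    return findings


def harden(xml_text):
    """Apply the two connector edits from this page and return the new XML.
    Comments are lost in the round trip; replacing the keystore stays manual."""
    root = ET.fromstring(xml_text)
    for service in root.iter("Service"):
        for conn in list(service.findall("Connector")):
            if not is_ssl(conn):
                service.remove(conn)  # same effect as commenting the element out
            else:
                conn.set("sslProtocol", "TLS")
                conn.set("sslEnabledProtocols", "TLSv1.2")  # assumes a Tomcat that supports this attribute
                conn.set("ciphers", HARDENED_CIPHERS)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit(SAMPLE_SERVER_XML):
        print("BEFORE:", line)
    for line in audit(harden(SAMPLE_SERVER_XML)):
        print("AFTER: ", line)
```

Run against a live installation with audit(open(path_to_server_xml).read()). On the constructed sample the audit reports the active port 9080 connector, the default keystore password, the five RC4 and 3DES suites, and the missing sslEnabledProtocols; after harden() the only remaining finding is the default keystore password, which the script deliberately leaves for the manual keystore replacement described above.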