Configuring TrueSight Operations Management Report Engine to enable TLS

Following installation of the TrueSight Operations Management Report Engine components, you can switch from the default inter-component security configuration to TLS 1.2 configuration.

Notes

  • Configuring the Report Engine to enable TLS is not a mandatory post-installation activity. As per your security requirements, you can enable TLS 1.2 once the TrueSight Operations Management Report Engine is installed and configured completely.
  • The SAP BusinessObjects database does not support a connection over SSL/TLS to the Report Engine database.

 To configure the TrueSight Operations Management Reporting Engine components to enable TLS 1.2

There are different communication channels established between the TrueSight Operations Management Reporting Engine components. Perform the TLS configurations per communication channel. Select the communication channel that you want to make TLS compliant and perform the tasks accordingly. The flowchart in the following diagram explains the complete TLS configuration workflow.

reporting_tls_flowchart.png

 

To enable TLS 1.2, complete the procedures by navigating the following tabs, or select the procedures from documentation links in the flowchart.

TrueSight Operations Management Reporting communicates with various components in a secure manner using TLS. These components might operate like a client or a server based on the context of communication. To achieve TLS mode of communication, the security certificates need to be authenticated between a client and a server. If a component is operating as a client, it requires a truststore to verify the server's credentials. If a component is operating as a server, it requires a keystore that provides credentials to the client to verify. You must procure these certificate files from your organization's security administrator or generate the CA-signed certificates.There are two types of certificate files that are used for authentication.

  • A public certificate file which is a Certificate Authority (CA) signed certificate in .crt format. 
  • A private key file which is in Public-Key Cryptography Standards (PKCS) that is .p12 format.
Before you start the communication between these components, you must complete the task of importing the security certificates into the truststore or keystore files of the respective components. The following diagram indicates the default keystores and truststores used.reporting_ts_ks.png

Step a: To apply TrueSight Infrastructure Management SQL Anywhere database certificate to Reporting Engine

The Report engine uses the following certificate files procured from the Infrastructure Management SQL Anywhere database administrator for its communication.
  • certificate file in .pem format
  • key file in .pem format
  • identity file in .pem format
Perform the following sequence of steps to procure these certificates from Infrastructure Management SQL Anywhere database administrator.
  1. Log on to the computer where the TrueSight Operations Management Report Engine is installed. 
  2. Procure the certificate, key, and identity file in .pem format from the Infrastructure Management SQL Anywhere database administrator and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
    Note
    • You can either procure the SQL Anywhere certificates from the database administrator, or create certificates and get it signed by CA. For step-by-step instructions about how to create a certificate and get it signed by a CA, see Implementing private certificates in the SQL Anywhere database.
    • You can choose to place the procured certificate in any other directory location other than \security directory.

Step b: To apply Infrastructure Management server and cell certificate to Reporting Engine

The Report engine uses the cacerts as the default keystore and truststore for its communication with the Infrastructure Management server cell component. This truststore and keystore file is present along with the TrueSight Operations Management Reporting installation, and is located in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.Perform the following sequence of steps to secure the communication between the Infrastructure Management server cell and the Report engine component.
  1. Log on to the computer where the TrueSight Operations Management Reporting is installed. 
  2. Procure the Infrastructure Management server cell signed certificate, and place it in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory.
    For step-by-step instructions about how to create a CA-signed certificate for TrueSight Infrastructure Management and cell, see Implementing private certificates in the TrueSight Infrastructure Management.
  3. The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
    # Microsoft Windows operating system
    CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
    #Unix operating system
    $cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
  4. Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured certificate from the Infrastructure Management server cell to the default truststore file by running the following command: 
    keytool -import -alias cell -file mcell.crt -keystore cacerts
    Parameter description The following notes describe the key parameters used in the preceding commands:
    • mcell.crt is the name of the public certificate procured from the Infrastructure Management server system administrator. If the name of the procured public certificate is different, use the relevant file name in the preceding command.
    • changeit is the default password for the cacerts keystore. If you want to change this default password, run the following command:
      keytool -storepasswd -keystore cacerts
      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.
     

Step c: To apply Oracle/SQL database certificates to Reporting Engine

The Reporting engine uses the cacerts as the default truststore file for its communication with the Reporting database (Oracle/SQL) or the external Oracle database communication. This truststore is present along with the TrueSight Operations Management Reporting installation, and is located in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory. Perform the following sequence of steps to secure the communication between the Reporting database (Oracle) and the Report engine component.
  1. Log on to the computer where the TrueSight Operations Management Reporting is installed. 
  2. Perform the following steps depending on the type of the Reporting database used:
    1. Oracle database: Procure the oracle certificate from the oracle database administrator, and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
    2. SQL database: Procure the SQL certificate from the SQL database administrator, and place it in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security directory.
  1. The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
    #Microsoft windows operating system
    CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
    #Unix operating system$cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
  2. Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured Oracle certificate/SQL certificate into the default truststore file by running the following commands: 
    #Oracle databasekeytool -importcert -trustcacerts -file oracle.crt -keystore cacerts -alias oracleCert   #SQL database
    keytool -importcert -trustcacerts -file sqlcert.crt -keystore cacerts -alias sqlCert
    Note
    • oracle.crt is the name of the Oracle certificate. If the name of the Oracle certificate procured from your oracle database administrator is different, use the relevant file name in the preceding command. 
    • sqlcert.crt is the name of the SQL database certificate. If the name of the SQL certificate procured from your SQL database administrator is different, use the relevant file name in the preceding command.

Step d: To import the private key into the Report Engine keystore

TrueSight Operations Management Report Engine communicates with the Infrastructure Management server cell. In this context of communication the Report Engine operates as a server. To establish this communication the Report Engine has to have a keystore with a private key imported into it.
  1. Log on to the computer where the TrueSight Operations Management Report Engine is installed. 
  2. Procure a private key in the PKCS12 format from the TrueSight Operations Management Report Engine security administrator, and place it in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory. 
  3. The keytool utility that is used to import the certificates is present in the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:
    # Microsoft Windows operating system
    CurrentDirectory>cd <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\bin
    # Unix operating system
    $cd <TrueSight Operations Management Reporting Install Directory>/ReportEngine/tools/jre/bin
  4. Navigate to the <TrueSight Operations Management Reporting Install Directory>\ReportEngine\tools\jre\lib\security directory, and import the procured private key from the Report Engine system administrator to the default keystore file by running the following command: 
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password
    Parameter description
    • server.p12 is the name of the private key file (PKCS12 format) procured from the Report Engine system administrator. If the name of the procured private key is different, use the relevant file name in the preceding command.
    • changeit is the default password for the cacerts keystore. If you want to change this default password, run the following command:
      keytool -storepasswd -keystore cacerts
      Provide the complete path for the keystore file in the preceding command, if you are running this command outside of the keystore directory location.
    • password is the password for the server.p12 private key.

Step e: To create the signed certificates for SAP Business Objects Web client and secure it

SAP Business Object Central Management Server communicates with the BI Launchpad web client. The SAP BO TOMCAT server uses BIKeystore keystore for its communication with the BI Launchpad web client. The SAP Business Objects 4.1 is installed using the java supported by SAP (sapjvm) SAPJVM. The keytool utility that is used to create certificate files is located in the <SAP Business objects Install directory>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin directory. Perform the following set of steps to generate a CA signed certificate and place it in the BIKeystore keystore file:
NoteTo support TLS 1.2 the java component must be raised to Java 7 or later. The java provided by SAP (sapjvm) shouldn't be updated to Java version 7, but this installation must be done in a different folder.

  1. To create a keystore, navigate to the <SAP Business objects Install directory>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin directory and run the following command: The command prompts you to enter the details such as name, organization details as shown in the following code block. Enter the details appropriately.
    keytool -genkey -keyalg RSA -keysize 4096 -sigalg sha256withRSA -alias sapservkeystore C:\SSL\BIKeystore.keystore
     ...
     ...
    What is the name of your organizational unit?
     [Unknown]:  <organizational unit>
    What is the name of your organization?
     [Unknown]:  <company>
    What is the name of your City or Locality?
     [Unknown]:  <city>
    What is the name of your State or Province?
     [Unknown]:  <state>
    What is the two-letter country code for this unit?
     [Unknown]:  <country code>
    Is CN=<FQDN of SAP server<organizational unit>, O=<company>, L=<city>, ST=<state>, C=<country code> correct?
     [no]:  yes
    Parameter descriptionThe  various parameters and values used in the genkey command in the preceding example are described here:
    Parameter
    Description
    Value
    alias
    Specifies the alias name.
    sapserv
    keyalg
    Specifies the algorithm to be used to generate the key pair.
    RSA
    keysize
    Specifies the size of each key to be generated.
    4096
    sigalg
    Specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with keyalg.
    SHA1withRSA
    keystore
    Specifies the keystore location and name
    C:\SSL\BIKeystore.keystore
    BIKestore.keystore
    In the preceding example the keystore file name is specified as BIKestore.keystore. If you want to specify a different keystore file name, then ensure that you use the keystore name accordingly in the following commands.
    The preceding command generates BIKeystore.keystore file in the C:\SSL directory.
  2. To create a Certificate Signing Request (CSR), navigate to the keytool location where the JAVA 7 or later is installed and run the following command:
    keytool -certreq -keyalg RSA -keysize 4096 -alias sapserv -file C:\SSL\SAPBO.csr -keystore C:\SSL\BIKeystore.keystore -ext SAN=dns:Change by the hostname,dns: Change by the FQDN,dns: Change by the alias 1,dns: Change by the alias 2 and etc...
    Send the SAPBO.csr to the Certifying Authority (CA) to generate a CA signed certificate.
    You can create a self-signed certificate instead of CA signed certificate.
  3. Import the CA signed certificate into the BIKeystore.keystore file by running the following command:
    #Syntax
    keytool -importcert -keystore <path of the keystore file> -alias <alias name>  -file <CA signed certificate name>
     
    #Example
    keytool -importcert -keystore C:\SSL\BIKeystore.keystore -alias sapcert  -file SAPBO.cer
 

Perform the following steps to enable the Infrastructure Management server main cell to Reporting engine communication to be TLS compliant:

Note

If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in Non-TLS mode.

 

Infrastructure Management server cells in TLS mode

Infrastructure Management server cells in Non-TLS mode

Remote cellsin TLS mode

Remote cells in Non-TLS mode

Reporting Engine in TLS mode

✅️

❌️

✅️

❌️

 

To configure the Infrastructure Management server cell component

  1. Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.

  2. Check for the instance of the code line having encryption key value as shown in the following code block:

    gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>

    #Example

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783

  3. Modify the existing value of encryption key to *TLS as shown in the following example:

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
  4. Save and close the file.

  5. Reload the mcell.dir file by entering the following command from a command line:

    #Syntax

    mcontrol -n cellName reload dir

    #Example

    mcontrol -n pncell_vm-w23-rds1016 reload dir

    Note

    pncell_vm-w23-rds1016 is the name of the cell.


To configure the Report Engine component

  1. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

    # Unix operating system

    $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

  2. Initiate the configuration settings by running the following command:

    #Syntax

    tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]

    #Example

    tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin

    When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

    Parameter description

     The following notes describe the key parameters used in the preceding command:

    • cacerts: Name of the keystore and truststore file of the Report Engine.
    • <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
    • <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.

  3. Enable the TLS configuration by running the following command:

    tls_config enable -component cell

Perform the following steps to enable the Infrastructure Management server SQL Anywhere database to Report Engine communication to be TLS compliant:

Step 1: To configure the SQL Anywhere database on Windows operating system /To configure the SQL Anywhere database on Unix operating system

Step 2: To configure the Report Engine component 

Before you begin

Ensure that the SQL Anywhere security certificates are procured and placed in the relevant directory paths. For more information, see Importing-security-certificates-for-the-TrueSight-Operations-Management-Report-Engine.

To configure the SQL Anywhere database on Windows operating system

Logon to the Infrastructure Management server computer where the SQL Anywhere database is installed, and perform the following steps:

  1. Stop the database by running the following command: 

    pw p r dbsrv
  2. Using a text editor, open the pndbsrv.conf file located in the <Infrastructure Management server Install Director>\TrueSight\pw\pronto\conf directory.

  3. Add the following lines into pndbsrv.conf file.

    #Syntax

    COMDefine -es
    COMDefine -ec "TLS(identity=<identify_file_dir_path>\<identity_file>;identity_password=<password provided for protecting the private key>)"

    #Example

    COMDefine -es
    COMDefine -ec "TLS(identity=<Infrastructure Management Server Install Directory>\pw\pronto\conf\id.pem;identity_password=pwd)"

    id.pem : Name of the identity file. If the name of the identity file is different, use the relevant file name in the preceding command.

    <Infrastructure Management Server Install Directory>\pw\pronto\conf : The directory path where the identity file is located. If the identity file is located in a different directory, use the relevant path in the preceding command.

  4. Restart the database by running the following command:

    pw p r dbsrv

To configure the SQL Anywhere database on Unix operating system

  1. Take a backup of the startdbsrv7 file located in the  <Infrastructure Management server Install Directory>/TrueSight/pw/pronto/bin directory.

  2. Create an environment variable for the TLS configuration as shown in the following code block:

    #Syntax

    Setenv TLS_CONFIG -ec "TLS(identity=<identity_file_dir_path>\<identity_file>;identity_password=<password provided for protecting the private key>)"

    #Example

    Setenv TLS_CONFIG -ec "TLS(identity=<Infrastructure Management Server Install Directory>/pw/pronto/conf/id.pem;identity_password=pwd)"

    Parameter description

    <identity_file_dir_path> : The path where the identity file is located

    <identity_file> : The identity file name

  3. Append the newly created environment variable into the startdbsrv7 file as shown in the following code block:

    if ($ip == "" || $ip == "localhost") then
    ${DBINSTALLDIR}/asa/bin/dbsrv -ud -x "tcpip(ServerPort=$port)" ${DBINSTALLDIR}/storm_${DBHOSTNAME}.db -n storm_${DBHOSTNAME} -c ${dbsrvicache}g -ch ${dbsrvhcache}p -cl ${dbsrvlcache}p -gp 4096 -gn 50 -ti 0 -tl 0 -gk all -os 20000000 -o ${SATMP}/storm_${DBHOSTNAME}db.log -ec ${TLS_CONFIG} set count=0
    else
    ${DBINSTALLDIR}/asa/bin/dbsrv -ud -x "tcpip(ServerPort=$port;MyIP=${ip})" ${DBINSTALLDIR}/storm_${DBHOSTNAME}.db -n storm_${DBHOSTNAME} -c ${dbsrvicache}g -ch ${dbsrvhcache}p -cl ${dbsrvlcache}p -gp 4096 -gn 50 -ti 0 -tl 0 -gk all -os 20000000 -o ${SATMP}/storm_${DBHOSTNAME}db.log -ec ${TLS_CONFIG}
    Endif

  4. Restart the database by running the following command:

    pw p r dbsrv
  5.  Verify that the process has started with new TLS_CONFIG option in the logfile located in the <Infrastructure Management server Install Directory>/TrueSight/pw/pronto/logs.

 

To configure the Report Engine component

  1. Navigate to the <TrueSight Operations Management Report Engine Install directory>\bin\reportsCLI directory.

  2. Initialize the configuration settings by running the following command:

    #Syntax

    tls_config init [-SqlAnywhereCert <trust certificate path>]

    #Example

    tls_config init -SqlAnywhereCert "<TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security\cert.pem"

    When you run the tls_config script, you are prompted to confirm the restart of Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

    Parameter description

     The following notes describe the key parameters used in the preceding command:

    • -SqlAnywhereCert: This option indicates that the SQL Anywhere database is been configured
    • cert.pem: Name of the certificate file procured from the SQL Anywhere database administrator. If the name of the procured file is different, use the relevant name in the preceding command.
    • <TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security\cert.pem: The complete directory path for the cert.pem certificate file. If this path different, use the relevant path in the preceding example.

  3. Enable the TLS configuration by running the following command:

    tls_config enable -component TSIMDB [-port <2638>]

Perform the following steps to enable the Infrastructure Management server Oracle database to Reporting Engine communication to be TLS compliant:

Before you begin

  • If the Oracle database is configured in TLS 1.2 mode, then perform the following steps to configure the Infrastructure Management Server in TLS 1.2 mode. 

    Note

    Oracle database version 12.1.0.2 is TLS 1.2 compliant.

  • Ensure that the Oracle database security certificates are procured and placed in the relevant directory paths. For more information, see Importing security certificates for the TrueSight Operations Management Report Engine.

To configure the Reporting Engine component

  1. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

    # Unix operating system

    $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

  2. Initiate the configuration settings by running the following command:

    #Syntax

    tls_config init -truststore <truststore file> -truststorepassword <truststore password>

    #Example

    tls_config init -truststore cacerts -truststorepassword <truststore password>

    When you run the tls_config script, you are prompted to confirm the restart of Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

    Parameter description

     The following notes describe the key parameters used in the preceding command:

    • cacerts: Name of the truststore file.
    • <truststore password>: Password for the truststore. changeit is the default password for the cacerts truststore. If you have changed this password, use the current password.

  3. Enable the TLS configuration by running the following command:

    tls_config enable -componentType REDB -port 2484

There are two types of Reporting databases used in the TrueSight Operations Management Reporting. They are:

  • Oracle database
  • SQL server
  • Oracle database version 12.1.0.2 is TLS 1.2 compliant
  • Microsoft SQL Server 2012 (SP2-CU12) (KB3152637) - 11.0.5649.0 (X64)

Perform the following steps to enable the Reporting Engine to Reporting database communication to be TLS compliant:

To configure the Reporting engine

  1. Ensure that TrueSight Reporting Engine is installed by disabling the encryption switch. For more information, see To disable the encryption switch before installing the Report Engine to support TLS.

  2. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

    # Unix operating system

    $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

  3. Initiate the configuration settings by running the following command:

    #Syntax

    tls_config init -truststore <truststore file> -truststorepassword <truststore password>

    #Example

    tls_config init -truststore cacerts -truststorepassword <truststore password>

    When you run the tls_config script, you are prompted to confirm the restart of Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

    Parameter description

     The following notes describe the key parameters used in the preceding command:

    • cacerts: Name of the truststore file.
    • <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\lib\security: The directory path where the cacerts truststore file is located.

To configure the Reporting database

  1. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system
    CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

    # Unix operating system
    $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI

  2. Enable the TLS configuration by running the following command:

    #Syntax

    tls_config enable -componentType <component> -port <TLS port>

    #For Oracle database

    tls_config enable -componentType REDB -port 2484

    #For SQL server

    tls_config enable -componentType REDB -port 2484

The Central Management Server communicates with the BI launch pad over https connection. Perform the following steps to enable this communication to be TLS compliant: 

To configure the Central Management Server and Repository 

  1. To open the Central Configuration Manager (CCM), from the desktop or Start menu, navigate to Sap Business Intelligence -> SAP BusinessObjects Platform 4 -> Central Configuration Manager.
  2. Stop the Tomcat web server.
  3. Locate the server.xml file located in the <TrueSight Operations Management Report Engine Install directory>\SAP BusinessObjects\Tomcat6\conf directory.
  4. Make a copy of this file and save it as  server.xml.bak
  5. Using a text editor open the server.xml file.

  6. Uncomment  the instance of the code line having the Connector port value as tcp as shown in the following code block:

    <Connector port="8443" ....

  7. Add the attributes to the xml file as shown in the following code block:

    keystorePass="Password1" keystoreFile="C:\SSL\.keystore". <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystorePass="bmcAdm1n" keystoreFile="C:\SSL\.keystore" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2"/>
  8. Save and close the file.

  9. Enable the following environment variables:

    set JAVA_HOME=C:\Java64\jdk1.8.0_60
    set PATH=%PATH%;C:\Java64\jdk1.8.0_60\bin
    set CATALINA_HOME=C:\apache-tomcat-7.0.64-64bit
    set JAVA_OPTS=-Djdk.tls.client.protocols="TLSv1.2" -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dhttps.protocols="TLSv1.2"
  10. Start the Tomcat web server. 

  11. Open the Central Management Server, and the BI launch pad web client using the port that is used to configure the TLS. For example, in the preceding command port number 8443 is used to configure TLS, hence open the server and client as shown below:

    Https://<BO_Hostname>:8443/BOE/BI

    Https://<BO_Hostname>:8443/BOE/CMC

Related topic

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*