Configuring TrueSight Infrastructure Management to enable TLS 1.2



By default, TrueSight Infrastructure Management and its associated components use Transport Layer Security (TLS) versions earlier than TLS 1.2 to communicate with each other. You can upgrade the security in your enterprise environment by using TLS 1.2 to communicate with TrueSight Infrastructure Management components. Following installation of the TrueSight Infrastructure Management components, you can switch from the default inter-component security configuration to TLS 1.2 configuration.

Before you begin

Ensure that you complete the certificate creation and import tasks for the relevant components before you configure TLS 1.2 between them. For more information about how to create and import private certificates, see Implementing private certificates in TrueSight Operations Management.

To configure the TrueSight Infrastructure Management components to enable TLS 1.2

The TrueSight Infrastructure Management components communicate over several different channels, and TLS is configured per communication channel. Select the communication channel that you want to make TLS compliant and perform the corresponding tasks. The flowchart in the following diagram explains the complete TLS configuration workflow.

[Figure: tls_config_flow.png (TLS configuration workflow flowchart)]

To enable TLS 1.2, complete the procedures by navigating the following tabs, or select the procedures from documentation links in the flowchart.


Perform the following steps to make the communication between the Infrastructure Management server main cell and the Reporting Engine TLS compliant:

Note

If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in Non-TLS mode.

 

|  | Infrastructure Management server cells in TLS mode | Infrastructure Management server cells in Non-TLS mode | Remote cells in TLS mode | Remote cells in Non-TLS mode |
|---|---|---|---|---|
| Reporting Engine in TLS mode | ✅️ | ❌️ | ✅️ | ❌️ |

 

To configure the Infrastructure Management server cell component

  1. Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.
  2. Locate the line that contains the encryption key value, as shown in the following code block:

    gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>

    #Example

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783

  3. Change the existing encryption key value to *TLS, as shown in the following example:

    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
  4. Save and close the file.
  5. Reload the mcell.dir file by entering the following command from a command line:

    #Syntax

    mcontrol -n cellName reload dir

    #Example

    mcontrol -n pncell_vm-w23-rds1016 reload dir

    Note

    pncell_vm-w23-rds1016 is the name of the cell.
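
An added example (not BMC's code): a Python check that reads mcell.dir content and reports gateway.reportengine entries whose encryption key field is not *TLS, which is useful after step 3 and before the reload in step 5. It assumes the field layout shown in step 2 and that lines starting with # are comments; the function name audit_mcell_dir and the host names in the sample are constructed for illustration.

```python
import sys

# Constructed sample in the layout the page shows:
# <type> <name> <encryptionKey> <host>:<port>
SAMPLE_MCELL_DIR = """\
# constructed sample, not a real mcell.dir
gateway.reportengine bpre.host-a.example.com mc host-a.example.com:3783
gateway.reportengine bpre.host-b.example.com *TLS host-b.example.com:3783
gateway.reportengine bpre.host-c.example.com
"""

ENTRY_TYPE = "gateway.reportengine"
TLS_KEY = "*TLS"  # exact value the page says to set


def audit_mcell_dir(text):
    """Return (compliant, findings) for gateway.reportengine entries.

    compliant: list of (line_number, name, endpoints)
    findings:  list of (line_number, name, reason)
    The encryption key itself is never echoed, because it is a secret.
    """
    compliant, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and '#' lines carry no entries.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != ENTRY_TYPE:
            continue
        name = fields[1] if len(fields) > 1 else "?"
        if len(fields) < 4:
            findings.append((lineno, name, "fewer than four fields"))
        elif fields[2] != TLS_KEY:
            findings.append((lineno, name, "encryption key is not *TLS"))
        else:
            compliant.append((lineno, name, fields[3:]))
    return compliant, findings


if __name__ == "__main__":
    # Pass the path to mcell.dir; without one, the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            content = handle.read()
    else:
        content = SAMPLE_MCELL_DIR
    ok, bad = audit_mcell_dir(content)
    for lineno, name, reason in bad:
        print(f"line {lineno}: {name}: {reason}")
    sys.exit(1 if bad else 0)
```
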


To configure the Report Engine component

  1. Navigate to the reportsCLI directory by running the following command:

    # Microsoft Windows operating system

    CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI

    # Unix operating system

    $ cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI
  2. Initiate the configuration settings by running the following command:

    #Syntax

    tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]

    #Example

    tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin

    When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.

    Parameter description

     The following notes describe the key parameters used in the preceding command:

    • cacerts: Name of the keystore and truststore file of the Report Engine.
    • <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
    • <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.
  3. Enable the TLS configuration by running the following command:

    tls_config enable -component cell
