_TSISCertImplement


The following section guides you through creating self-signed certificates and getting them verified by a CA for the TrueSight Integration Service.

Note

For the Integration Service, the certificate store is in Mozilla NSS DB store format.

  1. Log on to the host computer where the TrueSight Integration Service is installed, navigate to the <Infrastructure Management server Installation Directory>\pw\Agent\patrol\common\security\config_v3.0 directory, and back up all the files located in this folder.
  2. Create a Mozilla certificate store on the Integration Service by running the following commands:

    # On Microsoft Windows
    $ mkdir <Infrastructure Management server Installation Directory>\pw\Agent\patrol\common\security\config_v3.0\ISAsServer_DB
    $ certutil -N -d sql:<installationdirectory>\Agent\patrol\common\security\config_v3.0\ISAsServer_DB

    # On Unix
    $ mkdir <Infrastructure Management server Installation Directory>/pw/Agent/patrol/common/security/config_v3.0/ISAsServer_DB
    $ certutil -N -d sql:<installationdirectory>/Agent/patrol/common/security/config_v3.0/ISAsServer_DB

    Note

    ISAsServer_DB is the name of the server certificate store for the Integration Service.

  3. Navigate to the <Infrastructure Management server Installation Directory>\pw\Agent\patrol\common\security\config_v3.0\ISAsServer_DB directory and generate a private key by running the following command:

    openssl genrsa -des3 -out private.key 2048

    You are prompted to type a password for this key. Type an appropriate password for this private key.

     

  4. Copy the openssl.cnf file from the <Infrastructure Management server Installation Directory>\pw\apache\conf directory to the <Infrastructure Management server Installation Directory>\pw\apache\bin directory.

    On Unix operating systems, the openssl.cnf file is located in the /opt/bmc/TrueSight/pw/apache/ssl directory.

  5. Create a new certificate signing request (CSR) by running the following command. The command prompts you for details such as the name and organization, as shown in the following code block. Enter the details appropriately.

    openssl req -new -key private.key -out tsimalias.csr -config openssl.cnf
    Enter pass phrase private.key:

    Country Name (2 letter code) [AU]:<country code>
    State or Province Name (full name) [Some-State]:<state>
    Locality Name (eg, city) []:<city>
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company>
    Organizational Unit Name (eg, section) []:<organisational unit>
    Common Name (e.g. server FQDN or YOUR name) []:<FQDN of TSIM>
    Email Address []:<e-mail address>

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []: <ENTER>
    An optional company name []:

    Note

    If the Infrastructure Management server is configured in disaster recovery mode, modify the preceding command as shown below:

    -extensions SAN=dns:<primary TSIM FQDN>,dns:<secondary TSIM FQDN>,dns:<TSIM alias FQDN>, dns:<primary TSIM>,dns:<secondary TSIM>,dns:<TSIM alias>

  6. Send the CSR to the certificate authority (CA) of your organisation for signing.
  7. Remove the password for the private key by exporting the key to a new key without a password as shown in the following code block:

    openssl rsa -in private.key -out <TS_ISN>.key
  8. Rename the signed certificate received from a CA to <TS_ISN>.cer.
  9. Copy the <TS_ISN>.key and the <TS_ISN>.cer files to the <Infrastructure Management server Installation Directory>\pw\apache\conf folder, and back up the default files: my_server.key and my_server.cer.
  10. Restart the Infrastructure Management Server by running the following command:

    pw system start
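
A pre-install check for the files handled in steps 7 to 9, added here as an example and not part of the original procedure: it confirms that the signed certificate matches the private key, is within its validity period, and covers each name clients connect to (the disaster recovery note lists several). The function names and argument order are assumptions of this example, and it needs the `openssl` command on the path.

```shell
#!/bin/sh
# Added example: checks to run on the CA-signed certificate before step 9.
# Function names and the argument order are assumptions of this example.

# Succeeds when the certificate and the private key carry the same public key.
key_matches_cert() {   # usage: key_matches_cert <cert.cer> <private.key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # -passin pass: keeps the call non-interactive; the key from step 7 has no passphrase.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate (SAN, or CN if no SAN) is valid for the host name.
cert_covers_host() {   # usage: cert_covers_host <cert.cer> <name>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Runs every check; prints one line per problem and returns the problem count.
preflight() {          # usage: preflight <cert.cer> <private.key> <name>...
    cert=$1 key=$2; shift 2
    problems=0
    if ! key_matches_cert "$cert" "$key"; then
        echo "FAIL: $cert was not issued for $key"; problems=$((problems + 1))
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or unreadable"; problems=$((problems + 1))
    fi
    for name in "$@"; do
        if ! cert_covers_host "$cert" "$name"; then
            echo "FAIL: $cert does not cover $name"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run only when arguments are supplied: the certificate, the key, and
# each TSIM FQDN or alias that clients connect to.
if [ "$#" -ge 3 ]; then
    preflight "$@" && echo "OK: certificate, key and names are consistent"
fi
```

Because step 7 leaves <TS_ISN>.key unencrypted on disk, restrict read access on that file to the account that runs the server.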

 
