You can upgrade the security in your enterprise environment by using TLS 1.2 to communicate with TrueSight Infrastructure Management components. After the installation of TrueSight Infrastructure Management components, you can switch from the default inter-component security configuration to TLS 1.2 configuration.
Before you begin
Complete the certificate creation and import tasks for the relevant components before you configure TLS 1.2 between them. For more information about how to create and import private certificates, see Implementing-private-certificates-in-TrueSight-Operations-Management.
The TrueSight Infrastructure Management components communicate over several channels, and TLS is configured per communication channel. Select the communication channel that you want to make TLS compliant and perform the corresponding tasks. The flowchart in the following diagram explains the complete TLS configuration workflow.
Step a: TSIM to TSPS communication
- Step 1: To configure the Presentation Server
- Step 2: To configure the Infrastructure Management Server
- Step 3: To start the servers
- Step 4: To register the Infrastructure Management Server with the Presentation Server

Step 1: To configure the Presentation Server
- Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running.
    tssh server status
- Ensure that the TrueSight Presentation Server is running before proceeding further.
- Log on to the TrueSight console and select Administration > Components.
  The console displays the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the TrueSight Presentation Server. If a TrueSight Infrastructure Management Server is registered, delete it.
- Set the property in the database by running the following commands:
    tssh properties set tsps.cell.conntype ssl
    tssh properties set pronet.jms.conntype SSL
- Using a text editor, open the mcell.dir file located in <Presentation Server Install Directory>\conf directory.
- Comment out the instances of the code lines having the encryption key value as mc as shown below:
    #Type <name> encryption key <host>/<port>
    #gateway.gateway_subtype ts_event_gateway mc tsps_server1.bmc.com:1900
    #cell pncell_tsim_server1 mc tsim_server1.bmc.com:1828
- Set the encryption key value to *TLS as shown below:
    #Type <name> encryption key <host>/<port>
    gateway.gateway_subtype ts_event_gateway *TLS tsps_server1.bmc.com:1900
    cell pncell_tsim_server1 *TLS tsim_server1.bmc.com:1828
  Parameter description:
  - tsps_server1 is the name of the computer where the TrueSight Presentation Server is installed.
  - tsim_server1 is the name of the TrueSight Infrastructure Management Server registered with the TrueSight Presentation Server.
  If there are multiple Infrastructure Management Server entries in the mcell.dir file, change the encryption key to *TLS for all such entries.

Step 2: To configure the Infrastructure Management Server
- Navigate to the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory location.
- Open the ssl.activemq-rar.rar file and extract the amq-broker-config.xml file.
- Take a backup of the amq-broker-config.xml file.
- (Optional - If using a non-default JMS port) By default, the URI attribute of the transportConnector property is set to the port number 8093. If a different JMS port is configured, update the property in the amq-broker-config.xml file as shown in the following example:
  In the example, transportConnector is set to 8093.
- After the change, save the amq-broker-config.xml file and add it to the ssl.activemq-rar.rar file in the <Infrastructure Management Server Install Directory>\pw\wildfly\store directory again.
- Navigate to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown below:
    #Syntax
    perl switchTLSMode.pl -<on/off> -flow <communication channel> -tsps <TrueSight Presentation Server name>
    #Example
    perl switchTLSMode.pl -on -flow event_and_data -tsps myserver.bmc.com
  Parameter description:
  - -on/off: The on option enables TLS mode of communication. The off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
  - -flow: If the flow is set to event_and_data, the communication between the Infrastructure Management Server and the Presentation Server is TLS 1.2 enabled.
  - TrueSight Presentation Server name: This is the fully qualified domain name (FQDN) of the computer where the Presentation Server is installed.
  - -h: This is an optional parameter. It displays the help for the switchTLSMode.pl command.

Step 3: To start the servers
- Start the Presentation Server by running the following command:
    tssh server start
- Start the Infrastructure Management Server by running the following command:
    pw system start

Step 4: To register the Infrastructure Management Server with the Presentation Server
- Ensure that all the processes of the Infrastructure Management Server are up by running the following command:
    pw p l
- Register the Infrastructure Management Server with the Presentation Server.

Step b-1: IS to TSIM
- Step 1: To configure the local Integration Service
- Step 2: To configure the remote Integration Service
- Step 3: To start the servers

Step 1: To configure the local Integration Service
- Stop the Infrastructure Management Server by running the following command:
    pw system stop
- Using a text editor, open the pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.
  For a local Integration Service, modify the file present in the pw\custom\conf directory.
- Comment out the instance of the code line having the conntype value as tcp as shown below:
    #pronet.apps.agent.conntype=tcp
- Set the conntype value to ssltcp as shown below:
    #Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant
    pronet.apps.agent.conntype=ssltcp
- Save and close the file.

Step 2: To configure the remote Integration Service
- Stop the Infrastructure Management Server by running the following command:
    pw system stop
- Using a text editor, open the pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.
- Comment out the instance of the code line having the conntype value as tcp as shown below:
    #pronet.apps.agent.conntype=tcp
- Set the conntype value to ssltcp as shown below:
    pronet.apps.agent.conntype=ssltcp
- Save and close the file.
- Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:
    pw is stop
- To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, and then click Stop.
- Click Yes to close the warning message that is displayed.
  The status for the Integration Service changes from Started to (blank).
- Using a text editor, open the pronet.conf file located in <Integration Service Install directory>\agent\pronto\conf directory.
  If it is a remote Integration Service, modify the file present in the agent\pronto\conf directory.
- Comment out the instance of the code line having the conntype value as tcp as shown below:
    #pronet.apps.agent.conntype=tcp
- Set the conntype value to ssltcp as shown below:
    pronet.apps.agent.conntype=ssltcp
- Save and close the file.

Step 3: To start the servers
- Log in to the TrueSight console, and access Configuration > Managed Devices.
  The Managed Devices page displays the BMC TrueSight Infrastructure Management components that are displayed in a hierarchical order as shown below:
- Click the action menu of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
- Select the Edit option.
- The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
- Click Save.
- Start the Infrastructure Management Server by running the following command:
    pw system start
- Start the Integration Service (Unix) by running the following command:
    pw is start
- To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, and then click Restart.
- Click Yes to close the warning message that is displayed.
  The status for the Integration Service changes to Started from (blank).
The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

Step b-2: IS to Cell
- Step 1: To configure the local Integration Service
- Step 2: To configure the remote Integration Service
- Step 3: To configure the local Cell
- Step 4: To configure the remote Cell
- Step 5: To start the servers

Step 1: To configure the local Integration Service
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode; otherwise, they operate in non-TLS mode.
- Stop the Infrastructure Management Server by running the following command:
    pw system stop
- Using a text editor, open the pronet.conf file located in <Infrastructure Management Server Install directory>\pw\custom\conf directory.
- Comment out the instance of the code line having the encryption key value as mc as shown in the following code block:
    #pronet.apps.is.cell.encryptionkey=mc
- Set the encryptionkey value to *TLS as shown in the following code block:
    pronet.apps.is.cell.encryptionkey=*TLS
- Save and close the file.
- Using a text editor, open the mcell.dir file located in <Infrastructure Management Server Install directory>\pw\server\etc directory.
- Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:
    #Type <name> encryption key <host>/<port>
    #cell cell_1 mc cell_1.bmc.com:1828
    #cell HA_Cell mc primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
- Set the encryption key value to *TLS as shown in the following code block:
    #Type <name> encryption key <host>/<port>
    cell cell_1 *TLS cell_1.bmc.com:1828
    cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
  Parameter description:
  - cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
  - HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.

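A pre-start check for the mcell.dir edits described above (and for the same edit in the other channels on this page), as an added example that is not BMC code: it parses the active lines, reports entries still using mc, entries that are active twice because the old line was not commented out, and endpoints broken by a stray space. It assumes the column layout shown in the page's code blocks and an exact match on *TLS; cell_2 and cell_3 are constructed names.

```python
import re
from dataclasses import dataclass

# host:port with no embedded whitespace, e.g. cell_1.bmc.com:1828
ENDPOINT = re.compile(r"^([^\s:]+):(\d+)$")


@dataclass
class Entry:
    line_no: int
    etype: str       # cell, gateway.imcomm, gateway.reportengine, ...
    name: str
    key: str         # encryption key column: mc or *TLS
    endpoints: list  # [(host, port)]; an HA cell lists two


def parse_mcell_dir(text):
    """Return (entries, problems) for the active lines of an mcell.dir file."""
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        fields = line.split()
        if len(fields) < 4:
            problems.append((line_no, "expected <type> <name> <key> <host>:<port>"))
            continue
        etype, name, key, *raw_endpoints = fields
        endpoints = []
        for ep in raw_endpoints:
            m = ENDPOINT.match(ep)
            if m is None:
                problems.append((line_no, f"malformed endpoint {ep!r}"))
                break
            endpoints.append((m.group(1), int(m.group(2))))
        else:
            entries.append(Entry(line_no, etype, name, key, endpoints))
    return entries, problems


def audit_mcell_dir(text):
    """Return sorted (line_no, message) findings that block a clean TLS switch."""
    entries, findings = parse_mcell_dir(text)
    first_seen = {}
    for e in entries:
        if e.key != "*TLS":  # assumption: the key is matched exactly as the page writes it
            findings.append(
                (e.line_no, f"{e.etype} {e.name}: encryption key is {e.key!r}, not *TLS"))
        ident = (e.etype, e.name)
        if ident in first_seen:
            findings.append(
                (e.line_no, f"{e.etype} {e.name}: also active on line {first_seen[ident]}"))
        else:
            first_seen[ident] = e.line_no
    return sorted(findings)


# Constructed sample: cell_2 was switched without commenting out the old line,
# the gateway entry was missed, and cell_3 has a space before the port.
SAMPLE = """\
#Type <name> encryption key <host>/<port>
#cell cell_1 mc cell_1.bmc.com:1828
cell cell_1 *TLS cell_1.bmc.com:1828
cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
cell cell_2 mc cell_2.bmc.com:1828
cell cell_2 *TLS cell_2.bmc.com:1828
gateway.imcomm IIWSGatewayServer mc IIWSGatewayServer.bmc.com:1859
cell cell_3 *TLS cell_3.bmc.com: 1828
"""

if __name__ == "__main__":
    for line_no, message in audit_mcell_dir(SAMPLE):
        print(f"line {line_no}: {message}")
```

Which of two active lines for the same entry takes effect is not stated on this page, so the check reports the duplicate instead of guessing.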
Step 2: To configure the remote Integration Service
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode; otherwise, they operate in non-TLS mode.
- Log on to the computer where the remote Integration Service is installed, and stop the Integration Service (Unix) by running the following command:
    pw is stop
- To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, and then click Stop.
- Click Yes to close the warning message that is displayed.
  The status for the Integration Service changes from Started to (blank).
- Using a text editor, open the pronet.conf file located in <Integration Service Install directory>\agent\pronto\conf directory.
  If it is a remote Integration Service, modify the file present in the agent\pronto\conf directory.
- Comment out the instance of the code line having the encryptionkey value as mc as shown in the following code block:
    #pronet.apps.is.cell.encryptionkey=mc
- Set the encryptionkey value to *TLS as shown in the following code block:
    pronet.apps.is.cell.encryptionkey=*TLS
- Save and close the file.
- Using a text editor, open the mcell.dir file located in <Integration Service Install directory>\Agent\server\etc directory.
- Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:
    #Type <name> encryption key <host>/<port>
    #cell cell_1 mc cell_1.bmc.com:1828
    #cell HA_Cell mc primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
- Set the encryption key value to *TLS as shown in the following code block:
    #Type <name> encryption key <host>/<port>
    cell cell_1 *TLS cell_1.bmc.com:1828
    cell HA_Cell *TLS primaryhost.bmc.com:1828 secondaryhost.bmc.com:1828
  Parameter description:
  Make the cell entries in the mcell.dir file based on the type of communication as explained in the following section:
  - cell_1 is the name of the default Infrastructure Management Cell or a remote cell. This entry indicates that the Integration Service is communicating with the default Infrastructure Management Cell or the remote cell.
  - HA_Cell is the name of the High Availability cell. This entry indicates that the Integration Service is communicating with the High Availability Cell. The primaryhost.bmc.com and secondaryhost.bmc.com are the primary and secondary HA cell host names.
- Save and close the file.

Step 3: To configure the local Cell
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode; otherwise, they operate in non-TLS mode.
- Stop the cell service (Unix) by running the following command:
    mkill -n cellname
- To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight it, and then click Stop.
- Click Yes to close the warning message that is displayed.
  The status for the cell service changes from Started to (blank).
- Using a text editor, open the mcell.conf file located in <Infrastructure Management Server Install Directory>\pw\server\etc\pncell_<TSIM_MACHINE_NAME> directory.
- Comment out the instance of the code line having the ServerTransportProtocol value as tcp as shown in the following code block:
    #ServerTransportProtocol=tcp
- Set the properties as shown in the following code block:
    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
- Save and close the file.

Step 4: To configure the remote Cell
CLI commands are TLS compliant. All the CLI commands read the mcell.dir file. If the encryption key is set to *TLS in the mcell.dir file, CLI commands operate in TLS mode; otherwise, they operate in non-TLS mode.
- Log on to the computer where the remote cell is installed.
- Stop the cell service (Unix) by running the following command:
    mkill -n cellname
- To stop the cell service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Event Manager cell_name or BMC TrueSight Event Manager HA_CELL on the list of services, highlight it, and then click Stop.
- Click Yes to close the warning message that is displayed.
  The status for the cell service changes from Started to (blank).
- Using a text editor, open the mcell.conf file located in <Remote Cell Install Directory>\Agent\server\etc\cell_name directory.
- Comment out the instance of the code line having the ServerTransportProtocol value as tcp as shown in the following code block:
    #ServerTransportProtocol=tcp
- Set the properties as shown in the following code block:
    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
- Save and close the file.

Step 5: To start the servers
- Start the cell service (Unix) by running the following command:
    pw is start
- To start the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
- Double-click the Services icon to launch the Services dialog box.
- Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight it, and then click Restart.
- Click Yes to close the warning message that is displayed.
  The status for the Integration Service changes to Started from (blank).
The Integration Service restart is applicable only to the remote Integration Service. The local Integration Service is restarted automatically along with the Infrastructure Management Server.

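The pronet.conf and mcell.conf edits in Steps b-1 and b-2 all follow the pattern "comment out the old line, add the new one". The following added example (not BMC code) checks the active values in those files and reports a setting that is still commented out, an old value left active next to the new one, or a cell switched to tls without its certificate and key entries. It assumes plain key=value lines with # comments, exact value matches as written on this page, and a host that is configured for both Integration Service channels; the sample file contents are constructed.

```python
# Expected active values, taken from the steps on this page. None means
# "must be set, any value": the page allows certificate and key file names
# other than mcell.crt and mcell.key.
EXPECTED = {
    "pronet.conf": {
        "pronet.apps.agent.conntype": "ssltcp",
        "pronet.apps.is.cell.encryptionkey": "*TLS",
    },
    "mcell.conf": {
        "ServerTransportProtocol": "tls",
        "ServerCertificateFileName": None,
        "ServerPrivateKeyFileName": None,
    },
}


def active_settings(text):
    """Map each uncommented key to [(line_no, value), ...] in file order."""
    settings = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), []).append((line_no, value.strip()))
    return settings


def audit_conf(kind, text):
    """Return a list of findings for one file; kind is a key of EXPECTED."""
    settings = active_settings(text)
    findings = []
    for key, want in EXPECTED[kind].items():
        hits = settings.get(key, [])
        if not hits:
            findings.append(f"{key}: not set (missing or still commented out)")
            continue
        if len(hits) > 1:
            lines = ", ".join(str(n) for n, _ in hits)
            findings.append(f"{key}: active on lines {lines}; comment out the old line")
        for line_no, value in hits:
            if value == "":
                findings.append(f"{key}: empty value on line {line_no}")
            elif want is not None and value != want:
                findings.append(f"{key}: line {line_no} is {value!r}, expected {want!r}")
    return findings


# Constructed sample: the tcp line was left active above the new ssltcp line.
PRONET_SAMPLE = """\
pronet.apps.agent.conntype=tcp
#Configuration settings to make the Infrastructure Management Server to Local Integration Service TLS 1.2 compliant
pronet.apps.agent.conntype=ssltcp
#pronet.apps.is.cell.encryptionkey=mc
pronet.apps.is.cell.encryptionkey=*TLS
"""

# Constructed sample: tls is enabled but the private key entry is commented out.
MCELL_SAMPLE = """\
#ServerTransportProtocol=tcp
ServerTransportProtocol=tls
ServerCertificateFileName=mcell.crt
#ServerPrivateKeyFileName=mcell.key
"""

if __name__ == "__main__":
    for kind, text in (("pronet.conf", PRONET_SAMPLE), ("mcell.conf", MCELL_SAMPLE)):
        for finding in audit_conf(kind, text):
            print(f"{kind}: {finding}")
```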
Step c: TSIM to Oracle
To configure the Infrastructure Management Server to Oracle database communication to enable TLS 1.2
Notes:
  - Ensure that the Oracle database is configured in TLS 1.2 mode, and then configure the Infrastructure Management server in TLS 1.2 mode as explained in the following section.
  - Oracle database version 11G is TLS 1.0 compliant.
  - Oracle database version 12.1.0.2 and 19c are TLS 1.2 compliant.
  - If the Infrastructure Management server is configured in the high-availability mode, first perform the following sequence of steps on the primary Infrastructure Management server, and then on the secondary Infrastructure Management server.

- Stop the Infrastructure Management Server by running the following command:
    pw system stop
- Go to the <Infrastructure Management Server Install Directory>\pw\pronto\bin directory, and run the switchTLSMode.pl script as shown in the following code block:
    #Syntax
    perl switchTLSMode.pl -<on/off> -flow <communication channel> -dbport <Oracle Database port> -dbver <Oracle Database version>
    #Example
    perl switchTLSMode.pl -on -flow oracle -dbport 2484 -dbver 19C
  Parameter description:
  - on/off: The on option enables TLS mode of communication. The off option disables TLS mode of communication and enables the default tcp/ssl mode of communication.
  - flow: This variable can have two options: event_and_data, and oracle. If flow is set to oracle, the communication between the Infrastructure Management Server and the Oracle database is TLS 1.2 enabled.
  - dbport: Specify the port number that is configured for the Oracle database communication.
  - dbver: Specify the Oracle database version. There are two compatible Oracle database versions: 12C, 19C
- Open the pronet.conf file in the <Infrastructure Management Server Install directory>\pw\custom\conf directory, and verify that the configuration parameters are set as shown in the following code block:
    pronet.api.database.portnum=2484
    #Configuration settings to make TLS compliant
    pronet.api.database.conntype=ssl
- Verify that the latest Oracle JDBC driver ojdbc8.jar is copied in the <Infrastructure Management Server Install directory>\pw\apps3rdparty\jdbc directory.
- Run the following command to verify if the Infrastructure Management server is able to establish a connection with Oracle database in TLS mode:
    #Microsoft Windows
    <Infrastructure Management Server Install directory>\pw\pronto\bin\runjava api.database.DbUpCheck
    #Linux
    <Infrastructure Management Server Install directory>/pw/pronto/bin/runjava api.database.DbUpCheck
    #Example output
    INFO 06/08 21:14:34 Library 600002 Setting SSL properties for Oracle database connection success
- Start the Infrastructure Management Server by running the following command:
    pw system start
- Run the following command to verify if the Infrastructure Management server is able to establish a connection with Oracle database:
    pw p l
    #Example Output
    BMC TrueSight Infrastructure Management Command Line Interface 2020 version 11.3.04
    Copyright 1997-2020 BMC Software, Inc. as an unpublished work. All rights reserved.
    Servers/Daemon Processes
    ------------------------
    services 15788
    httpd 9024
    jserver 9812
    pronet_agent 12860
    pronet_cntl 13364
    tunnelproxy 14352
    rate 10292
    Oracle Running on test-bmc-setup:2484
    mcell 1788
After restarting, the Infrastructure Management server status must be displayed as connected in the associated Presentation Server.

To upgrade the Infrastructure Management server version 10.7 that communicates with the Oracle database in TLS mode:
- Disable TLS communication between the Infrastructure Management server and the Oracle database. For detailed instructions, see Rolling back to SSL configuration.
- Upgrade the Infrastructure Management server. For detailed instructions, see Upgrading the Infrastructure Management Server.
- Enable TLS communication between the Infrastructure Management server and the Oracle database.

Step d: PA to IS
By default, the PATROL Agent communicates using either Transmission Control Protocol (TCP) or Secure Sockets Layer (SSL) protocol, but you can configure PATROL Agents to enable TLS 1.2 mode.
- Ensure that the signed certificates are generated for the Integration Service and imported into the PATROL Agent's client DB certificate store.
  To generate signed certificates for the Integration Service, see Implementing-private-certificates-in-the-Integration-Service.
- Ensure that the PATROL Agent and the TrueSight Integration Service are running at the same security level.
- Configure the PATROL Agent to Integration Service communication to enable TLS mode.

Step e: TSIM to IIWS
- Step 1: To configure the Infrastructure Management Server
- Step 2: To configure the BMC Impact Integration Web Services server
- Step 3: To start the servers

Step 1: To configure the Infrastructure Management Server
- Stop the Infrastructure Management Server by running the following command:
    pw system stop
- Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\server\etc directory.
- Comment out the instance of the code line having the encryption key value as mc as shown in the following code block:
    #gateway.imcomm IIWSGatewayServer mc IIWSGatewayServer.bmc.com:1859
- Set the encryption key value to *TLS as shown in the following code block:
    gateway.imcomm IIWSGatewayServer *TLS IIWSGatewayServer.bmc.com:1859
  IIWSGatewayServer is the name of the host computer where the BMC Impact Integration Web Services is installed.
- Save and close the file.

Step 2: To configure the BMC Impact Integration Web Services server
- Navigate to the <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc directory by running the following command:
    # Microsoft Windows operating system
    $cd <Impact Web Services installation directory>\tomcat\webapps\imws\WEB-INF\etc
    # Unix operating system
    $cd <Impact Web Services installation directory>/tomcat/webapps/imws/WEB-INF/etc
- Using a text editor, open the mcell.dir file.
- Comment out the instances of the code lines having the encryption key value as mc as shown in the following code block:
    #type Name encryption key <Host>:1828
    #gateway.imcomm IIWSGatewayServer mc localhost:1859
    #cell pncell_tsim_server mc tsim_server.bmc.com:1828
- Set the encryption key value to *TLS as shown in the following code block:
    #syntax
    #type Name encryption key <Host>:1828
    gateway.imcomm IIWSGatewayServer *TLS localhost:1859
    cell pncell_tsim_server *TLS tsim_server.bmc.com:1828
  Parameter description:
  - Replace localhost with the name of the computer where the IIWS server is installed.
  - tsim_server is the name of the host computer where the Infrastructure Management Server is installed.

Step 3: To start the servers
- Start the Infrastructure Management Server by running the following command:
    pw system start
- Restart the IIWS server by performing the following steps:
  - From the desktop or Start menu, navigate to Services.
  - To stop the server, select the BMC Impact Integration Web Services service, and right-click to open the menu. The service name is BMCIWS, and the display name is Impact Integration Web Service.
  - To stop the application server, select Stop.

Step f: TSIM to Reporting
- Step 1: To configure the Infrastructure Management server cell component
- Step 2: To configure the Reporting Engine component
Note: If the Reporting Engine is in TLS mode, it cannot communicate with any of the remote cells or Infrastructure Management server cells operating in non-TLS mode.

Step 1: To configure the Infrastructure Management server cell component
- Using a text editor, open the mcell.dir file on the BMC TrueSight Infrastructure Management Server host computer. The file is located in the <Infrastructure Management server Install Directory>\pw\server\etc directory.
- Check for the instance of the code line having the encryption key value as shown in the following code block:
    gateway.reportengine bpre.<fullyQualifiedHostName> <encryptionKey> <fullyQualifiedHostName>:<3783>
    #Example
    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com mc vs-pun-tsim-bp03.bmc.com:3783
- Modify the existing value of the encryption key to *TLS as shown in the following example:
    gateway.reportengine bpre.vs-pun-tsim-bp03.bmc.com *TLS vs-pun-tsim-bp03.bmc.com:3783
- Save and close the file.
- Reload the mcell.dir file by entering the following command from a command line:
    #Syntax
    mcontrol -n cellName reload dir
    #Example
    mcontrol -n pncell_vm-w23-rds1016 reload dir
  where pncell_vm-w23-rds1016 is the name of the cell.

Step 2: To configure the Reporting Engine component
- Navigate to the reportsCLI directory by running the following command:
    # Microsoft Windows operating system
    CurrentDirectory>cd <TrueSight Operations Management Reporting Install directory>\bin\reportsCLI
    # Unix operating system
    $cd <TrueSight Operations Management Reporting Install directory>/bin/reportsCLI
- Initiate the configuration settings by running the following command:
    #Syntax
    tls_config init -truststore <truststore file> -truststorepassword <truststore password> [-keystore <keystore file> -keystorepassword <keystore password>][-SqlAnywhereCert <trust certificate path>]
    #Example
    tls_config init -truststore cacerts -truststorepassword <truststore password> -keystore cacerts -keystorepassword <keystore password> -SqlAnywhereCert <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin
  When you run the tls_config script, you are prompted to confirm the restart of the Reporting Engine. The TLS configurations are applied only when the Reporting Engine restarts.
  Parameter description
  The following notes describe the key parameters used in the preceding command:
  - cacerts: Name of the keystore and truststore file of the Report Engine.
  - <truststore password>: Password for the keystore/truststore. changeit is the default password for the cacerts keystore. If you have changed this password, use the current password.
  - <BMC TrueSight Operations Management Report Engine Install Directory>\ReportEngine\tools\jre\bin: The directory path where the cacerts truststore file is located.
- Enable the TLS configuration by running the following command:
    tls_config enable -component cell

Step g: PS to TSIM
To configure the Infrastructure Management server
- Stop the Infrastructure Management Server by running the following command:
    pw system stop
- Using a text editor, open the pronet.conf located in the <Infrastructure Management Server Install Directory>\pw\custom\conf directory.
- Add the following properties in pronet.conf as shown in the following code block:
    pronet.jms.passwd.file=pronto/conf/.ks_pass
    pronet.apps.ipc.ssl.context.pserver.truststore.filename=messagebroker.ts
    pronet.apps.ipc.ssl.context.pserver.keystore.filename=pnserver.ks
    pronet.apps.ipc.ssl.context.pserver.enabledsuites=TLS_RSA_WITH_AES_128_CBC_SHA256
    pronet.apps.ipc.ssl.context.pserver.keystore.passwdfile=pronto/conf/.ks_pass
- Using a text editor, open the mcell.dir located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
- Comment out any existing instances of the code lines having the encryption key value as mc as shown in the following code block:
    #Type <name> encryption key <host>/<port>
    #cell pncell_hostname mc pncell_hostname.bmc.com:1828
    #gateway.imcomm gw_ps_pncell_hostname mc hostname.bmc.com:1839
- Add the code lines to set the encryption key value to *TLS as shown in the following code block:
    #Type <name> encryption key <host>/<port>
    cell pncell_hostname *TLS pncell_hostname.bmc.com:1828
    gateway.imcomm gw_ps_pncell_hostname *TLS hostname.bmc.com:1839
- Using a text editor, open the smmgr.conf located in the <Infrastructure Management Server Install Directory>\pw\server\etc directory.
- Comment out any existing instance of the code line having the ServerTransportProtocol value as tcp as shown in the following code block:
    #ServerTransportProtocol=tcp
- Add the code lines to set the ServerTransportProtocol value to tls, and the server certificate file name and key values, as shown in the following code block:
    ServerTransportProtocol=tls
    ServerCertificateFileName=mcell.crt
    ServerPrivateKeyFileName=mcell.key
  mcell.crt and mcell.key are the names of the cell key and the certificate. If the cell certificate and key names in your Infrastructure Management server are different, use the relevant names in the preceding settings. For more information about how to create the cell key and certificate, see Implementing private certificates in the TrueSight Infrastructure Management.
- Start the Infrastructure Management Server by running the following command:
    pw system start