Configuring IT Data Analytics communication to enable TLS 1.2



TrueSight IT Data Analytics communicates with TrueSight Presentation Server to perform the following:

  • Get events from the Presentation Server.
  • Send events to the Presentation Server when the notification is triggered and the criteria are met.
  • Cross-launch from the Presentation Server into IT Data Analytics.

TrueSight IT Data Analytics communicates with TrueSight Infrastructure Management to perform the following:

  • Get events from the Infrastructure Management server.
  • Send events to the Infrastructure Management Server when the notification is triggered and the criteria are met.
  • Cross-launch from Infrastructure Management Server into IT Data Analytics.

Perform the following steps to configure TrueSight Presentation Server, TrueSight Infrastructure Management, and TrueSight IT Data Analytics to enable TLS 1.2:

To configure the Presentation Server

  1. Navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory, and run the following command to check whether the TrueSight Presentation Server is running.

    tssh server status

    Note

    Ensure that the TrueSight Presentation Server is running before proceeding further.

  2. Log on to the TrueSight console and select Administration > Components.

    The page displays the components that are registered with the Presentation Server. Ensure that no TrueSight Infrastructure Management Server is registered with the TrueSight Presentation Server. If one is registered, delete it. For more information, see To delete a component.

  3. Set the following properties in the database by running these commands:

    tssh properties set tsps.cell.conntype ssl
    tssh properties set pronet.jms.conntype ssl
  4. Using a text editor, open the mcell.dir file located in <Presentation Server Install Directory>\conf directory.
  5. Comment out every entry whose encryption key value is mc, as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    #gateway.gateway_subtype   ts_event_gateway         mc             tsps_server1.bmc.com:1900
    #cell                         pncell_tsim_server1        mc              tsim_server1.bmc.com:1828    
  6. Set the encryption key value to *TLS as shown in the following code block:

    #Type                            <name>             encryption key         <host>/<port>
    gateway.gateway_subtype     ts_event_gateway        *TLS          tsps_server1.bmc.com:1900
    cell                         pncell_tsim_server1        *TLS              tsim_server1.bmc.com:1828   

    Parameter description

    The following notes describe the key parameters used in the preceding code block:

    • tsps_server1 is the name of the computer where the TrueSight Presentation Server is installed.
    • tsim_server1 is the name of TrueSight Infrastructure Management Server registered with the TrueSight Presentation Server. If there are multiple Infrastructure Management Server entries in the mcell.dir file, change the encryption key to *TLS for all such entries.
  7. Save and close the file.
  8. Stop the Presentation Server by running the following command:

    tssh server stop
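The mcell.dir edit in steps 4 to 7 is easy to get partly wrong when the file lists several Infrastructure Management Servers. The following check is an added example, not BMC tooling: it reports every active entry whose encryption key is not *TLS. The sample content and the tsim_server2 entry are constructed for illustration.

```python
import sys

REQUIRED_KEY = "*TLS"  # value the procedure above sets for every active entry

def audit_mcell_dir(text):
    """Return (line_no, type, name, key) for active entries not using *TLS."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, header, or commented-out entry
        fields = line.split()
        if len(fields) < 4:
            # An active line without type, name, key and host:port is suspect.
            findings.append((line_no, "malformed", line, ""))
            continue
        entry_type, name, key = fields[:3]
        if key != REQUIRED_KEY:
            findings.append((line_no, entry_type, name, key))
    return findings

# Constructed sample: tsim_server2 is a hypothetical second server left on "mc".
SAMPLE = "\n".join([
    "#Type  <name>  encryption key  <host>/<port>",
    "#cell  pncell_tsim_server1  mc  tsim_server1.bmc.com:1828",
    "gateway.gateway_subtype  ts_event_gateway  *TLS  tsps_server1.bmc.com:1900",
    "cell  pncell_tsim_server1  *TLS  tsim_server1.bmc.com:1828",
    "cell  pncell_tsim_server2  mc  tsim_server2.bmc.com:1828",
])

if __name__ == "__main__":
    # Pass the path to mcell.dir as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = audit_mcell_dir(text)
    for line_no, entry_type, name, key in problems:
        print(f"line {line_no}: {entry_type} {name} uses key {key!r}, "
              f"expected {REQUIRED_KEY}")
    sys.exit(1 if problems else 0)
```

The script exits with status 1 when any active entry is not set to *TLS, so it can gate a restart in a change script.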

To configure the Infrastructure Management Server cell

  1. Access the IT Data Analytics console.
  2. Go to Administration > External Configurations.
  3. From the list at the top-left of your screen, select TSIM Cell Configuration.
  4. Provide the following details:

    Field: Instruction

    • External Configuration Name: Provide a name to identify this external configuration.
    • Cell Name: Provide the name of the cell defined in the Infrastructure Management server with which you want to connect and collect event data. For example, the cell name can be pncell_hostName.
    • Cell Host: Provide the host name of the server on which the cell is located.
      Note: If you provide a fully-qualified domain name or host name, ensure that it resolves to the same IP as that of the computer that hosts the Infrastructure Management server.
    • Cell Port: Provide the port number of the server on which the cell is located.
    • Cell Encryption Key: Set the cell's encryption key as *TLS.
      Tip: You can find the preceding details such as the cell name, its encryption key, host name, and port number in the mcell.dir file. To access the mcell.dir file, navigate to the computer on which your cell exists, by using one of the following paths:
        • Windows: %MCELL_HOME%\etc\
        • Linux: $MCELL_HOME/etc/
    • Enable HA: (Optional) If you are operating in a High Availability environment, select this check box, and then provide the host name and port number of the server on which the secondary cell is located.
    • Secondary Cell Host: Providing this information is applicable only if you select the Enable HA check box. Enter the host name of the server on which the secondary cell is located.
    • Secondary Cell Port: Providing this information is applicable only if you select the Enable HA check box. Enter the port number corresponding to the server on which the secondary cell is located.

  5. Click Save.

To configure the IT Data Analytics console server

To enable security for the Console Server with default certificate

  1. Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.
    • Windows: %BMC_ITDA_HOME%\custom\conf\server
    • Linux: $BMC_ITDA_HOME/custom/conf/server
  2. In the olaengineCustomConfig.properties file, add the following properties:
    • consoleserver.protocol=https
    • consoleserver.port=9443
  3. In the searchserviceCustomConfig.properties file, add the following properties:

    • consoleserver.protocol=https
    • searchservice.port=9443
    • protocol=https

    Note

    If you are operating in an environment with multiple Search components deployed, ensure that you make this change on all the computers hosting the Search component.

  4. Restart the Console Server and Search components.
    For more information, see Starting or stopping product services.

  5. Log in to the product by replacing "http" with "https" and port 9797 with port 9443.
    For example, https://Host1:9443/console/.

To enable security for the Console Server with custom self-signed certificate

Before you begin enabling security for the Console Server with a custom self-signed certificate, ensure that you have generated a KeyStore in the JKS format.

  1. Generate a custom self-signed certificate.
  2. Locate the server.xml file at one of the following locations:
    • Windows: %BMC_ITDA_HOME%\tomcat\conf
    • Linux: $BMC_ITDA_HOME/tomcat/conf
  3. In the server.xml file, add the following properties with appropriate values, depending on the KeyStore that you generated earlier (see the following example).

    • keystoreFile="keystoreFilePath"
    • keystorePass="keystorePassword"
    • keyAlias="AliasofKeystore"

    <Connector
    SSLEnabled="true"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    clientAuth="false" keyAlias="truesightserver"
    keystoreFile="conf/bmcitda2.jks" keystorePass="changeit"
    maxThreads="150" port="9443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https" secure="true" sslProtocol="TLS"/>
  4. Navigate to the following location to locate the olaengineCustomConfig.properties file and the searchserviceCustomConfig.properties file.
    • Windows: %BMC_ITDA_HOME%\custom\conf\server
    • Linux: $BMC_ITDA_HOME/custom/conf/server
  5. In the olaengineCustomConfig.properties file, add the following properties:
    • consoleserver.protocol=https
    • consoleserver.port=9443
  6. In the searchserviceCustomConfig.properties file, add the following properties:

    • consoleserver.protocol=https
    • searchservice.port=9443
    • protocol=https

    If you are operating in an environment with multiple Search components deployed, ensure that you make this change on all the computers hosting the Search component.

  7. Import the self-signed certificate into the Console Server's Java Runtime Environment (JRE) by using the following command:

    keytool -import -trustcacerts -alias <HostName-or-IP> -keystore $BMC_ITDA_HOME/jre/lib/security/cacerts -file <Certificate-Path>
    In this command, the following variables apply:

    • <HostName-or-IP> refers to the host name or IP address of the computer on which the Console Server is located.
    • <Certificate-Path> refers to the absolute path to the self-signed certificate of the Console Server.
  8. Restart the Console Server and Search components.  
    For more information, see Starting or stopping product services.

  9. Log in to the product.
    Example for accessing the console: https://Host1:9443/console/.
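The Connector added to server.xml in step 3 decides which cipher suites and protocol versions the Console Server will accept, so it is worth reviewing before the restart. The following audit is an added example, not part of the product: it flags RC4 and 3DES suites, suite names that do not look like valid JSSE names, a missing sslEnabledProtocols attribute (the standard Tomcat attribute that restricts protocol versions, for example to TLSv1.2), and the default keystore password. The sample XML is constructed, with a shortened cipher list and a deliberately misspelled suite name.

```python
import re
import xml.etree.ElementTree as ET

WEAK_MARKERS = ("_RC4_", "_3DES_")  # RC4 and 3DES are deprecated for TLS
SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+$")
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"  # signalling value, not a real suite

def audit_connectors(server_xml):
    """Return (port, issue) tuples for every TLS-enabled <Connector>."""
    issues = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit here
        port = conn.get("port", "?")
        for suite in (s.strip() for s in conn.get("ciphers", "").split(",")):
            if not suite:
                continue
            if suite != SCSV and not SUITE_NAME.match(suite):
                issues.append((port, "unrecognised suite name: " + suite))
            elif any(marker in suite for marker in WEAK_MARKERS):
                issues.append((port, "weak suite: " + suite))
        if not conn.get("sslEnabledProtocols"):
            # sslProtocol="TLS" alone leaves the version choice to the JVM.
            issues.append((port, "sslEnabledProtocols not set"))
        if conn.get("keystorePass") == "changeit":
            issues.append((port, "keystorePass is the default 'changeit'"))
    return issues

# Constructed sample based on the Connector shown in step 3.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="9797" protocol="HTTP/1.1"/>
  <Connector SSLEnabled="true" port="9443" scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
             TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
             TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
    clientAuth="false" keyAlias="truesightserver"
    keystoreFile="conf/bmcitda2.jks" keystorePass="changeit"
    sslProtocol="TLS"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, issue in audit_connectors(SAMPLE):
        print(f"port {port}: {issue}")
```

To audit a real installation, pass the contents of the server.xml file from the tomcat/conf directory to audit_connectors instead of SAMPLE.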

Enabling security for the Search components

By enabling security for the Search components, you can secure the communication between the Console Server and Search components, as follows:

  1. Navigate to the following location on each of the Search components:
    • Windows: %BMC_ITDA_HOME%\custom\conf\server
    • Linux: $BMC_ITDA_HOME/custom/conf/server
  2. In the searchserviceCustomConfig.properties file, add the following properties:
    • searchservice.port=9443
    • protocol=https
  3. Restart the Search components.
    For more information, see Starting or stopping product services.

To start the servers


To register IT Data Analytics with the Presentation Server

Register TrueSight IT Data Analytics with the Presentation Server. For more information, see Registering the components with the Presentation Server.

Where to go from here

For more information about how to configure other communication channels to enable TLS 1.2, see Configuring TrueSight Infrastructure Management to enable TLS 1.2.

 
