Changing security certificates in App Visibility components

By default, App Visibility uses pregenerated, self-signed certificates for authentication between the components. If you prefer to use your own certificates, you need to edit each of the following files to create new KeyStore files and TrustStore files that point to the correct location for each component.

Notes

After any configuration in the properties files, you must restart the component.
This topic does not include importing a KeyStore file or replacing the certificate for the App Visibility proxy, which enables secure data collection from the end users of your web applications.
If you are changing certificates in a system that includes the BMC Synthetic Transaction Execution Adapter (TEA) Agent for synthetic transaction monitoring, do not change the name or password of the new certificates; otherwise, the TEA Agent cannot communicate with the server.

This topic contains the following sections:

Before you begin

Install and configure App Visibility components.

To replace security files for the App Visibility portal

In the portal.properties file, located on the App Visibility portal computer, make the required changes and restart the portal service.

Replace InstallationDirectory with the full path.
Replace KeystoreFileName with the name of your KeyStore file.
Replace TruststoreFileName with the name of your TrustStore file.
Replace encryptedPassword with your encrypted password.

To replace security files for the App Visibility collector

In the collector.properties file, located on each App Visibility collector computer, make the required changes and restart the collector service.

Replace InstallationDirectory with the full path.
Replace KeystoreFileName with the name of your KeyStore file.
Replace TruststoreFileName with the name of your TrustStore file.
Replace encryptedPassword with your encrypted password.

To replace security files for the App Visibility agent for Java

In the agent.properties file, located on each App Visibility agent computer, make the required changes and restart the agent.

Replace KeystoreFileName with the name of your KeyStore file.
Replace TruststoreFileName with the name of your TrustStore file.
Replace encryptedPassword with your encrypted password.

To replace security files for the App Visibility agent for .NET

In the agent.properties file, located on each App Visibility agent computer, make the required changes and restart the agent.

Replace KeystoreFileName with the name of your KeyStore file.
Replace TruststoreFileName with the name of your TrustStore file.
Replace encryptedPassword with your encrypted password.

Notes

If the paths to the certificate files (KeystoreFileName.p12 or TruststoreFileName.cer or both) are relative, they are treated as relative to the InstallationDirectory\properties directory.
KeystoreFileName .p12 file must be in X.509/PKCS #12 format.
TruststoreFileName .cer file must be in X.509/PKCS #7 format.

To replace security files for the Presentation Server

In the adops_rest.properties file, located on Presentation Server computer, make the required changes and restart the service.

Replace InstallationDirectory with the full path.
Replace KeystoreFileName with the name of your KeyStore file.
Replace encryptedPassword with your encrypted password.

Refer to the Java Keytool documentation on the Oracle website.

To replace security files for the TEA Agent

If you are changing certificates in a system that includes the BMC Synthetic Transaction Execution Adapter (TEA) Agent for synthetic transaction monitoring, do not change the name or password of the new certificates or the TEA Agent cannot communicate with the server.

The TEA Agent requires privateKey.pem and clientCert.pem files. Use the following procedure to convert .pfx files to the required .pem format.

In a command prompt on the computer with the TEA Agent installation, run the following OpenSSL commands:
- To convert the private key:
  openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
- To convert the public key:
  openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out clientCert.pem
Copy the generated privateKey.pem and clientCert.pem files to the InstallationDirectory\TEAAgent\WorkingFolder\Conf directory.
Restart the TEA Agent service or process.

Example

The following command exports privateKey.pem from thekeystore.pfx:

openssl pkcs12 -in .\Cert\thekeystore.pfx -nocerts -out .\Cert\privateKey.pem

Enter the .pfx password, and then enter and verify the PEM pass phrase, qwerty:

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Next, export clientCert.pem from thekeystore.pfx:

openssl pkcs12 -in .\Cert\thekeystore.pfx -nocerts -out .\Cert\privateKey.pem

Enter the .pfx password:

Enter Import Password:
MAC verified OK

Encrypting a new KeyStore password

Use an encrypted password so that the plain text password is not displayed in your property files. After you encrypt the new password, copy the encrypted password to the relevant property file.

To encrypt a new KeyStore password

Windows

Open a command prompt, and run the following command:
InstallationDirectory\portal\bin\passwordEncrypt.bat NewPassword
A message is displayed while the password is encrypted.
When encryption is complete, the encrypted password is displayed.
Copy the encrypted password and paste it in the relevant properties file.

Linux

Run the following command:
InstallationDirectory/portal/bin/passwordEncrypt.sh NewPassword
A message is displayed while the password is encrypted.
When encryption is complete, the encrypted password is displayed.
Copy the encrypted password and paste it in the relevant properties file.