Securing web browser communication


The default BMC AMI Cloud installation procedure provides a self-signed web certificate. This certificate encrypts the web traffic passing between your browser and the BMC AMI Cloud management server.

This topic describes how to replace the default certificate for the BMC AMI Cloud server web UI.

Best practice
We strongly recommend that you replace the BMC AMI Cloud self-signed certificate with a site-defined one in order to comply with the site standard security policy.

Perform the following procedure to replace the BMC AMI Cloud self-signed web certificate. Contact your security administrator to make sure the site's standard security policy is met.

  1. Create a personal certificate request and a private/public key pair for the management server.
  2. Sign the personal certificate with your site's standard certificate authority (CA).
  3. Import the personal certificate with its chain and private/public key pair into a PKCS12 file. Note the password you set on the file and the alias you give the certificate within the p12 file; both are needed in step 5.
  4. Copy the PKCS12 file, using binary mode, into $MODEL9_HOME/keys/pkcs12_file.p12.
  5. Update the keystoreFile, keystorePass and keyAlias settings in the server configuration file by editing the $MODEL9_HOME/conf/connectorHttpsModel9.xml file, as shown in the following example:

    <Connector
        port="443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150"
        SSLEnabled="true"
        keystoreFile="/model9/keys/pkcs12_file.p12"
        keystoreType="PKCS12"
        keystorePass="keystorePass"
        clientAuth="false"
        sslProtocol="TLS"
        keyAlias="keyAlias"
        secure="true"
    />

Important

Java strictly follows the HTTPS specification for server identity (RFC 2818, Section 3.1) and IP address verification. When using a hostname, it is possible to fall back to the Common Name in the Subject DN of the server certificate instead of using the Subject Alternative Name. However, when using an IP address, there must be a Subject Alternative Name entry - IP address (and not a DNS name) - in the certificate.
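Steps 1 to 3 of the procedure carried out with openssl, as an added example that is not BMC's procedure or tooling: the site CA is replaced by a throwaway CA constructed inside the script, and the hostname bmc-ami-cloud.example.com, the address 192.0.2.10, the alias model9web and the password are constructed values. The request is built with both a DNS and an IP Subject Alternative Name entry, so the issued certificate also satisfies the IP-address rule in the Important note above.

```shell
# Added example, not BMC's tooling: steps 1-3 of the procedure done with openssl.
# The CA made here is a throwaway stand-in for the site CA; at a real site the CSR goes
# to the site CA and the certificate plus chain it returns is what gets bundled.
set -e

# build_pkcs12 WORKDIR HOSTNAME IPADDR ALIAS PASSWORD
build_pkcs12() {
    dir=$1; host=$2; ip=$3; alias=$4; pass=$5
    mkdir -p "$dir"
    # SAN carries the DNS name and an IP entry (a CN alone does not satisfy
    # connections by IP address; see the Important note)
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Step 1: private key and certificate signing request for the management server
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -config "$dir/san.cnf" 2>/dev/null
    # stand-in site CA, constructed for this example only
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/san.cnf" \
        -subj "/CN=Example Site CA" -extensions v3_ca -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" 2>/dev/null
    # Step 2: the CA signs the request; -extfile carries the SAN into the issued cert
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/server.pem" 2>/dev/null
    # Step 3: bundle certificate, chain and key into one PKCS12 file; ALIAS and
    # PASSWORD are the values keyAlias and keystorePass must later reference
    openssl pkcs12 -export -in "$dir/server.pem" -inkey "$dir/server.key" \
        -certfile "$dir/ca.pem" -name "$alias" -passout "pass:$pass" \
        -out "$dir/pkcs12_file.p12"
}
# p12_alias FILE PASSWORD: prints the alias (friendlyName) stored in the PKCS12 file
p12_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}
# cert_has_san_ip FILE IP: succeeds only if the certificate has that IP SAN entry
cert_has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}
```

Copy the resulting pkcs12_file.p12 to $MODEL9_HOME/keys in binary mode (step 4); the alias reported by p12_alias and the password you passed in are the keyAlias and keystorePass values for step 5.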
