Milestone 4a: Configuring BMC AMI Common Enterprise Services after a fresh installation


After installing , there are a few additional configuration considerations required to allow full functionality of the application. Start  and launch the  application from a browser using the URL specified in the installation. For example:

http://<hostname>:48226/bmc

Once in the  application, navigate to the Administration page. To access this page, you are required to provide the default password. See Database Setup. Select each of the following configuration items:

Database setup 

Although  installs out of the box with a fully functional Apache Derby database, you can either switch databases or migrate that database to one of the following supported databases:

  • Apache Derby (default)
  • Microsoft SQL Server
  • Oracle
  • IBM Db2 for LUW
  • IBM Db2 for z/OS

Further  database setup details are provided both in the online help for  and in Appendix B:  Database Configuration of this installation space.

Important

Due to performance issues, Apache Derby is not a recommended DBMS when collecting SMF data.

Host connections 

Host Connection settings are used to specify port connections to the Host Communications Interface (HCI). There must be at least one HCI port configured per LPAR.

For  features requiring  to manage leased-licensing, the Host Connection setting needs to point to the HCI connected to the BMC AMI License Management System (LMS) holding those license files. That HCI and LMS must be on the same LPAR. For more information on  licensing, see Appendix A of the  Installation space.

Optionally, autoconfiguration may be enabled in the CMSC. Information such as the accessible HCI host/port combinations is then sent automatically and populates within  without manual entry.  users may enter the  URL in their  preferences, which synchronizes the configured HCI connections to their own environment and eliminates the need to type them in by hand.

Further details for host connections setup are provided in the  Help.

Update Center 

The Update Center provides a means for centrally administering updates to BMC AMI Products for Web and . Updates are provided by obtaining an update repository, either online or manually.

Installed tab

Displays those BMC AMI Products for Web that are currently installed.

Updates tab

  • Set Check for updates online to On -- On page load, a list of available updates is retrieved from a cloud-based BMC update server. Check with your network administrator to be sure you can issue HTTPS requests to update.bmc.com on port 443. A secure proxy may be required.
  • Set Check for updates online to Off -- This option allows you to manually upload  and  updates downloaded from the BMC Support or obtained from a BMC representative.

Security 

 (beginning with  18.2.1) provides the ability to secure access to administrative functions within the  application.

If a default password was enabled in the prior release, the upgraded  will automatically create the user ID “cesadmin” with the password “cesadministration”.

The “cesrecovery” user function allows an administrator to log in when there is no connection to the database, in order to reconfigure the database. The default password is “cesadministration”, or a previous  administration password. This can be changed on the Users tab.

Change the default auto-fill user ID

To change the default auto-fill user ID, specify a user ID by using the following entry in the security.properties file:

security.display.username=<insert user ID>

If you don't want the default auto-fill user ID to be populated, use the following entry without specifying a user ID:

security.display.username=

This parameter controls the default auto-fill user ID displayed in the  login dialog. If the user's browser has already cached a user ID for the  URL, the cached value overrides the default, so the user would have to clear the browser cache for the  URL before the security.display.username value is shown. If the parameter does not exist in the security.properties file, the default cesadmin user name is displayed.

Default location of the security.properties file is:

C:\ProgramData\BMC\CES\data\ces\config

Further details for security configuration are provided in the  Help.

Web server 

Web Server Settings allow you to configure and manage settings for the following:

  • HTTPS - requires keystore information. The default port is: 48443
  • Proxy - allows for HTTP Proxy and Secure Proxy.

Further details for Web Server settings are provided in the  Help. 

HTTPS and Client Server Certificate Authentication 

Use the following steps to set up HTTPS and Client Server Certificate Authentication.

Important

These steps guide you through the process of setting up certificate security on . You must have already generated client certificates and a keystore. If you do not have them, contact your system administrator.

  1. Navigate to the  Web Server page.
  2. On the tab that allows control of HTTP and HTTPS, toggle HTTP to the Off position, and toggle HTTPS to the On position.
    Note: Turning HTTP off is an essential step in the process.
  3. With the toggle for HTTPS turned on, you must also do the following:
    1. In the Location section, enter the full file path of the .jks keystore you created.
    2. In the password section, enter the password tied to the .jks keystore file.
    3. In the certificate alias section, enter the alias of the certificate you intend to use. Normally this is your machine name.
    4. Change Client Certificate Authentication from None to Keystore.
    5. Change the toggle for Require Client Certification Auth to On.
    6. Click Apply.

Note: When doing this for the first time, it may be a good idea to first turn on HTTPS without turning off HTTP, check that HTTPS works, and only then turn off HTTP. If HTTP is off and HTTPS is set incorrectly, you will be locked out of your . Completing the process in two steps rather than one is slower but safer.

If you are locked out of CES:
If, during Step 3 above, you turned off HTTP and your HTTPS was not properly set, you must follow these steps to get  up and running again:


    1. Shut down .
    2. Go into the properties files (normally contained within data/ces/config) and find ces.properties. Open it.
    3. Find the line "jetty.port.enabled=" and change false to true.
    4. Find the line "jetty.secure.port.enabled=" and change true to false.
    5. Find the line "jetty.port=" and change 0 to the port number you want HTTP to use.
    6. Find the line "jetty.secure.port=" and change the port number there to 0.
    7. Save and close the file.
    8. Start up .

After following these steps, you'll be back in your previous state, with HTTP enabled and HTTPS disabled. Troubleshoot your certificates, then try turning on HTTPS once more. Then, continue with Step 4 below.

4. Once  has restarted, enter the new  URL in the address bar and navigate to the secure .

Important

The URL must include the https:// prefix and must be in the full, unshortened form unless defined otherwise by your administrator. Most often this takes the form: https://machinename.domainname:port.

5. Navigate to the "Security" page on .

6. Go into the Security tab.

7. Choose the Security option labeled Client Certificate. Here, you should see two input fields.

8. Change the client certificate mask field as you wish using Regex.

Note: However, make sure before you hit Apply that your choice will not lock out any users you wish to have access. If you are unsure, the default client certificate mask is a safe choice to start with.

  9. Add the name you defined your certificate with when creating your client cert to the Administrator(s) field. Most commonly, this will be either your company-defined ID or your Firstname + Lastname, with a space between the two names. Check with the person or organization who created your client certificate if you are unsure what value to use.
10. Click Apply, and restart .

If you are getting an unauthorized user error:
If you are not able to access  after turning on Client Certificate Security and need to remove and reapply security, follow these steps:

      1. Shut down .
      2. Go into the properties files (normally contained within data/ces/config) and find security.properties. Open it.
      3. Find the line "auth.mode=" and change X509 to NONE (the value must be in upper case).
      4. Save and close the file.
      5. Start .

Having performed these steps,  should now be in a state in which HTTPS is on, but without Client Certificate security, allowing you to change your settings and retry.
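Both recovery procedures above (re-enabling HTTP in ces.properties, and switching auth.mode from X509 to NONE in security.properties) come down to flipping a handful of key=value lines while CES is stopped. The following script, added here as an example and not part of BMC's own tooling, makes those edits repeatably and keeps a backup of each file; the key names and the default Windows config path come from this page, the sample file contents are constructed, and the path and port used in recover_on_disk are assumptions to adjust for your installation.

```python
import re
from pathlib import Path

# Default config directory from the page (Windows); adjust for your install.
CONFIG_DIR = Path(r"C:\ProgramData\BMC\CES\data\ces\config")

def set_properties(text: str, updates: dict) -> str:
    """Rewrite the key=value lines named in `updates`, keep every other line
    (comments included) verbatim, and append any key that was not present."""
    seen, out = set(), []
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-]+)\s*=", line)
        if m and m.group(1) in updates:
            out.append(f"{m.group(1)}={updates[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out += [f"{k}={v}" for k, v in updates.items() if k not in seen]
    return "\n".join(out) + "\n"

def reenable_http(ces_properties: str, http_port: int) -> str:
    """HTTPS lockout recovery, steps 3 to 6: HTTP back on, HTTPS off."""
    return set_properties(ces_properties, {
        "jetty.port.enabled": "true",
        "jetty.secure.port.enabled": "false",
        "jetty.port": str(http_port),
        "jetty.secure.port": "0",
    })

def disable_client_cert_auth(security_properties: str) -> str:
    """Unauthorized-user recovery, step 3: auth.mode X509 -> NONE (upper case)."""
    return set_properties(security_properties, {"auth.mode": "NONE"})

def recover_on_disk(config_dir: Path = CONFIG_DIR, http_port: int = 48226) -> None:
    """Apply both edits in place, writing a .bak of each file first; run with CES stopped."""
    fixes = {"ces.properties": lambda t: reenable_http(t, http_port),
             "security.properties": disable_client_cert_auth}
    for name, fix in fixes.items():
        path = config_dir / name
        original = path.read_text(encoding="utf-8")
        path.with_name(name + ".bak").write_text(original, encoding="utf-8")
        path.write_text(fix(original), encoding="utf-8")

# Constructed samples of the two files after a failed HTTPS/X509 setup.
SAMPLE_CES = ("# constructed sample, not a real CES file\n"
              "jetty.port.enabled=false\njetty.secure.port.enabled=true\n"
              "jetty.port=0\njetty.secure.port=48443\n")
SAMPLE_SECURITY = "# constructed sample\nauth.mode=X509\nsecurity.display.username=cesadmin\n"
```

Run the pure functions against the samples first to confirm the rewritten lines look right, then call recover_on_disk() only after CES has been shut down.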

11. Once you've restarted, you should see a prompt from the browser itself asking you to choose a certificate. Choose the browser certificate you created.

You should now have access to  X509/Client Certificate security.

Smart Card authentication

Smart Card authentication can be set up on . With Smart Card authentication, users are able to log on to  by inserting a physical card into their machine, without having to manually enter credentials.

Complete the following steps on the Web Server Settings page to establish Smart Card authentication:

  1. Disable the HTTP port and enable the HTTPS port.
  2. Within the KeyStore settings:
    • Be sure the KeyStore chosen to enable HTTPS matches the authentication established on users' Smart Cards.
    • Set the Client certificate authentication to an option other than 'None'. Click Apply.  will restart.
  3. Navigate to the Security tab on the Security page, and switch the Authentication Mode to On. Navigate to the Client certificate tab.
  4. Enter the appropriate client certificate mask, and the administrator IDs for the associated admin users. Click Apply.
  5.  will restart with x509 enabled. Authentication by Smart Card is now possible for those users whose certificate within the KeyStore established in the Web Server Settings page matches the certificate established on their Smart Card.

Important

In order to read the card and transmit the information to , the user must have appropriate drivers installed. These drivers are a third-party installation not provided by BMC, and many options exist for installation.

Additional product configuration 

  • ( only) To configure  web application (manager), see the  Installation and Configuration space.
  • ( only) To configure , see the  Configuration space.
  • ( only) At least one  Agent per LPAR is required to be installed on z/OS UNIX in order to initiate measurements. See Installing the Topaz for Java Performance Agent.
  • ( Web only) To configure  Web, see the  Web online help accessed within .
  • ( Web only) To configure Web, an HCI should be configured in  that has access to a  installation on the desired LPAR.
