Enabling TLS authentication between Tomcat and AMI Manager
Use the procedure in this topic to enable TLS authentication between Tomcat and AMI Manager.
Before you begin
To configure TLS, you need a digital certificate. You should have obtained or generated one before you installed. See TLS Authentication for more details.
To enable TLS
- Copy BMCSAMP(SERVXML) to UBMCSAMP(SERVXML).
- Open UBMCSAMP(SERVXML).
- Replace the following text:

  <Connector port="&httpPort;" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="&sslPort;" />
  <!-- A "Connector" using the shared thread pool-->
  <!--
  <Connector executor="tomcatThreadPool"
             port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  -->

  with:

  <Connector port="&httpPort;" enableLookups="false"
             redirectPort="&sslPort;" />

- Replace the following text so that it points to the keystore into which you imported your certificates in SSL Certificates:

  <Connector port="&sslPort;"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true" >
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
          <Certificate
              certificateKeyFile="conf/Certificate/sysposa.bmc.com.pem"
              certificateFile="conf/Certificate/sysposa.bmc.com.pem"
              certificateChainFile="conf/localhost-rsa-chain.pem"
              type="RSA" />
      </SSLHostConfig>
  </Connector>
  -->

  with:

  <Connector port="&sslPort;"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             clientAuth="false" sslProtocol="TLS"
             keyAlias="<keystore_aliasname>" keystoreFile="<keystore location>"
             keystorePass="<keystore password>" />

- Select ISPF option 3.17.
- Use the EA line command (edit an ASCII file) to edit $AMI_INSTALL_PATH/tomcat8/default/webapps/amimf/WEB-INF/web.xml. Add the following text before the </web-app> tag:

  </servlet-mapping>  <!-- closing tag of the last existing servlet-mapping; shown only to mark the position -->
  <security-constraint>
      <web-resource-collection>
          <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>

- If you are using a certificate from a CA, proceed with the instructions in To change the Tomcat protocol and port. If you are using a self-signed certificate, proceed with the instructions in To enable TLS with a self-signed certificate.
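The two edits above are easy to get half right (a placeholder left in keystoreFile, scheme/secure dropped, the HTTP connector still redirecting to the old port, or the security-constraint missing), and Tomcat does not always complain loudly. The following script is an added example, not BMC or Apache Tomcat code, that checks a server.xml and a web.xml against the layout this page describes. It assumes the element and attribute names used on this page and that &httpPort; and &sslPort; are entities the real SERVXML declares; the port values and the sample documents below are constructed.

```python
# Added example: sanity-check the server.xml / web.xml edits described above.
# Not BMC or Tomcat code; element/attribute names follow this page, and the
# entity values and sample documents are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed values for the two port entities SERVXML references (assumption).
PORTS = {"httpPort": "8080", "sslPort": "8443"}

# Constructed server.xml matching the target layout, placeholders filled in.
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="&httpPort;" enableLookups="false"
               redirectPort="&sslPort;" />
    <Connector port="&sslPort;"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="amimgr" keystoreFile="/u/ami/conf/amimgr.jks"
               keystorePass="example-password" />
  </Service>
</Server>"""

# Constructed server.xml with typical slips: scheme/secure dropped, the
# keystoreFile placeholder left in (escaped so the file still parses), and
# the HTTP connector redirecting to the wrong port.
BAD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="&httpPort;" enableLookups="false" redirectPort="8444" />
    <Connector port="&sslPort;" maxThreads="150" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="amimgr" keystoreFile="&lt;keystore location&gt;"
               keystorePass="example-password" />
  </Service>
</Server>"""

# Constructed web.xml with the redirect constraint. Real web.xml files carry a
# default namespace, so tag matching below ignores the namespace prefix.
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def expand_entities(text, values):
    """Expand &name; for the names in `values`; leave &lt; and friends alone."""
    return re.sub(r"&(\w+);", lambda m: values.get(m.group(1), m.group(0)), text)


def _find_all(root, name):
    """Descendants (root included) whose tag, namespace prefix stripped, is `name`."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def check_server_xml(text, ports=PORTS):
    """Return a list of findings; empty means the connectors match the target layout."""
    try:
        root = ET.fromstring(expand_entities(text, ports))
    except ET.ParseError as exc:  # an unescaped <placeholder> ends up here
        return [f"server.xml is not well-formed ({exc}); look for unreplaced <...> placeholders"]

    connectors = _find_all(root, "Connector")
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in connectors if c not in tls]
    if len(tls) != 1:
        return [f"expected exactly one SSLEnabled connector, found {len(tls)}"]

    ssl, findings = tls[0], []
    ssl_port = ssl.get("port")
    if ssl_port != ports["sslPort"]:
        findings.append(f"TLS connector listens on {ssl_port!r}, not &sslPort; ({ports['sslPort']})")
    for attr, want in (("scheme", "https"), ("secure", "true"), ("sslProtocol", "TLS")):
        if ssl.get(attr) != want:
            findings.append(f'TLS connector: {attr} should be "{want}", is {ssl.get(attr)!r}')
    for attr in ("keyAlias", "keystoreFile", "keystorePass"):
        value = ssl.get(attr)
        if not value:
            findings.append(f"TLS connector: {attr} is missing")
        elif value.startswith("<"):
            findings.append(f"TLS connector: {attr} still holds the placeholder {value!r}")
    for c in plain:  # every plain HTTP connector must redirect to the TLS port
        if c.get("redirectPort") != ssl_port:
            findings.append(f"HTTP connector on {c.get('port')} redirects to "
                            f"{c.get('redirectPort')!r}, not the TLS port {ssl_port}")
    return findings


def check_web_xml(text):
    """Return findings; empty when some security-constraint forces /* onto HTTPS."""
    root = ET.fromstring(text)
    for sc in _find_all(root, "security-constraint"):
        patterns = {p.text.strip() for p in _find_all(sc, "url-pattern") if p.text}
        guarantees = {g.text.strip() for g in _find_all(sc, "transport-guarantee") if g.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["no security-constraint with url-pattern /* and transport-guarantee CONFIDENTIAL"]


if __name__ == "__main__":
    for label, text in (("good server.xml", GOOD_SERVER_XML), ("bad server.xml", BAD_SERVER_XML)):
        print(label, "->", check_server_xml(text) or "ok")
    print("web.xml ->", check_web_xml(GOOD_WEB_XML) or "ok")
```

To run it against your own files, read UBMCSAMP(SERVXML) and web.xml into strings and pass them to check_server_xml and check_web_xml; the entity values in PORTS must be set to the ones your SERVXML declares. The checker deliberately treats an unparseable server.xml as a finding rather than a crash, because an unreplaced <keystore location> placeholder is exactly what produces that state.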
To enable TLS with a self-signed certificate
If you are using a self-signed certificate, perform the following steps:
- Use the following command to export the certificate from the generated keystore file:

  keytool -export -alias <alias_name> -keystore <keystore_filename> -rfc -file <certificate_filename>

- Use the following command to import the certificate into the Java keystore:

  keytool -import -alias <alias name of certificate> -keystore "<JAVA_HOME>/lib/security/cacerts" -file <certificate_filename>

- Enter the default cacerts.jks password when you are prompted. The default password provided by Java is changeit.
- When you are prompted Trust this certificate? [no]: enter y.
- Proceed with the instructions in To change the Tomcat protocol and port.
To change the Tomcat protocol and port
After you complete the previous steps, do the following:
- Open the $AMI_INSTALL_PATH/amipdt/bin/amipdt.properties file.
- Change the value in TOMCAT_PROTOCOL to https://.
- Change the value in TOMCAT_PORT to your SSL port number.