Enabling TLS authentication between AMI Manager and the user interface
Use one of these procedures to enable TLS for communication between AMI Manager and the user interface:
Before you begin
To configure TLS, you need a digital certificate. You should have obtained or generated one before installation. See TLS Authentication for more details.
To implement a certificate issued by a Certificate Authority (CA)
- Use the following command to generate a key:
  openssl genrsa -out <server>.key 2048
- Use the key you generated in the previous step to request a CA certificate.
- Use one of the following commands to extract the .cer file. Replace <certificate> with the name of your certificate:
  - For PKCS #7: openssl pkcs7 -print_certs -in <certificate>.p7b -out <certificate>.cer
  - For PKCS #12: openssl pkcs12 -in <certificate>.pfx (or .p12) -out <certificate>.cer -nodes
- Use the following command to convert the certificate you created in the previous step (<certificate>.cer) to X.509 format:
  openssl x509 -in <certificate>.cer -outform PEM -out <certificate>.crt
- Use the following command to create a PKCS #12 store, using the key and certificate files that you created:
  openssl pkcs12 -export -in <certificate>.crt -inkey <server>.key -name <alias> -out <certificate>.p12 -password pass:<Password>
- Copy the keystore to the <Installation_Folder>/aoidata/aoiinst/keystore folder or any path to which the user running the product has access.
- Modify the SSL CONFIGURATION block in the <Installation_Folder>/aoidata/aoiinst/conf/amipdt.properties file with the values used to generate the certificate.
Default Block of Commented Properties in amipdt.properties
SSL Configuration block before modifying
#SSL CONFIGURATION - Uncomment this to apply your certificate to enable SSL
# The type of keystore JKS/PKCS12/JCERACFKS
#KEYSTORE_TYPE=<KEYSTORE_TYPE>
# The path to the JKS/PKCS12/JCERACFKS type keystore containing the certificate
#KEYSTORE_PATH=<KEYSTORE_PATH>
# The password used to generate the certificate
#KEYSTORE_PWD=<KEYSTORE_PWD>
# The alias mapped to the certificate
#KEY_ALIAS=<KEY_ALIAS>
Modified SSL Configuration block
#SSL CONFIGURATION - Uncomment this if you want to apply a certificate
# The type of keystore JKS/PKCS12/JCERACFKS
#KEYSTORE_TYPE=JKS
# The path to the keystore containing the certificate
KEYSTORE_PATH=<Absolute path of keystore file>
# The password used to generate the certificate
KEYSTORE_PWD=<password>
# The alias mapped to the certificate
KEY_ALIAS=amioi
- Start BMC AMI Ops Insight.
To implement a self-signed certificate
- Create a self-signed certificate using the keytool command under java/bin or jre/bin and add it to the PKCS12 keystore.
- Copy the generated keystore to the <Installation_Folder>/aoidata/aoiinst/keystore folder.
- Modify the SSL CONFIGURATION block in the <Installation_Folder>/aoidata/aoiinst/conf/amipdt.properties file with the values you used to generate the certificate.
SSL Configuration block before modifying
#SSL CONFIGURATION - Uncomment this if you want to apply your certificate
# The path to the keystore containing the certificate
#KEYSTORE_PATH=<KEYSTORE_PATH>
# The password used to generate the certificate
#KEYSTORE_PWD=<KEYSTORE_PWD>
# The alias mapped to the certificate
#KEY_ALIAS=<KEY_ALIAS>
Modified SSL Configuration block
#SSL CONFIGURATION - Uncomment this if you want to apply a certificate
# The path to the keystore containing the certificate
KEYSTORE_PATH=<Installation_Folder>/aoidata/aoiinst/keystore/ssl-store.p12
# The password used to generate the certificate
KEYSTORE_PWD=<password>
# The alias mapped to the certificate
KEY_ALIAS=selfsigned
- Start BMC AMI Ops Insight.
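Added example (not BMC code): a pre-start check for the SSL CONFIGURATION block that either procedure above leaves in amipdt.properties. The function names, the simplified .properties parsing and the POSIX permission checks (the file stores KEYSTORE_PWD in clear text) are assumptions of this example, not product behaviour.

```python
import os
import re
import stat

REQUIRED = ("KEYSTORE_PATH", "KEYSTORE_PWD", "KEY_ALIAS")
KEYSTORE_TYPES = {"JKS", "PKCS12", "JCERACFKS"}  # types named in the file's comments


def read_active_properties(path):
    """Return uncommented KEY=VALUE pairs (simplified .properties parsing)."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#!" or "=" not in line:
                continue  # blank line, comment, or not a key/value pair
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def loose_mode(path):
    """True if group or others have any access to the file (POSIX mode bits)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def check_ssl_block(properties_path):
    """Return a list of findings; an empty list means the block looks usable."""
    props = read_active_properties(properties_path)
    findings = []
    for key in REQUIRED:
        value = props.get(key)
        if value is None:
            findings.append(f"{key} is missing or still commented out")
        elif not value or re.search(r"<[^>]*>", value):
            findings.append(f"{key} still holds a placeholder or is empty")
    ktype = props.get("KEYSTORE_TYPE")
    if ktype is not None and ktype not in KEYSTORE_TYPES:
        findings.append(f"KEYSTORE_TYPE {ktype!r} is not JKS, PKCS12 or JCERACFKS")
    store = props.get("KEYSTORE_PATH", "")
    if store and "<" not in store:
        if not os.path.isabs(store):
            findings.append("KEYSTORE_PATH is not an absolute path")
        elif not os.path.isfile(store):
            findings.append("KEYSTORE_PATH does not point to an existing file")
        elif loose_mode(store):
            findings.append("keystore file is accessible to group or others")
    if "KEYSTORE_PWD" in props and loose_mode(properties_path):
        findings.append("properties file holds KEYSTORE_PWD but is group/world accessible")
    return findings
```

Run `check_ssl_block` against the edited amipdt.properties as the account that runs the product, before the Start step, and resolve every finding it returns.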