Enabling TLS authentication between Tomcat and AMI Manager


Use the procedures in this topic to enable TLS authentication between Tomcat and AMI Manager.

Before you begin

To configure TLS, you need a digital certificate. You should have obtained or generated one before you installed. See TLS Authentication for more details.

To enable TLS

  1. Copy BMCSAMP(SERVXML) to UBMCSAMP(SERVXML).
  2. Open UBMCSAMP(SERVXML).
  3. Replace the following text:

    <Connector port="&httpPort;" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="&sslPort;" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    with:

    <Connector port="&httpPort;" enableLookups="false"
               redirectPort="&sslPort;" />
  4. Replace the following text so it points to the keystore where you imported your certificates in SSL Certificates:

    <Connector port="&sslPort;"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
       <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
       <SSLHostConfig>
           <Certificate
                certificateKeyFile="conf/Certificate/sysposa.bmc.com.pem"
                certificateFile="conf/Certificate/sysposa.bmc.com.pem"
                certificateChainFile="conf/localhost-rsa-chain.pem"
                type="RSA" />
       </SSLHostConfig>
    </Connector>
    -->

    with

    <Connector port="&sslPort;"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="<keystore_aliasname>" keystoreFile="<keystore location>"
               keystorePass="<keystore password>" />

    Important

    To enable TLS 1.2, add the following line below the line that starts clientAuth:

    sslEnabledProtocols="TLSv1.2"

    sslProtocol="TLS" on its own leaves the set of negotiable protocol versions to the JVM defaults; sslEnabledProtocols restricts the connector to the versions listed (comma-separated), so with the line above the connector accepts TLS 1.2 only. Note also that clientAuth="false" configures server authentication only: AMI Manager verifies the Tomcat certificate against its truststore, but Tomcat does not request a certificate from the client. The keystore password is stored in clear text in the SERVXML member, so restrict read access to UBMCSAMP accordingly.
  5. Select ISPF option 3.17.
  6. Use the EA line command (edit an ASCII file) to edit $AMI_INSTALL_PATH/tomcat8/default/webapps/amimf/WEB-INF/web.xml. Add the following text after the last </servlet-mapping> tag and before the closing </web-app> tag. With a transport guarantee of CONFIDENTIAL, Tomcat answers any plain-HTTP request for the application with a redirect to the redirectPort of the HTTP connector, that is, the SSL port.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
  7. If you are using a certificate from a CA, proceed with the instructions in To change the Tomcat protocol and port. If you are using a self-signed certificate, proceed with the instructions in To enable TLS with a self-signed certificate.

To enable TLS with a self-signed certificate

If you are using a self-signed certificate perform the following steps:

  1. Use the following command to export the certificate from the generated keystore file:
    keytool -export -alias <alias_name> -keystore <keystore_filename> -rfc -file <certificate_filename>
  2. Use the following command to import the certificate into the AMI Manager truststore:
    keytool -import -trustcacerts -keystore <truststore_filename> -storepass <yourTruststorePassword> -noprompt -alias <alias name> -file <certificate_filename>
    If the truststore named by <truststore_filename> does not exist, keytool creates it, protected by the password you pass in -storepass. You must then uncomment and fill in the following section of the amipdt.properties file located at $AMI_INSTALL_PATH/aoidata/aoiinst/conf; TRUSTSTORE_PWD is the -storepass value of the truststore, not the password of the certificate's private key:

    #TRUSTSTORE CONFIGURATION - Uncomment this to apply your truststore
    # The type of truststore JKS/PKCS12/JCERACFKS
    #TRUSTSTORE_TYPE=<TRUSTSTORE_TYPE>
    # The path to the JKS/PKCS12/JCERACFKS type store containing the certificate
    #TRUSTSTORE_PATH=<TRUSTSTORE_PATH>
    # The password used to generate the certificate
    #TRUSTSTORE_PWD=<TRUSTSTORE_PWD>
  3. Proceed with the instructions in To change the Tomcat protocol and port.

To enable Tomcat to use TLS v1.2 with self-signed RACF certificates

  1. Generate a certificate authority certificate:
    [image: certauth_job.png]
  2. Create a user certificate for the Tomcat RACF UserID:
    [image: RACF_userid_cert.png]
  3. Create a RACF Keyring for the Tomcat RACF UserID:
    [image: racf_keyring.png]
  4. Connect the certificates to the new Keyring:
    [image: connect_cert_keyring.png]
  5. Use the following command to refresh the DIGTCERT class:
    SETR RACLIST(DIGTCERT) REFRESH
  6. In the Tomcat server SERVXML PDS member, add the following connector to the configuration for the SSL port:
    [image: SSL_port_connector.png]

    Important

    keystorePass must be set to the literal string password. A RACF keyring (JCERACFKS keystore) has no store password of its own; access to it is controlled by RACF, not by this value.

  7. Restart the Tomcat server.

To change the Tomcat protocol and port

After you complete the previous steps, do the following:

  1. Open the $AMI_INSTALL_PATH/aoidata/aoiinst/conf/amipdt.properties file.
  2. Change the value in TOMCAT_PROTOCOL to https://.
  3. Change the value in TOMCAT_PORT to your SSL port number.
  4. Make sure the Tomcat certificate is imported to the truststore specified in the amipdt.properties file. If there is no truststore defined, follow the instructions in To enable TLS with a self-signed certificate.
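
The following script is an added example for this page, not BMC code: it wraps the keytool export and import from To enable TLS with a self-signed certificate and the amipdt.properties edits from that section and from To change the Tomcat protocol and port into shell functions, then checks the finished file and the listening SSL port. The function names, the placeholder paths, aliases and passwords, and the use of openssl for the final check are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example for this page (not BMC code). Function names, placeholder
# paths/aliases/passwords and the openssl check are assumptions.
set -eu

# Step 1 of "To enable TLS with a self-signed certificate": export the Tomcat
# certificate from the keystore in PEM form (-rfc). Passing -storepass avoids
# the prompt but exposes the password to anyone who can list processes; omit
# it to be prompted instead.
export_cert() {
    # $1 keystore, $2 alias, $3 keystore password, $4 output PEM file
    keytool -export -alias "$2" -keystore "$1" -storepass "$3" -rfc -file "$4"
}

# Step 2: import the PEM into the AMI Manager truststore; keytool creates the
# truststore with this password if it does not exist yet.
import_cert() {
    # $1 truststore, $2 truststore password, $3 alias, $4 PEM file
    keytool -import -trustcacerts -keystore "$1" -storepass "$2" -noprompt \
        -alias "$3" -file "$4"
}

# Set KEY=VALUE in a properties file: replaces a commented-out "#KEY=..." or an
# existing "KEY=..." line, appends if neither is present. POSIX sed has no -i,
# so the result goes through a temp file. VALUE must not contain '|' or '&'.
set_prop() {
    # $1 properties file, $2 key, $3 value
    tmp="$1.tmp.$$"
    if grep -q "^#\{0,1\}$2=" "$1"; then
        sed "s|^#\{0,1\}$2=.*|$2=$3|" "$1" > "$tmp"
    else
        cp "$1" "$tmp"
        printf '%s=%s\n' "$2" "$3" >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# Uncomment and fill the TRUSTSTORE_* section of amipdt.properties.
configure_truststore() {
    # $1 properties file, $2 type (JKS/PKCS12/JCERACFKS), $3 path, $4 password
    set_prop "$1" TRUSTSTORE_TYPE "$2"
    set_prop "$1" TRUSTSTORE_PATH "$3"
    set_prop "$1" TRUSTSTORE_PWD "$4"
}

# "To change the Tomcat protocol and port": point AMI Manager at the SSL port.
configure_tomcat_https() {
    # $1 properties file, $2 SSL port
    set_prop "$1" TOMCAT_PROTOCOL "https://"
    set_prop "$1" TOMCAT_PORT "$2"
}

# Value of an active (uncommented) key; empty if absent or still commented out.
get_prop() {
    # $1 properties file, $2 key
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Check the finished file: HTTPS, numeric port, truststore keys set and the
# truststore file present. Prints the first problem found and returns 1.
check_props() {
    # $1 properties file
    [ "$(get_prop "$1" TOMCAT_PROTOCOL)" = "https://" ] ||
        { echo "TOMCAT_PROTOCOL is not https://"; return 1; }
    case "$(get_prop "$1" TOMCAT_PORT)" in
        ''|*[!0-9]*) echo "TOMCAT_PORT is not a number"; return 1 ;;
    esac
    [ -n "$(get_prop "$1" TRUSTSTORE_TYPE)" ] || { echo "TRUSTSTORE_TYPE not set"; return 1; }
    [ -f "$(get_prop "$1" TRUSTSTORE_PATH)" ] || { echo "TRUSTSTORE_PATH not found"; return 1; }
    [ -n "$(get_prop "$1" TRUSTSTORE_PWD)" ] || { echo "TRUSTSTORE_PWD not set"; return 1; }
}

# Client-side check after the Tomcat restart, from any host with openssl:
# the SSL port must complete a TLS 1.2 handshake and present the exported cert.
verify_tls() {
    # $1 host, $2 SSL port
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Usage (placeholder values, run from z/OS UNIX with keytool on the PATH):
#   export_cert tomcat.jks tomcat changeit tomcat.pem
#   import_cert /u/ami/conf/ami.truststore changeit tomcat tomcat.pem
#   P=$AMI_INSTALL_PATH/aoidata/aoiinst/conf/amipdt.properties
#   configure_truststore "$P" JKS /u/ami/conf/ami.truststore changeit
#   configure_tomcat_https "$P" 8443
#   check_props "$P" && verify_tls localhost 8443
```

check_props fails on a file that still carries the commented-out TRUSTSTORE_* lines, which is the state the page warns about in step 4 above: AMI Manager cannot verify the Tomcat certificate until the truststore section is active and points at a store that actually contains the imported certificate.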
