Enabling TLS authentication between BMC AMI Manager and Docker
Before you begin
- To configure TLS, you need a digital certificate. You should have obtained or generated one before you installed. See TLS Authentication for more details.
- If you do not have OpenSSL installed, install it before proceeding.
- If you want to use the same certificate and key file when running the BMC AMI Ops Insight Playback Docker container on your local machine, the certificate must have amioidashboard.com as one of its SAN (Subject Alternative Name) entries.
To implement a certificate issued by a Certificate Authority (CA)
- Use the following command to generate a key:
  openssl genrsa -out <server>.key 2048
- Use the key you generated in the previous step to request a certificate from your CA.
- Use one of the following commands to extract the .cer file. Replace <certificate> with the name of your certificate:
  For PKCS #7:  openssl pkcs7 -print_certs -in <certificate>.p7b -out <certificate>.cer
  For PKCS #12: openssl pkcs12 -in <certificate>.pfx (or .p12) -out <certificate>.cer -nodes
- Use the following command to convert the certificate you extracted in the previous step (<certificate>.cer) to PEM-encoded X.509 format:
  openssl x509 -in <certificate>.cer -outform PEM -out <certificate>.crt
- Proceed with Importing the certificate to the truststore.
To implement a self-signed certificate
- Create a configuration file <openssl>.cnf similar to the following:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = <myCountry>
countryName_default = <myCountry>
stateOrProvinceName = <myProvince>
stateOrProvinceName_default = <myProvince>
localityName = <myLocality>
localityName_default = <myLocality>
organizationName = <Org>
organizationName_default = <Org>
organizationalUnitName = <myOrgUnit>
organizationalUnitName_default = <myOrgUnit>
commonName = <hostName>
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <hostname>
DNS.2 = *
DNS.3 = *.com
DNS.4 = *.*.com
DNS.5 = *.*.*.com
DNS.6 = *.*.*.*.com
DNS.7 = amioidashboard.com
- Use the following command to generate a key:
  openssl genrsa -out <server>.key 2048
- Use the following command to create a Certificate Signing Request (CSR):
  openssl req -new -out <server>.csr -key <server>.key -config <openssl>.cnf
- Use the following command to create a self-signed certificate from the key and CSR that you created in the previous steps:
  openssl x509 -req -days 3650 -in <server>.csr -signkey <server>.key -out <server>.crt -extensions v3_req -extfile <openssl>.cnf
- Proceed with Importing the certificate to the truststore.
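The self-signed procedure above, carried through end to end as an added example (not part of the BMC documentation): the script writes the OpenSSL configuration with the SAN entries filled in, runs the three openssl commands, and then checks the two things that most often go wrong before the certificate is imported, namely that the SAN really carries amioidashboard.com (required for the Playback container) and that the private key belongs to the certificate. The work directory, the host name ami-manager.example.internal and the DN values are constructed placeholders.

```shell
#!/bin/sh
# Added example: self-signed certificate for BMC AMI Manager, plus pre-import checks.
# Assumed values (not from the documentation): WORKDIR, HOSTNAME_CN and the DN fields.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required (see Before you begin)"; exit 0; }

WORKDIR="${WORKDIR:-./tls-demo}"
HOSTNAME_CN="${HOSTNAME_CN:-ami-manager.example.internal}"   # constructed placeholder host

# Write the <openssl>.cnf from the documentation with the placeholders filled in.
# prompt = no lets openssl req read the DN from this file instead of asking interactively.
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C  = US
ST = Texas
L  = Houston
O  = ExampleOrg
OU = Mainframe
CN = $HOSTNAME_CN
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOSTNAME_CN
DNS.2 = amioidashboard.com
EOF
}

# Key -> CSR -> self-signed certificate: the three openssl commands from the procedure.
generate_cert() {
  mkdir -p "$WORKDIR"
  write_cnf "$WORKDIR/openssl.cnf"
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -out "$WORKDIR/server.csr" -key "$WORKDIR/server.key" -config "$WORKDIR/openssl.cnf"
  openssl x509 -req -days 3650 -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
    -out "$WORKDIR/server.crt" -extensions v3_req -extfile "$WORKDIR/openssl.cnf" 2>/dev/null
}

# Exit 0 if the certificate ($1) lists DNS name $2 in its Subject Alternative Name.
san_has_name() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Exit 0 if the RSA modulus of certificate $1 equals that of private key $2.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

generate_cert
if san_has_name "$WORKDIR/server.crt" amioidashboard.com && key_matches_cert "$WORKDIR/server.crt" "$WORKDIR/server.key"; then
  echo "$WORKDIR/server.crt is ready to import into the truststore and pass to the container"
else
  echo "certificate check failed: SAN or key mismatch" >&2; exit 1
fi
```

Run it before the truststore import; pass the resulting server.crt and server.key as the crt= and key= arguments in the Docker start step.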
Importing the certificate to the truststore
Copy your X.509 certificate file to the system where BMC AMI Manager is installed.
- If you are using a RACF keyring as a truststore, import the certificate to the keyring.
- If you are using a USS file-based truststore, run the following command on the system where BMC AMI Manager is installed:
Starting Docker with a new certificate for optional graph component
- If the Docker container is already running, run the following commands to stop and remove it:
  docker stop <my_container>
  For example: docker stop amioi-server
  docker rm <my_container>
  For example: docker rm amioi-server
- Use one of the following commands to start Docker using your certificate.
  On Linux, run the following command:
  ./container-shell-lpqmb2.5.00.sh u=<EPD_Username> crt=<crtFilePath> key=<keyFilePath>
  For example: ./container-shell-lpqmb2.5.00.sh u=somebody crt=certificate.crt key=private.key
  On zCX/zLinux, run the following command:
  ./run.sh crt=<crtFilePath> key=<keyFilePath>
  For example: ./run.sh crt=certificate.crt key=private.key
- Restart BMC AMI Manager.