Enabling TLS authentication between Tomcat and BMC AMI Manager

Use the procedures in this topic to enable TLS authentication between Tomcat and BMC AMI Manager.

Before you begin

To configure TLS, you need a digital certificate. You should have obtained or generated one before you installed. See TLS Authentication for more details.

To enable TLS

Copy HLQ.BMCSAMP/XXSAMP(SERVXML) to HLQ.UBMCSAMP(SERVXML).
Open HLQ.UBMCSAMP(SERVXML).
Replace the following text:
<Connector port="&httpPort;" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="&sslPort;" />

<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
with:
<Connector port="&httpPort;" enableLookups="false"
            redirectPort="&sslPort;" />
Replace the following text so it points to the keystore where you imported your certificates in SSL Certificates:
<Connector port="&sslPort;"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate
             certificateKeyFile="conf/Certificate/sysposa.bmc.com.pem"
             certificateFile="conf/Certificate/sysposa.bmc.com.pem"
             certificateChainFile="conf/localhost-rsa-chain.pem"
             type="RSA" />
    </SSLHostConfig>
</Connector>
-->
with:
<Connector port="&sslPort;"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="<keystore_aliasname>"
           keystoreType="<keystore_Type>"
           keystoreFile="<keystore location>"
           keystorePass="<keystore password>" />
Warning
Important
To enable TLS 1.2, add the following line below the line that starts clientAuth:
sslEnabledProtocols="TLSv1.2"
Select ISPF option 3.17.
Use the EA line command (edit an ASCII file) to edit $AMI_INSTALL_PATH/tomcat9/default/webapps/amimf/WEB-INF/web.xml. Add the following text before the </web_app> tag.</servlet-mapping>
<security-constraint>
        <web-resource-collection>
        <web-resource-name>Automatic Forward to HTTPS/SSL
        </web-resource-name>
        <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>

Import the client certificate of the Tomcat server to your truststore defined in member '&HLQ.UBBSAMP(AMICMNEV)'.
The truststore being used is defined in AMIAPS_TRUSTSTORE_NAME parameter.

Add the following truststore properties in the Tomcat environment member HLQ.BMCSAMP(AMITCEN7):
IJO="$IJO -Djavax.net.ssl.trustStoreType=<TRUSTSTORE_TYPE>"
IJO="$IJO -Djavax.net.ssl.trustStore=<TRUSTSTORE_PATH>"
IJO="$IJO -Djavax.net.ssl.trustStorePassword=<TRUSTSTORE_PWD>"
Replace the placeholders with actual values.
If you are using a certificate from a CA, proceed with the instructions in To change the Tomcat protocol and port. If you are using a self-signed certificate, proceed with the instructions in To enable TLS with a self-signed certificate.

To enable TLS with a self-signed certificate

If you are using a self-signed certificate perform the following steps:

Use the following command to export the certificate from the generated keystore file:
keytool -export -alias <alias_name> -keystore <keystore_filename> -rfc -file <certificate_filename>
Import the client certificate of the Tomcat server to your truststore defined in member '&HLQ.UBBSAMP(AMICMNEV)':
The truststore being used is defined in AMIAPS_TRUSTSTORE_NAME parameter.
Proceed with the instructions in To change the Tomcat protocol and port.

To enable Tomcat to use TLS v1.2 with self-signed RACF certificates

Generate a certificate authority certificate:
Create a user certificate for the Tomcat RACF UserID:
Create a RACF Keyring for the Tomcat RACF UserID:
Connect the certificates to the new Keyring:
Use the following command to refresh the DIGTCERT class:
SETR RACLIST(DIGTCERT) REFRESH
In the Tomcat server SERVXML PDS member, add the following connector to the configuration for the SSL port:
Warning
Important
- keystorePass must be set to literal password.
- Tomcat server started task user must have:
  The correct keyring user name
  Read and Update access to the keyrings
Add the following truststore properties in the Tomcat environment member HLQ.BMCSAMP(AMITCEN7):
IJO="$IJO -Djavax.net.ssl.trustStoreType=<TRUSTSTORE_TYPE>"
IJO="$IJO -Djavax.net.ssl.trustStore=<TRUSTSTORE_PATH>"
IJO="$IJO -Djavax.net.ssl.trustStorePassword=<TRUSTSTORE_PWD>"
Replace the placeholders with actual values.
Restart the Tomcat server.

To change the Tomcat protocol and port

After you complete the previous steps, do the following:

Important

The ports are defined in the &HLQ.UBMCSAMP(SERVVARS), make sure you match the entity with those in the amipdt.properties file.

Open the $AMI_INSTALL_PATH/aoidata/aoiinst/conf/amipdt.properties file.
TOMCAT_PORT=16045
TOMCAT_PROTOCOL=https//
Change the value in TOMCAT_PROTOCOL to https://.
Change the value in TOMCAT_PORT to your SSL port number.
Make sure the Tomcat certificate is imported to the truststore specified in the amipdt.properties file. If there is no truststore defined, follow the instructions in To enable TLS with a self-signed certificate.