Enabling TLS authentication between Tomcat and BMC AMI Manager

Use the procedures in this topic to enable TLS authentication between Tomcat and BMC AMI Manager.

Before you begin

To configure TLS, you need a digital certificate. You should have obtained or generated one before you installed. See TLS Authentication for more details.

To enable TLS

  1. Copy BMCSAMP(SERVXML) to UBMCSAMP(SERVXML).
  2. Open UBMCSAMP(SERVXML).
  3. Replace the following text:

    <Connector port="&httpPort;" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="&sslPort;" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    with:

    <Connector port="&httpPort;" enableLookups="false"
               redirectPort="&sslPort;" />
  4. Replace the following text so that it points to the keystore into which you imported your certificates in SSL Certificates:

    <Connector port="&sslPort;"
              protocol="org.apache.coyote.http11.Http11AprProtocol"
              maxThreads="150" SSLEnabled="true" >
       <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
       <SSLHostConfig>
           <Certificate
                certificateKeyFile="conf/Certificate/sysposa.bmc.com.pem"
                certificateFile="conf/Certificate/sysposa.bmc.com.pem"
                certificateChainFile="conf/localhost-rsa-chain.pem"
                type="RSA" />
       </SSLHostConfig>
    </Connector>
    -->

    with:

    <Connector port="&sslPort;"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="<keystore_aliasname>" keystoreFile="<keystore location>"
               keystorePass="<keystore password>" />

    Important

    To allow only TLS 1.2 on this connector, add the following attribute after the line that starts with clientAuth:

    sslEnabledProtocols="TLSv1.2"
  5. Select ISPF option 3.17.
  6. Use the EA line command (edit an ASCII file) to edit $AMI_INSTALL_PATH/tomcat9/default/webapps/amimf/WEB-INF/web.xml. Add the following text before the closing </web-app> tag:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
  7. If you are using a certificate from a CA, proceed with the instructions in To change the Tomcat protocol and port. If you are using a self-signed certificate, proceed with the instructions in To enable TLS with a self-signed certificate.

To enable TLS with a self-signed certificate

If you are using a self-signed certificate perform the following steps:

  1. Use the following command to export the certificate from the generated keystore file:
    keytool -export -alias <alias_name> -keystore <keystore_filename> -rfc -file <certificate_filename>
  2. Use the following command to import the certificate into the BMC AMI Manager truststore:
    keytool -import -trustcacerts -keystore <truststore_filename> -storepass <yourTruststorePassword> -noprompt -alias <alias name> -file <certificate_filename>

    If the truststore <truststore_filename> does not exist, this command creates it. You must then update the following section of the amipdt.properties file, located at $AMI_INSTALL_PATH/aoidata/aoiinst/conf:

    #TRUSTSTORE CONFIGURATION - Uncomment this to apply your truststore
    # The type of truststore JKS/PKCS12/JCERACFKS
    #TRUSTSTORE_TYPE=<TRUSTSTORE_TYPE>
    # The path to the JKS/PKCS12/JCERACFKS type store containing the certificate
    #TRUSTSTORE_PATH=<TRUSTSTORE_PATH>
    # The password used to generate the certificate
    #TRUSTSTORE_PWD=<TRUSTSTORE_PWD>

  3. Proceed with the instructions in To change the Tomcat protocol and port.

To enable Tomcat to use TLS v1.2 with self-signed RACF certificates

  1. Generate a certificate authority certificate:
    [Image: certauth_job.png]
  2. Create a user certificate for the Tomcat RACF UserID:
    [Image: RACF_userid_cert.png]
  3. Create a RACF Keyring for the Tomcat RACF UserID:
    [Image: racf_keyring.png]
  4. Connect the certificates to the new Keyring:
    [Image: connect_cert_keyring.png]
  5. Use the following command to refresh the DIGTCERT class:
    SETR RACLIST(DIGTCERT) REFRESH
  6. In the Tomcat server SERVXML PDS member, add the following connector to the configuration for the SSL port:
    [Image: SSL_port_connector.png]

    Important

    • keystorePass must be set to the literal string password.
    • The Tomcat server started task user must have:
      • The correct keyring user name
      • Read and Update access to the keyrings
  7. Restart the Tomcat server.

To change the Tomcat protocol and port

After you complete the previous steps, do the following:

Important

The ports are defined in SERVVARS; make sure the values in the amipdt.properties file match them.

  1. Open the $AMI_INSTALL_PATH/aoidata/aoiinst/conf/amipdt.properties file.

    TOMCAT_PORT=16045
    TOMCAT_PROTOCOL=https//
  2. Change the value in TOMCAT_PROTOCOL to https://.
  3. Change the value in TOMCAT_PORT to your SSL port number.
  4. Make sure the Tomcat certificate is imported to the truststore specified in the amipdt.properties file. If there is no truststore defined, follow the instructions in To enable TLS with a self-signed certificate.
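As an added consistency check (example code, not BMC's or Tomcat's own), the following Python reads a constructed SERVXML fragment shaped like the connectors from steps 3 and 4 together with a constructed amipdt.properties fragment, and reports the mismatches this topic warns about: a missing sslEnabledProtocols attribute, an HTTP connector that does not redirect to the SSL port, and TOMCAT_PORT/TOMCAT_PROTOCOL values that disagree with the SSL connector. The port numbers, keystore path, alias and password are made-up values, and literal ports stand in for the &httpPort;/&sslPort; entities.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the two connectors from steps 3 and 4, with literal ports
# in place of the &httpPort;/&sslPort; entities and a made-up keystore path and alias.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="16044" enableLookups="false" redirectPort="16045" />
  <Connector port="16045" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             clientAuth="false" sslProtocol="TLS"
             keyAlias="tomcat" keystoreFile="/u/ami/conf/tomcat.p12" keystorePass="changeit" />
</Service></Server>"""
# The same connector with the attribute the Important note in step 4 asks for.
HARDENED_XML = SERVER_XML.replace('sslProtocol="TLS"',
                                  'sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"')
# Constructed amipdt.properties fragment (see "To change the Tomcat protocol and port").
AMIPDT_PROPERTIES = "TOMCAT_PORT=16045\nTOMCAT_PROTOCOL=https://\n"

def check_tls_config(server_xml, properties):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if len(ssl) != 1:
        return ["expected exactly one SSLEnabled connector, found %d" % len(ssl)]
    tls, ssl_port = ssl[0], ssl[0].get("port")
    # scheme/secure mark the connector as HTTPS; the CONFIDENTIAL guarantee in web.xml relies on it.
    for attr, want in (("scheme", "https"), ("secure", "true")):
        if tls.get(attr) != want:
            findings.append(f'SSL connector: {attr} should be "{want}"')
    # Without sslEnabledProtocols the JVM default decides which TLS versions are
    # offered; the page asks for TLSv1.2 (TLSv1.3 is accepted here as well).
    enabled = [p.strip() for p in tls.get("sslEnabledProtocols", "").split(",") if p.strip()]
    if not enabled or any(p not in ("TLSv1.2", "TLSv1.3") for p in enabled):
        findings.append('SSL connector: set sslEnabledProtocols="TLSv1.2"')
    # Step 3: plain HTTP traffic must be redirected to the SSL connector's port.
    for c in connectors:
        if c is not tls and c.get("redirectPort") != ssl_port:
            findings.append(f'HTTP connector {c.get("port")}: redirectPort should be {ssl_port}')
    # BMC AMI Manager reads the port and scheme from amipdt.properties; they must match.
    props = dict(re.findall(r"^\s*([A-Z_]+)\s*=\s*(\S*)", properties, re.M))
    if props.get("TOMCAT_PORT") != ssl_port:
        findings.append(f"amipdt.properties: TOMCAT_PORT should be {ssl_port}")
    if props.get("TOMCAT_PROTOCOL") != "https://":
        findings.append("amipdt.properties: TOMCAT_PROTOCOL should be https://")
    return findings

if __name__ == "__main__":
    print(check_tls_config(SERVER_XML, AMIPDT_PROPERTIES) or "OK")
```

Run it against your own SERVXML and amipdt.properties contents after replacing the entities with the SERVVARS values; the connector as shown in step 4 reports only the missing sslEnabledProtocols attribute.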

 
