Security

Review the following topics for information about the product's security and for recommendations on deploying securely.

To define SAF roles

You must have the BBM.AMIOI.UI.ACCESS SAF role defined with the following permissions:

Important

(This is applicable only if you have BMC AMI Ops UI PTF level BP00530 or above.)

Generally, the SAF role is defined in FACILITY class of RACF, but if you have to define the role in any other class, then you must update <application server root Directory>/opsappcustom.properties to add ami.racf.classname=<RACF_CLASSNAME>.

For example, if SAF role is defined in a class named $BBM, then we need to add ami.racf.classname=$BBM to the properties file.

You can find the opsappcustom.properties file in the home directory of the BMC AMI Ops UI server.

Permission	Description
UPDATE	User has admin authority in the UI
READ	User is a regular user in the UI
NONE	User cannot use the UI

TLS authentication

The product uses TLS authentication for communicating between the following components:

Components	Reference
BMC AMI Manager and BMC AMI Ops User Interface	Configuring the system for SSL/TLS connections
(Optional) Tomcat and BMC AMI Manager	Enabling-TLS-authentication-between-Tomcat-and-BMC-AMI-Manager
BMC AMI Manager and Docker	Enabling-TLS-authentication-between-BMC-AMI-Manager-and-Docker

SSL certificates

Get SSL certificates:
- For a development environment, follow the instructions in the TLS authentication topics (listed above) for creating self-signed certificates.
- For a production environment, we recommend that you get certificates from an Certificate Authority (CA).
Import the certificates into a PKCS #12 type keystore.
Example
keytool -import -alias amioi -file myCertificate.crt -keystore ssl-store.p12 -storetype PKCS12 -storepass <password>

Optional Detailed Analysis

The user ID associated with the data preparation address space must have READ access to your BMC AMI Ops Monitors' data. For more information, see ESM-resource-definitions.