Skip to Content

Security

Related topics

Installing and configuring the BMC AMI Datastream for Ops Insight component

Enabling TLS authentication between Tomcat and BMC AMI Manager

Review the following topics for information about the product's security and for recommendations on deploying securely.

To define SAF roles

You must have the BBM.AMIOI.UI.ACCESS SAF role defined with the following permissions:

Warning

Important

(This is applicable only if you have BMC AMI Ops UI PTF level BP00530 or above.)

Generally, the SAF role is defined in FACILITY class of RACF, but if you have to define the role in any other class, then you must update <application server root Directory>/opsappcustom.properties to add ami.racf.classname=<RACF_CLASSNAME>.

(For example, if SAF role is defined in a class named $BBM, then we need to add ami.racf.classname=$BBM to the properties file.

You can find the opsappcustom.properties file in the home directory of the BMC AMI Ops UI Server.

 

Permission

Description

UPDATE

User has admin authority in the UI

READ

User is a regular user in the UI

NONE

User cannot use the UI

Warning

Important

Make sure that the RACF permissions for BMC AMI Ops UI Server are same as described in RACF authorization for the BMC AMI Ops user interface started task.

TLS authentication

The product uses TLS authentication for communicating between the following components:

Components

Reference

BMC AMI Managerand BMC AMI Ops User Interface

(Optional) Tomcat and BMC AMI Manager

BMC AMI Managerand Docker

SSL certificates

  1. Get SSL certificates:
    • For a development environment, follow the instructions in the TLS authentication topics (listed above) for creating self-signed certificates.
    • For a production environment, we recommend that you get certificates from a Certificate Authority (CA).

  2. Import the certificates into a PKCS #12 type keystore.

    Information
    Example

    keytool -import -alias amioi -file myCertificate.crt -keystore ssl-store.p12 -storetype PKCS12 -storepass <password>

Optional Detailed Analysis

The user ID associated with the data preparation address space must have READ access to your BMC AMI Ops Monitors' data. For more information, see ESM resource definitions.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Ops Insight 3.0