Configuring the system for AT-TLS connections


To set up the system for AT-TLS connections, customize the security protocol settings so that the components can send and receive data as expected. Customization involves creating SSL/TLS certificates, updating the common environment variables (AMICMNEV) member of the &HLQ.UBBSAMP data set, and editing the JCL script.

Setting AT-TLS connections

  1. Set the following properties in the AMICMNEV member of the &HLQ.UBBSAMP data set:

    SSL_ENABLE=false
    AMIDSC_PORT_TYPE=https
    AMIDSC_SECURED=true
    AMIDSC_UNSECURED=false
  2. Set the host names and port numbers in the AMICMNEV member of the &HLQ.UBBSAMP data set. The values are the same as those you entered during installation and as you determined in the Planning topic.

    Property       Description
    AMIAPS_HOST    Host name of the BMC AMI Ops UI Server
    AMIAPS_PORT    Port number of the BMC AMI Ops UI Server
    AMIDSC_HOST    Host name of the BMC AMI Ops UI Discovery server
    AMIDSC_PORT    Port number of the BMC AMI Ops UI Discovery server
    AMIMON_HOST    Host name of the BMC AMI Ops Monitor service
    AMIMON_PORT    Port number of the BMC AMI Ops Monitor service


  3. Set the following truststore details. The values are the same as those you entered during installation and as you determined in the Planning topic.

    Property                                Description
    AMIAPS_TRUSTSTORE_TYPE=truststoreType   Type of truststore
                                            Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
    AMIAPS_TRUSTSTORE_NAME=truststoreName   Name of the BMC AMI Ops UI Server truststore
                                            Enter one of the following kinds of information:
                                            • USS path where the truststore is located (for example, /u/MAINVIEW/opsui20/amiops.truststore)
                                            • RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
    AMIAPS_TRUSTSTORE_PASSWORD              Truststore password
                                            For a RACF keyring (JCERACFKS type), the value must be password.

  4. Import the AT-TLS client certificate into the truststore.
  5. Validate the JCL script for AT-TLS communication by confirming that the following lines are present and uncommented in the AMIAPSEV and AMIDSCEV environment members that are located in the &HLQ.BMCPCNFG data set, and the MUXMONEV member that is located in the &HLQ.BMCSAMP data set:

    IJO="$IJO -Djavax.net.ssl.trustStorePassword=${AMIAPS_TRUSTSTORE_PASSWORD}" 
    IJO="$IJO -Djavax.net.ssl.trustStore=${AMIAPS_TRUSTSTORE_NAME}"              
    IJO="$IJO -Djavax.net.ssl.trustStoreType=${AMIAPS_TRUSTSTORE_TYPE}" 
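
A pre-start check for steps 1, 3 and 5 above, as an added example that is not BMC code: it lints text copies of AMICMNEV and of one environment member, and never prints the password value. The function names, the plain KEY=value layout, and the pairing of JKS/PKCS12 with a USS path and of the RACF types with a safkeyring URL are assumptions of this example.

```shell
# Added example (not BMC code): lint text copies of AMICMNEV and an environment
# member against this page's AT-TLS settings. Assumes plain KEY=value lines.
get_prop() {   # value of the last uncommented KEY ($2) line in file $1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}
# Print one line per problem in AMICMNEV copy $1; exit status = problem count.
check_amicmnev() {
    bad=0
    for want in SSL_ENABLE=false AMIDSC_PORT_TYPE=https \
                AMIDSC_SECURED=true AMIDSC_UNSECURED=false; do
        got=$(get_prop "$1" "${want%%=*}")
        [ "$got" = "${want#*=}" ] ||
            { echo "${want%%=*}: want ${want#*=}, found '$got'"; bad=$((bad + 1)); }
    done
    kind=$(get_prop "$1" AMIAPS_TRUSTSTORE_TYPE)
    name=$(get_prop "$1" AMIAPS_TRUSTSTORE_NAME)
    case $kind in
        JKS|PKCS12)   # file-based types: assumed to pair with a USS path
            case $name in safkeyring*|'')
                echo "AMIAPS_TRUSTSTORE_NAME: $kind needs a USS path"; bad=$((bad + 1));;
            esac;;
        JCERACFKS|JCECCARACFKS)   # RACF types: assumed to pair with a keyring URL
            case $name in safkeyring*) ;; *)
                echo "AMIAPS_TRUSTSTORE_NAME: $kind needs a safkeyring URL"; bad=$((bad + 1));;
            esac
            if [ "$kind" = JCERACFKS ] &&
               [ "$(get_prop "$1" AMIAPS_TRUSTSTORE_PASSWORD)" != password ]; then
                echo "AMIAPS_TRUSTSTORE_PASSWORD: must be 'password' for JCERACFKS"
                bad=$((bad + 1))
            fi;;
        *) echo "AMIAPS_TRUSTSTORE_TYPE: unsupported value '$kind'"; bad=$((bad + 1));;
    esac
    return "$bad"
}

# Print each truststore option with no uncommented IJO= line in member copy $1.
missing_ijo() {
    for opt in trustStorePassword trustStore trustStoreType; do
        grep -q "^[[:space:]]*IJO=.*-Djavax\.net\.ssl\.$opt=" "$1" || echo "$opt"
    done
}

# Constructed sample: a RACF keyring type paired with a file path and password.
sample=$(mktemp)
printf '%s\n' SSL_ENABLE=false AMIDSC_PORT_TYPE=https AMIDSC_SECURED=true \
    AMIDSC_UNSECURED=false AMIAPS_TRUSTSTORE_TYPE=JCERACFKS \
    AMIAPS_TRUSTSTORE_NAME=/u/MAINVIEW/opsui20/amiops.truststore \
    AMIAPS_TRUSTSTORE_PASSWORD=changeit > "$sample"
check_amicmnev "$sample" || echo "$? problem(s) found"; rm -f "$sample"
```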

Configure BMC AMI Ops Insight for AT-TLS

  1. Update amipdt.properties, located in the ami_installationDirectory/aoidata/aoiinst/conf directory, as follows:

    AMI_MGR_HOST=localhost
    #Set port for ami manager
    AMI_MGR_PORT=48954
    #Uncomment to set it to true when enabling AT-TLS configuration
    #AMI_MGR_SECURED=true
  2. If you configured the Tomcat servlet to run as HTTPS, import its client certificate into the truststore.
  3. If you chose the optional graph feature, import the certificate used in Docker into the same truststore.

Where to go from here

To sign in to BMC AMI Ops User Interface and start using its features, see Signing in to BMC AMI Ops user interface.

If you are not seeing the data you expect, see Troubleshooting.

 
