Configuring the system for SSL/TLS connections

You can set or change the system SSL connection setting from not secure (HTTP) to secure (HTTPS).

Before you begin

To enable secure communication with SSL/TLS, you must create or obtain client certificates, or create a RACF keyring.

To set HTTPS connections

1. Set the following properties in the AMICMNEV member of the &HLQ.UBBSAMP data set:

   SSL_ENABLE=true
   AMIDSC_PORT_TYPE=https
   AMIDSC_SECURED=true
   AMIDSC_UNSECURED=false

2. Set the following keystore details. The values are the same as those you entered during installation and as you determined in the Planning topic.

   Property	Description
   AMIAPS_KEYSTORE_TYPE=keystoreType	Type of keystore Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
   AMIAPS_KEYSTORE_NAME=<keystoreName>	Name of the BMC AMI Ops UI Server keystore Enter one of the following information: USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore ) RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
   AMIMON_KEYSTORE_NAME=<monitorKeystoreName>	Name of the BMC AMI Ops Monitor server keystore Enter one of the following information: USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore ) RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
   AMIAPS_KEYSTORE_LABEL=<certificateAlias> 2	Enter the Keystore alias Tip We recommend not to use spaces in the label values.
   AMIAPS_KEYSTORE_PASSWORD=<keystorePassword>	Keystore password For a RACF Keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
   AMIDSC_KEYSTORE_TYPE=<keystoreType>	Type of Keystore Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
   AMIMON_KEYSTORE_TYPE=<keystoreType>	Type of Keystore Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
   AMIDSC_KEYSTORE_PASSWORD=<keystorePassword>	Keystore password For a RACF keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
   AMIDSC_KEYSTORE_LABEL=<certificateAlias>2	Enter the Keystore alias Tip We recommend not to use spaces in the label values.
   AMIMON_KEYSTORE_LABEL=<certificateAlias>2	Enter the Keystore alias Tip We recommend not to use spaces in the label values.
   AMIMON_KEYSTORE_PASSWORD=<keystorePassword>	Keystore password For a RACF keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
   AMIDSC_KEYSTORE_NAME=serviceregistryKeystoreName	Name of the BMC AMI Ops UI Discovery server server keystore Enter one of the following information: USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore ) RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
   AMIMGR_KEYSTORE_TYPE=<keystoreType>	Type of keystore Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
   AMIMGR_KEYSTORE_ALIAS=<certificateAlias>	Enter the Keystore alias Tip We recommend not to use spaces in the label values.
   AMIMGR_KEYSTORE_PASSWORD=<keystorePassword>	Keystore password For a RACF keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
   AMIMGR_KEYSTORE_NAME=amiManagerKeystoreName	Name of the BMC AMI Managerserver keystore Enter one of the following information: USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore ) RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)

3. Set the following Truststore details. The values are the same as those you entered during installation and as you determined in the Planning topic.

   Property	Description
   AMIAPS_TRUSTSTORE_TYPE=truststoreType1	Type of truststore Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
   AMIAPS_TRUSTSTORE_NAME=truststoreName	Name of the BMC AMI Ops UI Server truststore Enter one of the following information: USS path where the Truststore is located (for example, /u/MAINVIEW/opsui/amiops.jks) RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
   AMIAPS_TRUSTSTORE_PASSWORD=<truststorepassword>	Truststore password For a RACF keyring (JCERACFKS or JCECCARACFKS type) the value must be password.

   1. If the keystore type is JCERACFKS or JCECCARACFKS and cannot be used as a truststore, use the JKS type instead, but make sure that the SAF keyring certificate is imported to the JKS truststore.
   2. If the keystore label name contains spaces, enclose the following values in double quotes (") in AMIAPSEV and AMIDSCEV environment members (in the &HLQ.BMCPCNFG data set), and the MUXMONEV member (in the &HLQ.BMCSAMP data set):

   • For BMC AMI Ops UI Server
     export AMIAPS_KEYSTORE_LABEL="$AMIAPS_KEYSTORE_LABEL"
   • For BMC AMI Ops UI Discovery server
     export AMIDSC_KEYSTORE_LABEL="$AMIDSC_KEYSTORE_LABEL"
   • For BMC AMI Ops Monitor server
     export AMIMON_KEYSTORE_LABEL="$AMIMON_KEYSTORE_LABEL"

   1. If the keystore type is JCERACFKS or JCECCARACFKS and cannot be used as a truststore, use the JKS type instead, but make sure that the SAF keyring certificate is imported to the JKS truststore.
   2. If the keystore label name contains spaces, enclose the following values in double quotes (") in AMIAPSEV and AMIDSCEV environment members (in the &HLQ.BMCPCNFG data set), and the MUXMONEV member (in the &HLQ.BMCSAMP data set):

   • For BMC AMI Ops UI Server
     export AMIAPS_KEYSTORE_LABEL="$AMIAPS_KEYSTORE_LABEL"
   • For BMC AMI Ops UI Discovery server
     export AMIDSC_KEYSTORE_LABEL="$AMIDSC_KEYSTORE_LABEL"
   • For BMC AMI Ops Monitor server
     export AMIMON_KEYSTORE_LABEL="$AMIMON_KEYSTORE_LABEL"

    

4. Validate the JCL script for SSL communication by confirming that the following lines are present and uncommented in the AMIAPSEV and AMIDSCEV environment members that are located in the &HLQ.BMCPCNFG data set, and the MUXMONEV member that is located in the &HLQ.BMCSAMP data set:

   IJO="$IJO -Djavax.net.ssl.trustStorePassword=${AMIAPS_TRUSTSTORE_PASSWORD}" 
   IJO="$IJO -Djavax.net.ssl.trustStore=${AMIAPS_TRUSTSTORE_NAME}"              
   IJO="$IJO -Djavax.net.ssl.trustStoreType=${AMIAPS_TRUSTSTORE_TYPE}" 

Updating client certificate settings

You can enable or disable client certificate authentication and update the client certificate details. 

Client certificate should be added to RACF against a user.

To enable or disable client certificate authentication

Set the following properties in the AMICMNEV member of the &HLQ.UBBSAMP data set. The values are the same as those you entered during installation and as you determined in the Planning topic.

To update User role settings when using client certificate

(Use this option only for BMC AMI Ops Insight.)

Set the following properties in AMIAPSEV environment member that is located in the &HLQ.BMCPCNFG data set. 

• User role global settings when using client certificate:

  Properties

  Description

  export APS_CLT_CRT_ID_MAPPING=true

  Set to true If client certificate is created with hostIdMapping, which is the host and user id mapping, the user roles (none, user or admin) are fetched from RACF definitions for mapped user id. Important You need to secure a client certificate with hostIdMapping from your security team. Set to false If client certificate is not created with hostIdMapping or if you want to define user's role, you must follow the User role manual settings. Important If hostIdMapping is not present in the certificate, then common name (CN) of the certificate is picked up as username.

  The following is a sample config file to create a certificate having hostIdMapping using OpenSSL:
   

  Example

  [ req ]

  distinguished_name  = req_distinguished_name
  policy              = policy_anything
  x509_extensions     = v3_req
  req_extensions      = v3_req

  [ req_distinguished_name ]
  countryName                     = Country Name (2 letter code)
  countryName_default             = US
  countryName_min                 = 2
  countryName_max                 = 2
  stateOrProvinceName             = State or Province Name (full name) ## Print this message
  stateOrProvinceName_default     = United States ## This is the default value
  localityName                    = Locality Name (eg, city) ## Print this message
  localityName_default            = Houston ## This is the default value
  0.organizationName              = Organization Name (eg, company) ## Print this message
  0.organizationName_default      = BMC ## This is the default value
  organizationalUnitName          = Organizational Unit Name (eg, section) ## Print this message
  organizationalUnitName_default  = ZOS ## This is the default value
  commonName                      = Common Name (eg, your name or your server hostname) ## Print this message
  commonName_max                  = 64
  emailAddress                    = Email Address ## Print this message
  emailAddress_max                = 64

  [ policy_anything ]
  countryName        = optional
  stateOrProvinceName    = optional
  localityName        = optional
  organizationName    = optional
  organizationalUnitName    = optional
  commonName        = supplied
  emailAddress        = optional

  [ user_crt ]
  nsCertType              = client, server, email
  nsComment               = "OpenSSL Generated Certificate"
  subjectKeyIdentifier    = hash
  authorityKeyIdentifier  = keyid,issuer

  [ v3_req ]
  basicConstraints        = CA:FALSE
  extendedKeyUsage        = serverAuth, clientAuth, codeSigning, emailProtection
  keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

  #############
  1.3.18.0.2.18.1 = critical,ASN1:SET:HostIdMappings 
  
  [HostIdMappings] 
  1 = SEQUENCE:HostIdMapping1

   
  [HostIdMapping1] 
  1 = IA5STRING:<Hostname>
  2 = IA5STRING:<USER-ID>

   

• User role manual settings:

  Properties	Description
  export APS_CLT_CRT_ROLE=USER	Default role for all client certificates You can use ADMIN, USER, or NONE role as the value.
  export APS_CLT_CRT_NONELIST=/      export APS_CLT_CRT_USERLIST=/      export APS_CLT_CRT_ADMINLIST=/	Comma separated CN field value from the certificate for respective role

  For more information, see Security section of the BMC AMI Ops Insight documentation.

Creating or obtaining certificates

Use the keytool utility to create a self-signed or acquire a CA-signed certificate for the product.

The keystore will be the same for the following services and servers:

• BMC AMI Ops UI Server(Application server) 
• BMC AMI Ops UI Discovery server(Eureka server)
• BMC AMI Ops Insightservice
• BMC AMI Ops Monitorservice (Ops monitor)

To create a self-signed certificate

Run the following command to create a self-signed certificate and add it to the keystore. Make sure that the keytool is in the JAVA_HOME/bin directory. The supported version is Java 17.

Replace the following placeholders:

• <pathToKeystore>
• <keystorePassword>
• <storeType>
• <aliasName>
• <hostName>

To acquire a CA certificate

1. Run the following command to generate a key by using the keytool utility. Make sure the keytool is in the JAVA_HOME\bin directory. 

   keytool -genkeypair -alias <aliasName> -keypass <keyPassword> -keystore <keystoreName> -storepass <keystorePassword> -validity <numberOfDays> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -deststoretype <storeType>

   Replace the following placeholders:

   • <aliasName>
   • <keyPassword>
   • <keystoreName>
   • <keystorePassword>
   • <numberOfDays>
   • <storeType>

2. Enter the information for the following prompts:

   What is your first and last name? [Unknown]: <fully qualified domain name>
   
   What is the name of your organizational unit? [Unknown]: <company name>
   
   What is the name of your organization? [Unknown]: <organization name>
   
   What is the name of your City or Locality? [Unknown]: <your city>
   
   What is the name of your State or Province? [Unknown]: <your state>
   
   What is the two-letter country code for this unit? [Unknown]: <your 2 letter country code>
   
   Is CN=<FQDN>, OU=<company name>, O=<organization name>, L=<your city>, ST=<your state>, C=<your country> correct? [no]: y

3. Use the key you generated in the previous step to create a certificate signing request (.csr):

   keytool -certreq -alias <aliasName> -file <fileName>.csr -keystore <keystoreFileName> -ext san=dns:<FQDN> -storepass <keystorePassword>

   Replace the following placeholders:

   • <aliasName>
   • <keystoreFileName>
   • <FQDN>
   • <keystorePassword> —This is the same keystore password as defined in the earlier -storepass <keystorePassword>.
4. Approach a CA provider with the key and .csr file to obtain a CA certificate.

5. After you receive the CA certificate, use the following command to create a keystore, using the key and certificate files that you created:

   keytool -importcert -alias <aliasName> -file <certificateFileName> -keystore <keystoreFileName> -storetype <storeType> -trustcacerts

   Replace the following placeholders:

   • <aliasName>
   • <certificateFileName>
   • <keystoreFileName>
   • <storeType>

Where to go from here

To sign in to BMC AMI Ops User Interface and start using its features, see Signing in to BMC AMI Ops User Interface.

If you are not seeing the data you expect, see Troubleshooting.