Configuring the system for SSL/TLS connections
You can set or change the system SSL connection setting from not secure (HTTP) to secure (HTTPS).
Before you begin
To enable secure communication with SSL/TLS, you must create or obtain client certificates, or create a RACF keyring.
To set HTTPS connections
Set the following properties in the AMICMNEV member of the &HLQ.UBBSAMP data set:
SSL_ENABLE=true
AMIDSC_PORT_TYPE=https
AMIDSC_SECURED=true
AMIDSC_UNSECURED=falseSet the following keystore details. The values are the same as those you entered during installation and as you determined in the Planning topic.
Property
Description
AMIAPS_KEYSTORE_TYPE=keystoreType
Type of keystore
Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
AMIAPS_KEYSTORE_NAME=<keystoreName>
Name of the BMC AMI Ops UI Server keystore
Enter one of the following information:
- USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore )
- RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
AMIMON_KEYSTORE_NAME=<monitorKeystoreName>
Name of the BMC AMI Ops Monitor server keystore
Enter one of the following information:
- USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore )
- RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
AMIAPS_KEYSTORE_LABEL=<certificateAlias> 2
Enter the Keystore alias
AMIAPS_KEYSTORE_PASSWORD=<keystorePassword>
Keystore password
For a RACF Keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
AMIDSC_KEYSTORE_TYPE=<keystoreType>
Type of Keystore
Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
AMIMON_KEYSTORE_TYPE=<keystoreType>
Type of Keystore
Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
AMIDSC_KEYSTORE_PASSWORD=<keystorePassword>
Keystore password
For a RACF keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
AMIDSC_KEYSTORE_LABEL=<certificateAlias>2
Enter the Keystore alias
AMIMON_KEYSTORE_LABEL=<certificateAlias>2
Enter the Keystore alias
AMIMON_KEYSTORE_PASSWORD=<keystorePassword>
Keystore password
For a RACF keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
AMIDSC_KEYSTORE_NAME=serviceregistryKeystoreName
Name of the BMC AMI Ops UI Discovery server server keystore
Enter one of the following information:
- USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore )
- RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
AMIMGR_KEYSTORE_TYPE=<keystoreType>
Type of keystore
Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
AMIMGR_KEYSTORE_ALIAS=<certificateAlias>
Enter the Keystore alias
AMIMGR_KEYSTORE_PASSWORD=<keystorePassword>
Keystore password
For a RACF keyring (JCERACFKS or JCECCARACFKS type), the value must be password.
AMIMGR_KEYSTORE_NAME=amiManagerKeystoreName
Name of the BMC AMI Managerserver keystore
Enter one of the following information:
- USS path where the Keystore is located (for example, /u/MAINVIEW/opsui/amiops.keystore )
- RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
Set the following Truststore details. The values are the same as those you entered during installation and as you determined in the Planning topic.
Property
Description
AMIAPS_TRUSTSTORE_TYPE=truststoreType1
Type of truststore
Enter one of the following values: JKS, PKCS12, JCERACFKS, or JCECCARACFKS.
AMIAPS_TRUSTSTORE_NAME=truststoreName
Name of the BMC AMI Ops UI Server truststore
Enter one of the following information:
- USS path where the Truststore is located (for example, /u/MAINVIEW/opsui/amiops.jks)
- RACF keyring path created using any mainframe SAF mechanism (for example, safkeyring://USER/Keyring_name)
AMIAPS_TRUSTSTORE_PASSWORD=<truststorepassword>
Truststore password
For a RACF keyring (JCERACFKS or JCECCARACFKS type) the value must be password.
Validate the JCL script for SSL communication by confirming that the following lines are present and uncommented in the AMIAPSEV and AMIDSCEV environment members that are located in the &HLQ.BMCPCNFG data set, and the MUXMONEV member that is located in the &HLQ.BMCSAMP data set:
IJO="$IJO -Djavax.net.ssl.trustStorePassword=${AMIAPS_TRUSTSTORE_PASSWORD}"
IJO="$IJO -Djavax.net.ssl.trustStore=${AMIAPS_TRUSTSTORE_NAME}"
IJO="$IJO -Djavax.net.ssl.trustStoreType=${AMIAPS_TRUSTSTORE_TYPE}"
Updating client certificate settings
You can enable or disable client certificate authentication and update the client certificate details.
Client certificate should be added to RACF against a user.
To enable or disable client certificate authentication
Set the following properties in the AMICMNEV member of the &HLQ.UBBSAMP data set. The values are the same as those you entered during installation and as you determined in the Planning topic.
Property | Description |
---|---|
AMIAPS_CLIENT_AUTH | Whether to enable client authentication Enter one of the following values:
|
AMIAPS_ALLOW_CLIENT_CERT | Whether to allow authentication of credentials when the digital certificate are configured Enter one of the following values:
|
To update User role settings when using client certificate
(Use this option only for BMC AMI Ops Insight.)
Set the following properties in AMIAPSEV environment member that is located in the &HLQ.BMCPCNFG data set.
User role global settings when using client certificate:
Properties
Description
export APS_CLT_CRT_ID_MAPPING=true
Set to true
If client certificate is created with hostIdMapping, which is the host and user id mapping, the user roles (none, user or admin) are fetched from RACF definitions for mapped user id.
Set to false
If client certificate is not created with hostIdMapping or if you want to define user's role, you must follow the User role manual settings.
The following is a sample config file to create a certificate having hostIdMapping using OpenSSL:
User role manual settings:
Properties
Description
export APS_CLT_CRT_ROLE=USER
Default role for all client certificates
You can use ADMIN, USER, or NONE role as the value.
export APS_CLT_CRT_NONELIST=/
export APS_CLT_CRT_USERLIST=/
export APS_CLT_CRT_ADMINLIST=/
Comma separated CN field value from the certificate for respective role
For more information, see Security section of the BMC AMI Ops Insight documentation.
Creating or obtaining certificates
Use the keytool utility to create a self-signed or acquire a CA-signed certificate for the product.
The keystore will be the same for the following services and servers:
- BMC AMI Ops UI Server (Application server)
- BMC AMI Ops UI Discovery server (Eureka server)
- BMC AMI Ops Insight service
- BMC AMI Ops Monitor service (Ops monitor)
To create a self-signed certificate
Run the following command to create a self-signed certificate and add it to the keystore. Make sure that the keytool is in the JAVA_HOME/bin directory. The supported version is Java 17.
Replace the following placeholders:
- <pathToKeystore>
- <keystorePassword>
- <storeType>
- <aliasName>
- <hostName>
To acquire a CA certificate
Run the following command to generate a key by using the keytool utility. Make sure the keytool is in the JAVA_HOME\bin directory.
keytool -genkeypair -alias <aliasName> -keypass <keyPassword> -keystore <keystoreName> -storepass <keystorePassword> -validity <numberOfDays> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -deststoretype <storeType>Replace the following placeholders:
- <aliasName>
- <keyPassword>
- <keystoreName>
- <keystorePassword>
- <numberOfDays>
- <storeType>
Enter the information for the following prompts:
What is your first and last name? [Unknown]: <fully qualified domain name>
What is the name of your organizational unit? [Unknown]: <company name>
What is the name of your organization? [Unknown]: <organization name>
What is the name of your City or Locality? [Unknown]: <your city>
What is the name of your State or Province? [Unknown]: <your state>
What is the two-letter country code for this unit? [Unknown]: <your 2 letter country code>
Is CN=<FQDN>, OU=<company name>, O=<organization name>, L=<your city>, ST=<your state>, C=<your country> correct? [no]: yUse the key you generated in the previous step to create a certificate signing request (.csr):
keytool -certreq -alias <aliasName> -file <fileName>.csr -keystore <keystoreFileName> -ext san=dns:<FQDN> -storepass <keystorePassword>Replace the following placeholders:
- <aliasName>
- <keystoreFileName>
- <FQDN>
- <keystorePassword> —This is the same keystore password as defined in the earlier -storepass <keystorePassword>.
- Approach a CA provider with the key and .csr file to obtain a CA certificate.
After you receive the CA certificate, use the following command to create a keystore, using the key and certificate files that you created:
keytool -importcert -alias <aliasName> -file <certificateFileName> -keystore <keystoreFileName> -storetype <storeType> -trustcacertsReplace the following placeholders:
- <aliasName>
- <certificateFileName>
- <keystoreFileName>
- <storeType>
Where to go from here
To sign in to BMC AMI Ops User Interface and start using its features, see Signing-in-to-BMC-AMI-Ops-User-Interface.
If you are not seeing the data you expect, see Troubleshooting.