Configuring TLS access for Capacity Database Web Services database


The Mainframe ETL can use Transport Layer Security (TLS) 1.2 with server certificate validation to access the Capacity Database Web Services database. To enable TLS, you must procure a signed certificate from your system administrator, save and import the certificate on the server where the ETL engine is installed, and then configure the BMC Helix Continuous Optimization for Mainframes components to use TLS.

You can configure TLS to access the Capacity Database Web Services database by:

  • Enabling TLS server certificate validation
  • Configuring the BMC Helix Continuous Optimization for Mainframes components to use TLS


To enable TLS server certificate validation

The local and remote ETL Engine Servers of BMC Helix Continuous Optimization can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the ETL engine and the Capacity Database Web Services SQL Server database. 

To enable TLS 1.2 with server certificate validation: 

  1. Procure the Certificate Authority (CA) signed certificate from the system administrator of your organization for your Capacity Database Web Services SQL Server database. Ensure that the certificate is in X.509 format.
     For example, extdatabase.crt.
  2. Save the procured certificate file in the following location:

    Component                   Location
    Remote ETL Engine Server    <Remote ETL Engine Server Installation Directory>/secure

  3. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

    export PATH=<Server Installation Directory>/jre/bin:$PATH
  4. Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

    keytool -importcert -trustcacerts -file <path>/extdb.crt -keystore cotruststore.ts -alias <CertificateName>

    Here

    • <path> is the location where you saved the certificate file in step 2.
    • extdb.crt is the name of the procured SQL Server database certificate. If the name of this certificate is different, use the relevant file name in the keytool command.
    • Replace all instances of <CertificateName> with the appropriate certificate name.
  5. When prompted for the password, enter the password to access the keystore. The default password is changeit.
  6. When prompted to trust the certificate, enter Yes.

The communication between the external SQL Server database and the ETL Engine Servers is now TLS 1.2 enabled with server certificate validation.
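The import in steps 4 to 6 adds a new trust anchor, so it is worth confirming that the file is the certificate your administrator issued before you answer Yes. The following script is an added example, not part of the BMC product or its documentation. It assumes that the expected SHA-256 fingerprint was supplied separately by the certificate issuer and that the coreutils base64 and sha256sum tools are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import check for the certificate imported in step 4.
# Usage (assumed): sh precheck.sh <cert-file> <expected-sha256> <alias>

# Print "pem", "der" or "unknown" for a certificate file.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der    # binary DER starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Print the SHA-256 fingerprint of the (first) certificate in the file,
# as colon-separated uppercase hex, the form keytool uses for fingerprints.
cert_sha256() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "not a PEM or DER certificate file: $1" >&2
        return 1
    fi
    if [ "$enc" = pem ]; then
        # Keep only the base64 body of the first certificate block.
        awk '/-----BEGIN CERTIFICATE-----/{f=1;next} /-----END CERTIFICATE-----/{exit} f' "$1" |
            tr -d '\r' | base64 -d
    else
        cat "$1"
    fi | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Succeed only if the file's fingerprint equals the expected one (case-insensitive).
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F' | tr -d ' ')
    got=$(cert_sha256 "$1") || return 1
    [ "$got" = "$want" ]
}

# Run the page's import command only after the check passes, then list the new entry.
main() {
    fingerprint_matches "$1" "$2" || { echo "fingerprint mismatch: do not import" >&2; return 1; }
    keytool -importcert -trustcacerts -file "$1" -keystore cotruststore.ts -alias "$3" &&
        keytool -list -keystore cotruststore.ts -alias "$3"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it from the <Server Installation Directory>/secure directory so that cotruststore.ts resolves as in step 4. Any fingerprint keytool displays when it asks whether to trust the certificate can be compared with the same expected value.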

To configure the BMC Helix Continuous Optimization for Mainframes components to use TLS

Complete the following steps on all the devices that have the Application Server components and ETL Engine Server installed: 

  1. Log on to the server as the cpit user. Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script:

    ./switchTLSmode.pl -on -tspwd -flow externaldb
  2. When prompted for the password, enter the password to access the truststore.

The communication channels between the BMC Helix Continuous Optimization for Mainframes internal components are now TLS 1.2 enabled with server certificate validation. 

 
