Implementing SSL certificates
All communications from the browser to the MainView Middleware Administrator (MVMA) service occur over a secure connection using the https protocol. BMC recommends that you provide a properly trusted certificate to be used by the MVMA service (BMC provides a self-signed certificate for initial use).
Using your own certificate
To configure MVMA to use your own certificate, place that certificate in a key store and provide the associated configuration to the application.
If you have a key store already configured with the intended SSL certificate, follow the steps below.
To use your own certificate
- Open <install_directory>/etc/jetty.xml in a text editor.
- Find the SSL connector configuration, look for the text "<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">".
- Change the "KeyStorePath" property so that it points to your key store file. Note that if you are using an absolute path to your key store, remove the SystemProperty element.
Set the "KeyStorePassword" property to the password of your key store. You may encode this password by running the <install_directory>/bin/encodePassword.bat (Windows) or encodePassword.sh (Linux) utility and pasting the output into this field.
- If required, add a "KeyManagerPassword" property and set it to the password for your certificate. You may encode this password by running the <install_directory>/bin/encodePassword.bat (Windows) or encodePassword.sh (Linux) utility and pasting the output into this field.
Use the keytool utility (create a key store)
If you have a certificate but do not have a key store, use the keytool utility to create a key store. You can then insert your certificate into the key store. MVMA uses this certificate.
Creating a key store can be a very complicated process; the following procedure details the basic steps only.
To create a key store using the keytool utility
- Make sure you have a valid certificate and you know the password for the certificate.
- Run the command <install_directory>/jre/<JRE platform>/ bin/keytool -importcert -keystore mykeystore.jks -file cert.pem
- When prompted, enter a password (and confirm it by re-entering it) for the key store.
- You may now use this key store in the MVMA configuration. Use the encodePassword utility to conceal your passwords if required.
Keytool examples
This section includes examples of listing certificates in a jks key store, and printing a certificate to see the certificate chain.
Listing certificates in a jks key store
Note that this also forces you to verify that the key store is of a supported type.
Run the keytool with the -list parameter and optionally -v to get more verbose output.
For example:
- To get a summary of the certificates and keys currently stored in a key or truststore run the following command:
keytool --list -keystore keystore.jks -storepass bmcsoftware
Example output:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
bmmadminhttps, Sep 7, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D - To get a detailed list of the certificates and keys kept in a key or truststore, use the -v option as in the following command:
keytool --list -keystore keystore.jks -storepass bmcsoftware -v
Example output:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: bmmadminhttps
Creation date: Sep 7, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
Issuer: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: b525bf03a32ba45d Valid from: Thu Sep 07 11:08:02 CEST 2017 until: Sat Oct 07 11:08:02 CEST 2017 Certificate fingerprints:
MD5: 06:CE:D6:DE:0B:60:C3:49:C9:7D:C0:DE:4B:5C:AC:83
SHA1: 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D
SHA256: 71:9B:43:F5:9F:23:93:F4:C8:50:5C:AC:41:1F:26:99:36:C8:73:F0:2B:04:FA:F0:43:25:2C:29:A5:E8:93:60
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
0000: 67 29 98 F8 06 DD EC 03 A4 7A 5E AE 29 A1 E8 89 g).......z^.)...
0010: 02 E1 A4 5A ...Z
]
]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
0000: 67 29 98 F8 06 DD EC 03 A4 7A 5E AE 29 A1 E8 89 g).......z^.)...
0010: 02 E1 A4 5A ...Z
]
]
Printing a certificate to see the certificate chain
This functionality requires you to run the keytool with the -printcert switch against a certificate file. Again you can use the -v switch to get verbose output.
For example:
- For a self-signed certificate (Owner and Issuer are the same), use the following command:
$ keytool -printcert -file bmmadminhttps.pem -v
Example output:
Owner: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
Issuer: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: f57e86726ec751a9 Valid from: Fri Sep 08 12:45:31 CEST 2017 until: Sun Oct 08 12:45:31 CEST 2017 Certificate fingerprints:
MD5: A2:EC:62:CD:D0:A5:BB:C9:0D:3B:D8:41:E5:32:3F:87
SHA1: 43:FC:51:47:B3:4A:0D:20:70:69:36:91:68:A6:44:10:CF:1F:18:27
SHA256: BF:44:1B:A7:FB:F2:81:78:71:2D:2F:5D:7B:61:1C:76:4D:6D:53:78:C9:42:98:72:51:0F:55:C7:D8:F7:42:60
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
0000: B9 BD 13 6E 18 AD 92 82 07 F5 FE A2 4F 42 69 31 ...n........OBi1
0010: E9 1B 42 3E ..B>
]
]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
0000: B9 BD 13 6E 18 AD 92 82 07 F5 FE A2 4F 42 69 31 ...n........OBi1
0010: E9 1B 42 3E ..B>
]
] - For a certificate not self-signed use the following command example from TIBCO EMS certificates:
keytool -v -printcert -file client.cert.pem
The output refers to the Issuer as part of the cert chain:
Owner: EMAILADDRESS=client@testcompany.com, CN=client, OU=client Unit, O=Test Company, L=us-english, ST=California, C=US
Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: d652375c551d16af Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
MD5: 72:34:D8:B9:2B:DD:AC:96:2B:D2:89:98:F1:2E:E1:E4
SHA1: C0:8D:10:29:8A:14:EC:BF:57:FE:C3:46:45:46:68:4C:A8:77:BC:ED
SHA256: C1:42:40:B7:7C:81:B7:70:01:55:BC:31:9E:45:62:46:B4:D0:4B:62:40:22:F9:5C:39:2E:F8:D7:CB:CC:C6:B3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
CA:false
PathLen: undefined
] - To follow the chain you can typically do so with the same certificate the issuer in the previous certificate was referring to:
keytool -v -printcert -file client_root.cert.pem
Example output:
Owner: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US
Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: fec57ad3cd27746a Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
MD5: 1E:A5:08:A6:86:38:96:11:18:F5:FD:89:8A:53:1F:F3
SHA1: 39:E0:93:76:E2:99:9A:AC:0C:23:B9:5E:61:8A:90:8D:76:48:96:65
SHA256: B9:15:2A:6E:AC:DF:EF:28:9F:A5:3F:17:15:A2:75:87:CB:AB:46:8C:10:41:E4:13:A0:82:7E:8E:18:46:61:CA
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
CA:true
PathLen:0
]