Skip to Content

Implementing SSL certificates

All communications from the browser to the MVMA service occur over a secure connection via the HTTPS protocol. We recommend that you provide a properly trusted certificate for the MVMA service. BMC provides a self-signed certificate for initial use.

Related topic

Starting-services-after-installation

Server Name Indication (SNI)

Proper implementation of SSL certificates is required for being able to access MVMA services from another host in your network after installation. 

Starting with version 9.2.00, MVMA supports the Server Name Indication (SNI) extension to the Transport Layer Security (TLS) protocol by which a client indicates the host name to which it is trying to connect in a request (for example, see RFC 3546). Therefore, you must provide certificates for each host name under which MVMA services should be available to MVMA users in the network. By default, MVMA installs its services with SNI enabled with a self-signed certificate in its keystore that is assigned to localhost as the host name, meaning that MVMA is available only if localhost appears in the host name in the URLs for accessing MVMA. Therefore, by default, MVMA is initially available only from within a browser running on the same system that MVMA is installed on.

To make MVMA in your network available from any browser by using the original host name in the URLs, you must add one or multiple certificates assigned to the name of the host where MVMA was installed. 

We recommend using a multi-host (SAN) certificate with MVMA to make the MVMA server available in the network under multiple host names, domains, or IP addresses using a single certificate. While using multi-host (SAN) certificates is the recommended approach, using certificates addressing the MVMA server's name or address in the CN field of the certificate's subject may still be feasible but generally requires more effort because it allows only one identity per certificate.

For example, to add a self-signed multi-host (SAN) certificate to the MVMA keystore to make MVMA available under the host name mvmahostname, any host name in the mycompany.com domain,  the localhost IP address 127.0.0.1, or an IP address such as  host_ip_address. Open a console to the MVMA installation directory and perform the following step adjusting mvmahostname and host_ip_address as needed.

(Windows platform) Run

.\jre\jdk-21.0.2\bin\keytool -genkey -alias bmmadminhttps_multihost -keyalg RSA -keysize 1024 -validity 3653 -startdate 2022/01/16 -dname "CN=mvmahostname, OU=BMM, O=BMC, L=Minneapolis, ST=MN, C=US" -ext san=dns:mvmahostname,dns:*.mycompany.com,IP:127.0.0.1,IP:host_ip_address -keystore security\keystore.jks -storepass bmcsoftware

(Linux platform) Run

./jre/jdk-21.0.2/bin/keytool -genkey -alias bmmadminhttps_multihost -keyalg RSA -keysize 1024 -validity 3653 -startdate 2022/01/16 -dname "CN=mvmahostname, OU=BMM, O=BMC, L=Minneapolis, ST=MN, C=US" -ext san=dns:mvmahostname,dns:*.mycompany.com,IP:127.0.0.1,IP:host_ip_address -keystore security/keystore.jks -storepass bmcsoftware

For example, to add a self-signed certificate to the MVMA keystore to make MVMA available under the host name mvmahostname from the CN field of the certificate's subject, open a console to the MVMA installation directory and perform the following step:

(Windows platform) Run

.\jre\jdk-21.0.2\bin\keytool -genkey -alias bmmadminhttps_mvmahostname -keyalg RSA -keysize 1024 -validity 3653 -startdate 2022/01/16 -dname "CN=mvmahostname, OU=BMM, O=BMC, L=Minneapolis, ST=MN, C=US" -keystore security\keystore.jks -storepass bmcsoftware

(Linux platform) Run

./jre/jdk-21.0.2/bin/keytool -genkey -alias bmmadminhttps_mvmahostname -keyalg RSA -keysize 1024 -validity 3653 -startdate 2022/01/16 -dname "CN=mvmahostname, OU=BMM, O=BMC, L=Minneapolis, ST=MN, C=US" -keystore security/keystore.jks -storepass bmcsoftware

​​​​​To adjust this example to your network environment, replace mvmahostname with the network host name of the MVMA 9.2 installation system.

Using your own certificate

To configure MVMA to use your own certificate, place that certificate in a keystore and provide the associated configuration to the application.
If you have a keystore already configured with your SSL certificate, follow these steps:

  1. Open <install_directory> /configuration/services/org.apache.felix.http.cfg in a text editor.
  2. Change the value of the key org.apache.felix.https.keystore so that it points to your keystore file.

  3. Set the value of the key org.apache.felix.https.keystore.password to the password of your keystore. You can encode this password by running the following command and pasting the output into this field:
    (Windows) <install_directory>/bin/encodePassword.bat(Linux) <install_directory>/bin/encodePassword.sh

    Warning

    Important 

    You must include the OBF prefix when using an obfuscated password. Do not use the MD5 password.

  4. If required, add a org.apache.felix.https.keystore.key.password property and set as the password for your certificate. You can encode this password by running the following command and pasting the output into this field:
    (Windows) <install_directory>/bin/encodePassword.bat
    (Linux) <install_directory>/bin/encodePassword.sh

Using the keytool utility to create a keystore

If you have a certificate but do not have a keystore, use the keytool utility to create a keystore. You can then insert your certificate into the keystore. MVMA uses this certificate.

Creating a keystore can be a very complicated process; the following procedure details the basic steps only:

  1. Make sure that you have a valid certificate and you know the password for the certificate.
  2. Run the command <install_directory> /jre/<JRE platform>/ bin/keytool -importcert -keystore mykeystore.jks -file cert.pem
  3. When prompted, enter a password for the keystore, and confirm it by re-entering it.
    You can now use this keystore in the MVMA configuration. You can use the encodePassword utility to conceal your passwords.

Keytool examples

This section includes examples of listing certificates in a jks keystore, and printing a certificate to see the certificate chain.

Warning

Important 

MVMA supports Java Keystore files only.

Listing certificates in jks keystore

Run the keytool with the -list parameter. You can use -v to get more verbose output.

Listing certificates in a JKS also forces you to verify that the keystore is of a supported type.

To get a summary of the certificates and keys currently stored in a keystore or truststore run the following command:

keytool --list -keystore keystore.jks -storepass bmcsoftware

Example output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
bmmadminhttps, Sep 7, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D

To get a detailed list of the certificates and keys kept in a keystore or truststore, use the -v option as in the following command:

keytool --list -keystore keystore.jks -storepass bmcsoftware -v
Example output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: bmmadminhttps
Creation date: Sep 7, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
Issuer: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: b525bf03a32ba45d Valid from: Thu Sep 07 11:08:02 CEST 2017 until: Sat Oct 07 11:08:02 CEST 2017 Certificate fingerprints:
MD506:CE:D6:DE:0B:60:C3:49:C9:7D:C0:DE:4B:5C:AC:83
SHA1: 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D
SHA256: 71:9B:43:F5:9F:23:93:F4:C8:50:5C:AC:41:1F:26:99:36:C8:73:F0:2B:04:FA:F0:43:25:2C:29:A5:E8:93:60
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
0000: 67 29 98 F8 06 DD EC 03   A4 7A 5E AE 29 A1 E8 89  g).......z^.)...
0010: 02 E1 A4 5A  ...Z
]
]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
0000: 67 29 98 F8 06 DD EC 03   A4 7A 5E AE 29 A1 E8 89  g).......z^.)...
0010: 02 E1 A4 5A ...Z
]
]

To print a certificate to see the certificate chain

Run the keytool with the -printcert switch against a certificate file. You can use the -v switch to get more verbose output. 

To print a self-signed certificate (owner and issuer are the same), use the following command:

$ keytool -printcert -file bmmadminhttps.pem -v

Example output
Owner: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
Issuer: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: f57e86726ec751a9 Valid from: Fri Sep 08 12:45:31 CEST 2017 until: Sun Oct 08 12:45:31 CEST 2017 Certificate fingerprints:
MD5A2:EC:62:CD:D0:A5:BB:C9:0D:3B:D8:41:E5:32:3F:87
SHA1: 43:FC:51:47:B3:4A:0D:20:70:69:36:91:68:A6:44:10:CF:1F:18:27
SHA256: BF:44:1B:A7:FB:F2:81:78:71:2D:2F:5D:7B:61:1C:76:4D:6D:53:78:C9:42:98:72:51:0F:55:C7:D8:F7:42:60
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
0000: B9 BD 13 6E 18 AD 92 82   07 F5 FE A2 4F 42 69 31  ...n........OBi1
0010: E9 1B 42 3E    ..B>
]
]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
0000: B9 BD 13 6E 18 AD 92 82   07 F5 FE A2 4F 42 69 31  ...n........OBi1
0010: E9 1B 42 3E   ..B>
]
]

To print a certificate not self-signed

Use the following command example ​​​​​referring to a sample certificate file named ‘client.cert.pem’:

keytool -v -printcert -file client.cert.pem

The output refers to the issuer as part of the certificate chain
Owner: EMAILADDRESS=client@testcompany.com, CN=client, OU=client Unit, O=Test Company, L=us-english, ST=California, C=US
Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: d652375c551d16af Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
MD572:34:D8:B9:2B:DD:AC:96:2B:D2:89:98:F1:2E:E1:E4
SHA1: C0:8D:10:29:8A:14:EC:BF:57:FE:C3:46:45:46:68:4C:A8:77:BC:ED
SHA256: C1:42:40:B7:7C:81:B7:70:01:55:BC:31:9E:45:62:46:B4:D0:4B:62:40:22:F9:5C:39:2E:F8:D7:CB:CC:C6:B3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
CA:false
PathLen: undefined
]

To follow the certificate chain, you can typically follow the certificate chain with the same certificate that the issuer in the previous certificate was referring to (assuming the sample root certificate file is named client_root.cert.pem):

keytool -v -printcert -file client_root.cert.pem
Example output
Owner: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US
Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: fec57ad3cd27746a Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
MD51E:A5:08:A6:86:38:96:11:18:F5:FD:89:8A:53:1F:F3
SHA1: 39:E0:93:76:E2:99:9A:AC:0C:23:B9:5E:61:8A:90:8D:76:48:96:65
SHA256: B9:15:2A:6E:AC:DF:EF:28:9F:A5:3F:17:15:A2:75:87:CB:AB:46:8C:10:41:E4:13:A0:82:7E:8E:18:46:61:CA
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
CA:true
PathLen:0
]

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

MainView Middleware Administrator 9.2