Enabling SSL support


This topic provides an overview of how to generate and install test SSL certificates for your environment. Refer to the OpenSSL documentation for more details.

BMC Database Automation expects three basic types of certificates:

  • A Certificate Authority (CA) certificate, which is used to issue and validate all other certificates
  • A server certificate installed on the BMC Database Automation Manager, issued by that CA
  • One or more client certificates, installed on the hosts where the command utilities package is installed and from which commands are issued to BMC Database Automation. These certificates must also be issued by the same CA.

To generate SSL certificates

  1. Run the script to generate SSL certificates, passing the fully qualified domain name of the manager, and follow the instructions:
    /app/clarity/manager_scripts/bin/generate_ssl_cert manager.gridapp-dev.com
    If you want to customize some certificate properties (for example, the country, city, or organization name), copy the sample file /app/clarity/manager_scripts/etc/caprops.default to /app/clarity/manager_scripts/etc/caprops, modify it as required, and then run the script.
  2. Install the various certs on the manager:
    cp /app/clarity/var/ssl_cert/manager.gridapp-dev.com/manager/* /app/clarity/dmanager/etc
  3. Edit the mtd.conf file to enable SSL and point to the new certs/keys:
    service=static MtdApiSoapAcceptor "-c 2 -s 1 -p 8087 -k /app/clarity/dmanager/etc/api_server.key -x /app/clarity/dmanager/etc/apiserver.pem -y /app/clarity/dmanager/etc/apicacert.pem"
  4. Copy the client cert and client key to each client host, substituting the client's host name (the example copies them into the cmdutils directory on the manager itself):
    scp /app/clarity/var/ssl_cert/manager.gridapp-dev.com/client/*  root@manager.gridapp-dev.com:/app/clarity/cmdutils/etc

Example certificate generation process

The following example process demonstrates how certificates under Linux are generated using the standard OpenSSL command line tool. The resulting client certificates can be installed under either Linux or Windows.

Note

The name provided in the following example session (testca.bmc.com) is for demonstration purposes only. Substitute that name, wherever it appears in the example, with the fully qualified domain name of your host to ensure that the SSL certificates are generated successfully.

  1. Create a directory for temporary files:
    mkdir /root/certsetup
    cd /root/certsetup
  2. Create the caprops.txt file with the following content. Use sha256 as the default digest: current OpenSSL releases reject SHA-1 certificate signatures at their default security level, and modern TLS clients do the same.
    [ req ]
    default_bits = 2048
    default_keyfile = cakey.key
    default_md = sha256
    prompt = no
    distinguished_name = testca.bmc.com
    x509_extensions = v3_ca

    [ testca.bmc.com ]
    countryName = US
    stateOrProvinceName = New York
    localityName = New York
    0.organizationName = BMC Software Inc.
    commonName = API Test Certificate Authority
    emailAddress = devin_heitmueller@bmc.com

    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = CA:true
  3. Generate the CA private key:
    openssl genrsa -out cakey.key 2048
  4. Generate the CA certificate CSR (only needed if you self-sign from the CSR in step 5 rather than in one step in step 6):
    openssl req -new -config caprops.txt -key cakey.key -out api_ca.csr
  5. Self-sign the test CA certificate from the CSR. Pass -extfile and -extensions, because x509 -req does not otherwise apply the v3_ca extensions (basicConstraints CA:true) that clients require before they will trust the certificate as an issuer:
    openssl x509 -req -days 3650 -in api_ca.csr -signkey cakey.key -extfile caprops.txt -extensions v3_ca -out cacert.pem
  6. Alternatively, generate the self-signed CA certificate in one step; with -x509, req applies the v3_ca extensions from caprops.txt directly. Steps 5 and 6 both write cacert.pem, so use one or the other:
    openssl req -new -config caprops.txt -days 3650 -x509 -key cakey.key -out cacert.pem
  7. Display the properties of the new CA certificate and confirm that the output shows CA:TRUE:
    openssl x509 -text -noout -in cacert.pem
  8. Generate the server private key:
    openssl genrsa -out api_server.key 2048
  9. Generate the server certificate CSR (without -config, the req command prompts for the subject fields):
    openssl req -new -key api_server.key -out api_server.csr

    Note

    The 'Common Name' should match the output of the hostname command on the BDA management server.

  10. Generate the server certificate, signed with the CA certificate and key. Each certificate a CA issues must carry a unique serial number; the example uses 123 for the server and 456 for the client:
    openssl x509 -req -days 3650 -sha256 -in api_server.csr -CA cacert.pem -CAkey cakey.key -set_serial 123 -out apiserver.pem
  11. Display the properties of the new server certificate:
    openssl x509 -text -noout -in apiserver.pem
  12. Generate a client private key:
    openssl genrsa -out apiclient.key 2048
  13. Generate the client certificate CSR:
    openssl req -new -key apiclient.key -out api_client.csr

    Note

    The 'Common Name' should match the output of the hostname command on the BDA client server.

  14. Generate the client cert, signed with the CA certificate:
    openssl x509 -req -days 3650 -sha256 -in api_client.csr -CA cacert.pem -CAkey cakey.key -set_serial 456 -out apiclient.pem
  15. Display the properties of the new client certificate:
    openssl x509 -text -noout -in apiclient.pem
  16. Install the various certs on the manager. Restrict read permission on api_server.key to the account that runs the manager service:
    cp /root/certsetup/cacert.pem /app/clarity/dmanager/etc/apicacert.pem
    cp /root/certsetup/apiserver.pem /app/clarity/dmanager/etc/
    cp /root/certsetup/api_server.key /app/clarity/dmanager/etc/
  17. Edit the mtd.conf file to enable SSL and point to the new certs/keys:
    service=static MtdApiSoapAcceptor "-c 2 -s 1 -p 8087 -k /app/clarity/dmanager/etc/api_server.key -x /app/clarity/dmanager/etc/apiserver.pem -y /app/clarity/dmanager/etc/apicacert.pem"
  18. Copy the client cert and client key to the individual client, substituting the client's host name. Keep client.key readable only by the account that runs the command utilities, because anyone who can read it can authenticate to the manager as that client:
    scp apiclient.pem root@rh5-ma-130.gridapp-dev.com:/app/clarity/cmdutils/etc/client.pem
    scp cacert.pem root@rh5-ma-130.gridapp-dev.com:/app/clarity/cmdutils/etc/cacert.pem
    scp apiclient.key root@rh5-ma-130.gridapp-dev.com:/app/clarity/cmdutils/etc/client.key
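The script procedure and the manual OpenSSL session above are combined here into one shell script that builds the same three-certificate set (CA, manager, client) and verifies it before anything is copied into /app/clarity. This is an added example, not BMC's generate_ssl_cert script or any code from the page. The host names, the working directory, and the verify_against_ca, has_san and cert_cn helpers are assumptions. It also goes slightly beyond the page: leaf certificates get a subjectAltName and an extendedKeyUsage (serverAuth for the manager, clientAuth for cmdutils hosts), which modern TLS stacks check, and the CA is constrained with pathlen:0 and keyUsage.

```shell
#!/bin/sh
# Added example (not BMC's generate_ssl_cert): build the test CA, the manager
# certificate and one client certificate, then verify them before installing.
# Assumptions: openssl 1.1.1 or later on PATH; the host names are placeholders.
set -eu

MANAGER_FQDN="${MANAGER_FQDN:-manager.gridapp-dev.com}"   # output of hostname on the manager
CLIENT_FQDN="${CLIENT_FQDN:-rh5-ma-130.gridapp-dev.com}"   # output of hostname on the client
WORKDIR="${WORKDIR:-$(mktemp -d)}"                         # like /root/certsetup on the page

# CA request config. Differences from the page's caprops.txt: sha256 instead of
# sha1 (SHA-1 signatures are rejected by current TLS stacks), and the CA is
# limited to signing certificates and CRLs with no subordinate CAs (pathlen:0).
write_ca_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca

[ ca_dn ]
countryName         = US
stateOrProvinceName = New York
localityName        = New York
0.organizationName  = BMC Software Inc.
commonName          = API Test Certificate Authority

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# Extensions for a leaf: explicitly not a CA, TLS key usage, the role
# (serverAuth for the manager, clientAuth for cmdutils hosts) and a SAN,
# which hostname verification uses in preference to the CN.
write_leaf_ext() {  # $1=file  $2=serverAuth|clientAuth  $3=fqdn
  cat > "$1" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName   = DNS:$3
EOF
}

# Key, CSR (CN = fqdn, as the page requires) and CA-signed certificate.
# $1=basename  $2=fqdn  $3=serverAuth|clientAuth  $4=serial (unique per CA)
issue_leaf() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/$1.key"
  openssl req -new -key "$WORKDIR/$1.key" \
    -subj "/O=BMC Software Inc./CN=$2" -out "$WORKDIR/$1.csr"
  write_leaf_ext "$WORKDIR/$1.ext" "$3" "$2"
  openssl x509 -req -days 3650 -sha256 -in "$WORKDIR/$1.csr" \
    -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.key" -set_serial "$4" \
    -extfile "$WORKDIR/$1.ext" -out "$WORKDIR/$1.pem" 2>/dev/null
}

build_pki() {
  write_ca_config "$WORKDIR/caprops.txt"
  openssl genrsa -out "$WORKDIR/cakey.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/cakey.key"
  # One-step self-signed CA (the page's step 6); -x509 applies [ v3_ca ].
  openssl req -new -x509 -days 3650 -config "$WORKDIR/caprops.txt" \
    -key "$WORKDIR/cakey.key" -out "$WORKDIR/cacert.pem"
  issue_leaf apiserver "$MANAGER_FQDN" serverAuth 123
  issue_leaf apiclient "$CLIENT_FQDN" clientAuth 456
}

# Succeeds only if certificate $1 chains to the CA in $2.
verify_against_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Succeeds if the certificate's subjectAltName lists DNS:$2.
has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }

# Prints the CN so it can be compared with the output of hostname on the target.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

main() {
  build_pki
  verify_against_ca "$WORKDIR/apiserver.pem" "$WORKDIR/cacert.pem"
  verify_against_ca "$WORKDIR/apiclient.pem" "$WORKDIR/cacert.pem"
  has_san "$WORKDIR/apiserver.pem" "$MANAGER_FQDN"
  echo "verified; manager CN=$(cert_cn "$WORKDIR/apiserver.pem"); files in $WORKDIR"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh build_test_pki.sh --run`, then copy cacert.pem, apiserver.pem and apiserver.key from the working directory into /app/clarity/dmanager/etc (renaming as the page shows) and apiclient.pem, apiclient.key and cacert.pem into the client's cmdutils/etc. The verify_against_ca check is the one worth keeping in any deployment script: a leaf that was signed by the wrong CA, or a CA certificate built without the v3_ca extensions, fails here rather than at the first API call.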

The resulting certificates are installed in the following manner:

  • On the BMC Database Automation Manager, the following files must be installed:
    /app/clarity/dmanager/etc/api_server.key
    /app/clarity/dmanager/etc/apiserver.pem
    /app/clarity/dmanager/etc/apicacert.pem
  • On the clients running the cmdtools package, the following files must be installed:
    /app/clarity/cmdutils/etc/client.pem
    /app/clarity/cmdutils/etc/cacert.pem
    /app/clarity/cmdutils/etc/client.key

Note

Under Windows, the same three files must be installed (with the same filenames), except that they are installed into the etc directory under whatever installation path the cmdtools package is installed.
