Enabling HTTPS/SSL on existing instance


Note

The instructions in this topic apply only to 5.0.03.003 or earlier versions of BMC Release Process Management (RPM).


If you already have an existing BMC Release Process Management instance configured via HTTP and you want to switch to HTTPS/SSL, do the following:

  1. To generate a keystore, run the following commands:

    Windows

    cd <RLM>/bin
    setenv.bat
    keytool -genkey -alias <ALIAS_NAME> -keyalg RSA -keystore <KEYSTORE_NAME>.keystore

    Linux/Oracle

    cd <RLM>/bin
    . ./setenv.sh
    keytool -genkey -alias <ALIAS_NAME> -keyalg RSA -keystore <KEYSTORE_NAME>.keystore
  2. Answer the questions that appear at the command prompt.

    Generating a keystore for UNIX:

    cd /opt/bmc/RLM/bin
    . ./setenv.sh
    keytool -genkey -alias brpm_ssl -keyalg RSA -keystore /tmp/certs/brpm.keystore

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  BMC Support
    What is the name of your organizational unit?
      [Unknown]:  CustomerSupport
    What is the name of your organization?
      [Unknown]:  BMC
    What is the name of your City or Locality?
      [Unknown]:  Houston
    What is the name of your State or Province?
      [Unknown]:  TX
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=BMC Support, OU=CustomerSupport, O=BMC, L=Houston, ST=TX, C=US correct?
      [no]:  yes
    Enter key password for <brpm_ssl>
            (RETURN if same as keystore password): 

    The brpm.keystore file is generated in the location specified in the command, which in this example is /tmp/certs/. You can move the file to the desired location.

  3. To configure the BMC Release Process Management JBoss instance, stop the BMC Release Process Management service and then do the following:

    1. In the standalone.xml file (for cluster installation, standalone-ha.xml) located at RLMhome/server/jboss/standalone/configuration/, disable the HTTP container by changing:

      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

      to

      <connector enabled="false" name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    2. After the virtual-server tag, add the following connector tag:

      New in 5.0.03.001: BMC Release Process Management 5.0.03 Patch 1 includes TLS 1.2 by default. You must specify the cipher-suite attribute and the following information in the connector tag:

      For RPM Classic UI 5.0.03.001:

      <connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
      <ssl certificate-key-file="C:\Program Files\BMC Software\RLM\server\jboss\standalone\configuration\.keystore"
      cipher-suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
      TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
      TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
      key-alias="brpm_ssl" name="ssl" password="ynakon" protocol="TLSv1.2" verify-client="false"/>
      </connector>

      For versions earlier than 5.0.03.001, add the following tag:

      <connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
      <ssl certificate-key-file="<keystore created in step1>" key-alias="brpm_ssl" name="ssl" password="<put your keystore password here>" protocol="TLSv1" verify-client="false"/>
      </connector>
    3. Under <socket-binding name="https" port="8443"/>, check the HTTPS port.

    Configuration of the BMC Release Process Management JBoss instance:

    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
        <connector enabled="false" name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <virtual-server name="default-host">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
        <connector enable-lookups="false" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
            <ssl certificate-key-file="/tmp/certs/brpm.keystore" key-alias="brpm_ssl" name="ssl" password="secret" protocol="TLSv1" verify-client="false"/>
        </connector>
    </subsystem>


  4. Start BMC Release Process Management and access it with the HTTPS port.
  5. (Optional) To generate the public certificate from the keystore, run the following command:

    keytool -export -alias <ALIAS_NAME> -file <CERTIFICATE_NAME>.cer -keystore <KEYSTORE_NAME>.keystore
  6. (Optional) To generate the certificate signing request (CSR), run the following command:

    keytool -certreq -keyalg RSA -alias <ALIAS_NAME> -file <CERTIFICATE_NAME>.csr -keystore <KEYSTORE_NAME>.keystore
  7. (Optional) Import the certification authority (CA) signed certificate to the keystore by doing the following:
    1. To download a chain or root certificates, go to the website of a CA where you obtained your certificates.

      Note

      The requirements and usage of chain or root certificates can differ for every CA. Refer to the corresponding CA documentation for more details.

    2. To import the chain or root certificate into the keystore, run the following command:

      keytool -import -alias root -keystore <KEYSTORE_NAME> -trustcacerts -file <FILENAME_FOR_CHAIN_CERTIFICATE>
    3. To import the new certificate, run the command:

      keytool -import -alias <ALIAS_NAME> -keystore <KEYSTORE_NAME> -file <CERTIFICATE_RECEIVED_FROM_CA>

      Note

      The keytool commands need to be modified properly to match your environment specific values such as path, names, and so on.

Related topic

Replacing-your-existing-SSL-certificates
