This documentation supports the 21.3 version of BMC Helix ITSM: Change Management.

Reviewing the Java runtime environment


Action Request System web services require the Java runtime environment (JRE) on the system that is running AR System Administrator. You can check the validity of the certificate by using your browser. Browsers indicate errors and warnings in detail while communicating over HTTPS.

The JRE ships with a default certificate database, the cacerts file, at tuner\lib\jre\lib\security\cacerts. By default, the database contains a limited set of trusted root certificates. You can use the Java command-line tool, keytool, to import new trusted root certificates. For more information, see https://docs.oracle.com/en/java/javase/11/tools/keytool.html.

You can review all of the trusted root certificates with the following command from the jre\bin directory:

keytool -list -v -keystore ..\lib\security\cacerts -storetype jks -storepass changeit


Important

The VM's default store password is changeit.

To verify which certificates are issued with your root certificate, make an SSL connection to CMS using your browser. From Microsoft Internet Explorer, double-click the lock icon at the bottom right. The chain of certificates from your SSL certificate to the top-level root certificate appears. Make sure each root is in the cacerts file.

To add a root certificate to the cacerts file, use the following command:

keytool -import -v -file c:\temp\root.b64 -keystore ..\lib\security\cacerts -storetype jks -storepass changeit

This process assumes you have previously exported the root certificate to c:\temp\root.b64. BMC Configuration Management has a channel, Certificate Manager, which allows you to do this. Make sure to review the cacerts file again to verify that the certificate was added successfully.

If you do not specify the keystore location, the keytool creates a new cacerts file in the $HOME directory.
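The following added example (not BMC's own code) shows one way to confirm that each exported root is in cacerts by comparing SHA-256 fingerprints against saved `keytool -list -v` output, rather than relying on alias or subject names. It assumes English keytool output; the helper names, the sample listing, and the stand-in certificate bytes are constructed for illustration.

```python
import base64
import hashlib

def pem_sha256(pem_text):
    """SHA-256 fingerprint of a Base64 (PEM) certificate, in keytool's AA:BB form."""
    lines = (ln.strip() for ln in pem_text.splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_listing(listing):
    """Map SHA-256 fingerprint -> alias from English `keytool -list -v` output."""
    entries, alias = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256:") and alias is not None:
            entries[line.split(":", 1)[1].strip().upper()] = alias
    return entries

def missing_roots(listing, pem_roots):
    """Names of roots whose fingerprint does not appear in the keystore listing."""
    trusted = parse_listing(listing)
    return [name for name, pem in pem_roots.items()
            if pem_sha256(pem) not in trusted]

def _constructed_pem(payload):
    # Constructed stand-in bytes, not a real certificate; only the hashing matters here.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

ROOT_A = _constructed_pem(b"constructed root A")
ROOT_B = _constructed_pem(b"constructed root B")

# Constructed sample shaped like `keytool -list -v` output; it holds only root A.
SAMPLE_LISTING = f"""Keystore type: JKS
Your keystore contains 1 entry

Alias name: exampleroot
Entry type: trustedCertEntry

Owner: CN=Example Root A
Issuer: CN=Example Root A
Certificate fingerprints:
\t SHA256: {pem_sha256(ROOT_A)}
"""

if __name__ == "__main__":
    print(missing_roots(SAMPLE_LISTING, {"root-a": ROOT_A, "root-b": ROOT_B}))
```

To use it on a real system, redirect the output of the listing command to a text file and pass its contents as `listing`, with the contents of each exported .b64 file as the values of `pem_roots`.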

 
