Configuring to consume over SSL or with client certificates


If you want to consume web services over SSL or with client certificates, add the Java keystore options in the arserver.config (arserverd.conf) file.

Self-signed certificates, or certificates signed by CAs that clients and servers do not trust, create recurring maintenance tasks. Using well-known certificate authorities reduces the number of manual tasks and integration disruptions. If you want to use certificates that are not trusted, check your internal procedures with your organization's security team before importing them, so that you do not have to import replacement certificates again in the future.

Examples

When you create a dedicated keystore without using the Java cacerts file (jre/lib/security/cacerts), an SSL handshake error might occur while consuming external web services over HTTPS, because the CA certificates that Java ships are missing from your store. To overcome this issue, import all Java cacerts content into the keystore/truststore. Refer to the following example:

keytool -v -importkeystore -srckeystore /opt/jdk1.8.0_112/jre/lib/security/cacerts -srcstoretype JKS -destkeystore /opt/bmc/ars/certificatestore.jks -deststoretype JKS -srcstorepass changeit -deststorepass password

You must add only the signed certificate. Use the truststore parameter to point to your file.

For one-way SSL, add the following Java keystore options in the arserver.config (arserverd.conf) file:

jvm.option.XX=-Djavax.net.ssl.trustStore=<pathToTrustStore>
jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=<password>
jvm.option.XX+2=-Djavax.net.ssl.trustStoreType=<trustStore Type>

For example:

jvm.option.XX=-Djavax.net.ssl.trustStore=/opt/Java/<Java_Home_Folder>/lib/security/cacerts
jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=****
jvm.option.XX+2=-Djavax.net.ssl.trustStoreType=JKS

If you are not using Java Cacerts for the AR System server process, refer to the following example:

jvm.option.XX=-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=****
jvm.option.XX+2=-Djavax.net.ssl.trustStoreType=pkcs12

If you want to use the same certificates for other processes such as the Java Plug-in server, update the armonitor.conf file. Refer to the following example for the Java Plug-in server (a single line in armonitor.conf):

/usr/java/default/<Java_Home_Folder>/bin/java -Djavax.net.ssl.keyStore=/opt/bmc/arsystem/conf/certificates.jks -Djavax.net.ssl.keyStorePassword=*** -Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12 -Djavax.net.ssl.trustStorePassword=*** -Djavax.net.ssl.trustStoreType=pkcs12 -Xmx512m -classpath /opt/bmc/arsystem/pluginsvr:/opt/bmc/arsystem/pluginsvr/arpluginsvr91_build001.jar:/opt/bmc/arsystem/approval/bin/armaskingImpl91_build001.jar:/opt/bmc/arsystem/api/lib/arcmnapp91_build001.jar com.bmc.arsys.pluginsvr.ARPluginServerMain -x onbmc-s -i /opt/bmc/arsystem -alias javapluginserver

Refer to the following example for the developerstudio.ini file:

-vmargs
-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
-Djavax.net.ssl.trustStorePassword=****
-Djavax.net.ssl.trustStoreType=pkcs12

For two-way SSL, add the following Java keystore options in the arserver.config (arserverd.conf) file:

jvm.option.XX=-Djavax.net.ssl.keyStore=<path to keyStoreType file>
jvm.option.XX+1=-Djavax.net.ssl.keyStorePassword=*****
jvm.option.XX+2=-Djavax.net.ssl.trustStore=<pathToTrustStore>  
jvm.option.XX+3=-Djavax.net.ssl.trustStorePassword=<password>
jvm.option.XX+4=-Djavax.net.ssl.keyStoreType=<keyStore Type>
jvm.option.XX+5=-Djavax.net.ssl.trustStoreType=<TrustStore Type>

For example:

jvm.option.XX=-Djavax.net.ssl.keyStore=/opt/bmc/arsystem/conf/certificates.jks
jvm.option.XX+1=-Djavax.net.ssl.keyStorePassword=*****
jvm.option.XX+2=-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
jvm.option.XX+3=-Djavax.net.ssl.trustStorePassword=****
jvm.option.XX+4=-Djavax.net.ssl.keyStoreType=JKS
jvm.option.XX+5=-Djavax.net.ssl.trustStoreType=pkcs12

The jvm.option.XX sequence must continue directly after the last jvm.option in the arserver.config (arserverd.conf) file.

For example, if the last jvm.option in the arserver.config (arserverd.conf) file is jvm.option.19, add the new jvm options starting from jvm.option.20.

The following sample shows an existing jvm.option sequence in the file:

jvm.option.1=-javaagent:../lib/spring-instrument-4.1.9.RELEASE.jar
jvm.option.2=-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl
jvm.option.3=-Dlogback.configurationFile=file:../conf/logback_server.xml
jvm.option.4=-Xss2M
jvm.option.5=-XX:MetaspaceSize=256M
jvm.option.6=-XX:MaxMetaspaceSize=512M
jvm.option.7=-Dcom.sun.management.jmxremote
jvm.option.8=-Dcom.bmc.arsys.boot.flavor=server
jvm.option.9=-XX:OnOutOfMemoryError=./kill-server
jvm.option.10=-Djetty.home=../jetty
jvm.option.11=-Dorg.eclipse.equinox.http.jetty.autostart=false
jvm.option.12=-XX:ErrorFile=file:../db/arserverjvmcrash_PID%p.log
jvm.option.13=-XX:+HeapDumpOnOutOfMemoryError
jvm.option.14=-XX:HeapDumpPath=../Logs
jvm.option.15=-XX:+UseCompressedOops
jvm.option.16=-XX:+UseConcMarkSweepGC
jvm.option.17=-XX:+UseParNewGC
jvm.option.18=-XX:NewRatio=2

For SSL support in this case, you must add the jvm options starting from 19. The numbering must be contiguous: if you leave a gap in the sequence, the options after the gap are not applied to the running service. The following example code snippet shows the result:

jvm.option.19=-Djavax.net.ssl.keyStore=/opt/bmc/arsystem/conf/certificates.jks
jvm.option.20=-Djavax.net.ssl.keyStorePassword=*****
jvm.option.21=-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
jvm.option.22=-Djavax.net.ssl.trustStorePassword=****
jvm.option.23=-Djavax.net.ssl.keyStoreType=JKS
jvm.option.24=-Djavax.net.ssl.trustStoreType=pkcs12
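The numbering rule above (and the one-way and two-way option sets earlier in this page) is easy to get wrong by hand. The following added helper, not part of the BMC documentation, parses the jvm.option lines of an arserver.config (arserverd.conf) text, refuses to append if the existing sequence has a gap, and numbers the new one-way or two-way SSL options from the last index plus one. The sample config contents and the path values are constructed for the example; passwords are left as placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a config tail (not taken from a real installation).
SAMPLE_CONFIG = """\
jvm.option.1=-Xss2M
jvm.option.2=-XX:MetaspaceSize=256M
jvm.option.3=-XX:+HeapDumpOnOutOfMemoryError
"""

# Constructed sample with a hole in the sequence: jvm.option.3 is missing.
GAPPED_CONFIG = """\
jvm.option.1=-Xss2M
jvm.option.2=-XX:MetaspaceSize=256M
jvm.option.4=-XX:+HeapDumpOnOutOfMemoryError
"""

OPTION_RE = re.compile(r"^jvm\.option\.(\d+)=(.*)$")


def parse_jvm_options(text: str) -> Dict[int, str]:
    """Return {index: value} for every jvm.option.N line in the config text."""
    opts: Dict[int, str] = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            opts[int(m.group(1))] = m.group(2)
    return opts


def find_gaps(opts: Dict[int, str]) -> List[int]:
    """Indices missing between 1 and the highest index present."""
    if not opts:
        return []
    return [i for i in range(1, max(opts) + 1) if i not in opts]


def ssl_options(truststore: str, truststore_type: str,
                keystore: Optional[str] = None,
                keystore_type: Optional[str] = None) -> List[str]:
    """One-way (truststore only) or two-way (keystore as well) option values."""
    values: List[str] = []
    if keystore:  # two-way SSL: the server also presents a client certificate
        values += [f"-Djavax.net.ssl.keyStore={keystore}",
                   "-Djavax.net.ssl.keyStorePassword=<password>",
                   f"-Djavax.net.ssl.keyStoreType={keystore_type}"]
    values += [f"-Djavax.net.ssl.trustStore={truststore}",
               "-Djavax.net.ssl.trustStorePassword=<password>",
               f"-Djavax.net.ssl.trustStoreType={truststore_type}"]
    return values


def append_ssl_options(config_text: str, values: List[str]) -> Tuple[str, int]:
    """Append values numbered from last index + 1; reject a sequence with gaps."""
    opts = parse_jvm_options(config_text)
    gaps = find_gaps(opts)
    if gaps:
        raise ValueError(f"jvm.option sequence has gaps at {gaps}; options after a gap are ignored")
    start = max(opts, default=0) + 1
    new_lines = [f"jvm.option.{start + i}={v}" for i, v in enumerate(values)]
    return config_text.rstrip("\n") + "\n" + "\n".join(new_lines) + "\n", start
```

Run append_ssl_options on the real file contents, review the returned text, and only then write it back and restart the AR System server.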

Restart the AR System server after all the configurations are complete.
