Atrium SSO

Steps to use the certificate of our CA with Atrium SSO.

  1. Set the PATH variable: set PATH="D:\Program Files\BMC Software\AtriumSSO\jre\bin";%PATH%
  2. Rename the existing key/certificate in the keystore “keystore.p12” located in “D:\Program Files\BMC Software\AtriumSSO\tomcat\conf”
    keytool -changealias -alias tomcat -destalias tomcat_orig -storepass internal4bmc -storetype pkcs12 -keystore keystore.p12
  3. Generate a new key pair within the keystore
    keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "keystore.p12" -storepass internal4bmc -storetype pkcs12 -providername JsafeJCE

We have made the following entries – replaced by placeholders in bold - in the following dialogue:
    What is your first and last name?
      [Unknown]: <FQDN of Atrium SSO server>
    What is the name of your organizational unit?
      [Unknown]: <organizational unit>
    What is the name of your organization?
      [Unknown]: <company>
    What is the name of your City or Locality?
      [Unknown]: <city>
    What is the name of your State or Province?
      [Unknown]: <state>
    What is the two-letter country code for this unit?
      [Unknown]: <country code>
    Is CN=<FQDN of Atrium SSO server>, OU=<organizational unit>, O=<company>, L=<city>, ST=<state>, C=<country code> correct?
      [no]: yes

  4. Generate the certificate signing request (CSR):
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE
  5. Send the CSR to the certificate authority (CA)
  6. After receiving the root and server certificate, combine them into one file. Add the server certificate first and then the root.
  7. Import the certificate(s):
    keytool -import -alias root -keystore keystore.p12 -trustcacerts -file AllInOne_Cert_4_AtriumSSO.cer -storetype PKCS12 -keypass internal4bmc -storepass internal4bmc

  8. Also import the certificate into the TrueSight Presentation Server “D:\Program Files\BMC Software\TrueSightPServer\jre\lib\security\cacerts”
  9. Log in to the TSPS and open a CMD window
  10. Set the PATH variable: set PATH="D:\Program Files\BMC Software\TrueSightPServer\jre\bin";%PATH%
  11. Change directory: cd "<TSPS HOME>\truesightpserver\modules\jre\lib\security"
  12. keytool -import -alias atriumsso_<servername> -keystore cacerts -trustcacerts -file AllInOne_Cert_4_AtriumSSO.cer -storepass changeit

TrueSight Presentation Server (TSPS)

We followed the following steps to use the certificate of our CA with TSPS:

  1. Set the PATH variable: set PATH="D:\Program Files\BMC Software\TrueSightPServer\jre\bin";%PATH%
  2. Change directory to “D:\Program Files\BMC Software\TrueSightPServer\truesightpserver\conf\secure”
  3. Open a second CMD window and perform the following steps
  4. Change the directory to: “D:\Program Files\BMC Software\TrueSightPServer\truesightpserver\bin”
  5. Stop the TSPS: tssh server stop
  6. Delete the alias “truesightserver” from the “loginvault.ks”: keytool -delete -alias "truesightserver" -keystore loginvault.ks -storepass changeit
  7. Go to the second CMD and start the TSPS with “tssh server start”. You shouldn’t be able to open the TSPS Console from a browser.
  8. In the second CMD stop the TSPS again with “tssh server stop”
  9. Generate a new key pair:
    keytool -genkey -alias truesightserver -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "loginvault.ks" -storepass changeit -storetype JKS -providername SUN

Answer the questions:
    What is your first and last name?
      [Unknown]: <FQDN of TSPS>
    What is the name of your organizational unit?
      [Unknown]: <organizational unit>
    What is the name of your organization?
      [Unknown]: <company>
    What is the name of your City or Locality?
      [Unknown]: <city>
    What is the name of your State or Province?
      [Unknown]: <state>
    What is the two-letter country code for this unit?
      [Unknown]: <country code>
    Is CN=<FQDN of TSPS>, OU=<organizational unit>, O=<company>, L=<city>, ST=<state>, C=<country code> correct?
      [no]: yes
    Enter key password for <truesightserver>
      (RETURN if same as keystore password): <ENTER>

  10. Create the certificate signing request:
    keytool -certreq -keyalg RSA -alias truesightserver -file D:\SSL_Certificate\<TSPS servername>.csr -keystore loginvault.ks -storepass changeit -storetype JKS -providername SUN
  11. After receiving the root and server certificate from the CA, first import the root certificate and then the server certificate:
    keytool -import -alias root -keystore loginvault.ks -trustcacerts -file <root ca cert>.cer -storetype JKS -storepass changeit
    keytool -import -alias truesightserver -keystore loginvault.ks -file <tpsp server cert>.cer -storetype JKS -storepass changeit

  12. The TSPS certificate must also be imported into the pnserver.ks certstore on the TSIM servers:
  13. Log in to TSIM and open a CMD window
  14. Set the PATH variable: set PATH="D:\Program Files\BMC Software\TrueSight\pw\jre\bin";%PATH%
  15. Change directory to “D:\Program Files\BMC Software\TrueSight\pw\pronto\conf”
  16. Import the root certificate:
    keytool -import -alias <your ca root> -keystore pnserver.ks -trustcacerts -file <root ca cert>.cer -storetype JKS -storepass get2net
  17. Import the TSPS server certificate:
    keytool -import -alias truesightserver -keystore pnserver.ks -file <tpsp server cert>.cer -storetype JKS -storepass get2net
  18. Restart the TSIM Server
  19. In the second CMD start the TSPS again with “tssh server start”. You should now be able to open the TSPS web application.
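
Before TSPS is started again, the key entry in loginvault.ks can be checked to confirm that the CA-issued certificate really replaced the self-signed one. The PowerShell script below is an added example, not part of the original procedure; it reuses the paths, alias and store password from the steps above and assumes keytool's English output labels.

```powershell
# Added example, not part of the original procedure.
# Assumes the JRE path, keystore location, alias and store password used above.
$env:Path = 'D:\Program Files\BMC Software\TrueSightPServer\jre\bin;' + $env:Path
$keystore = 'D:\Program Files\BMC Software\TrueSightPServer\truesightpserver\conf\secure\loginvault.ks'
$alias    = 'truesightserver'

# -J-Duser.language=en forces English labels so the patterns below match.
# The argument is quoted because PowerShell splits unquoted -X.y arguments.
$lines = & keytool '-J-Duser.language=en' -list -v -alias $alias `
           -keystore $keystore -storetype JKS -storepass changeit
if ($LASTEXITCODE -ne 0) { throw "keytool -list failed for alias '$alias'" }
$text = $lines -join "`n"

$problems = @()

# A trustedCertEntry means the certificate is not bound to the private key.
if ($text -notmatch 'Entry type:\s*PrivateKeyEntry') {
    $problems += 'alias is not a PrivateKeyEntry'
}

# Chain length 1 is the self-signed placeholder from -genkey; after the CA
# reply is imported the chain holds the server and the CA certificate.
$chainLength = 0
if ($text -match 'Certificate chain length:\s*(\d+)') { $chainLength = [int]$Matches[1] }
if ($chainLength -lt 2) { $problems += "chain length is $chainLength, expected 2 or more" }

# The first Owner/Issuer pair belongs to the server certificate.
$owner  = if ($text -match 'Owner:\s*(.+)')  { $Matches[1].Trim() } else { '' }
$issuer = if ($text -match 'Issuer:\s*(.+)') { $Matches[1].Trim() } else { '' }
if ($owner -and $owner -eq $issuer) { $problems += 'server certificate is still self-signed' }

# The key pair was generated with -sigalg SHA1withRSA; the issued certificate
# carries whatever algorithm the CA used, so report SHA-1 or MD5 if it appears.
$sigAlg = if ($text -match 'Signature algorithm name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
if ($sigAlg -match '^(SHA1|MD5)with') { $problems += "weak signature algorithm $sigAlg" }

"Owner : $owner"
"Issuer: $issuer"
"Chain : $chainLength certificate(s), signed with $sigAlg"
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'loginvault.ks is not ready, do not start TSPS yet'
}
'loginvault.ks: key entry carries the CA-issued chain'
```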

TrueSight Infrastructure Management Server (TSIM)

We followed the following steps to use the certificate of our CA with TSIM:

  1. Set PATH variable: set PATH="D:\Program Files\BMC Software\TrueSight\pw\apache\bin";%PATH%
  2. Generate a private key file:
    openssl genrsa -des3 -out private.key 2048
  3. Generate certificate signing request (CSR):
    openssl req -new -key private.key -out <tsim server>.csr -config "D:\Program Files\BMC Software\TrueSight\pw\apache\conf\openssl.cnf"

    Enter pass phrase private.key:
    Loading 'screen' into random state - done
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:<country code>
    State or Province Name (full name) [Some-State]:<state>
    Locality Name (eg, city) []:<city>
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company>
    Organizational Unit Name (eg, section) []:<organisational unit>
    Common Name (e.g. server FQDN or YOUR name) []:<FQDN of TSIM>
    Email Address []:<e-mail address>

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: <ENTER>
    An optional company name []:

  4. Send the CSR to the CA
  5. After receiving the root and server certificate, we first have to remove the password from the private.key file as follows:
    openssl rsa -in private.key -out <tsimservername>.key
  6. Copy the key file <tsimservername>.key to “D:\Program Files\BMC Software\TrueSight\pw\apache\conf”
  7. Copy the server certificate to “D:\Program Files\BMC Software\TrueSight\pw\apache\conf”
  8. Change the entries in the “D:\Program Files\BMC Software\TrueSight\pw\apache\conf\extra\httpd-ssl.conf”:
    SSLCertificateFile "D:\Program Files\BMC Software\TrueSight\pw\apache\conf\<tsimservername>.cer"
    SSLCertificateKeyFile "D:\Program Files\BMC Software\TrueSight\pw\apache\conf\<tsimservername>.key"
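
Two checks are worth running before Apache is restarted with the new httpd-ssl.conf: that the issued certificate belongs to the key file, and that the key file, which no longer has a passphrase, is readable only by the accounts that need it. The PowerShell script below is an added example, not part of the original procedure; "tsimserver" stands in for <tsimservername>, and it assumes a PEM (Base64) encoded certificate and an Apache service running as LocalSystem.

```powershell
# Added example, not part of the original procedure.
# Assumptions: the certificate is PEM (Base64) encoded, "tsimserver" stands in
# for <tsimservername>, and the Apache service runs as LocalSystem.
$apache = 'D:\Program Files\BMC Software\TrueSight\pw\apache'
$env:Path = "$apache\bin;" + $env:Path
$env:OPENSSL_CONF = "$apache\conf\openssl.cnf"
$name = 'tsimserver'
$cert = "$apache\conf\$name.cer"
$key  = "$apache\conf\$name.key"

function Get-RsaModulus {
    param([string[]]$OpenSslArgs)
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    $modulus = $out | Where-Object { $_ -like 'Modulus=*' } | Select-Object -First 1
    if (-not $modulus) { throw 'no modulus in openssl output' }
    $modulus
}

# The same modulus in both files means the certificate was issued for this key.
$certModulus = Get-RsaModulus @('x509', '-in', $cert, '-noout', '-modulus')
$keyModulus  = Get-RsaModulus @('rsa',  '-in', $key,  '-noout', '-modulus')
if ($certModulus -ne $keyModulus) {
    throw "$name.cer does not belong to $name.key, leave httpd-ssl.conf unchanged"
}
'certificate and private key match'

# The key no longer has a passphrase, so file permissions are its only protection.
# Drop inherited ACEs; grant read to LocalSystem (S-1-5-18) and full control to
# the local Administrators group (S-1-5-32-544). SIDs avoid localized names.
& icacls $key /inheritance:r /grant:r '*S-1-5-18:R' '*S-1-5-32-544:F'
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $key" }

# Show the resulting ACL so the change can be reviewed.
& icacls $key
```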