BCM - How can I Replace current BCM Certificate Authority with my Authority

Version 1


    PRODUCT:

    BMC Client Management


    APPLIES TO:

    BCM All Versions since 12.8



    QUESTION:

    How can I replace the current BCM Certificate Authority with my own Authority?


    ANSWER:

    - First, verify that your current security configuration matches the following screenshot:
    "Secure Communication" is set to "Yes".
    Both the "Authority Certificate" and "Trusted Authority" parameters are set to "bcm".

    [Screenshot: security configuration]


    - Then verify that the BCM Certificate package and rules are available in your BMC Client Management Console; we are going to modify them in order to deploy your Authority files and set BCM to use them.

    [Screenshots: BCM Certificate package and rules]

    They should be present if the first line of your Security Checklist is red in the BMC Client Management Console Home Dashboard:

    [Screenshot: Security Checklist on the Home Dashboard]

    If the BCM Certificate package and rules are not available, you can create them with this procedure.

    - Now that the BCM Certificate package and rules are available, here are the modifications you have to make to them:

    Find the "bcmcertificate" package under the Console > Packages > Package Factory > Your Master > Custom Packages node. Copy and paste it, then rename the newly created "bcmcertificate(1)" package to "mycertificate":

    [Screenshot: renamed "mycertificate" package]

    For the next package modification you need to create a directory on your hard disk in which you put your Authority Certificate files:
    On your hard disk, create a "certs" directory that contains both an "auth" and a "trusted" directory.
    Then, in the \certs\trusted directory, place your Authority .crt file.

    Note: if your Authority is not a Root Authority, you then have to put the .crt files for all Authorities from the Root up to the Authority you want to use in BCM.
    For example, let's say we have RootAuth -> InterAuth1 -> InterAuth2.
    Then you have to put the RootAuth.crt, InterAuth1.crt and InterAuth2.crt files.
    Please also note that each .crt file has to be named after its Authority: a certificate file named notgoodname.crt for an Authority named myauthority is ignored.

    Then, in the \certs\auth directory, put the .crt, .kef, .kep and .key files for the Authority you want to use in BCM.
    If your Authority is not a Root Authority, you then only put the Authority .crt (and its key files) you want to use in BCM, not the whole chain.
    For example, let's say we have RootAuth -> InterAuth1 -> InterAuth2.
    Then you have to put the InterAuth2.crt, InterAuth2.kef, InterAuth2.kep and InterAuth2.key files in the \certs\auth directory.
    Note that the .key file is encrypted by each BCM agent once received.
      
    Then, from the Console > Packages > Package Factory > Your Master > Custom Packages > mycertificate > Contents > Files node, remove the current "certs" folder and add the "certs" directory you created on your hard disk:

    [Screenshots: "certs" folder replaced in the package contents]

    Then publish your "mycertificate" package to the BCM Master:

    [Screenshot: package publication]

    You now have to replace the "bcmcertificate" package with the "mycertificate" package in rule "Step 1 - Trust BCM Certificate".
    To do so, go to the Console > Operational Rules > BCM Certificate > Step 1 - Trust BCM Certificate > Packages node, then remove the "bcmcertificate" package and add the "mycertificate" package:

    [Screenshots: package replaced in rule "Step 1"]

    Then, from the Console > Operational Rules > BCM Certificate > Step 1 - Trust BCM Certificate > Steps node, move the "Install Package" step from line 3 up to line 2:

    [Screenshots: "Install Package" step moved to line 2]

    Edit rule "Step 1 - Trust BCM Certificate" in order to deactivate step 1:

    [Screenshot: step 1 deactivated]
    Also modify step 3 of rule "Step 1 - Trust BCM Certificate" in order to set the "Trusted Authorities" parameter to "bcm" plus your authority name:

    [Screenshots: "Trusted Authorities" parameter of step 3]

    Note: if your Authority is not a Root Authority, you then have to set the whole Authority chain from the Root up to the Authority you want to use in BCM.
    For example, let's say we have RootAuth -> InterAuth1 -> InterAuth2.
    Then the "Trusted Authorities" parameter must be set to "bcm,RootAuth,InterAuth1,InterAuth2".


    Edit rule "Step 2 - Activate BCM Certificate" in order to set the "Authority Certificate" parameter to your Authority Certificate name:

    [Screenshots: "Authority Certificate" parameter of rule "Step 2"]

    Note: if your Authority is a Root Authority, set the "Authority Certificate" parameter to your Authority name.
    If your Authority is not a Root Authority, you then set only the name of the Authority you want to use in BCM.
    For example, let's say we have RootAuth -> InterAuth1 -> InterAuth2.
    Then the "Authority Certificate" parameter must be set to "InterAuth2".


    Edit rule "Step 3 - Trust BCM Certificate" in order to set the "Trusted Authorities" parameter to your authority name only:

    [Screenshots: "Trusted Authorities" parameter of rule "Step 3"]

    Note: if your Authority is not a Root Authority, you then have to set the whole Authority chain from the Root up to the Authority you want to use in BCM.
    For example, let's say we have RootAuth -> InterAuth1 -> InterAuth2.
    Then the "Trusted Authorities" parameter must be set to "RootAuth,InterAuth1,InterAuth2".
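    The following Python script is an added example; it is not part of this article and not BMC's own code. It checks a prepared "certs" directory against the layout described earlier (one correctly named .crt per Authority in \certs\trusted, and the .crt, .kef, .kep and .key files of the Authority to use in \certs\auth) and derives the "Trusted Authorities" and "Authority Certificate" values for the three rules from the Authority chain. The chain RootAuth -> InterAuth1 -> InterAuth2, the function names and the empty placeholder files it creates for the demonstration are assumptions; it does not read or validate the certificate contents.

```python
"""Pre-flight check for a replacement BCM authority package.

Added example; it is not part of the BMC knowledge article and not BMC code.
It checks the certs/trusted and certs/auth layout the article describes and
derives the rule parameter values from the authority chain. The chain, the
function names and the placeholder files are assumptions made for the demo.
"""
from pathlib import Path
import tempfile

# Authority chain from the article's example, root first, leaf last (constructed).
CHAIN = ["RootAuth", "InterAuth1", "InterAuth2"]

# The four files the article requires in certs/auth for the authority BCM will use.
AUTH_EXTENSIONS = (".crt", ".kef", ".kep", ".key")


def trusted_authorities_param(chain, include_bcm):
    """Value for the 'Trusted Authorities' parameter.

    Rule 'Step 1' keeps "bcm" in front of the chain so agents that still use
    the BCM authority remain reachable; rule 'Step 3' lists the chain only.
    """
    names = ["bcm"] + list(chain) if include_bcm else list(chain)
    return ",".join(names)


def authority_certificate_param(chain):
    """Value for the 'Authority Certificate' parameter: the leaf authority only."""
    return chain[-1]


def check_certs_layout(root, chain):
    """Return the list of problems found under root/certs (empty means OK)."""
    problems = []
    trusted = Path(root) / "certs" / "trusted"
    auth = Path(root) / "certs" / "auth"
    for sub in (trusted, auth):
        if not sub.is_dir():
            problems.append(f"missing directory: {sub}")
    if problems:
        return problems
    # certs/trusted needs one .crt per authority in the chain, each file named
    # exactly after its authority; a differently named .crt is ignored by BCM.
    for name in chain:
        if not (trusted / f"{name}.crt").is_file():
            problems.append(f"trusted: {name}.crt not found")
    for extra in trusted.glob("*.crt"):
        if extra.stem not in chain:
            problems.append(f"trusted: {extra.name} matches no authority in the chain and will be ignored")
    # certs/auth holds .crt/.kef/.kep/.key for the leaf authority and nothing else.
    leaf = chain[-1]
    for ext in AUTH_EXTENSIONS:
        if not (auth / f"{leaf}{ext}").is_file():
            problems.append(f"auth: {leaf}{ext} not found")
    for extra in auth.iterdir():
        if extra.stem != leaf:
            problems.append(f"auth: unexpected file {extra.name}")
    return problems


def build_sample_layout(root, chain):
    """Create a constructed certs/ tree with empty placeholder files (no real keys)."""
    trusted = Path(root) / "certs" / "trusted"
    auth = Path(root) / "certs" / "auth"
    trusted.mkdir(parents=True)
    auth.mkdir(parents=True)
    for name in chain:
        (trusted / f"{name}.crt").touch()
    for ext in AUTH_EXTENSIONS:
        (auth / f"{chain[-1]}{ext}").touch()


def demo_correct_layout():
    """Problems reported for a layout built as the article describes (expected: none)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_layout(root, CHAIN)
        return check_certs_layout(root, CHAIN)


def demo_misnamed_trusted_file():
    """Problems reported when the leaf .crt in certs/trusted carries the wrong name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_layout(root, CHAIN)
        trusted = Path(root) / "certs" / "trusted"
        (trusted / "InterAuth2.crt").rename(trusted / "notgoodname.crt")
        return check_certs_layout(root, CHAIN)


if __name__ == "__main__":
    print("Step 1 Trusted Authorities:", trusted_authorities_param(CHAIN, include_bcm=True))
    print("Step 2 Authority Certificate:", authority_certificate_param(CHAIN))
    print("Step 3 Trusted Authorities:", trusted_authorities_param(CHAIN, include_bcm=False))
    print("correct layout:", demo_correct_layout() or "OK")
    for problem in demo_misnamed_trusted_file():
        print("misnamed layout:", problem)
```

    Run it against the real directory by calling check_certs_layout with the path that contains your "certs" folder and your own chain list; an empty result means the package contents match what the three rules will expect, and the three printed values are the ones to paste into the rule parameters.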


    - You can then assign rule "Step 1 - Deploy BCM Certificate" to all your devices.
    Once rule "Step 1 - Deploy BCM Certificate" has been successfully executed on all devices, you can assign rule "Step 2 - Activate BCM Certificate" to all devices.
    In the same way, rule "Step 2" must be successfully executed on all devices before assigning rule "Step 3 - Trust BCM Certificate" to all devices.

    Note that if rule 3 is executed on some devices while rules 1 or 2 have not yet been executed on other devices, communication between these two groups of devices is broken.
    This is why we strongly recommend that you test this procedure on a few devices before rolling it out to all devices.

     


    Article Number:

    000166684


    Article Type:

    FAQ/Procedural


