Steps to Configure BMC Atrium Orchestrator to use HTTPS

Version 3

    Hi All,


    I have configured AO to use HTTPS (Self Signed Certificate) by using following procedure.


    1)     Set JAVA_HOME environment variable

    2)     Set PATH environment variable for Java.

    3)     Create a keystore entry, from a command prompt:

    Using Command:      keytool -genkey -alias tomcat -keyalg RSA

    a)     When prompted, type the keystore password (default: changeit).

    b)     When prompted, provide user details.

    • What is your first and last name?
    • What is the name of your organizational unit?
    • What is the name of your organization?
    • What is the name of your City or Locality?
    • What is the name of your State or Province?
    • What is the two-letter country code for this unit?

    This information is used for the certificate and is visible only within the certificate.

    Review the information displayed and confirm that it is correct.

    c)     When prompted to enter the key password for Tomcat, press Enter.


    4)     Copy the newly generated .keystore from C:\Users\Administrator to c:\

    (or any location you prefer)

    5)     Export the certificate to cert.cer

    Using Command:

    keytool -export -alias tomcat -file c:\cert.cer -keystore c:\.keystore



    6)     Import the certificate & keystore to jvm\lib\security\cacerts of peer/component (i.e. CDP/HACDP/AP/DevStudio etc.)

    Using command:

    keytool -import -alias tomcat -file c:\cert.cer -keystore "c:\Program Files\BMC Software\HACDP\jvm\lib\security\cacerts" -keypass changeit

    (keypass changeit is the default password)


    7)     Go to c:\Program Files\BMC Software\peer(CDP\HACDP\AP)\tomcat\conf\server.xml


    Find the following element in server.xml and comment it out with <!--    --> to disable the HTTP port.

        <Connector executor="tomcatThreadPool"
                   port="8080" protocol="HTTP/1.1"
                   redirectPort="8443" />


    8)     Find the following element in server.xml and uncomment it by removing the <!--    --> around it, to enable the HTTPS port to use SSL.

        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="want" sslProtocol="TLS" />


    9)     Start/Restart the Service and test the Webservercontext in a browser using the HTTPS port.





    Hope this will be helpful to all....



    Aryan Anantwar




    Signed Certificates


    Many companies require that you install a Signed Certificate (SSL Certificate) from a trusted authority on a Production/UAT environment.  This may be the actual company or an external trusted authority e.g. CA.  This certificate is required to replace the Self Signed Certificate generated in the above process.  Many times these certificates come in a "chain" consisting of Root and Intermediate certificates, all of which are required to be installed.

    Chained certificates can come in a number of forms. A common one is a "p7b" file, which contains all the required certificates in one file. This is the file to import into the associated Keystore, so that all the certificates in the chain are installed.


    Points to note:


    • To obtain a Signed Certificate you require the generation of a "CSR" (Certificate Signing Request) which is used to create the Signed Certificate
    • You can use a different (recommended) Keystore than the default, however the Signed Certificate is required to be imported into the Keystore used to generate the CSR which also contains the private key required by the Signed Certificate
    • If using a non default Keystore, the "server.xml" file needs to reference the correct Keystore containing the Signed Certificate


    To generate a Signed Certificate from an authority such as CA:


    • Create a CSR file for your server.  It is recommended to use a tool such as an OpenSSL CSR tool or a Java keytool CSR helper to generate the necessary commands.  The following example shows the generation of a CSR for a server named "BAO_Server", alias for the certificate = "tomcat", Keystore file = "BAO_Server.jks", CSR file = "BAO_Server.csr".  The "BAO_Server.csr" file is what you send to the authority in order for them to generate the Signed Certificate.




    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore BAO_Server.jks -dname "CN=BAO_Server, O=MPS, L=London, ST=London, C=GB" && keytool -certreq -alias tomcat -file BAO_Server.csr -keystore BAO_Server.jks


    • You will receive your Signed Certificate with either a "*.cer" or "*.p7b" (or other format) extension, or both.  If it is a single certificate with no chain, you would import the "*.cer" file.  If it is a "chained" certificate, you will need to import the full chain or "*.p7b" file (containing the Root, Intermediate and Server certificates).  The Signed Certificate needs to be imported using the same Alias ("tomcat") used to generate the CSR, and into the correct Keystore ("BAO_Server.jks").  If you receive errors, ensure you are importing to the Keystore that you used to generate the CSR - you may need to give the full path to the Keystore.




    keytool -import -trustcacerts -file BAO_Server.p7b -keystore BAO_Server.jks -storepass changeit -alias "tomcat"


    • Once you have completed the installation of the Certificate or the Chained Certificate, you need to update the Tomcat "server.xml" file with the settings to point to your newly installed certificate and the correct Keystore.




    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/uddi/remedy/BAO_Server.jks" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />


    • Restart Tomcat for the component to pick up your Signed Certificate.
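
    A check for the connector settings from steps 7 and 8 and for the signed-certificate connector above, as an added example (not part of the original document or of BMC's tooling). The function name and the sample server.xml are constructed here; the keystoreFile and keystorePass fallbacks it reports are Tomcat's documented defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server.xml after steps 7-8, using the signed-certificate
# connector from this page (HTTP connector commented out, HTTPS enabled).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1"
                  redirectPort="8443" /> -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
             keystoreFile="/uddi/remedy/BAO_Server.jks" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""


def audit_connectors(server_xml: str) -> list[str]:
    """Return findings for every active <Connector> in a Tomcat server.xml."""
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are skipped.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # AJP connectors are outside the scope of this check
        if conn.get("SSLEnabled", "false").lower() != "true":
            # Step 7 was skipped or reverted: clients can still connect over HTTP.
            findings.append(f"port {port}: plain HTTP connector still enabled")
            continue
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"port {port}: TLS connector lacks scheme=https/secure=true")
        if not conn.get("keystoreFile"):
            # Without keystoreFile Tomcat reads .keystore in the service
            # account's home directory, not the keystore holding the signed cert.
            findings.append(f"port {port}: no keystoreFile, falls back to ~/.keystore")
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append(f"port {port}: keystore uses the default password 'changeit'")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

    Run it against the server.xml of each peer (CDP, HACDP, AP) after the restart; an empty list means no HTTP connector is active and the HTTPS connector names its own keystore with a non-default password.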