When is a Certificate Authority (CA) certificate required on the App Visibility Proxy?  And how is the CA certificate implemented?

Version 10

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight App Visibility Manager Server


    COMPONENT:

    App Visibility Proxy


    APPLIES TO:

    App Visibility Proxy - All versions



    QUESTION:

    When should a different or custom security certificate (e.g. a CA certificate) be used on the App Visibility Proxy component?  And how is the custom security certificate implemented on the App Visibility Proxy?


    ANSWER:

     

    The App Visibility Proxy has two different sets of certificates.  One certificate is used to communicate with the App Visibility components (for example, App Visibility Portal, App Visibility Collector, App Visibility Agent for Java, App Visibility Agent for .NET, and Synthetic TEA Agent).  The other certificate is used for JavaScript Injection, which gathers user and network data from the application's web pages and involves communication between the proxy and the users' web browsers.

    So a CA certificate is required on the App Visibility Proxy when one of the following items applies:

    Item 1) When the App Visibility Manager components are required to communicate with each other on a secure connection

    Item 2) When the App Visibility Proxy is used to perform JavaScript Injection to gather user and network data from the application's web pages

    For Item 1 mentioned above, see the following link for more information about implementing the CA certificate on the App Visibility Manager components:

    https://docs.bmc.com/docs/display/tsavm107/Changing+security+certificates+in+App+Visibility+components

    Note:
    If the customer wants to use their own certificate to communicate between the different App Visibility components, then they would need to obtain a certificate and import it into those BMC components.  See the link below for the steps on changing the security certificate on all of the App Visibility Manager components:
     
    https://docs.bmc.com/docs/display/tsavm105/Changing+security+certificates+in+App+Visibility+components

    For Item 2 mentioned above, because the JavaScript injection on end-user browsers requires the dynamic JavaScript insertion and the beacon to be sent in HTTPS, any interim networking equipment must be able to supply a signed certificate to enable the browser to trust the connection. The App Visibility proxy must also support the installation of signed certificates.
     
    The App Visibility Proxy must have a certificate installed for this host name, which will be trusted by end-user browsers.

    • For internal applications, you can use a certificate signed by a local signing authority (with the root preinstalled on employee browsers).
    • For external applications, you must provide a signed certificate.
     
    See the link below for basic deployment options for TrueSight Operations Management (TSOM) components:
    https://docs.bmc.com/docs/display/public/TSOMD105/Basic+deployment+options+for+TrueSight+Operations+Management

    So the App Visibility Proxy uses SSL-encrypted beacons and injection requests and therefore must have a keystore with a certificate that is trusted by end-users’ browsers.

    If the web pages are only HTTP, then a CA certificate is not required for JavaScript Injection, but a configuration needs to be set in the App Visibility Proxy properties file.  See below for instructions on setting this configuration:
     
    https://docs.bmc.com/docs/display/tsavm105/Changing+App+Visibility+proxy+settings#ChangingAppVisibilityproxysettings-Tosetsecuritypropertiesfortheproxy

    However, if the web pages are HTTPS, then the steps are:

    Step 1) The customer needs to obtain a certificate approved by a recognized Certificate Authority (CA), or it could be a non-CA certificate (if preferred).

    Step 2) Import the certificate into the App Visibility Proxy so the App Visibility Proxy trusts the user’s web browser and vice versa.  If the certificate is signed and obtained from a CA, then the end user's web browser automatically trusts it.  If the certificate is self-signed (not from a CA), then the end user will need to manually trust that certificate and site in the web browser.

    To perform Step 2 above, there are two options:

    Option 1) Import the keystore during the App Visibility Proxy installation.  See the link below for more information:
     
    https://docs.bmc.com/docs/display/public/TSOMD105/Performing+the+App+Visibility+server+installation

    Option 2) Import the keystore after the App Visibility Proxy installation.  See the link below for steps to import a keystore file on the App Visibility Proxy version 10.5.xx:
     
    https://docs.bmc.com/docs/display/public/TSOMD105/Importing+a+keystore+file+or+replacing+the+certificate+for+the+App+Visibility+proxy
     
    If importing the keystore file on App Visibility Proxy version 11.3.xx, then see the following link:

    https://docs.bmc.com/docs/TSOperations/113/importing-a-keystore-file-or-replacing-the-certificate-for-the-app-visibility-proxy-843620477.html

    The CA certificate only needs to be imported into the App Visibility Proxy, and the user’s web browser must trust it.  There is no need to replace the BMC-provided certificate on the App Visibility Proxy because this BMC certificate is used to communicate with the App Visibility Portal.  Also, there is no need to import the customer’s CA certificate into the other App Visibility Manager components (e.g. App Visibility Portal, App Visibility Collector, App Visibility Agent for Java, App Visibility Agent for .NET, etc.) for JavaScript Injection.
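
    A pre-import check for the trust and host-name requirements described above, as an added example that is not BMC's procedure or code. It uses the OpenSSL command line with a constructed local signing authority and constructed host names (appvis-proxy.example.internal is a placeholder) to show how a CA-signed certificate, a host-name mismatch and a self-signed certificate are each reported.

```sh
#!/bin/sh
# Added example (not BMC code). Requires the openssl command-line tool.

# check_proxy_cert ROOT_PEM CERT_PEM HOSTNAME
# Prints "trusted", "name-mismatch" or "untrusted". The chain is checked against
# ROOT_PEM (OpenSSL may also consult its default trust directory).
check_proxy_cert() {
    root=$1; cert=$2; name=$3
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo untrusted
    elif ! openssl verify -CAfile "$root" -verify_hostname "$name" "$cert" \
            >/dev/null 2>&1; then
        echo name-mismatch
    else
        echo trusted
    fi
}

# make_demo_certs DIR HOST: constructed test material, valid for two days.
make_demo_certs() {
    d=$1; host=$2
    # Local signing authority, standing in for an internal root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Local CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Certificate for the proxy host name, signed by that authority.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
    openssl x509 -req -in "$d/proxy.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/proxy.pem" 2>/dev/null
    # Self-signed certificate for the same host name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$host" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    proxy_host=appvis-proxy.example.internal   # constructed placeholder name
    make_demo_certs "$tmp" "$proxy_host"
    r1=$(check_proxy_cert "$tmp/ca.pem" "$tmp/proxy.pem" "$proxy_host")
    r2=$(check_proxy_cert "$tmp/ca.pem" "$tmp/proxy.pem" other.example.internal)
    r3=$(check_proxy_cert "$tmp/ca.pem" "$tmp/self.pem" "$proxy_host")
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}

run_demo   # CA-signed + right name, CA-signed + wrong name, self-signed
```

    To check a real certificate, call check_proxy_cert with the root certificate that the end-user browsers trust, the certificate intended for the proxy keystore, and the proxy host name.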

     


    Article Number:

    000218479


    Article Type:

    FAQ/Procedural


