App Visibility - When is a Certificate Authority (CA) certificate required on the App Visibility Proxy 10.5.00?  And how is the CA certificate implemented?

Version 4
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight App Visibility Manager Server


    APPLIES TO:

    App Visibility Proxy



    QUESTION:

    When is a Certificate Authority (CA) certificate required on the App Visibility Proxy 10.5.00?  And how is the CA certificate implemented?


    ANSWER:

    When is a Certificate Authority (CA) certificate required on the App Visibility Proxy 10.5.00?
     
    If the web pages are only HTTP then a CA certificate is not required, but a configuration needs to be set on the App Visibility Proxy properties’ file.
     
    However if the web pages are HTTPS then the customer would need to obtain a certificate approved by a recognized Certificate Authority (CA) and import it into the App Visibility Proxy 10.5.00 so the App Visibility Proxy trusts the user’s web browser and vice versa.  If the certificate is signed and obtained from a CA then the end user web browser automatically trust it.  If the certificate is self-signed (not from a CA) then the end user web browser will need to manually trust that certificate and site.
     
    Because the JavaScript injection on end-user browsers requires the dynamic JavaScript insertion and the beacon to be sent in HTTPS, any interim networking equipment must be able to supply a signed certificate to enable the browser to trust the connection. The App Visibility proxy must also support the installation of signed certificates.
     
    The App Visibility proxy must have a certificate installed for this host name, which will be trusted by end-user browsers.
    •For internal applications, you can use a certificate signed by a local signing authority (with the root preinstalled on employee browsers).
    •For external applications, you must provide a signed certificate.
     
    See the link below for basic deployment options for TrueSight Operations Management (TSOM) components:
     
    https://docs.bmc.com/docs/display/public/TSOMD105/Basic+deployment+options+for+TrueSight+Operations+Management
     
    The App Visibility proxy uses SSL-encrypted beacons and injection requests and therefore you must have a keystore with a certificate that is trusted by end-users’ browsers. You can import the keystore during proxy installation or after installation.  See the link below for more information:
     
    https://docs.bmc.com/docs/display/public/TSOMD105/Performing+the+App+Visibility+server+installation
     

    How to implement a Certificate Authority (CA) certificate on the App Visibility Proxy 10.5.00?
     
    If the web pages are only HTTP then a CA certificate is not required and a configuration setting is required on the App Visibility Proxy.  See below for instructions on setting this configuration:
     
    https://docs.bmc.com/docs/display/tsavm105/Changing+App+Visibility+proxy+settings#ChangingAppVisibilityproxysettings-Tosetsecuritypropertiesfortheproxy
     
    If the web pages are HTTPS then a CA certificate is required.  Once the customer obtains a CA certificate then it would need to be imported in the App Visibility Proxy.  See the link below for steps to import a keystore file on the App Visibility Proxy:
     
    https://docs.bmc.com/docs/display/public/TSOMD105/Importing+a+keystore+file+or+replacing+the+certificate+for+the+App+Visibility+proxy
     
    The customer only needs to import that CA certificate into the App Visibility Proxy and ensure the user’s web browser trusts it.  They do not need to replace the BMC provided certificate on the App Visibility Proxy because this BMC certificate is used to communicate with the App Visibility Portal.  Also there is no need to import the customer’s CA certificate to the other App Visibility Manager components (e.g. App Visibility Portal, App Visibility Collector, App Visibility Agent for Java, App Visibility Agent for .NET, etc.).
     
    Additional Notes:
    If the customer wants to use their own certificate to communicate between the different App Visibility Manager components (e.g. App Visibility Portal, App Visibility Collector, App Visibility Agent for Java, App Visibility Agent for .NET, etc.) then they would need to obtain a certificate (usually a different certificate) and import them into those BMC components.  See the link below for the steps on changing the security certificate on all of the App Visibility Manager components:
     
    https://docs.bmc.com/docs/display/tsavm105/Changing+security+certificates+in+App+Visibility+components
     
    As a best practice for a production environment, there is a CA certificate on the App Visibility Proxy when the customer wants to perform JavaScript injection into the user’s web browser.  Then if the customer wants the communication for the App Visibility Manager components to have a CA certificate as well then the customer would obtain another certificate for those BMC components.  So basically, the App Visibility Proxy would have two different set of certificates.  One certificate is to communicate to the user’s web browsers and vice versa.  The other certificate is to communicate with the App Visibility Manager components (e.g. App Visibility Portal, App Visibility Collector, App Visibility Agent for Java, App Visibility Agent for .NET, etc.).


    Article Number:

    000129349


    Article Type:

    FAQ/Procedural



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles