How to create a .csr certificate key to install a signed TLS certificate to TrueSight Capacity Optimization?

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    COMPONENT:

    Capacity Optimization


    APPLIES TO:

    TSCO 10.x



    QUESTION:

    Looking for the documentation to install a signed TLS certificate to TrueSight Capacity Optimization using the built-in Apache.

    This Solution was created for TrueSight Capacity Optimization version 10.x; for TrueSight Capacity Optimization 11.x or newer, please check the product documentation.
    The information is published in the Administration documentation under "Installing a CA-signed certificate into the embedded web server".
     


    ANSWER:

    1. Verify that TSCO is using the built-in Apache and not a different HTTP server as the frontend.
    If the environment was not explicitly configured to use a different web frontend, the built-in Apache is used.
     
    2. Verify that the TSCO console is configured in HTTPS mode and listens on port 8443. If only port 8000 is used, the TSCO environment needs to be reconfigured.
      To do this, stop the services and run the product installer; instead of reinstalling the product, you can choose to reconfigure it.
      
    3. Verify that TSCO is listening on port 8443 and access it with your browser. You get a certificate warning because the product is using a self-signed certificate.
     
    4. Create a private key and the certificate request with the openssl command example:
     
    The command example below uses the openssl.cnf file as input file, which must be supported by the CA that signs the request. If your CA doesn't support these ciphers, evaluate the supported openssl cipher parameters with the enterprise CA administrator. You can also run the openssl command on a different server; it does not have to be the TSCO server.
     
    The most important answer you need to give is the Common Name attribute; it must match the URL you use in your browser. It is strongly recommended to use the FQDN and not the hostname or a DNS alias hostname. Not everyone can access the server with the hostname, so it is better to use the FQDN in the certificate request file. In relation to TrueSight Capacity Optimization 11 and Remedy Single Sign On, an FQDN is also required for the single sign-on feature to function properly.

    In the given example, the Common Name is taken from the URL used to access the TSCO console:
     
    https://myhost.mydomain.com:8443/console/
     
    openssl req -newkey rsa:2048 -sha256 -nodes -keyout myhost.key -out myhost.csr
    Generating a 2048 bit RSA private key
    ..................+++
    ..............+++
    writing new private key to 'myhost.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:New York
    Locality Name (eg, city) [Default City]:New York
    Organization Name (eg, company) [Default Company Ltd]: Domain
    Organizational Unit Name (eg, section) []:Support
    Common Name (eg, your name or your server's hostname) []:myhost.mydomain.com
    Email Address []:support@mydomain.com


    This example only creates a certificate for a single hostname. If a certificate for multiple hostnames is required, please refer to the TrueSight Capacity Optimization 11.x Administration documentation under "Installing a CA-signed certificate into the embedded web server", where an openssl command example using subject alternative names is published.
     

      
    5. Open the myhost.csr file with a text editor and forward the text, including the ----- marker lines, to the CA administrator.
      
    A typical CSR file begins with the line -----BEGIN CERTIFICATE REQUEST-----, ends with the line -----END CERTIFICATE REQUEST-----, and carries Base64 text between them. Forward it in exactly this format, including the line breaks and the ----- marker lines. Request a certificate for a web server; the certificate must be Base64 encoded.
    A DER-encoded certificate does not work with the TSCO Apache server on Linux.
      
      
      
      
      
    6. The CA administrator has to provide you with the certificate; it is used together with the myhost.key file created by the openssl command.
      
    - Store the myhost.key in the $BCO_HOME/3rd_party/apache2/pki/tls/private directory. 

    Rename the existing hostname.key, rename the new myhost.key to hostname.key, and back up the new hostname.key.
    This process keeps a backup and should cause less trouble when doing product updates.
       
    mv hostname.key hostname.key.old
    mv myhost.key hostname.key
    cp hostname.key hostname.key.back
      

      
    - Store the certificate received from the CA administrator, with the file extension crt, in the $BCO_HOME/3rd_party/apache2/pki/tls/certs/ directory.

    Rename the existing hostname.crt file, rename certificate.cer to certificate.crt, and back up the new hostname.crt.
       
    mv hostname.crt hostname.crt.old
    mv certificate.crt hostname.crt
    cp hostname.crt hostname.crt.back
      


    8. Save the file and restart the services 
    Check for typos in the path, for a certificate that was created from the certificate request file in an incorrect format, and for the file permissions on the certificate and key files. An error in any of these prevents the Apache server from starting correctly.
      
    9. Product updates to future versions will overwrite the $BCO_HOME/3rd_party/apache2/conf/ssl.conf file; after an update you need to set the location of the new certificate and private key again.
      
    10. Restart the httpd component to launch Apache with the new certificate 
      
    $BCO_HOME/cpit restart httpd


    Caution:
    If a p7b certificate was provided, it typically does not contain a private key. Somebody created the certificate request file that was used to issue the certificate, and a private key was created along with that request file. The Apache server hosting the web component requires both the private key and the certificate.

    A p7b certificate has to be converted to PEM format with openssl, for example:

       
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
      


    If you are unsure where the private key is located, it might be better to create a new certificate request file and private key, as explained in this Solution, to obtain a new certificate.
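
    The checks named in step 8 and in the Caution (certificate format, file permissions, a certificate whose private key is missing) can be run before Apache is restarted. The script below is an added example, not BMC code; it assumes openssl is on the PATH, and its function names, return codes, permission rule and self-signed demo certificate are constructed for illustration.

```shell
# Added example: pre-install checks for the key and certificate from steps 4-6.
# Function names and return codes are this example's own, not part of TSCO.

# make_csr DIR FQDN: non-interactive form of the article's openssl req command.
make_csr() {
    openssl req -newkey rsa:2048 -sha256 -nodes \
        -keyout "$1/myhost.key" -out "$1/myhost.csr" \
        -subj "/C=US/ST=New York/L=New York/O=Domain/OU=Support/CN=$2" 2>/dev/null
}

# check_tls_pair KEY CRT FQDN
# returns 0 = ok, 2 = certificate not PEM (Base64), 3 = key does not belong to
# the certificate, 4 = FQDN not in certificate, 5 = key readable by group/other
check_tls_pair() {
    key=$1 crt=$2 fqdn=$3
    # DER and PKCS#7 (p7b) files lack this PEM header.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" || return 2
    # The certificate must carry the public key of the private key from step 4.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ "$crt_pub" = "$key_pub" ] || return 3
    # The certificate name must match the FQDN used in the browser URL.
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q 'does match' || return 4
    # Assumption of this example: no group/other permission bits on the key file.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 5
    return 0
}

# Demo on constructed data: a self-signed certificate stands in for the CA reply.
demo() {
    d=$(mktemp -d) || return 1
    make_csr "$d" myhost.mydomain.com &&
        openssl x509 -req -in "$d/myhost.csr" -signkey "$d/myhost.key" \
            -days 1 -out "$d/myhost.crt" 2>/dev/null &&
        chmod 600 "$d/myhost.key"
    check_tls_pair "$d/myhost.key" "$d/myhost.crt" myhost.mydomain.com
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo && echo "key, certificate and hostname are consistent"
```

    Against a real installation, call check_tls_pair with the hostname.key and hostname.crt files from the pki/tls directories and the FQDN from the console URL.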

     


    Article Number:

    000135233


    Article Type:

    FAQ/Procedural


