This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
TrueSight Capacity Optimization
Looking for the documentation to install a signed TLS certificate in TrueSight Capacity Optimization using the built-in Apache
This Solution was created for TrueSight Capacity Optimization version 10.x. For TrueSight Capacity Optimization 11.x or newer, please check the product documentation.
The information is published in the Administration documentation under "Installing a CA-signed certificate into the embedded web server".
1. Verify that TSCO is using the built-in Apache and not a different HTTP server as the frontend.
If the environment was not explicitly configured to use a different web frontend, the built-in Apache is used.
2. Verify that the TSCO console is configured in HTTPS mode and listens on port 8443. If only port 8000 is used, the TSCO environment needs to be reconfigured.
To do this, stop the services and run the product installer; instead of reinstalling the product, you can choose to reconfigure it.
3. Verify that TSCO is listening on port 8443 and access it with your browser. You get a certificate warning because the product is using a self-signed certificate.
4. Create a private key and the certificate request with openssl, as in the command example below:
The command example below uses the openssl.cnf file as its input file, which must be supported by the CA that signs the request. If your CA does not support these ciphers, check with the enterprise CA administrator which openssl cipher parameters are supported. You can also run the openssl command on a different server; it does not have to be the TSCO server.
The most important answer you give is the Common Name attribute; it must match the URL you use in your browser. It is strongly recommended to use the FQDN and not the hostname or a DNS alias hostname: not everyone can access the server with the hostname, so it is better to use the FQDN in the certificate request file. In addition, with TrueSight Capacity Optimization 11 and Remedy Single Sign On, an FQDN is required for the single sign-on feature to function properly.
In the given example, the Common Name corresponds to the URL used to access the TSCO console:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout myhost.key -out myhost.csr
Generating a 2048 bit RSA private key
writing new private key to 'myhost.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:New York
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]: Domain
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:myhost.mydomain.com
Email Address []:email@example.com
This example only creates a certificate for a single hostname. If a certificate for multiple hostnames is required, please refer to the TrueSight Capacity Optimization 11.x Administration documentation under "Installing a CA-signed certificate into the embedded web server", which publishes an openssl command example that uses subject alternative names.
5. Open the myhost.csr file with a text editor and forward the text, including the ----- marker lines, to the CA administrator.
The example below is a typical CSR file; the request must look exactly like this format, with the line breaks and the ----- marker lines. Request a certificate for a web server; the certificate must be Base64 encoded.
A DER-encoded certificate does not work with the TSCO Apache server on Linux.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
6. The CA administrator has to provide you with the certificate; it is used together with the myhost.key file created by the openssl command.
- Store the myhost.key in the $BCO_HOME/3rd_party/apache2/pki/tls/private directory.
Rename the existing hostname.key, rename the new key file (myhost.key) to hostname.key, and back up the new hostname.key.
This process keeps a backup and should cause less trouble when doing product updates.
mv hostname.key hostname.key.old
mv myhost.key hostname.key
cp hostname.key hostname.key.back
- Store the certificate received from the CA administrator, with the file extension crt, in the
$BCO_HOME/3rd_party/apache2/pki/tls/certs/ directory.
Rename the existing hostname.crt file, rename certificate.cer to certificate.crt, and back up the new hostname.crt.
mv hostname.crt hostname.crt.old
mv certificate.crt hostname.crt
cp hostname.crt hostname.crt.back
8. Save the file and restart the services
Check for typos in the path and for a certificate that was created in an incorrect format from the certificate request file; also check the file permissions on the certificate and key files. An error will prevent the Apache server from starting correctly.
9. Product updates to future versions will overwrite the
$BCO_HOME/3rd_party/apache2/conf/ssl.conf file. After an update, you need to set the location of the new certificate and private key again.
10. Restart the httpd component to launch Apache with the new certificate
$BCO_HOME/cpit restart httpd
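The failure causes listed under step 8 (wrong format, unreadable files) and the Common Name requirement from step 4 can be checked with openssl before httpd is restarted. The script below is an added example, not part of the BMC article or product; the function names are illustrative, the world-readable key warning is an added hardening check, and it assumes an openssl build that supports -checkhost (1.0.2 or newer).

```shell
#!/bin/sh
# Added example (not BMC code): checks for the new key/certificate pair before
# restarting httpd. The key path, certificate path and FQDN come from the caller.

# Succeeds only for a Base64 (PEM) certificate; a DER file has no PEM header.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Succeeds when the private key ($1) and the certificate ($2) hold the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when the certificate ($1) is valid for the name used in the browser ($2).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Succeeds when "other" users have no access to the key file (added hardening check).
key_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Runs all checks, reports each failure, and returns non-zero if the pair is unusable.
check_pair() {
    key=$1 crt=$2 fqdn=$3 rc=0
    [ -r "$key" ] && [ -r "$crt" ] || { echo "FAIL: key or certificate not readable"; return 1; }
    is_pem_cert "$crt" || { echo "FAIL: $crt is not a PEM certificate"; rc=1; }
    key_matches_cert "$key" "$crt" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_covers_host "$crt" "$fqdn" || { echo "FAIL: certificate does not cover $fqdn"; rc=1; }
    key_not_world_readable "$key" || echo "WARN: $key is accessible to other users"
    [ "$rc" -eq 0 ] && echo "OK: pair is consistent for $fqdn"
    return "$rc"
}

# Usage: sh check_pair.sh /path/hostname.key /path/hostname.crt myhost.mydomain.com
if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"
fi
```

Run it as the account that starts Apache so that the readability check reflects what the web server will see.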
If a p7b certificate was provided, it typically does not contain a private key. Somebody created the certificate request file that was used to create the certificate, and a private key was created along with that certificate request file. The Apache server hosting the web component requires both the private key and the certificate.
The p7b certificate has to be converted to PEM format with openssl, for example:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
If you are unsure where the private key is located, it might be better to create a new certificate request file and private key, as explained in this Solution, and request a new certificate.