How to create a private key and certificate request (.csr) file to install a signed TLS certificate in TrueSight Capacity Optimization?

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    TrueSight Capacity Optimization




    How to replace the self-signed certificates in TrueSight Capacity Optimization with certificates signed by a trusted certificate authority?


    The process to create a private key and generate a certificate request file is properly documented (see the documentation references below). This solution therefore does not cover the commands to run, but it provides additional and background information for better understanding.

    The task procedure is basically the same across TrueSight Capacity Optimization versions 10.x, 11.x and 20.x; however, there are a few important differences related to product updates, covered at the end of the article.

    In TrueSight Capacity Optimization the TLS listener for the web and datahub components is provided by Apache HTTPD Server. For other TrueSight products such as TSPS and RSSO, these listeners are provided by Apache Tomcat Application Server (Java based, with keytool). Please note that TrueSight Capacity Optimization includes an Apache Tomcat, but for the TLS listener the Apache HTTPD with private key and certificates is used.

    Without any additional configuration, TrueSight Capacity Optimization skips remote certificate checks, which means that any remote certificate is trusted. To change this behavior, the TLS 1.2 options can be enabled, which requires a trusted certificate chain and disables the skip-certificate-check function. Other TrueSight products perform such certificate checks, so a proper trusted certificate chain is mandatory. With TLS enabled, the Apache Tomcat services come into play and the cotruststore.ts (Java truststore file) is used. Before enabling TLS 1.2, it is mandatory to import the trusted certificates from the remote technologies that use TLS 1.2 into the cotruststore.ts file; it is also recommended to replace the certificates in RSSO and TSPS first.

    The recommended order is:


    1. Create the key and certificate request file with Java keytool for loginvault.ks (keystore), implement the trusted certificate chain in the cacerts (truststore) file for Remedy Single Sign On (Java keytool based process), and import the signed certificate into the keystore file (loginvault.ks).
    2. Create the key and certificate request file with Java keytool for loginvault.ks (keystore), implement the trusted certificate chain in the cacerts (truststore) file for TrueSight Presentation Server (Java keytool based process), and import the signed certificate into the keystore file (loginvault.ks).
    3. Replace the signed certificate in TrueSight Capacity Optimization.
    4. Enable TLS 1.2 in TrueSight Capacity Optimization.

    When working on these topics, consider the following points to avoid unnecessary problems.
    • Run java -version before running keytool. It is important that Java version 1.7 or higher is used; older versions do not support the certificate attribute “subject alternative name dns”.
    • The “subject alternative name dns” in the certificate request file is the most important attribute. It must match the FQDN used by the remote application or browser to access the listening application.
    • Using multiple “subject alternative name dns” entries on a single certificate is possible.
    • If the TSCO environment has multiple web components accessed through a load balancer name, it is possible to use a single certificate and private key by using a “subject alternative name dns” attribute with the FQDN of each host, including the load balancer name if used.
    • It is also possible to use the same private key keystore file (loginvault.ks) in TSPS and RSSO if a “subject alternative name dns” exists for each server FQDN; always include the load balancer name or alias names.
    • A single private key and certificate can be used on many servers if the underlying TLS application is the same. Apache HTTPD and Java based application servers such as Tomcat are different technologies.
    • If company policy allows, the recommendation is to create one private key and certificate request file for RSSO and TSPS using keytool and use it in both applications, with proper “subject alternative name dns” attributes for each server. Create another private key and certificate request file for TSCO using openssl, and set proper “subject alternative name dns” attributes for all web components, including load balancer names.
    • Stop the application before replacing files; the private keys are only read when the application starts. Replacing the key and certificate while the applications are running may leave the applications unable to stop, so that the process has to be killed.
    • Restart the browser after the service has been started. The browser reads the certificate when it connects to the site; if the browser remains running, it shows the old certificate even though the certificate was renewed.
    • Prepare the files outside the directory, somewhere else in the file system. Do not touch any existing files, and keep them as a backup in case anything in the certificate request procedure goes wrong.
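
    The “subject alternative name dns” points above, shown as an added example that is not part of the BMC article or documentation: it builds a CSR with openssl that lists several FQDNs and then checks the CSR for any name clients will use that is missing. All hostnames, file names and function names are constructed; the product-specific commands are in the documentation references.

```shell
#!/bin/sh
# Added example. Hostnames, file names and function names are constructed.

# make_csr OUTDIR CN FQDN...  -> writes OUTDIR/tsco.key and OUTDIR/tsco.csr
make_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir" || return 1
    cnf="$outdir/csr.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[ext]\nsubjectAltName = @san\n[san]\n'
        i=1
        for name in "$@"; do          # one DNS.n entry per FQDN
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
    # -nodes leaves the key unencrypted (assumption: the web server starts
    # without a passphrase prompt); umask 077 keeps the key owner-only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
          -keyout "$outdir/tsco.key" -out "$outdir/tsco.csr" )
}

# csr_missing_names CSR FQDN...  -> prints every FQDN absent from the CSR's SAN
csr_missing_names() {
    csr=$1; shift
    sans=$(openssl req -in "$csr" -noout -text | tr ',' '\n' |
           sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qixF -- "$name" || printf '%s\n' "$name"
    done
}

# Demo: two web hosts behind one load balancer name (all constructed).
tmp=$(mktemp -d)
make_csr "$tmp" tsco.example.com \
    tsco-web1.example.com tsco-web2.example.com tsco.example.com
# Names clients will use; tsco-dh.example.com was left out of the CSR on purpose.
csr_missing_names "$tmp/tsco.csr" tsco-web1.example.com tsco-web2.example.com \
    tsco.example.com tsco-dh.example.com      # prints tsco-dh.example.com
```

    Running the check before the request goes to the CA catches a missing load balancer or alias name while it is still cheap to regenerate the CSR.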
    Documentation References

    Implementing private certificates in the Remedy Single Sign-On Server
    Implementing private certificates in the TrueSight Presentation Server
    Creating a request for a CA-signed certificate for TrueSight Capacity Optimization
    Installing a CA-signed certificate into the embedded web server in TrueSight Capacity Optimization
    Securing communication between product components in TrueSight Capacity Optimization (TLS 1.2)

    Version differences
    • TrueSight Capacity Optimization 10.x does not support an alternative location for the certificate and private key files as explained in the 4th documentation reference.
                For this version it is recommended to replace the existing private key and certificate in $BCO_HOME/3rd_party/apache2/pki/tls/private and $BCO_HOME/3rd_party/apache2/pki/tls/certs. It is strongly recommended to stop the services beforehand and to take a backup of the files. An update to version 11.x will overwrite these files and replace them with self-signed certificates. It is required to restore the signed certificates after the update.
    • TrueSight Capacity Optimization 11.x does support an alternative location for the certificate and private key files as explained in the 4th documentation reference, but there is a defect that causes these files not to be used.
                The custom_ssl.conf file is not read. Fixing this issue requires a modification in $BCO_HOME/3rd_party/apache2/conf/3rd_party/apache2/conf/bco-vhost.conf; please back up the file before modifying it. At the top of the file, check the SSL configuration; it requires this content:

           <IfModule !mod_ssl.c>
               #load SSL configuration only if file exists
               IncludeOptional conf/ssl.con[f]
               IncludeOptional ../../secure/httpd/conf/custom_ssl.conf
           </IfModule>

            The bco-vhost.conf file will get overwritten when installing a Service Pack or when updating between 11.x versions; it is recommended to check the file after updates.

    • TrueSight Capacity Optimization 22.00 does support the alternate file location; when it was implemented as documented under documentation reference 4, the signed certificate remains active after an update to 20.x.


