how do you access the appservers to get to the dashboard and the rcp login? do you use a vip/load balancer or do you connect directly to each appserver w/ its hostname?
Right now, we connect directly to each appserver (we connect to the console and launch the health dashboard from the console). In the future we will probably use a vip (we have 2 conf servers / 4 job servers).
you need to use the same keystore on all systems, and to let the browser validate the cert, the name in the cert needs to match the url. you can have a cert w/ multiple names in it w/ Subject Alternative Name (SAN), but i'm not sure if that works w/ the bladelogic.keystore - it looks like you can use the '-ext' option w/ keytool when you generate the csr: https://stackoverflow.com/questions/30755220/how-to-create-csr-with-sans-using-keytool
so for the direct connection I would try something like:
keytool -genkey -alias blade -keyalg RSA -keystore bladelogic.keystore -storepass password -keypass password -dname "CN=blapp894.example.com" -validity 1000 -keysize 2048 -sigalg SHA256withRSA -storetype jks
keytool -certreq -alias blade -keystore bladelogic.keystore -storepass password -keypass password -file myCSR.csr -ext SAN=dns:blapp894.example.com,dns:blapp894-1.example.com,dns:blapp894-2.example.com
get that signed, import it back into the keystore w/ the instructions on the page you mentioned, and then copy that keystore to all the appservers. the san will let the cert validate against the correct hostname and it will be signed by your ca.
i'm not 100% sure the appserver will work w/ the san stuff in place, so I would try that in a test env w/ a couple of appservers to make sure they can still talk to each other w/ the san cert in place, since the cert/key in the keystore is used to encrypt appserver <-> appserver communication.
if you are using a vip, then just use the vip name in the genkey command and you don't need to worry about the san stuff.
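To check the point made above (the browser only accepts the cert if the hostname you typed appears in the SAN list, or in the CN when there is no SAN), here is an added example, not from this thread or from BMC: it reproduces that name-matching rule in Python on a constructed cert shaped like what `ssl` returns from `getpeercert()`, and `fetch_cert` pulls the real leaf cert from a live appserver (host, port and CA file are whatever your environment uses) so you can run the same check against each appserver before rolling the keystore out.

```python
import socket
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(), as a cert
# issued from the SAN-style CSR above would look (hostnames are assumptions).
SAMPLE_CERT = {
    "subject": ((("commonName", "blapp894.example.com"),),),
    "subjectAltName": (
        ("DNS", "blapp894.example.com"),
        ("DNS", "blapp894-1.example.com"),
        ("DNS", "blapp894-2.example.com"),
    ),
}


def cert_dns_names(cert):
    """Names a browser will accept: the DNS SANs if present, otherwise the CN."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):          # legacy CN-only fallback
        for key, value in rdn:
            if key == "commonName":
                return [value.lower()]
    return []


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard only as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) > 2 and labels[1:] == pattern[2:].split(".")


def unmatched_hosts(cert, hostnames):
    """Appserver names this cert would NOT validate for (the 'not secure' cases)."""
    names = cert_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def fetch_cert(host, port, cafile):
    """Fetch a live server's cert, verifying the chain against your CA but not the
    hostname, so the name check above can be run on what is actually served."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False                   # we do the name check ourselves
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

`unmatched_hosts(fetch_cert(h, port, "company-ca.pem"), [h])` for each appserver name tells you which ones still need to be added to the SAN before the keystore is copied around.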
If I do a test on my Dev environment, how can I roll back if it does not work?
Beforehand, should I make a backup of only the files "bladelogic.keystore" and "cacerts", and on which server?
What are the steps and the commands to go back?
make a copy of the existing bladelogic.keystore, and i'm assuming you know the password for it... so if something doesn't work, just put the old file back into place, set the password w/ blasadmin and start the appserver.
We followed the process given in the provided URL to configure a CA-signed certificate for the health dashboard URL. Configuration is successful for the Application Server and client, but for the health dashboard it is showing that the connection is not secure.
Below is the URL used for the configuration:
Open a case with BMC Support if you can; they helped me last time.
To summarize: if you have a CA in your company, you should have only one certificate, issued by your internal Certificate Authority and registered on your main TSSA App Server (probably your main Conf Server), and then this same certificate should be copied/registered (keytool) on each App Server to allow all App Servers to communicate together.
After this, if you open the health dashboard from your TSSA console connected to your main conf, that works with no more errors. But you will continue to have the same error when you are connected in the TSSA console from another App Server, as the certificate used comes from your main conf.
Check with BMC Support what the best practice is to create a Virtual IP / CNAME, generate a new certificate and again register it on all App Servers.