This knowledge article may contain information that does not apply to version 21.05 or later, which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

Configure Developer studio to use SSL

In order to get DevStudio to work with an SSL version of BAO (which is the default in more recent versions), it is necessary to add the public key of the BAO CDP server into the AR DevStudio Java Runtime Environment.

These instructions are based on BAO 78 running on Linux and AR DevStudio on Windows, but can be adapted for other use cases:

1. First find the conf directory for your CDP, e.g.

    [root]# cd /opt/bmc/BAO/CDP/tomcat/conf
    [root]# pwd
    /opt/bmc/BAO/CDP/tomcat/conf

2. Now run the keytool command to view the certificates (Default keystore password is changeit):

    [root]# /opt/bmc/BAO/CDP/jvm/bin/keytool -list -keystore .keystore
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    tomcat, Jun 14, 2016, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 4B:D1:6A:C6:7C:8B:8D:00:9D:64:64:0C:26:8D:E5:C8:2C:7A:90:78
    [root@t2 conf]#

3. Now export the certificate:

    [root@t2 conf]# /opt/bmc/BAO/CDP/jvm/bin/keytool -export -keystore .keystore -alias tomcat -file tomcat.crt
    Enter keystore password:
    Certificate stored in file <tomcat.crt>

4. Copy the tomcat.crt to the AR DevStudio server via scp or whatever means are available.

On the DevStudio server, find the Java instance used by DevStudio (you will need to look in the DevStudio.ini file), e.g.

    -vm
    C:/Program Files/Java/jre1.8.0_91/bin/javaw.exe
    -startup
    plugins/org.eclipse.equinox.launcher_1.3.100.v20150511-1540.jar
    --launcher.library
    plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.300.v20150602-1417
    -vmargs
    -Xms512m
    -Xmx2048m
    -XX:MaxMetaspaceSize=128m

So the JVM is in the C:/Program Files/Java/jre1.8.0_91 directory.

Start a command prompt with Administrator rights (otherwise you will not be able to update the cacerts file), and then import the certificate (this assumes that you have copied the tomcat.crt to the d:\temp directory on this machine):

    C:\> cd C:\Program Files\Java\jre1.8.0_91\lib\security
    keytool -import -trustcacerts -alias tomcat -file d:\temp\tomcat.crt -keystore cacerts

5. Now check that it has loaded:

    C:\Program Files\Java\jre1.8.0_91\lib\security>keytool -list -keystore cacerts | findstr tomcat
    Enter keystore password: changeit
    tomcat, 15-Jun-2016, trustedCertEntry,

For Dev studio
Configure ARS to use SSL

Go to the devstudio.ini file and add the following lines at the end of it:

    -Djavax.net.ssl.trustStore=C:\temp\cacerts
    -Djavax.net.ssl.keyStorePassword=changeit
    -Djavax.net.ssl.keyStoreType=JKS

For ARS

Modify the arserverd.conf file (ARSystem installation directory/bin) to add the JVM parameters:

    jvm.option.XX=-Djavax.net.ssl.trustStore=/home/remedy/cacerts
    jvm.option.XX=-Djavax.net.ssl.keyStorePassword=changeit
    jvm.option.XX=-Djavax.net.ssl.keyStoreType=JKS

Note: jvm.option.XX continues the existing parameter numbering, e.g. if the last entry is jvm.option.19, add the new options as jvm.option.20 and so on.

If you want to add the same public certificate to the AR server, for AR 9.x this needs to be added into the Java cacerts file in a similar way to the above instructions for AR DevStudio. You can use the same tomcat.crt file exported for DevStudio.

This example is for an AR server on Linux:

1. Copy the exported certificate file (e.g. tomcat.crt) to the AR Server, e.g. in the root folder for root (/root/tomcat.crt).

Then find the Java used for ARS:

    [root@t2 ~]# ps -ef | fgrep -i ars
    root 2432 1 0 Jun30 ? 00:03:46 /usr/java/default/bin/java -Xmx512m -Djava.lib.path=. -classpath .:/opt/bmc/ARSystem/bin/arapi-91_build001.jar:/opt/bmc/ARSystem/bin/log4j-1.2.17.jar:/opt/bmc/ARSystem/bin/armonitor-9.1.00-SNAPSHOT.jar com.bmc.arsys.armonitor.ARMonitorDaemon
    root 2453 2432 0 Jun30 ? 00:03:32 /usr/java/default/bin/java -jar /opt/bmc/ARSystem/bin/arserver.jar -s t2 -i /opt/bmc/ARSystem -l /etc/arsystem/t2

From this we can see Java is under /usr/java/default.

2. Use keytool to import the certificate.

    [root@t2 ~]# /usr/java/default/bin/keytool -import -trustcacerts -alias tomcat -file /root/tomcat.crt -keystore cacerts
    Enter keystore password:
    Certificate was added to keystore

Note: The AR Server must then be restarted for the new public certificate to be loaded.
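
Because each keytool -import step above makes a JVM trust whatever is in tomcat.crt, the copied file can first be checked against the fingerprint that keytool -list printed on the CDP. The Python sketch below is an added example, not part of the BMC article; its function names are hypothetical and the certificate bytes in its demo are constructed placeholders.

```python
import base64
import hashlib
import re

# Entry header, e.g. "tomcat, Jun 14, 2016, PrivateKeyEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),.*?,\s*(?P<kind>\w+Entry),\s*$")
# Fingerprint line, e.g. "Certificate fingerprint (SHA1): 4B:D1:..."
FP_RE = re.compile(r"^Certificate fingerprint \((?P<alg>[\w-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)$")


def parse_keytool_list(text):
    """Map alias -> (entry type, digest name, fingerprint) from `keytool -list` output."""
    entries, alias, kind = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = ENTRY_RE.match(line)
        if header:
            alias, kind = header["alias"].strip(), header["kind"]
            continue
        fp = FP_RE.match(line)
        if fp and alias:
            entries[alias] = (kind, fp["alg"].replace("-", "").lower(), fp["fp"].upper())
            alias = None
    return entries


def cert_fingerprint(data, alg="sha1"):
    """keytool-style fingerprint of a certificate file, DER or PEM (-rfc) encoded."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    digest = hashlib.new(alg, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_listing(cert_bytes, listing, alias="tomcat"):
    """True only when the file hashes to the fingerprint keytool printed for alias."""
    entry = parse_keytool_list(listing).get(alias)
    if entry is None:
        return False
    _kind, alg, expected = entry
    return cert_fingerprint(cert_bytes, alg) == expected


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: the digest is taken
    # over the raw file bytes, so any byte string exercises the comparison.
    sample = b"constructed-placeholder-der-bytes"
    listing = ("tomcat, Jun 14, 2016, PrivateKeyEntry,\n"
               "Certificate fingerprint (SHA1): " + cert_fingerprint(sample))
    print(matches_listing(sample, listing))          # copy intact
    print(matches_listing(sample + b"x", listing))   # copy altered in transit
```

In practice, pass the bytes of the copied tomcat.crt and the text captured from keytool -list on the CDP, and run the import only when matches_listing returns True.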