BMC Atrium SSO SSL Implementation and Best Practices – Part 3

In the previous blogs we discussed enabling SSO for BMC products and generating and signing an SSL certificate. In this part we discuss how to configure Tomcat with the SSL certificate.


Configure Tomcat with SSL

1. Stop the Tomcat service.

2. Go to the Tomcat installation directory and take a backup copy of the server.xml file.

3. Find the following section and edit it as follows.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
              maxThreads="300" scheme="https" secure="true"
              maxHttpHeaderSize="32768"
              clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
              keystoreFile="D:\Program Files\BMC Software\AtriumSSO\tomcat\conf\keystore.p12"
              keystorePass="changeit"
              keyAlias="AtriumSSO"
              truststoreFile="D:\Program Files\BMC Software\AtriumSSO\tomcat\conf\cacerts.p12"
              truststorePass="changeit"
              truststoreType="PKCS12" />

If you don't want Tomcat to use the default SSL port, change every instance of the port number "8443" to your custom port.

4. Start Tomcat.

Note: Because of the Logjam vulnerability (https://weakdh.org/), modern browsers dropped support for weak Diffie-Hellman key exchange, so you may receive an ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error in Chrome (>v45) and Firefox (>v39). You can disable the weak ciphers in the Tomcat server.xml as shown above.
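As an added check that is not part of the original post, and not BMC's or Tomcat's own tooling, the following Python script parses a server.xml like the one in step 3 (a constructed sample embedded in the script, carrying the cipher list exactly as written above) and reports what a reviewer would want to know before restarting Tomcat: the RC4 and SSLv3-era suite names that sit in the list despite the note above, suites without forward secrecy, a .p12 keystore used without keystoreType="PKCS12" (Tomcat assumes JKS unless told otherwise), the default "changeit" store passwords, and a missing sslEnabledProtocols attribute. The cipher-name markers, severities and finding texts are the script's own assumptions, not Tomcat settings.

```python
"""Lint a Tomcat server.xml HTTPS Connector for weak TLS settings.

Added example (not BMC's or Tomcat's code). Parses each <Connector> with
SSLEnabled="true", flags cipher suites that should not be offered, and checks
the keystore-related attributes.
"""
import xml.etree.ElementTree as ET

# The cipher list as given in step 3 of the post, unchanged.
PAGE_CIPHERS = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
                "TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,"
                "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, "
                "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA")

# Constructed sample server.xml: the Connector from the post plus a plain HTTP
# connector that the audit must skip. Not a real file from any installation.
SAMPLE_SERVER_XML = rf"""<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="300" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="{PAGE_CIPHERS}"
               keystoreFile="D:\Program Files\BMC Software\AtriumSSO\tomcat\conf\keystore.p12"
               keystorePass="changeit" keyAlias="AtriumSSO"
               truststoreFile="D:\Program Files\BMC Software\AtriumSSO\tomcat\conf\cacerts.p12"
               truststorePass="changeit" truststoreType="PKCS12" />
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  </Service>
</Server>
"""

# Substrings (assumed markers) that make a JSSE suite name unacceptable.
REJECT_MARKERS = (
    ("RC4", "RC4 is prohibited (RFC 7465)"),
    ("_DES_", "single DES"),
    ("3DES", "3DES is vulnerable to Sweet32"),
    ("_NULL_", "NULL cipher offers no confidentiality"),
    ("_anon_", "anonymous key exchange offers no authentication"),
    ("EXPORT", "export-grade key sizes (FREAK/Logjam)"),
    ("_MD5", "MD5-based MAC"),
)
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
DEFAULT_STORE_PASSWORD = "changeit"


def split_ciphers(value):
    """Tomcat accepts a comma-separated list; whitespace around names is allowed."""
    return [c.strip() for c in value.split(",") if c.strip()]


def classify_cipher(suite):
    """Return (severity, reason) pairs for one suite name; [] means clean."""
    issues = [("reject", why) for marker, why in REJECT_MARKERS if marker in suite]
    if suite.startswith("SSL_"):
        issues.append(("reject", "SSLv3-era suite name"))
    if not suite.startswith(FORWARD_SECRET_PREFIXES):
        issues.append(("warn", "static RSA key exchange: no forward secrecy"))
    return issues


def hardened_list(suites, require_pfs=True):
    """Keep only suites with no 'reject' issue (and no 'warn' issue if require_pfs)."""
    blocked = {"reject", "warn"} if require_pfs else {"reject"}
    return [s for s in suites
            if not any(sev in blocked for sev, _ in classify_cipher(s))]


def audit_connector(conn):
    """Return findings (port, subject, severity, reason) for one <Connector>."""
    a = conn.attrib
    if a.get("SSLEnabled", "false").lower() != "true":
        return []  # plain HTTP connector: nothing TLS-related to check
    port = a.get("port", "?")
    findings = []
    for suite in split_ciphers(a.get("ciphers", "")):
        for sev, why in classify_cipher(suite):
            findings.append((port, suite, sev, why))
    # Tomcat assumes a JKS keystore unless keystoreType says otherwise.
    if (a.get("keystoreFile", "").lower().endswith(".p12")
            and a.get("keystoreType", "JKS").upper() != "PKCS12"):
        findings.append((port, "keystoreType", "warn",
                         "keystore is a .p12 file but keystoreType is not PKCS12"))
    for attr in ("keystorePass", "truststorePass"):
        if a.get(attr) == DEFAULT_STORE_PASSWORD:
            findings.append((port, attr, "warn", "default store password"))
    # sslProtocol="TLS" alone lets the JRE decide which TLS versions to offer.
    if "sslEnabledProtocols" not in a:
        findings.append((port, "sslEnabledProtocols", "warn",
                         "not set; JRE defaults may still offer TLSv1.0/1.1"))
    return findings


def audit_server_xml(xml_text):
    """Audit every SSL-enabled Connector in a server.xml document string."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for port, subject, sev, why in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: [{sev}] {subject}: {why}")
```

Point audit_server_xml() at the contents of the real server.xml to audit an installation. hardened_list() returns the subset of a list that passes; applied to the list from step 3 it keeps only the four TLS_ECDHE_RSA_WITH_AES_* suites, which is the list the Logjam note above is aiming at, while require_pfs=False keeps the TLS_RSA_* suites too for clients that cannot negotiate ECDHE.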

BMC Analytics SSO Agent Manual Deployment

If you run the Atrium SSO integration installer against a Tomcat with a customised port, the installer may not be able to determine the Tomcat port number. In that case you can run the following command to deploy the Atrium SSO agent manually (shown with cmd.exe line continuations; enter it as one line otherwise). After executing the command, log in to the SSO Admin console and verify the agent's status.

"C:\Program Files (x86)\BMC Software\BMCAnalyticsForBSM\BSMAnalytics\jvm\jre\bin\java.exe" -jar deployer.jar ^
  --container-type TOMCATv7 --install ^
  --atrium-sso-url https://<Atrium SSO URL>:8443/atriumsso ^
  --container-base-dir "D:\Program Files (x86)\SAP BusinessObjects\tomcat" ^
  --admin-name amadmin --admin-pwd <admin password> ^
  --web-app-url https://<ANALYTICS URL>:8443/BI ^
  --web-app-logout-uri "https://<Atrium SSO URL>:8443/atriumsso/UI/Logout?realm=BmcRealm"
