How to configure TLS for OBM

Hi Experts,

Can anyone give me detailed steps on how to configure SSL in OBM using a CA certificate (not self-signed), and after installation, not during it? I can't see enough explanation for it in the documentation, and this causes some confusion for me at this point.

Thanks


    Hello,

    Please run up the interactive installation guide (e.g. https://docs.microfocus.com/idoc/Operations_Bridge_Manager/24.2/Install/OBMInstall-245126) and look for "Configure TLS" (below).

    Thanks.

    Configure the TLS setup

    This section is applicable to data processing servers and gateway servers.
    The TLS Setup page enables you to configure OBM to accept only secure connections to its web server and the JMX consoles. If you don't want to use HTTPS (not recommended), clear the Enable HTTPS option.
     
    • By clearing the Enable TLS check box, you are disabling or bypassing security features, thereby exposing the system to increased security risks. By using this option, you understand and agree to assume all associated risks and hold us harmless for the same. It's recommended to enable TLS.
    • Your TLS setup should be consistent for every server.
    • You must enable TLS if you are using the MS Azure SQL Database.
    If your company uses a certification authority (CA) that can generate certificates for OBM, click the Upload certificates option. Alternatively, click OBM-generated certificates to make OBM generate the certificates required for the configuration.
     For maximum security, we recommend using the certificates that were issued by the certification authority of your company.
    If you choose to use OBM-generated certificates, make sure to establish trust in the web browser from which you will log on to OBM. For instructions on how to do that, see Establish Trust in the Browser.

    Recommended. Upload custom certificates

    Follow the steps below:

    1. Obtain server certificates from your CA. Generally, server certificates must be issued to the name of the external access point (FQDN) of OBM. This is the name that users and data collectors use to access OBM. The SubjectAlternativeName field of the certificate must contain the FQDN of the system for which the certificate is issued and the external access point. For more information on this, see Obtain server certificates from a CA.
    2. Make sure Enable HTTPS is selected.
    3. Click Upload certificates and then click Next.
      If you have configured non-root user, make sure that the non-root user has read access for all the certificates.
    4. In the Certificate Upload page, specify the certificates you received from the CA used by your company:
      1. Specify the server certificate issued for the server you are currently configuring. The uploaded file must include only the certificate and the private key and must be in .p12 or .pfx or .pem format. Enter the password for the .p12 or .pfx file. If you have a .pem file, leave the Password field empty.
      2. Specify the CA root certificate (PEM format).
      3. (Optional) Specify the certificate chain without the root CA if the server certificate was issued by a subordinate CA. The certificate file must be PEM encoded. Click Clear to remove the selected file.
    5. Click Next to continue.

    Use certificates generated by OBM

    Follow the steps below:

    1. Make sure Enable HTTPS is selected.
    2. Make sure OBM-generated certificates is selected and click Next.
    3. (Optional) On the OBM Certificate Generation page, you can customize the key options and contents of the certificates generated by the CA. You can define certificate settings for the OBM root CA and for the OBM server for which the certificate is issued:
      • Key length: Size of the RSA key.
      • Certificate validity (days): Time period after which the issued certificates will expire.
      • Organization: Legal name of your business or organization.
      • Country: Country where your business is registered with the government.
      • Common name: Name of the CA that issues the certificates.
    4. Click Next to continue.

    Configure Client Certificate Authentication

    This section is applicable to each gateway server.

    The Client Certificate Authentication page enables you to configure OBM to require a client certificate when users log on to OBM or when web services connect to OBM. Depending on the deployment type, you can configure OBM to authenticate the client on the OBM web server or, if available, on the load balancer.

    Don't enable client certificate authentication if you are configuring OBM for the first time. Before enabling client certificate authentication, OBM must be already configured and the root (Linux) or administrator (Windows) user must exist.

    No client certificate based authentication (default)

    Make sure the No client certificate based authentication option is selected if this type of security isn't required in your environment or if you want to configure client authentication later. 

    Authentication on OBM web server

    1. Click Authentication on OBM web server.
    2. Select the certificate of the CA that issued the client certificate. The certificate file must be PEM encoded.
    3. Choose how OBM checks whether the client certificate has been revoked:
      • None: doesn't check the revocation status.
      • OCSP URL from certificate: OBM sends an OCSP request to the URL provided in the client certificate and evaluates the OCSP response to determine the revocation status of the certificate.
      • Local CRL file (PEM format): checks the revocation status in a CRL file local to the gateway server. Make sure the CRL file on the gateway server is the latest one available from your CA.
    4. Specify the certificate data that's used for authentication:
      • Attribute used to identify users: Use the drop-down list to select the attribute that OBM uses to identify users, for example, SubjectDN or SubjectAlternativeName.
      • Relevant element of attribute field (for example, CN): Specify the element of the attribute that OBM uses to identify users, for example, CN.
    5. (Optional) Click Enforce use of smart card certificates to configure OBM to always require a smart card when a user logs on.
    6. Click Next to continue.

    Authentication on load balancer

    1. Click Authentication on load balancer.
    2. Specify the certificate data that's used for authentication:
      • Attribute used to identify users: Use the drop-down list to select the attribute that OBM uses to identify users, for example, SubjectDN or SubjectAlternativeName.
      • Relevant element of attribute field (for example, CN): Specify the element of the attribute that OBM uses to identify users, for example, CN.
    3. (Optional) Click Enforce use of smart card certificates to configure OBM to always require a smart card when a user logs on.
    4. Click Next to continue.

    Configure general OBM connection settings

    On the Connection Settings page, you can configure the URL that users use to access OBM.

    This section is applicable to each gateway server only. The configuration wizard displays the Connection Settings page only during the configuration of a single server or gateway server. The page isn't shown during the configuration of a data processing server.

    Follow the steps below:

    1. In the Web server, in Port, enter the port for the web server that you want to use with your OBM deployment.

      OBM installs Apache HTTP Server on all gateway servers during the installation. By default, OBM runs Apache HTTP Server so that it listens on port 443 (HTTPS). Click Check Port to verify the connection to the web server. If the default port is already in use, specify a different port.

    2. In the OBM URL, update the port number in the OBM URL if the default web server port is changed. An example of the updated URL is obmweb.company.com:8000. Update the value of the URL text box with the fully qualified domain name and the port number of the load balancer.

    3. (Optional) You can update the OBM URL in the URL text box with a short hostname, for example, https://obmweb:443 or http://obmweb:80. If you configure a short hostname, the mandatory domain parameter value in Infrastructure settings is set to false. If you configure a fully qualified domain name, the mandatory domain parameter value is set to true.

    4. To access OBM with a short host name, add the host name and IP address of OBM in the following file:

      etc/hosts

      You can't change the OBM URL in the configuration wizard after the initial configuration. Instead, change the setting Default Virtual Gateway Server for Data Collectors URL in Infrastructure Settings > Foundations > Platform Administration.
    5. Click Next.

    --
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button
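The OpenSSL side of step 1 and step 4.1 of "Upload custom certificates" above, as an added example that is not part of the OBM documentation or of the answer: it creates the key pair and a CSR whose SubjectAlternativeName carries both the gateway FQDN and the external access point, checks the issued certificate's SAN before upload, and packages only the certificate and key into the .p12 that the Certificate Upload page expects. The host names, organization and the throwaway demo CA are constructed for the example; with a real company CA you send server.csr to the CA and skip demo_ca_sign.

```shell
#!/bin/sh
# Added example, not OBM's own tooling: OpenSSL commands for step 1 and
# step 4.1 of "Upload custom certificates". Names are constructed:
# obm-gw.example.com is the gateway FQDN, obmweb.example.com the
# external access point (load balancer name) users and collectors use.
set -eu

# Step 1: private key and a CSR whose SubjectAlternativeName lists both
# the server's own FQDN and the external access point. Send the CSR to
# your company CA; the private key never leaves the server.
make_obm_csr() {
  host=$1; access_point=$2; dir=$3
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host/O=Example Org/C=US" \
    -addext "subjectAltName=DNS:$host,DNS:$access_point"
}

# Pre-upload check: the issued certificate must carry the expected name
# in its SAN, otherwise browsers and data collectors will reject it.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Step 4.1: the upload must contain only the server certificate and its
# private key, so build the .p12 without -certfile (the root CA and any
# intermediate chain are uploaded as separate PEM files).
make_obm_p12() {
  dir=$1; password=$2
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
    -out "$dir/server.p12" -passout "pass:$password"
  # sanity check: exactly one certificate inside the bundle
  n=$(openssl pkcs12 -in "$dir/server.p12" -passin "pass:$password" \
      -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 1 ]
}

# Stand-in for the company CA so the example runs offline (constructed;
# in production the CA signs server.csr and returns server.crt).
demo_ca_sign() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$2" "$3" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}
```

The password passed to make_obm_p12 is the one you enter in the Password field of the Certificate Upload page; the CA's root certificate (ca.crt here) goes into the separate CA root certificate field in PEM format.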

  • In reply to:

    Thank you for your reply, but I mean if I want to do this using commands like openssl and keytool, beginning from the step of creating a key pair until creating the SSL certificate, instead of the configuration wizard.