Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.

Using KeyStore Explorer to exchange trusted certificates between RUM and APM Servers

Micro Focus Frequent Contributor
Micro Focus Frequent Contributor
5 0 3,459

The information in this document is useful when you create HTTPs communication between a RUM Engine server and an APM/BSM server. Detailed steps for generating and exchanging certificates are described in the RUM Hardening Guide. This document showcases the use of an external tool, KeyStore Explorer, to add trusted self-signed certificates to the RUM Engine as well as APM Gateway servers. KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface. This can be used freely under the terms of GNU General Public License version 3. Being a visual tool, KeyStore Explorer enables easy analysis and modifications of TrustStores, thereby simplifying the overall hardening process.


By default, the RUM Engine connects to the APM Gateway server using HTTP connections (and vice versa). This connection can be hardened to use HTTPS. Enabling HTTPS between any client and a server involves the following tasks:

  • Getting the server to work with HTTPS connections and, in the process, serve up its public certificate
  • Getting the client to trust the certificate served by the server

For the first task, refer to the Hardening Guides for APM and RUM:

  • APM 9.31 Hardening Guide (Chapter 4)
  • Real User Monitor 9.31 Hardening Guide (Chapter 7)

The steps listed below explain how the second task (Getting the client to trust the certificate served by the server) can be easily accomplished. 

Exporting APM/BSM Certificate

Step 1

Open the supported browser and browse to the server with HTTPS as shown in the examples below.

https://<hostname>:443/topaz/ (Replace <hostname> with your server name – BSM/APM Server name)

https://<hostname>:8443/rumwebconsole/ (Replace <hostname> with your server name – Data collectors like RUM)

Step 2

a.    Click the Certificate section as shown in the screenshot below. A Certificate window appears.


b.    Click the Details tab.

c.    Click Copy to File.

d.    Click Next.

e.    Select Base 64 encoded x.509 (.CER).


 f.    Click Next.

g.    Click Browse and enter a meaningful name (e.g., APM_cert) to save the file locally.

h.    Click Next.

i.     Click Finish to save the file. The export was successful message appears.


Importing the APM/BSM Certificate into the RUM Engine

Step 3

Copy the saved/downloaded certificate (e.g., APM_cert) to the RUM Engine server.

Step 4

Download KeyStore Explorer from the internet. (The current version is 5.2.2) and install it on the RUM Engine server.

Step 5

Open KeyStore Explorer which is installed in the RUM Engine server and click Open an existing KeyStore. If you are unable to open KeyStore Explorer by double-clicking, issue the following command in a command prompt under c:\Program Files (x86)\KeyStore Explorer 5.2.2:

java -jar kse.jar

Step 6

When you click Open an existing KeyStore, you will be asked to browse to the location of the KeyStore. For RUM, it is in <RUM_HOME>\JRE\lib\security\cacerts.

Step 7

Enter the KeyStore password. For the default KeyStore password, search the APM 9.31 Hardening Guide for the default value of “storepass”.

Step 8

a.    When the KeyStore for the cacerts opens, drag and drop the APM_cert to the KeyStore window and click Import.

b.    Keep the Enter Alias field intact and click OK.



Step 9

a.    Click OK in the Import screen and make sure that the certificate is imported in the KeyStore.

b.    Click Save.



Step 10

Close the KeyStore Explorer window and restart the RUM Engine services.

Step 11

a.    In RUM, click Configuration > APM Configuration Settings. The Application Performance Management Connection Settings page appears.

b.   Click Test RTSM password. A pop-up message appears that confirms a successful HTTPS connection between APM/BSM to RUM Engine.


Exporting the RUM Certificate

To complete the HTTPS settings, you need to export the certificate from the RUM Engine server and import it to APM/BSM server.

Step 12

Download the RUM Engine certificate as described in Step 1 and Step 2. Browse to the RUM Engine server URL using HTTPS.

https://<hostname>:8443/rumwebconsole (Replace ‘hostname’ with RUM Engine Server name)

Importing the RUM Engine Certificate to APM/BSM:

Step 13

Install KeyStore Explorer in the APM/BSM server. In the KeyStore Explorer, open cacerts which is located in the <APM HOME >/JRE/lib/security folder and drag and drop the RUM certificate as described in Step 8 and Step 9.

Step 14

You also need to update the RUM certificate for cacerts which is located in the <APM HOME>/JRE64/lib/security folder. (cacerts file under both JRE and JRE64 should be updated with RUM certificate)

Step 15

Restart the APM/BSM services in the Gateway server. The two way communication for the RUM Engine to APM/BSM is in place.


a.    Step 11 validates a successful HTTPS connection from the RUM Engine to the BSM/APM server.

b.    To validate the connection from BSM/APM to the RUM Engine, on BSM/APM, try to open the RUM Session Analyzer report which is located under Applications > End User Management. The report is displayed if you have populated data. Otherwise you will see a No data message. Either of these outputs indicate that there is successful HTTPS communication between the servers.

c.    If there are problems with the connection, you will see an error as shown below. 


d.    You can refer to the ‘config.manager’ log file under C:\HPRUM\log for RUM and the 'gdeGatewayClient' log file under C:\HPBSM\log for BSM/APM to validate that both servers work seamlessly over HTTPS.

Other Notes:

If you have internal restrictions around installing KeyStore Explorer on the RUM Engine or APM/BSM servers, you can install it on any other server. In that case, you need to download the cacerts file from the RUM and BSM/APM servers, import the relevant certificates, and replace the updated cacerts file in the corresponding file location on each server.

About the Author
Praveen is currently working in HPE RUM (Real User Monitor) product as a QA Engineer from last 1+ year. Prior working with RUM Praveen has experience in testing different products in NMC portfolio like NNM, NA and different iSPIs. Apart from the testing experience Praveen is CCNA (Cisco Certified Network Associate) certified and has expertise in Computer network administration, networking devices setup and configurations.
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.