BPM Admin Guide: How to Configure TLS Support for BPM with an APM Connection

Posted by yangnigon (Outstanding Contributor):

Hello community,

I have a couple of questions and wanted to get some clarification on some of the instructions in the admin guide.

In the BPM Admin Guide, Chapter 18: Configuring BPM to Run Over a Secure Connection, there is a sub-section called "How to Configure TLS Support for BPM with an APM Connection".

#2 Run the following command to establish trust for each certificate:

Windows:
cd C:\HP\BPM\JRE\bin
keytool -import -trustcacerts -alias <your server> -keystore <truststore path> -file <path to certificate>

Note: The default truststore path is:
<BPM installation directory>\HP\BPM\JRE\lib\security\cacerts

I've typed BPM server and BPM certificate path in <your server> and <path to certificate>, but I am getting an error message as "Keystore was tampered with, or password was incorrect"

As far as I know, I am typing correct password info, but I kept getting an error message. I noticed that there is a cacerts file under \HP\BPM\JRE\lib\security\

Does this mean there is a default password associated with that file?

Can someone clarify what I am missing or doing wrong here?

Thanks,

17 Replies
Reply from yangnigon (Outstanding Contributor):

Here is additional information:

Completed configuring SSL support for BPM admin
Completed configuring URL for Accessing APM with TLS (creating a java keystore and etc).

The question is how to establish TLS between APM and BPM so that these two communicate securely. As indicated in my earlier post, I've looked through the BPM Admin Guide section "How to Configure TLS Support for BPM with an APM Connection"; however, I wasn't able to get this working.

Any suggestions or ideas will be very helpful.

Thanks,

Reply from Micro Focus Expert (Tim):

Hi,

The default password for the cacerts store is "changeit" (this is a java default).

Regards,

Tim

Reply from yangnigon (Outstanding Contributor):

Thanks Tim for response.

Here is the current situation with APM and BPM.

APM is configured to use SSL/TLS with https and I am able to access the APM interface portal. In addition, BPM is configured to use SSL with https and I am able to access the BPM admin portal. However, it looks like the secure connection between APM and BPM isn't quite established, because the BPM admin tree shows a big red sign when using the APM information (GW) in the security setting.

I am little confused by the instructions in the BPM admin guide. It says following:

1. Obtain the root CA certificate, and any intermediate authority certificates if applicable. If there are multiple certificate authorities, combine the certificates in a single file.
2. Run the following command to establish trust for each certificate:
cd C:\HP\BPM\JRE\bin
keytool -import -trustcacerts -alias <your server> -keystore <truststore path> -file <path to certificate>

My question is that #1 says to combine the certificates in a single file and basically make one file (cert). But #2 says to run the command to establish trust for each certificate. This sounds like there are multiple certificates involved.

Can someone please clarify above statement? I feel like I am either misunderstanding or missing something here.

Thanks,

Reply from Micro Focus Expert (Tim):

Hi,

That does sound strange.  Normally (PKI in general, not BSM/BPM specific), you should only need to add the Root certificate into trust stores.  If a server certificate is signed by a lower level certificate server (e.g. an issuing server), then the certificate path points back to the root anyway.  However, that is based on the client's ability to check the certificate chain.  In a proper PKI environment, there should be a web address available to all where CA certificates can be checked (as well as the Certificate Revocation List, and these are listed as extensions in the signed cert), but if that isn't available for any reason (e.g. firewall or it's down), then it's dependent on the server serving the full certificate chain to the client during the TLS negotiation, not just its own server cert.

Anyway, to be safe, you can manually add the root and any intermediate (such as policy / issuing) separately (e.g. different aliases).

Can you confirm the following?

1) Certs for BSM and BPM are CA signed and not self-signed
2) The CA certs (e.g. root and policy/issuing if they exist) are imported into both 32bit and 64bit instances of Java on the BSM Gateway(s) and the BPM(s) (...\lib\security\cacerts)

There are some certificate validation options in the SSL section of the BPM instance configuration.  I recommend trying these to see if it resolves the situation.  If it does, then see which one (could be more than one) allows the connection to work and troubleshoot from there - as you don't want to leave these on.  The options are:

    Validate host names on the server certificate (this could indicate issues with Subject Alternative Names if using a load balancer, or if the cert's Common Name doesn't match the Gateway server)

    Validate that the server certificates are trusted (this could indicate that your BPM instance is not trusting certs signed by your CA, so check the java trust stores again, and include the java client instance that your browser is using when connecting to BPM)

    Validate that the server certificates are not expired (unlikely if this is new, but the certs could have been issued with a short life by mistake)

As BPM is the client and BSM is the server, it's BPM that will establish a connection to BSM (not the other way round - BPM polls BSM, checking if there are any configuration updates), so any issues are likely to be trusting the BSM Gateway certs (or load balancer if there are separate certs).  However, there's no harm in switching BPM back to http on 2696 and testing again if none of the above works.

Regards,
Tim

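Added example (editor's addition, not part of this thread or of the BPM/APM product): the chain-trust behaviour described in the reply above, reproduced with openssl on a throwaway PKI. It assumes a POSIX shell with openssl on the PATH and invents every name it uses ("Example Root CA", "Example Issuing CA", and apm-gw.example.test standing in for the APM Gateway host). It runs the three checks worth understanding before touching any of the "Validate..." options: a client whose trust store holds only the root accepts the gateway certificate only when the intermediate is also presented; putting the intermediate into the trust store as well (the "single file" of step 1, or one keytool -import per certificate) removes that dependency; and a host-name check fails when the name connected to is not in the certificate's SAN.

```sh
#!/bin/sh
# Added example (not from the BPM Admin Guide, this thread, or any Micro Focus
# code). Builds a throwaway root -> issuing CA -> server-certificate chain with
# openssl and shows:
#   1. a trust store holding only the root works only if the server also
#      presents its intermediate;
#   2. trusting root + intermediate (the "single file" of step 1) works even
#      when the server sends its own certificate alone;
#   3. what a "validate host names" check catches (name not in the SAN).
# All names are made up; GW_NAME stands in for the APM Gateway host name.

WORK="${WORK:-$(mktemp -d)}"
GW_NAME="${GW_NAME:-apm-gw.example.test}"

# sign <csr> <ca-cert> <ca-key> <out-cert> <extfile>: issue a certificate.
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 2 -out "$4" -extfile "$5" >/dev/null 2>&1
}

# Build root.pem, int.pem, gw.pem and ca-bundle.pem under $WORK (idempotent).
make_pki() (
  [ -f "$WORK/gw.pem" ] && exit 0
  cd "$WORK" || exit 1
  # Self-signed root CA; openssl's default req config marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1 || exit 1
  # Issuing (intermediate) CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Issuing CA" >/dev/null 2>&1 || exit 1
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  sign int.csr root.pem root.key int.pem int.ext || exit 1
  # Server (APM Gateway) certificate signed by the issuing CA, with a SAN.
  openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
    -subj "/CN=$GW_NAME" >/dev/null 2>&1 || exit 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$GW_NAME" > gw.ext
  sign gw.csr int.pem int.key gw.pem gw.ext || exit 1
  # The "single file" of step 1: root and intermediate together.
  cat root.pem int.pem > ca-bundle.pem
)

# verify_gw <trust-file> [chain-file-the-server-would-send] [expected-host]
# Returns 0 when gw.pem validates against that trust store, i.e. what a
# client such as BPM would decide with that cacerts content.
verify_gw() {
  _opts="-CAfile $WORK/$1"
  [ -n "${2:-}" ] && _opts="$_opts -untrusted $WORK/$2"
  [ -n "${3:-}" ] && _opts="$_opts -verify_hostname $3"
  # shellcheck disable=SC2086  # word-splitting of $_opts is intended
  openssl verify $_opts "$WORK/gw.pem" >/dev/null 2>&1
}

# check <label> <expected: ok|fail> <command...>: print and compare outcome.
check() {
  _label=$1; _want=$2; shift 2
  if "$@"; then _got=ok; else _got=fail; fi
  printf '%-58s -> %-4s (%s)\n' "$_label" "$_got" \
    "$([ "$_got" = "$_want" ] && echo expected || echo UNEXPECTED)"
  [ "$_got" = "$_want" ]
}

# Returns 0 only when every case behaves as the discussion predicts.
demo() {
  make_pki || { echo "openssl PKI setup failed"; return 1; }
  check "trust=root only; server sends leaf only"             fail verify_gw root.pem &&
  check "trust=root only; server sends leaf+intermediate"     ok   verify_gw root.pem int.pem &&
  check "trust=root+intermediate; server sends leaf only"     ok   verify_gw ca-bundle.pem &&
  check "host name check against $GW_NAME"                    ok   verify_gw root.pem int.pem "$GW_NAME" &&
  check "host name check against lb.example.test (not in SAN)" fail verify_gw root.pem int.pem lb.example.test
}

demo
```

Run it as-is to see the five verdicts. To find out which of the first two cases a real gateway is in, `openssl s_client -connect <gateway>:443 -showcerts </dev/null` lists every certificate sent in the handshake; if only the server certificate appears, the gateway is not serving its chain and the intermediate has to be in BPM's cacerts as well (the guide's keytool -import line, once per certificate, each with its own -alias).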
Reply from yangnigon (Outstanding Contributor):

Thanks Tim for your response.

Please see the below comments:
1) Certs for BSM and BPM are CA signed and not self-signed
=> Yes, certs for APM and BPM are CA signed.

2) The CA certs (e.g. root and policy/Issuing if they exist) are imported into both 32bit and 64bit Instance of Java on the BSM Gateway(s) and the BPM(s) (...\lib\security\cacerts)
=> I am not 100% sure about this, but when I went to the folders and looked at the files, the modified dates were the same for both the 32 bit and 64 bit instances of Java. Therefore, I believe the CA certs were imported into both. (By the way, where can I find more information about this in the manuals? I would like to know the side effects if there are any.)

As far as the validation, I've validated the following:
=> validated host names on the server certificates (good)
=> validated the server certificates are trusted (good)
=> validated the server certificates are not expired (good)

Thanks,

Reply from Micro Focus Expert (Tim):

Hi,

The 3 'validate' options are actually tick boxes in the BPM instance SSL section in the BPM web console.  You can experiment with them to see if there are any trust issues with the APM Web server certs.  If ticking some of these boxes fixes the problem, then work out which one(s) and you know what the problem is.  These options bypass basic certificate validation so should only be used for testing purposes in a production environment.

I checked the base BPM 9.30 last night and found that it has Open JDK 1.8 update 66 embedded by default.  This instance's trust store will need your root certificate, and you can check if it has been imported by running the following (assuming default install path to C:\HP\BPM, so change as required for your installation):

   cd \hp\bpm\bin

   keytool -list -keystore ..\lib\security\cacerts |findstr 2018

Enter the default java truststore password when prompted and this will list any certs imported this year.  Run it again with 2017 instead of 2018.  I use the findstr option to search for the year part of the imported date because there are loads of public root certs in there by default.  Nothing new will have been added to this version's trust store this year or last year, so if you don't find any entries with the findstr search option, then it doesn't have your root CA imported.  If the root cert has not been imported, then the BPM instance will not trust the APM Gateway certificates as it doesn't trust your PKI environment.  Run the import command from the BPM doc and restart the BPM service for the change to take effect and test again.

You can use the same approach for the JRE instances on the BSM DP and GW servers if needed.  They have 32bit and 64bit JREs in ...HPBSM\JRE and ...\HPBSM\JRE64.

Regards,

Tim

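Added example (editor's addition, not from this thread or the product): a stricter form of the `keytool -list ... | findstr 2018` check suggested above. Matching the bare string "2018" anywhere in the listing also hits aliases or fingerprints that happen to contain it; the script below parses the `alias, Mon D, YYYY, trustedCertEntry,` lines keytool prints and selects trusted-certificate entries by the year they were added to the store. The listing embedded in it is constructed sample output with made-up aliases and fingerprints; check_cacerts assumes keytool on the PATH and the default "changeit" password unless STOREPASS is set.

```sh
#!/bin/sh
# Added example (not from the thread or the BPM/APM product). Parses the short
# listing format of `keytool -list` and reports trusted-certificate entries by
# the year they were added to the store, instead of grepping for "2018"
# anywhere in the output. SAMPLE_LISTING is constructed sample data with
# made-up aliases and fingerprints; the date column is locale dependent
# ("Sep 8, 2017" is the en_US form keytool prints).

SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

public-root-1, Nov 28, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
public-root-2018, Jun 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
corp-root-ca, Sep 8, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
bpm-server, Sep 8, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD'

# entries_since <year>: reads a keytool listing on stdin and prints
# "alias<TAB>date" for every trustedCertEntry created in <year> or later.
# PrivateKeyEntry lines (the server's own key pair) are skipped: they do not
# make the client trust anything.
entries_since() {
  awk -F', ' -v cutoff="$1" '
    NF >= 4 && $4 ~ /^trustedCertEntry/ && ($3 + 0) >= (cutoff + 0) {
      printf "%s\t%s, %s\n", $1, $2, $3
    }'
}

# aliases_since <year>: the same filter over SAMPLE_LISTING, aliases only,
# space separated, so the result compares as one string.
aliases_since() {
  printf '%s\n' "$SAMPLE_LISTING" | entries_since "$1" | cut -f1 | tr '\n' ' ' | sed 's/ $//'
}

# naive_hits <string>: what a plain `findstr <string>` over the listing counts.
naive_hits() {
  printf '%s\n' "$SAMPLE_LISTING" | grep -c -- "$1"
}

# check_cacerts <path-to-cacerts> <year>: the same filter against a real
# trust store. Needs keytool on the PATH; the JRE default password is
# "changeit" unless STOREPASS overrides it.
check_cacerts() {
  keytool -list -keystore "$1" -storepass "${STOREPASS:-changeit}" 2>/dev/null | entries_since "$2"
}

echo "findstr-style hits for 2018: $(naive_hits 2018)   (yet nothing was imported in 2018)"
echo "trusted entries added since 2016: $(aliases_since 2016)"
```

Against a real store the call is `check_cacerts "C:/HP/BPM/JRE/lib/security/cacerts" 2017` (or the BSM JRE and JRE64 paths); an empty result means nothing has been added to that trust store since the cutoff, so the root CA is not there.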
Reply from yangnigon (Outstanding Contributor):

Thanks Tim for your inputs.

Here is what I've tried so far with your suggestions.

I've played with 3 "validate" options in the BPM Instance SSL section in the BPM web console. I've tried different combinations but none of them worked; therefore it was difficult to point out what's causing the issue.

I've also run the following commands:
keytool -list -keystore HP\BPM\JRE\lib\security\cacerts | findstr 2018 (2017) => BPM
keytool -list -keystore HP\HPBSM\JRE(or JRE64)\lib\security\cacerts | findstr 2018 (2017) => BSM

The outcome is below:
root cert, Sep 8, 2017, trustedCertEntry

I have this time stamp for all of JRE instances on the BSM and BPM. This indicates that the appropriate certs are imported to trust store.

Also, I went in and viewed the keystore for BSM and BPM. All of them showed that the keystore contains 3 entries, which is what I expected to see since there are the root CA, the intermediate CA, and the generated privateKeyEntry.

Currently, I opened the support case and we are in the process of troubleshooting. If I find more information then I will post the findings on this thread.

Once again, thanks Tim for your insight and guidance. Much appreciate your help!

Reply from yangnigon (Outstanding Contributor):

Ok, so this is my finding and I wanted to share.

First, I re-imported CAs and BPM generated cert into truststore.

Second, I restarted the BPM service AND all of the APM GWs (NOT DPS).

I applied above two steps and it seems like APM/BPM are working at least for now. I can see green lights in BPM treeview and can generate EUM reports.

However, currently, there is no security settings parameters entered in BPM instance's configuration tab. All of keystore, truststore, and BPM cert were done by keytool in windows command prompt.

For some reason, I have some doubts whether these steps really fixed the issue that I encountered. And of course, as I mentioned above, the security settings parameters were left out in the configuration tab as well.

Can someone provide some guidance and insights on this? Or am I on the right path?

Thanks in advance.

Reply from Micro Focus Expert (Tim) [accepted solution]:

Hi,

I'm glad it's working!

This Security Settings section is needed if you use any of the following (from page 58 of the BPM 9.30 Admin Guide):

   Basic or NTLM Authentication on APM

   If APM requires client certs for authentication

   Using a different trust store (other than <bpm install path>\JRE\lib\security\cacerts)

If you have any of those "Validate..." options ticked, I would recommend unticking them and restarting BPM one at a time, making sure it's still working.  They should not be left on in a Production environment.

Regards,

Tim

Outstanding Contributor.. yangnigon Outstanding Contributor..
Outstanding Contributor..

Re: BPM Admin Guide: How to Configure TLS Support for BPM with an APM Connection

Jump to solution

Thanks Tim for your efforts and dedication to help me out as much as possible.

I will closely monitor this TLS settings and will let you know if I find interesting or unexpected behaviors.

Let's hope that it does not act up in the future.

Once again, thank you very much!

Reply from cera721430 (Valued Contributor):

Hi !!!!!

I am trying to set up the same environment and I have been using the "keytool" command. I imported the certificate with the tool, but I get the following error.

ERROR [DefaultQuartzScheduler_Worker-11] [AbstractBsmApi] Failed to register instance Datavision
java.lang.Exception: [registerAgent] Failed to register the agent. hostName=perum0 The thrown message is: (java.lang.Exception) Failed to register BPM Agent. Agent Name: perum0 - Invalid digital signature.
at com.hp.bsm.bpm.bsmAPIs.AbstractBsmApi.handleTMCResponse(AbstractBsmApi.java:344) ~[bpm_server.jar:?]
at com.hp.bsm.bpm.bsmAPIs.AbstractBsmApi.sendTMCRequest(AbstractBsmApi.java:549) ~[bpm_server.jar:?]
at com.hp.bsm.bpm.bsmAPIs.AbstractBsmApi.sendRegister(AbstractBsmApi.java:222) ~[bpm_server.jar:?]
at com.hp.bsm.bpm.bsmAPIs.AbstractBsmApi.registerInstance(AbstractBsmApi.java:367) [bpm_server.jar:?]
at com.hp.bsm.bpm.bsmAPIs.AbstractBsmApi.registerBpmInstance(AbstractBsmApi.java:384) [bpm_server.jar:?]
at com.hp.bsm.bpm.bsmAPIs.BsmApiHelper.registerBpmInstance(BsmApiHelper.java:45) [bpm_server.jar:?]
at com.hp.bsm.bpm.scheduling.jobs.RegisterBpmInstanceJob.execute(RegisterBpmInstanceJob.java:26) [bpm_server.jar:?]
at org.quartz.core.JobRunShell.run(JobRunShell.java:213) [quartz-all-2.1.1.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557) [quartz-all-2.1.1.jar:?]

 

Reply from Micro Focus Expert:

In APM, go to Infrastructure Settings and disable the setting for Digital Signature (I think it is under the EUM Admin context).

Reply from cera721430 (Valued Contributor):

I searched for this option but I didn't find a "setting for Digital Signature". However, I have a question: if I have two BPM clients and APM in security mode, is it possible to have one BPM client connect to APM on port 80 and the other BPM connect to APM on port 443 in the configuration? That is because I have to change my BPMs' connection to APM from port 80 to 443, but I do not want to lose connectivity.

Reply from yangnigon (Outstanding Contributor):

I do not believe that you can use both 80/443. Can someone please check if this holds true?

 

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.