Enable transport layer security (TLS) in the SEM reports application

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between the SEM reports application and the SEM database.

  • By default, TLS is disabled on versions of SEM that have been upgraded from SEM version 6.0.1 or earlier.

  • The procedure to enable TLS differs depending on your SEM configuration (standalone or with a dedicated database appliance).

  • When enabling TLS, the SEM certificate for accessing the web or AIR console needs to be rebuilt. Machines used to access the SEM web or AIR console must re-import their certificates.

Enable TLS on a standalone SEM VM or appliance

Use these steps if the SEM database is located on the same VM or appliance as the SEM Manager. This is the most common arrangement.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

    Steps 2 – 6 below are required to upgrade older versions of SEM. If you have SEM version 6.0.1 or later, go to step 7. The default hostname is swi-sem.

  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. Enter the name of the SEM Manager at the Please enter the new hostname prompt.

    Enter the currently-used hostname if you do not want the SEM Manager name to change.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the SEM Manager CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

  9. At the cmc::manager> prompt, enter enabletls.
  10. At the cmc::manager> prompt, enter restart.

Set up a dedicated SEM user for accessing reports

Starting with SEM 6.0.1, a user account with the Reports role is required to access SEM from the SEM reports application.

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Users.

  3. To create a new SEM user, click .

  4. Complete the fields as required.

  5. From the SEM Role drop-down list, select Reports.

    The Administrator and Auditor roles can also query SEM using the SEM reports application.

  6. Save the new user.

Configure the Reports application to use TLS

  1. Start the SEM reports application. See Open the SEM reports application for steps.

  2. From the Configure drop-down list, select Managers > Credentials and Certificates.

  3. Click the green button.

  4. Enter the Manager IP or hostname.

  5. Fill in the credentials of the user created previously in the SEM web console.

  6. Select the Use TLS connection option.

    You can also ping the address you specified by clicking Test Connection. This option does not validate credentials or check whether TLS is available.

  7. To add a new Manager, click the green button again.

  8. Click the Certificates tab.

  9. Click Import Certificate.

  10. Browse to the SEM certificate (in the network share folder specified during the certificate export) and open it.

  11. If SEM is configured with a dedicated database, use the certificate from the database appliance.

  12. Close the Manager Configuration window.

    If SEM changed its host name, importing the SEM CA certificate again is not required.

Enable TLS on a SEM Manager with a separate database appliance

Typically, the SEM database is located on the same VM or appliance as the SEM Manager. If your SEM deployment has a separate SEM database, follow these steps.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. At the Please enter the new hostname prompt, enter a name for the SEM Manager.

    If you do not want your SEM Manager name to change, enter the currently-used hostname.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the SEM CA certificate.

    An accessible network share is required. Once the export is successful, the following message appears:

    Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

  9. At the cmc::manager> prompt, type enabletls.

  10. To use the custom CA to sign a database or SEM Manager certificate, generate and sign the certificate after you change the hostname.
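
Why a certificate must be generated after the hostname change, and why an already imported CA certificate stays valid across the change, shown with OpenSSL as an added example (not SolarWinds code or SEM tooling). The CA, keys and certificates are constructed in a temporary directory; swi-sem is the default hostname named above and sem-mgr01 is a hypothetical new hostname.

```shell
#!/bin/sh
# Constructed CA and server certificates for illustration; not SEM's own files.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal OpenSSL config so the CA certificate is explicitly marked CA:TRUE.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed SEM CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_ca: create the self-signed CA that clients import once.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
}

# issue_leaf HOST: generate a key for HOST and sign its certificate with the CA.
issue_leaf() {
    printf 'subjectAltName = DNS:%s\n' "$1" > "$work/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$work/$1.csr" -days 1 -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -extfile "$work/$1.ext" \
        -out "$work/$1.crt" 2>/dev/null
}

# trusts CERT_HOST NAME: does CERT_HOST's certificate chain to the CA and match NAME?
trusts() {
    openssl verify -CAfile "$work/ca.crt" -verify_hostname "$2" \
        "$work/$1.crt" >/dev/null 2>&1
}

make_ca
issue_leaf swi-sem                       # issued under the default hostname
trusts swi-sem swi-sem   && echo "swi-sem cert, swi-sem name: trusted"
trusts swi-sem sem-mgr01 || echo "swi-sem cert, sem-mgr01 name: rejected"
issue_leaf sem-mgr01                     # re-issued after the rename, same CA
trusts sem-mgr01 sem-mgr01 && echo "sem-mgr01 cert, sem-mgr01 name: trusted"
```

The CA file is the same in all three checks: only the server certificate is tied to the hostname, so a client that has imported the CA does not need a new copy after the rename.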

Import certificates into the SEM Manager and database

SEM Manager and database nodes need to trust each other’s certificates. This can be done by importing certificates from both sides.

This procedure is not required if you upgraded from SEM 6.0.0 or earlier, or if version 6.0.1 or later was deployed and the CA was used to sign both SEM certificates.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
  2. At the cmc> prompt, type manager.

  3. At the cmc::manager> prompt, type importl4ca.

  4. Choose the network share location specified when the database certificate was exported.

  5. When prompted for a file name, specify the name of the database certificate.

    Enter the full file name, including the file extension.

  6. Open the cmc prompt on the SEM database machine.

  7. At the cmc> prompt, type manager.

  8. At the cmc::manager> prompt, enter importl4ca.

  9. Choose the network share location specified when the SEM Manager certificate was exported.

  10. When prompted for a file name, specify the name of the SEM Manager certificate.

Next steps:

Import a self-signed certificate into the SEM Manager

Use the importcert command in the CMC to import a certificate signed by any CA into the SEM Manager.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
  2. At the cmc> prompt, enter manager.

  3. At the cmc::manager> prompt, type importcert.

  4. Choose the network share path.

  5. When prompted, confirm the share name.

  6. When prompted for a file name, enter the full name of the certificate, including the CER extension.

  7. When completed, the following message appears:

    Certificate successfully imported.