IBM Support

SSL between Alcatel5620SamSoapFindToFile Collector and AlcatelLucent 5620 SAM

Technical Blog Post



Background
By default, the Alcatel5620SamSoapFindToFile Collector in IBM Tivoli Network Manager 3.9 Fix Pack 4 does not verify the SSL certificate presented by AlcatelLucent 5620 SAM. Verification is left off because, with the certificate check enabled, the SSL handshake between the collector and 5620 SAM R11.0 and R12.0 fails. The cause was identified during the recent AlcatelLucent 5620 SAM 12.0 certification test: the Crypt::SSLeay CPAN library shipped with IBM Tivoli Network Manager 3.9 Fix Pack 4 can only validate certificates signed with the SHA-1 algorithm (SHA1withRSA). 5620 SAM R11.0 and R12.0 are bundled with Java 7, whose keytool signs generated certificates with SHA-256 (SHA256withRSA) by default. The issue is not observed when the collector is run against AlcatelLucent 5620 SAM 10, which is bundled with Java 6, whose keytool defaults to SHA-1. Because of this limitation, keytool must be run with an explicit signature algorithm for verified SSL communication between the collector and AlcatelLucent 5620 SAM to work.

Impact
The SSL certificate is not verified during SSL communication between the Alcatel5620SamSoapFindToFile Collector and AlcatelLucent 5620 SAM, so the collector accepts whatever certificate the endpoint presents: the connection is encrypted, but the identity of the 5620 SAM server is not authenticated.

Workaround
To enable SSL certificate verification, user needs to perform these steps in the following order:

1) On the IBM Tivoli Network Manager server, enable the SSL certificate check in $NCHOME/precision/collectors/perlCollectors/Alcatel5620SamSoapFindToFile/Alcatel5620SamSoapFindToFileCollector.pm by un-commenting these two lines:

$ENV{HTTPS_CA_FILE}   = $config->{SSLCertFile};
$ENV{HTTPS_CA_DIR}    = 'certs/';

HTTPS_CA_FILE must name the certificate file to trust (the SSLCertFile setting of the collector configuration), and HTTPS_CA_DIR is a relative path that OpenSSL resolves against the working directory of the collector process, so the certs directory under the collector directory (see step 3) is only found when the collector is started from that directory.

2) On AlcatelLucent 5620 SAM server,

a) Run the following command to generate a keystore file:

keytool -genkey -alias alias -keyalg RSA -sigalg SHA1withRSA -keypass password -storepass password -keystore keystore_file -validity days -dname "CN=common_name, OU=org_unit, O=org_name, L=locality, S=state, C=country"

Note that -sigalg is set to SHA1withRSA because that is the only signature algorithm the Alcatel5620SamSoapFindToFile Collector can verify. SHA-1 is a deprecated signature algorithm, so this certificate should be used only for the collector connection and regenerated with a stronger algorithm once the collector's SSL library is no longer limited to SHA-1. Refer to the 5620 SAM Installation and Upgrade Guide for how to export and import the certificate into the truststore and how to re-install the configuration so that the new keystore and truststore files are picked up.

b) The Alcatel5620SamSoapFindToFile Collector reads the SSL certificate in PEM format (Base64-encoded DER), which is what the -rfc option of keytool writes. Run the following command on the AlcatelLucent 5620 SAM server to export the certificate:
        
keytool -export -alias alias -file hex_file -rfc -keystore keystore_file -storepass password

An exported certificate is a text file of the following form (the screenshot from the original post is not reproduced here):

-----BEGIN CERTIFICATE-----
(Base64-encoded certificate, 64 characters per line)
-----END CERTIFICATE-----

3) On the IBM Tivoli Network Manager server, copy the certificate exported in step 2 b) into $NCHOME/precision/collectors/perlCollectors/Alcatel5620SamSoapFindToFile/certs. The following output from the Alcatel5620SamSoapFindToFile Collector shows a successful SSL handshake between the collector and AlcatelLucent 5620 SAM. (The SSLv3 prefixes in the SSL_connect lines are OpenSSL's state-machine labels for the handshake messages and do not by themselves indicate which protocol version was negotiated.) If the handshake still fails with a certificate verification error, confirm that the certificate the collector reads is the one exported in step 2 b) and that it is signed with SHA1withRSA.

 Starting collector...
 Using extraInfo extensions from ExtraInfo.cfg
 EMS URL: https://<EMS host>:8443/xmlapi/invoke
 Alcatel5620SamSoapFindToFileCollector GetEmsVersion() @ 2014-06-17 19:19:53
 SSL_connect:before/connect initialization
 SSL_connect:SSLv3 write client hello A
 SSL_connect:SSLv3 read server hello A
 SSL_connect:SSLv3 read server certificate A
 SSL_connect:SSLv3 read server key exchange A
 SSL_connect:SSLv3 read server done A
 SSL_connect:SSLv3 write client key exchange A
 SSL_connect:SSLv3 write change cipher spec A
 SSL_connect:SSLv3 write finished A
 SSL_connect:SSLv3 flush data
 SSL_connect:SSLv3 read finished A    
 SAM Version: 5620 SAM Version 12.0.R1.0
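Because the whole workaround hinges on the exported certificate being signed with SHA1withRSA, it is worth checking the PEM file before copying it into the certs directory, rather than discovering a SHA-256 signature through a failed handshake. The script below is an added example written for this post; it is not code shipped with IBM Tivoli Network Manager or the 5620 SAM. It decodes only the outer DER structure of an X.509 certificate to read the signatureAlgorithm OID, so it needs no third-party module. The OID table and the assumption that the collector accepts exactly SHA1withRSA are taken from the post; the two embedded certificates are constructed placeholders (a dummy tbsCertificate and an empty signature), not real 5620 SAM certificates, and the parser behaves the same on genuine keytool -rfc output.

```python
"""Report the signature algorithm of a PEM certificate and whether the
3.9 FP4 collector can verify it. Added example; parses just enough DER to read
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
import base64
import re
import textwrap

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> keytool -sigalg names.
SIG_ALG_BY_OID = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}

# Assumption from the post: the collector's Crypt::SSLeay only validates SHA-1 signatures.
COLLECTOR_SUPPORTED = {"SHA1withRSA"}


def pem_to_der(pem):
    """Extract the first CERTIFICATE block and Base64-decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found (export with keytool -rfc)")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                              # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm of a DER certificate."""
    tag, cert_start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, cert_start)         # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_BY_OID.get(oid, "unknown(" + oid + ")")


def check_for_collector(pem):
    """(True if the collector can verify this certificate, algorithm name)."""
    _, name = signature_algorithm(pem_to_der(pem))
    return name in COLLECTOR_SUPPORTED, name


# --- constructed sample input: placeholder certificates, not real ones -------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert_pem(sig_oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x00" * 200))  # dummy, long-form length
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))     # AlgorithmIdentifier
    sig = _der(0x03, b"\x00")                                          # empty BIT STRING
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# sha1WithRSAEncryption (Java 6 keytool default) vs sha256WithRSAEncryption (Java 7 default)
SHA1_SAMPLE = _fake_cert_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")
SHA256_SAMPLE = _fake_cert_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")

if __name__ == "__main__":
    for label, pem in (("SHA1 sample", SHA1_SAMPLE), ("SHA256 sample", SHA256_SAMPLE)):
        ok, name = check_for_collector(pem)
        print(label, name, "OK for collector" if ok else "collector cannot verify")
```

To check a real export, read the file written by keytool -export -rfc and pass its contents to check_for_collector(); a result of (False, "SHA256withRSA") means the keystore was generated with the Java 7 default and step 2 a) has to be repeated with -sigalg SHA1withRSA.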



UID

ibm11082199