Enabling SSL communication with Cisco UCS data sources

The Cisco UCS agent can be configured to securely communicate with its Cisco Unified Computing System (UCS) data sources by using SSL. In this configuration, you must add a data source SSL certificate to the certificate truststore of the agent.

About this task

Important: The following information applies only if the agent is configured to validate SSL certificates.

If SSL certificate validation is turned off, the Cisco UCS agent connects to Cisco UCS data sources even if their SSL certificates are expired, untrusted, or otherwise invalid. However, turning off SSL certificate validation weakens security and must be done with care.

If a Cisco UCS data source uses an SSL certificate that is signed by a common certificate authority, you do not need to add any certificate to the agent certificate truststore. If the data source uses a certificate that is not signed by a common certificate authority (for example, a self-signed certificate), add that certificate to the truststore so that the agent can connect and collect data.

Procedure

  1. Copy the certificate file from your data source to the agent computer.
  2. On the agent computer, place the certificate file in a directory of your choice. Do not overwrite existing certificate files. Use a unique file name and a unique alias for each certificate that you add.
  3. Use the keytool command to add the data source certificate to the certificate truststore of the agent:
    keytool -import -noprompt -trustcacerts -alias CertificateAlias -file CertificateFile -keystore Truststore -storepass TruststorePassword
    where:
    CertificateAlias
      Unique reference for each certificate added to the certificate truststore of the agent. For example, an appropriate alias for the certificate from datasource.example.com is datasource.
    CertificateFile
      Complete path and file name of the Cisco UCS data source certificate to add to the truststore.
    Truststore
      Complete path and file name of the Cisco UCS agent certificate database. Use the following path and file name:
      • Windows (64 bit): install_dir\tmaitm6_x64\kv6.truststore
      • Linux (64 bit): install_dir/lx8266/vm/etc/kv6.truststore
    TruststorePassword
      ITMFORVE is the default password for the Cisco UCS agent truststore. To change the password, refer to the Java™ Runtime documentation.

    Important: To use the keytool command, the Java Runtime bin directory must be in your path. Use the following commands:
      • Windows (64 bit): set PATH=%PATH%;install_dir\java\java70_x64\jre\bin
      • Linux (64 bit): PATH="$PATH":/opt/ibm/apm/agent/JRE/lx8266/bin
  4. After you add all the data source certificates, start the monitoring agent.
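The following POSIX shell wrapper carries out steps 2 and 3 for several data sources at once; it is an added example, not a tool shipped with the Cisco UCS agent or from IBM's documentation. It assumes the Linux (64 bit) paths and the default truststore password given above, and the AGENT_HOME, TRUSTSTORE and TRUSTSTORE_PASS variables are names introduced here for illustration.

```shell
#!/bin/sh
# Added example: import Cisco UCS data source certificates into the agent
# truststore, one unique alias per data source, without replacing an
# existing entry. Assumes a Linux 64-bit agent under /opt/ibm/apm/agent
# and the default truststore password; override the variables as needed.
AGENT_HOME="${AGENT_HOME:-/opt/ibm/apm/agent}"
TRUSTSTORE="${TRUSTSTORE:-$AGENT_HOME/lx8266/vm/etc/kv6.truststore}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-ITMFORVE}"
# keytool lives in the agent JRE bin directory (see the Important note above).
PATH="$PATH:$AGENT_HOME/JRE/lx8266/bin"

# Derive the alias from the data source host name:
#   datasource.example.com -> datasource
ucs_alias_for_host() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | cut -d. -f1
}

# Import one certificate file for one data source host.
# Returns non-zero (and runs no keytool -import) when the file is unreadable
# or the alias already exists, so nothing in the truststore is overwritten.
ucs_import_cert() {
    host="$1"; cert_file="$2"
    alias=$(ucs_alias_for_host "$host")
    if [ ! -r "$cert_file" ]; then
        echo "error: certificate file not readable: $cert_file" >&2
        return 2
    fi
    # keytool -list with -alias exits non-zero when the alias is absent.
    if keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
            -alias "$alias" >/dev/null 2>&1; then
        echo "error: alias '$alias' already exists in $TRUSTSTORE" >&2
        return 3
    fi
    # Print the fingerprint so it can be compared with the value shown by
    # the UCS data source before the agent starts trusting this certificate.
    keytool -printcert -file "$cert_file" | grep -E 'SHA256|SHA1' || true
    keytool -import -noprompt -trustcacerts -alias "$alias" -file "$cert_file" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Usage: one host:file pair per argument, for example
#   sh import_ucs_certs.sh ucs1.example.com:/tmp/ucs1.pem ucs2.example.com:/tmp/ucs2.pem
for pair in "$@"; do
    ucs_import_cert "${pair%%:*}" "${pair#*:}" || exit $?
done
```

Run it before starting the monitoring agent; it stops at the first data source that fails so the cause can be fixed before the remaining certificates are imported.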