Enabling SSL connections with external servers
To enable secure communications with an external entity over the Secure Sockets Layer (SSL) protocol, add the entity's root CA certificate (or certificate chain) to Impact's trust store.
Before you begin
The certificate chain represents the list of certificates required to authenticate an external entity. The chain starts with the entity certificate and each certificate is signed by the next certificate in the chain (intermediate certificates). This signed chain terminates with the certificate of the root certificate authority (CA).
When establishing an SSL connection, Impact verifies the remote server's SSL certificate by searching its trust store for a matching certificate chain. To authenticate an entity certificate, you must have either the root CA certificate or the full certificate chain in the trust store. If no match is found, the connection attempt fails with either a javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated error or an unable to find valid certification path to requested target error.
Use your web browser, or a tool such as openssl, to download the SSL certificate(s). For signed certificates, you only need to install the root CA certificate. For a self-signed certificate, the entity certificate itself is sufficient.
Importing the certificate chain into the trust store
Use the keytool command to import the certificate chain:
IMPACT_HOME/sdk/bin/keytool -importcert -alias aliasname -file certfile -keystore keystorefile -storepass storepass
Where:
-alias aliasname is the alias under which the certificate is to be stored. Each alias should be unique.
-file certfile is the path to the X.509 certificate file.
-keystore keystorefile is the key ring into which the certificate is to be imported.
On Fix Pack 36 and earlier, the trust store for Impact can be found under IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.jks
On Fix Pack 37 and later, the trust store for Impact can be found under IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.p12
-storepass storepass is the password used to protect the trust store. This password should match the Impact administrator's password.
Repeat this command for each certificate you want to trust. Restart the Impact server after importing the certificate(s).
Example
Using the keytool command to import a certificate on Netcool/Impact on Fix Pack 36 and earlier:
/opt/IBM/tivoli/impact/sdk/bin/keytool -importcert -alias test1 -file ./test.crt -keystore /opt/IBM/tivoli/impact/wlp/usr/servers/NCI/resources/security/trust.jks -storepass password
Using the keytool command to import a certificate on Netcool/Impact on Fix Pack 37 and later:
/opt/IBM/tivoli/impact/sdk/bin/keytool -importcert -alias test1 -file ./test.crt -keystore /opt/IBM/tivoli/impact/wlp/usr/servers/NCI/resources/security/trust.p12 -storepass password
Displaying the list of certificates in the trust store
Use the keytool command with the -list option to display the certificates in a trust store. You can also use the -v option for more verbose output.
IMPACT_HOME/sdk/bin/keytool -list -v -keystore keystorefile -storepass storepass
Where:
-keystore keystorefile is the key ring whose certificates are to be displayed.
On Fix Pack 36 and earlier, the trust store for Impact can be found under IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.jks
On Fix Pack 37 and later, the trust store for Impact can be found under IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.p12
-storepass storepass is the password used to protect the trust store. This password should match the Impact administrator's password.
Example
Using the keytool command to list the certificates in the trust store on Netcool/Impact on Fix Pack 36 and earlier:
/opt/IBM/tivoli/impact/sdk/bin/keytool -list -v -keystore /opt/IBM/tivoli/impact/wlp/usr/servers/NCI/resources/security/trust.jks -storepass password
Using the keytool command to list the certificates in the trust store on Netcool/Impact on Fix Pack 37 and later:
/opt/IBM/tivoli/impact/sdk/bin/keytool -list -v -keystore /opt/IBM/tivoli/impact/wlp/usr/servers/NCI/resources/security/trust.p12 -storepass password
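Every certificate imported into the trust store becomes a trust anchor for Impact's outbound SSL connections, so the verbose listing is also the place to confirm that an alias holds the certificate you intended to trust. The following is an added example, not part of the IBM documentation: it parses keytool -list -v output and compares an alias's SHA-256 fingerprint with a value obtained out of band. The sample listing, the alias test2, the variable PINNED_SHA256 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): check a trust store entry against a pinned
# SHA-256 fingerprint by parsing `keytool -list -v` output.

# Constructed sample of `keytool -list -v` output; all values are made up.
SAMPLE_LISTING='Alias name: test1
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=external.example.test
Issuer: CN=Example Test Root CA
Certificate fingerprints:
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Signature algorithm name: SHA256withRSA

Alias name: test2
Entry type: trustedCertEntry

Owner: CN=Example Test Root CA
Certificate fingerprints:
         SHA256: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
Signature algorithm name: SHA256withRSA'

# Strip colons and whitespace and upper-case the hex, so colon-separated and
# plain, upper- or lower-case fingerprints compare equal.
normalize() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'; }

# Read a listing on stdin; print "alias<TAB>fingerprint" for every entry.
list_fingerprints() {
  awk '/^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); name = $0 }
       /SHA256:/      { sub(/^.*SHA256:[ \t]*/, ""); print name "\t" $0 }'
}

# Read a listing on stdin; succeed only if alias $1 has fingerprint $2.
entry_matches() {
  got=$(list_fingerprints | awk -F '\t' -v a="$1" '$1 == a { print $2 }')
  [ -n "$got" ] && [ "$(normalize "$got")" = "$(normalize "$2")" ]
}

# Against a live store, pipe the listing command from this page into the check
# (PINNED_SHA256 is an assumed variable holding the expected fingerprint):
#   IMPACT_HOME/sdk/bin/keytool -list -v -keystore keystorefile \
#     -storepass storepass | entry_matches test1 "$PINNED_SHA256"
```

A missing alias and a fingerprint mismatch both return a non-zero status, so the check can gate the Impact server restart in a deployment script.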