Using the WAAPI client with a secure Web GUI server

The WAAPI client supports HTTPS, which provides a secure means of data transmission over the Internet. You can initiate a secure session by using the -secure on command-line option when you start the client.

About this task

Secure WAAPI connections require that either a self-signed or Certificate Authority authenticated certificate resides on your Web GUI server.

Refer to the Dashboard Application Services Hub documentation for instructions on enabling HTTPS.

After creating a certificate on your Netcool/Webtop server, perform the following steps:

Procedure

  1. Create a self-signed SSL certificate for the WAAPI client as well. Open a command prompt and change directory to install_dir/platform/arch/jre_version/bin. Create a keystore file using the keytool utility. Specify a fully-qualified file name using the -keystore parameter. For example: 
    ./keytool -genkey -alias waapiclient -keyalg RSA -keystore /opt/netcool/webtop/waapi/.keystoreWAAPI
  2. When prompted, enter a password for the keystore. The password must be at least six characters in length.
    Attention: Do not forget your password. If you do, you cannot regain access to the keystore. In addition, any signed certificates will be invalid and you will have to generate a new certificate.
  3. Enter data about yourself and your organization. XXXX STEPS 3 & 4 REQUIRE CLARIFICATION. SEE MARKED-UP PAGES! XXXX
    Attention: When you are prompted to enter your first and last name, you must enter the host name of the WAAPI client computer.
  4. Enter your department, organization, location, state, and country. The country must be in the form of a two-letter code. For a complete list of country codes, refer to the Netcool GUI Foundation Administration Guide. XXXX REFERENCE TO THE NGF GUIDE NEEDS TO BE SORTED!!! I.E. WHERE IS THE COUNTRY CODE INFO NOW LOCATED??XXXX

    You are shown a summary of the data that you have entered and are asked if you want to proceed.

  5. Enter yes if you are satisfied that the details are correct.
  6. Enter the key password, which is the password specifically for this certificate (as opposed to any other certificates stored in the same keystore file).
    Attention: You must use the same password for your key as was previously used for the keystore.

    Press Enter. The keystore file now contains a self-signed certificate that can be used by the WAAPI client.

  7. If you want your certificate to be signed by a trusted third-party, refer to the instructions in the Netcool GUI Foundation Administration Guide. XXXX REFERENCE TO THE NGF GUIDE NEEDS TO BE SORTED!!! XXXX
  8. After the keystores for the Web GUI server and WAAPI client are created, you must export the server key, and then import it into the client. Proceed as follows: XXXX THE FOLLOWING SUBSTEPS SHLD BE NESTED/NUMBERED STEPS!!! XXXX
    1. Make sure that you are in NCHOME/platform/arch/jre_version/bin and export the server key by using the keytool utility with the export option. For example: 
      ./keytool -export -alias ngf -file /opt/netcool/etc/guifoundation/ngf.crt -keystore /opt/netcool/etc/guifoundation/.keystore
    2. Enter the password for the keystore.
    3. Import the server key into the client keystore by using the keytool utility with the import option. For example: 
      ./keytool -import -alias ngf -keystore /opt/netcool/webtop/waapi/.keystoreWAAPI -keyalg RSA -trustcacerts -file /opt/netcool/etc/guifoundation/ngf.crt
    4. Enter the password for the keystore.
  9. Uncomment the SSL HTTP/1.1 Connector information in the install_dir/guifoundation/conf/server.xml file in order to enable SSL in the Web GUI server. XXXX WHAT IS THE TIP EQUIVALENT OF THE SERVER.XML FILE & WHERE IS IT STORED?? XXXX For details, refer to the Netcool GUI Foundation Administration Guide. XXXX REFERENCE TO THE NGF GUIDE NEEDS TO BE SORTED!!! XXXX
  10. Set values in the waapi.init properties file so that the WAAPI client sends the WAAPI command file to the Web GUI server by using SSL. For example: 
    waapi.host:ngfserver
waapi.port:8080
waapi.secureport:8443
waapi.user:root
waapi.password:
waapi.file:
waapi.timeoutsecs: 600
waapi.secure:on
    Note: The waapi.host property value must be the same as that set for the Web GUI server keystore when answering the "first and last name" question, that is, it must be the host name of the Netcool® GUI Foundation server. XXXX SHLD THIS NOW BE THE TIP SERVER?? XXXX
  11. Modify the runwaapi command so that the WAAPI client can locate the correct client keystore.

    For example, on UNIX platforms (all in one line):

    ${JAVA} -Djavax.net.ssl.trustStore=/opt/netcool/webtop/waapi/.keystoreWAAPI -cp ${WAAPILIB} com.ibm.wave.client.WAAPIStart -home $WAAPI_HOME $*

    For example, on Windows platforms (all in one line):

    %OMNIJAVA% -Djavax.net.ssl.trustStore=c:\.keystoreWAAPI -cp %WAAPILIB% com.ibm.wave.client.WAAPIStart -home "%WAAPI_HOME%" %*