The Probe for Juniper Contrail supports Secure Sockets Layer (SSL) connections between the probe and Juniper Contrail. SSL connections protect the alarm data in transit when the probe retrieves alarms from the target systems, and let the probe verify that it is talking to the genuine Contrail server.
To enable SSL connections, obtain the required SSL certificates and the Trusted Authority certificate from the Juniper Contrail server administrator. Add the certificates to a local Java™ keystore so that they can be referenced by the KeyStore property. You need the following tools:
- The OpenSSL toolkit.
This is available from http://www.openssl.org/.
- The IBM® KeyMan utility.
This is available from http://www.alphaworks.ibm.com/tech/keyman/download.
- The Keytool toolkit.
This is available in the JRE package.
Converting the key and certificate into PKCS12 format
If you have a key and a certificate from the server in separate files, you must combine them into a single PKCS12 file before you load them into a new keystore. To convert the server key and certificate into PKCS12 format, use the following OpenSSL toolkit command:
openssl pkcs12 -export -inkey key_file -in cert_file -out cert_pkcs12
Where:
key_file is the key file retrieved from the server.
cert_file is the certificate retrieved from the server.
cert_pkcs12 is the combined file in PKCS12 format for loading into the keystore.
The command prompts for an export password, which protects the private key inside the PKCS12 file; you need the same password when you load the file into the keystore. Because cert_pkcs12 contains a private key, restrict its file permissions and remove it once the keystore has been built.
Creating the SSL keystore
You can create a Java keystore using either the KeyMan utility or the Keytool utility.
To create the keystore using the KeyMan utility, follow these steps:
- Start the KeyMan utility.
- Click Create New and select the Keystore token option.
- Open the certificate file that you retrieved from the server. This imports the certificate into the keystore.
- Save the keystore, entering a password and a file name for it; for example, trusted_keystore.jks.
To create the keystore using the Keytool utility, follow these steps:
- Generate a keystore and self-signed certificate using the following command:
keytool -genkey -keyalg RSA -alias alias_name -keystore keystore_file -storepass keystore_password -validity 360 -keysize 2048
- Import the SSL certificate into the newly created Java keystore file using the following command:
keytool -import -trustcacerts -alias alias_name -file cert_file -keystore keystore_file
- Verify that the certificates are in the Java keystore using the following command:
keytool -list -v -keystore keystore_file
Note: Use a different alias for the imported certificate than for the key pair generated in the first step; if the aliases match, keytool treats the file as a certificate reply for that key and fails unless the public keys match. Supplying -storepass on the command line leaves the password in the shell history and in process listings; if you omit it, keytool prompts for it instead. On Java 9 and later, keytool creates a PKCS12 keystore by default; add -storetype JKS if a JKS file is required.
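As an added example that is not part of the original documentation or of the probe, the following Python script checks a finished keystore the way the keytool -list step does, but without needing a JRE on the host: it parses the JKS file format directly, lists the aliases, prints the SHA-256 fingerprint of each trusted certificate for comparison with the certificate you received from the Contrail administrator, and recomputes the integrity digest to confirm that the password you intend to set in KeyStorePassword is the one the store was saved with. The certificate bytes and the store built inline are constructed for the demonstration and are not a real certificate; the function names are the example's own. It reads JKS (magic 0xFEEDFEED, version 2) only, so a store that keytool wrote in its Java 9+ default PKCS12 format is rejected with an error rather than misread.

```python
"""Inspect a JKS keystore without a JRE: list entries, fingerprint trusted
certificates, and check the store password against the integrity digest."""
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2
# Fixed string that Java's JKS implementation mixes into the integrity hash.
INTEGRITY_SALT = b"Mighty Aphrodite"

# Constructed stand-in for DER certificate bytes. The parser does not decode
# ASN.1, so any bytes serve for the demonstration; on a real store the value
# matches `openssl x509 -noout -fingerprint -sha256 -in cert_file`.
SAMPLE_DER = b"\x30\x82\x00\x10constructed-not-a-real-certificate"


def fingerprint(der):
    """SHA-256 of the DER bytes, formatted the way keytool -list -v prints it."""
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def _integrity_digest(password, body):
    # SHA-1 over the password as UTF-16BE, the fixed salt, then every byte of
    # the serialized entries. It proves integrity only: trusted certificates
    # sit in the file unencrypted, so the password is not a secrecy control.
    h = hashlib.sha1(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def write_trust_store(entries, password):
    """Serialize a list of (alias, der_bytes) pairs as trusted-cert entries."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    now_ms = int(time.time() * 1000)
    for alias, der in entries:
        alias_b = alias.lower().encode("utf-8")   # JKS lowercases aliases
        body += struct.pack(">IH", TRUSTED_CERT_ENTRY, len(alias_b)) + alias_b
        body += struct.pack(">qH", now_ms, 5) + b"X.509"   # timestamp, type
        body += struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def unpack(self, fmt):                # big-endian Java DataInput types
        return struct.unpack(">" + fmt, self.take(struct.calcsize(">" + fmt)))[0]

    def utf(self):                        # writeUTF: u16 length + bytes
        return self.take(self.unpack("H")).decode("utf-8")

    def cert(self):
        self.utf()                        # certificate type, normally "X.509"
        return self.take(self.unpack("I"))


def read_keystore(data, password):
    """Parse JKS bytes into {"entries": [...], "password_ok": bool}."""
    r = _Reader(data)
    if r.unpack("I") != JKS_MAGIC or r.unpack("I") != JKS_VERSION:
        raise ValueError("not a JKS version 2 keystore")
    entries = []
    for _ in range(r.unpack("I")):
        tag, alias = r.unpack("I"), r.utf()
        r.take(8)                         # creation timestamp, ignored
        if tag == TRUSTED_CERT_ENTRY:
            entries.append({"alias": alias, "type": "trustedCertEntry",
                            "sha256": fingerprint(r.cert())})
        elif tag == PRIVATE_KEY_ENTRY:
            r.take(r.unpack("I"))         # encrypted PKCS#8 key, left opaque
            chain = [r.cert() for _ in range(r.unpack("I"))]
            entries.append({"alias": alias, "type": "PrivateKeyEntry",
                            "chain_length": len(chain)})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    body, stored = data[:r.pos], r.take(20)
    return {"entries": entries,
            "password_ok": stored == _integrity_digest(password, body)}


if __name__ == "__main__":
    store = write_trust_store([("contrail-ca", SAMPLE_DER)], "changeit")
    for pw in ("changeit", "wrong"):
        print("password %-8s integrity ok: %s"
              % (pw, read_keystore(store, pw)["password_ok"]))
    for e in read_keystore(store, "changeit")["entries"]:
        print(e["alias"], e["type"], e["sha256"])
```

To inspect a real file, call read_keystore(open(path, "rb").read(), password) with the values you intend to set in the KeyStore and KeyStorePassword properties. A password_ok of False with no parse error means either the password is wrong or the file was altered after it was saved. The digest protects integrity only; the trusted certificates themselves are stored unencrypted, so it is file permissions, not the password, that keep the trust store from being read or rewritten by anyone who can reach it.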
Enabling SSL connections
- Set the EnableSSL property to true. When the EnableSSL property is set to true, the following properties are enabled:
- Use the KeyStore property to specify the location of the keystore file.
- Use the KeyStorePassword property to specify the password for the keystore. Note: You can encrypt the keystore file password using the nco_aes_crypt utility (for FIPS 140-2 mode security).
- Set the Port property to the port that the probe uses for SSL connections.