SSL-based connectivity

The Probe for Huawei U2000 3GPP (CORBA) supports Secure Sockets Layer (SSL) connections between the probe and the EMS server. SSL connections provide additional security when the probe retrieves alarms from the EMS.

To enable SSL connections, obtain the required SSL certificates and the Trusted Authority certificate from the EMS vendor, Huawei Technologies. Add the certificates to a local Java™ keystore so that they can be referenced by the KeyStore property.

To create the keystore, ensure you have the following software installed:
  • OpenSSL toolkit
  • KeyMan utility

You must also obtain the client and server certificates, client_ca.cer and server_ca.cer, and the server key pair, server_key.pem, from Huawei Technologies.

Note: The certificate and key pair files used here are the default files used by the Huawei U2000 EMS. If you replace these files, you must create a keystore containing the new files.

Creating the SSL keystore and truststore

To create a Java keystore, follow these steps:
  1. Convert the server certificate to PKCS12 format using the following OpenSSL toolkit command:

    openssl pkcs12 -export -inkey server_key.pem -in server_ca.cer -out server_ca.pkcs12

  2. Create the keystore using the KeyMan utility:
    1. Start the KeyMan utility.
    2. Click Create New and select the Keystore token option.
    3. Click File > Import and choose the server_ca.pkcs12 file that you created in step 1.

      This imports the keyEntry into the keystore.

    4. Click File > Import and choose the server_ca.cer certificate.

      This imports the server certificate into the keystore.

    5. Click File > Import and choose the client_ca.cer certificate.

      This imports the client certificate into the keystore.

    6. Click File > Save and enter a password and name for the keystore, for example trusted_keystore.jks.
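
Before importing anything into KeyMan, it is worth confirming that server_key.pem belongs to server_ca.cer and that the certificate is not about to expire. The following is an added example, not part of the original procedure or the vendor's tooling, that wraps the step 1 export in those checks. The function names and the P12_PASS environment variable are assumptions, and the export password is read from the environment rather than typed on the command line.

```shell
#!/bin/sh
# Added example: checks around step 1. File names follow the page; the function
# names and the P12_PASS environment variable are assumptions of this example.

# Print the certificate as PEM, whether the .cer file is PEM or DER encoded.
cert_pem() {
    openssl x509 -in "$1" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" 2>/dev/null
}

# Succeed only if the private key's public half equals the certificate's.
# usage: key_matches_cert server_key.pem server_ca.cer
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(cert_pem "$2" | openssl x509 -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Succeed only if the certificate is still valid N days from now (default 30).
# usage: cert_valid_for server_ca.cer [days]
cert_valid_for() {
    secs=$(( ${2:-30} * 86400 ))
    cert_pem "$1" | openssl x509 -noout -checkend "$secs" >/dev/null 2>&1
}

# Run both checks, then the step 1 export, then read the result back.
# usage: build_pkcs12 server_key.pem server_ca.cer server_ca.pkcs12
build_pkcs12() {
    [ -n "$P12_PASS" ] || { echo "set and export P12_PASS first" >&2; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "key does not match certificate, or a file is unreadable" >&2; return 1; }
    cert_valid_for "$2" ||
        { echo "certificate is expired or expires within 30 days" >&2; return 1; }
    # The PKCS12 file holds the private key: create it readable by owner only.
    ( umask 077
      cert_pem "$2" |
      openssl pkcs12 -export -inkey "$1" -out "$3" -passout env:P12_PASS
    ) || return 1
    # Confirm the file opens with the password before handing it to KeyMan.
    openssl pkcs12 -in "$3" -passin env:P12_PASS -noout 2>/dev/null
}
```

Export P12_PASS in the shell session before calling build_pkcs12, and unset it once the keystore has been saved.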

Enabling SSL connections

To enable SSL-based connections between the probe and the EMS server, follow these steps:
  1. Configure the probe connection methods to use the Naming service by configuring the Naming service host and port or Naming service IOR file.
  2. Set the EnableSSL property to true.
    When the EnableSSL property is set to true, the following properties are enabled:
    • KeyStore
    • KeyStorePassword
    • SecurityProtocol
  3. Use the KeyStore property to specify the location of the keystore file trusted_keystore.jks.
  4. Use the KeyStorePassword property to specify a password for the keystore.
  5. Encrypt the keystore file password (if required) using the encryption utility supplied with Netcool/OMNIbus. See Encrypting passwords.