SSL-based connectivity
The Probe for Juniper Contrail supports Secure Sockets Layer (SSL) connections between the probe and Juniper Contrail. SSL connections provide additional security when the probe retrieves alarms from the target systems.
To enable SSL connections, obtain the required SSL certificates and the Trusted Authority certificate from the Juniper Contrail server administrator. Add the certificates to a local Java™ keystore so that they can be referenced by the KeyStore property.
Prerequisites
- The OpenSSL toolkit, available from http://www.openssl.org/.
- The IBM® KeyMan utility, available from http://www.alphaworks.ibm.com/tech/keyman/download.
- The Keytool toolkit, which is included in the JRE package.
Converting the key and certificate into PKCS12 format
If you have a key and a certificate from the server in separate files, you must combine them into a single PKCS12 format file to load into a new keystore. To convert the server certificate into PKCS12 format, use the following OpenSSL toolkit command:
openssl pkcs12 -export -inkey key_file -in cert_file -out cert_pkcs12
Where:
- key_file is the key file retrieved from the server.
- cert_file is the certificate retrieved from the server.
- cert_pkcs12 is the combined file in PKCS12 format for loading into the keystore.
Creating the SSL keystore
You can create a Java keystore using either the KeyMan utility or the Keytool utility.
To use the KeyMan utility, follow these steps:
- Start the KeyMan utility.
- Click Create New and select the Keystore token option.
- Import the certificate that you retrieved from the server. This imports the certificate into the keystore.
- Save the keystore, entering a password and a name for it; for example, trusted_keystore.jks.
To use the Keytool utility, follow these steps:
- Generate a keystore and self-signed certificate using the following command:
keytool -genkey -keyalg RSA -alias alias_name -keystore keystore_file -storepass keystore_password -validity 360 -keysize 2048
- Import the SSL certificate into the newly created Java keystore file using the following command:
keytool -import -trustcacerts -alias alias_name -file cert_file -keystore keystore_file
- Verify that the certificates are in the Java keystore using the following command:
keytool -list -v -keystore keystore_file
Enabling SSL connections
To enable SSL connections, set the following properties in the juniper_contrail.props file:
- Set the EnableSSL property to true. When the EnableSSL property is set to true, the following properties are enabled:
  - KeyStore
  - KeyStorePassword
- Use the KeyStore property to specify the location of the keystore file.
- Use the KeyStorePassword property to specify a password for the keystore.
Note: You can encrypt the keystore file password using the nco_aes_crypt utility (for FIPS 140-2 mode security).
- Set the Port property to the port that the probe uses for SSL connections.
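The following script is an added example, not part of the IBM probe documentation: it reads the properties described above from a juniper_contrail.props file and checks that they are coherent (EnableSSL set to true, a KeyStore file that exists, a non-empty KeyStorePassword, a numeric Port) before the probe is started. It assumes the OMNIbus props syntax "Name : value" with string values in single quotes; the property names come from this page, and any paths used when running it are your own.

```shell
#!/bin/sh
# Added example, not part of the IBM probe documentation: sanity-check the
# SSL properties of a juniper_contrail.props file before starting the probe.
# Assumes the OMNIbus props syntax "Name : value" with string values in
# single quotes; property names are from the page, sample paths are constructed.

# prop FILE NAME: print the value of NAME from FILE, quotes stripped; the
# last uncommented definition wins and nothing is printed if it is unset.
prop() {
    awk -v name="$2" '
        $0 !~ /^[ \t]*#/ && $1 == name && $2 == ":" {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)   # drop the "Name :" prefix
            sub(/[ \t]*$/, "", val)         # drop trailing whitespace
            gsub(/^'\''|'\''$/, "", val)    # drop surrounding single quotes
            found = 1
        }
        END { if (found) print val }' "$1"
}

# check_ssl_props FILE: return 0 when EnableSSL is true and the properties
# it enables are usable; otherwise report each problem and return 1.
check_ssl_props() {
    file=$1; rc=0
    enable=$(prop "$file" EnableSSL)
    keystore=$(prop "$file" KeyStore)
    password=$(prop "$file" KeyStorePassword)
    port=$(prop "$file" Port)
    [ "$enable" = "true" ] || { echo "EnableSSL is '$enable', expected true"; rc=1; }
    if [ -z "$keystore" ]; then
        echo "KeyStore is not set"; rc=1
    elif [ ! -r "$keystore" ]; then
        echo "KeyStore file '$keystore' is missing or unreadable"; rc=1
    fi
    [ -n "$password" ] || { echo "KeyStorePassword is not set"; rc=1; }
    case $port in
        ''|*[!0-9]*) echo "Port '$port' is not a numeric SSL port"; rc=1 ;;
    esac
    # The file holds the keystore password: warn when other users can read it.
    [ -z "$(find "$file" -perm -004 2>/dev/null)" ] ||
        echo "warning: $file is world-readable; tighten permissions and use nco_aes_crypt"
    return $rc
}

# Usage: sh check_ssl_props.sh /path/to/juniper_contrail.props
if [ $# -gt 0 ]; then
    check_ssl_props "$1"
fi
```

The script exits non-zero with one line per problem, so it can be run from a start-up wrapper to stop the probe from starting with an unusable SSL configuration.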