SSL-based connectivity
The Probe for Cisco APIC supports Secure Sockets Layer (SSL) connections between the probe and Cisco APIC. SSL connections provide additional security when the probe retrieves alarms from the target systems.
To enable SSL connections, obtain the required SSL certificates and the Trusted Authority certificate from the Cisco APIC server administrator. Add the certificates to a local Java™ keystore so that they can be referenced by the KeyStore property.
Prerequisites
- The OpenSSL toolkit.
This is available from http://www.openssl.org/.
- The IBM® KeyMan utility.
This is available from http://www.alphaworks.ibm.com/tech/keyman/download.
- The Keytool toolkit.
This is available in the JRE package.
Converting the key and certificate into PKCS12 format
If you have a key and a certificate from the server in separate files, you must combine them into a single PKCS12 format file to load into a new keystore. To convert the server certificate into PKCS12 format, use the following OpenSSL toolkit command:
openssl pkcs12 -export -inkey key_file -in cert_file -out cert_pkcs12
Where:
- key_file is the key file retrieved from the server.
- cert_file is the certificate retrieved from the server.
- cert_pkcs12 is the combined file in PKCS12 format for loading into the keystore.
Creating the SSL keystore
You can create a Java keystore using either the KeyMan utility or the Keytool utility.
To use the KeyMan utility, follow these steps:
- Start the KeyMan utility.
- Click Create New and select the Keystore token option.
- Click and choose the certificate that you retrieved from the server. This imports the certificate into the keystore.
- Click and enter a password and name for the keystore; for example, trusted_keystore.jks.
To use the Keytool utility, follow these steps:
- Generate a keystore and self-signed certificate using the following command:
keytool -genkey -keyalg RSA -alias alias_name -keystore keystore_file -storepass keystore_password -validity 360 -keysize 2048
- Import the SSL certificate from Cisco APIC into the newly created Java keystore file using the following command:
keytool -import -trustcacerts -alias alias_name -file cert_file -keystore keystore_file
- Verify that the certificates are in a Java keystore using the following command:
keytool -list -v -keystore keystore_file
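The Keytool procedure above as a script, added here as an example (it is not part of the IBM documentation or the probe). It assumes the file names apic.key, apic.crt, apic.p12 and trusted_keystore.jks and the alias apic; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: build the trust keystore that the probe's KeyStore
# property points at. File names and alias below are assumptions.
set -eu

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: combine a separate key and certificate into one PKCS12 file.
# Each option is separated from its argument by a space.
make_pkcs12() {
    key_file=$1; cert_file=$2; cert_pkcs12=$3
    run openssl pkcs12 -export -inkey "$key_file" -in "$cert_file" -out "$cert_pkcs12"
}

# Step 2: import the APIC certificate as a trusted entry. keytool creates
# the keystore file if it does not exist; -noprompt skips the
# interactive "Trust this certificate?" question for unattended use.
import_cert() {
    alias_name=$1; cert_file=$2; keystore_file=$3; keystore_password=$4
    run keytool -import -trustcacerts -noprompt -alias "$alias_name" \
        -file "$cert_file" -keystore "$keystore_file" -storepass "$keystore_password"
}

# Step 3: verify the alias is present; keytool -list prints one line per
# entry starting with "alias,". Returns non-zero when the alias is missing.
verify_alias() {
    alias_name=$1; keystore_file=$2; keystore_password=$3
    keytool -list -keystore "$keystore_file" -storepass "$keystore_password" \
        | grep -q "^${alias_name},"
}

# Usage (assumed script name): KEYSTORE_PASSWORD=... sh build_keystore.sh build
if [ "${1:-}" = "build" ]; then
    make_pkcs12 apic.key apic.crt apic.p12
    import_cert apic apic.crt trusted_keystore.jks "$KEYSTORE_PASSWORD"
    verify_alias apic trusted_keystore.jks "$KEYSTORE_PASSWORD" && echo "alias apic present"
fi
```

The password given to -storepass is the value to supply in KeyStorePassword; keep the keystore file readable only by the account that runs the probe.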
Enabling SSL connections
- Set the EnableSSL property to true. When the EnableSSL property is set to true, the following properties are enabled:
  - KeyStore
  - KeyStorePassword
- Use the KeyStore property to specify the location of the keystore file.
- Use the KeyStorePassword property to specify a password for the keystore.
Note: You can encrypt the keystore file password using the nco_aes_crypt utility (for FIPS 104-2 mode security).
- Set the Port property to the port that the probe uses for HTTPS connections.