Configuring SSL connections

You can enable Secure Sockets Layer (SSL) encryption of data exchanged over HTTP.

To enable SSL encryption, use the following steps:
  1. Use the following Java keytool command to generate a key pair for the probe, along with a keystore file and its associated password:

    keytool -genkey -alias alias_id -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password

  2. When prompted, enter the following details:
    • First and Last Name: MTOSI probe at server_hostname
    • Organizational Unit: Netcool/OMNIbus Organization IBM
    • Organization: IBM
    • City: N/A
    • State: N/A
    • Country: US
    • Enter key password: To use the same password that you specified for the keystore password, press ENTER without entering any characters at this prompt.
  3. For each server where an instance of the probe is installed, generate an X.509 self-signed certificate for the probe using the following command:

    keytool -selfcert -alias alias_id -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password

  4. For each server where an instance of the probe is installed, generate and export a certificate file for the probe (probe_cert_filename.cer) using the following command:

    keytool -export -alias alias_id -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password -file probe_cert_filename.cer

    Use a unique alias_id value and probe_cert_filename value for each certificate file.

  5. Manually transfer each certificate file generated in step 4 to the MTOSI server.
  6. Import each certificate file generated in step 4 to the MTOSI server.
  7. Obtain and export the MTOSI system certificate file (mtosi_cert_filename.cer).
  8. For each server where an instance of the probe is installed, import the MTOSI system certificate (mtosi_cert_filename.cer) using the following command:

    keytool -import -alias alias_id -file mtosi_cert_filename.cer -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password

  9. Specify values for the following probe properties, using the same Java keystore file as both a key store and a trusted certificates store, and using the same password for each file:
    • KeyStore: Specify the location of the trusted_keystore.jks file.
    • KeyStorePassword: Specify an unencrypted password for the trusted_keystore.jks file.
    • TrustStore: Specify the location of the trusted_keystore.jks file.
    • TrustedStorePassword: Specify the same unencrypted password you used for the KeyStorePassword property.
    Note: If the keystore file does not require a password, set the KeyStorePassword property to "".
  10. For SSL connections over an HTTP interface, the values that you specify for the HTTPServiceAlarmRetrievalURL and HTTPServiceAlarmUpdateURL properties must begin with https instead of the default http. For example:

    https://127.0.0.1:8081/nmsnbi/mtosi/AlarmRetrieval

  11. For SSL connections over the HTTPServiceNotificationConsumerIP, configure the ServerType with HTTPS.

The probe is now enabled to use SSL connections for exchanging data with the MTOSI server over HTTP.
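
The following check is an added example, not part of the original procedure or the product: it reads a probe properties file and reports settings that contradict steps 9 to 11, so that a URL left at http or a mismatched store password is caught before the probe starts. The file syntax (Name : "value" with # comments), the literal ServerType value "HTTPS", and the sample contents are assumptions made for illustration.

```python
import re

# Assumed file syntax (not taken from the page): Name : "value", '#' starts a comment.
PROP_RE = re.compile(r"""^\s*(\w+)\s*:\s*(["'])(.*?)\2\s*(?:#.*)?$""")
URL_PROPS = ("HTTPServiceAlarmRetrievalURL", "HTTPServiceAlarmUpdateURL")
STORE_PROPS = ("KeyStore", "KeyStorePassword", "TrustStore", "TrustedStorePassword")

# Constructed sample: the update URL and ServerType were left at plain HTTP.
SAMPLE = '''\
# SSL settings
KeyStore : "$OMNIHOME/java/conf/trusted_keystore.jks"
KeyStorePassword : "example-password"
TrustStore : "$OMNIHOME/java/conf/trusted_keystore.jks"
TrustedStorePassword : "example-password"
HTTPServiceAlarmRetrievalURL : "https://127.0.0.1:8081/nmsnbi/mtosi/AlarmRetrieval"
HTTPServiceAlarmUpdateURL : "http://127.0.0.1:8081/nmsnbi/mtosi/AlarmUpdate"
ServerType : "HTTP"
'''

def parse_props(text):
    """Return {name: value}; commented-out and malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(3)
    return props

def check_ssl_props(props):
    """Return a list of findings; an empty list means steps 9-11 are consistent."""
    findings = [f"{name} is not set" for name in STORE_PROPS if name not in props]
    # Step 9: one JKS file serves as both key store and trust store.
    if props.get("KeyStore") != props.get("TrustStore"):
        findings.append("KeyStore and TrustStore point to different files")
    # Step 9: same password for both; "" is valid for a store without a password.
    if props.get("KeyStorePassword") != props.get("TrustedStorePassword"):
        findings.append("KeyStorePassword and TrustedStorePassword differ")
    # Step 10: both service URLs must use https, not the default http.
    for name in URL_PROPS:
        url = props.get(name, "")
        if not url.lower().startswith("https://"):
            findings.append(f"{name} does not begin with https: {url!r}")
    # Step 11: the notification consumer must be served over HTTPS.
    if props.get("ServerType", "").upper() != "HTTPS":
        findings.append("ServerType is not HTTPS")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_props(parse_props(SAMPLE)):
        print("FINDING:", finding)
```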