SSL-based connectivity
Generic Probe for TMF814 (V2.1, V3.0 and V3.5) (CORBA) supports Secure Sockets Layer (SSL) connections. SSL connections provide additional security when the probe retrieves alarms from the target systems.
To enable SSL connections, obtain the required SSL certificates and the Trusted Authority certificate from the Generic Probe for TMF814 (V2.1, V3.0 and V3.5) (CORBA) server administrator. Add the certificates to a local Java™ keystore so that they can be referenced by the KeyStore property.
Prerequisites
- The OpenSSL toolkit.
This is available from http://www.openssl.org/.
- The IBM® KeyMan utility.
This is available from http://www.alphaworks.ibm.com/tech/keyman/download.
- The Keytool toolkit.
This is available in the JRE package.
For example, keytool can be found at the following location:
/opt/IBM/tivoli/netcool/platform/linux2x86/jre64_1.7.0/jre/bin/keytool
Converting the key and certificate into PKCS12 format
If you have a key and a certificate from the server in separate files, you must combine them into a single PKCS12 format file to load into a new keystore. To convert the server certificate into PKCS12 format, use the following OpenSSL toolkit command:
openssl pkcs12 -export -inkey key_file -in cert_file -out cert_pkcs12
Where:
key_file is the key file retrieved from the server.
cert_file is the certificate retrieved from the server.
cert_pkcs12 is the combined file in PKCS12 format for loading into the keystore.
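The conversion above, wrapped with two checks worth making before the file goes into a keystore: that the key and certificate belong together, and that the finished bundle opens with the chosen password. This is an added example, not IBM's code; the function names and the P12_PASS environment variable are assumptions, and the key and certificate it generates are constructed throwaway samples.

```shell
# Added example, not IBM's code. Function names and P12_PASS are assumptions.

# Succeeds only when cert_file carries the public key of key_file.
key_matches_cert() {   # key_matches_cert key_file cert_file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Combine key and certificate as on this page, after checking that they match.
# The export password is read from $P12_PASS to keep it off the command line.
make_pkcs12() {        # make_pkcs12 key_file cert_file cert_pkcs12
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    ( umask 077        # the bundle holds the private key: owner-only access
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
          -passout env:P12_PASS ) || return 1
    # Re-open the bundle to confirm that the password and MAC verify.
    openssl pkcs12 -in "$3" -noout -passin env:P12_PASS 2>/dev/null
}

# Constructed sample input: a throwaway self-signed key and certificate.
new_test_pair() {      # new_test_pair key_out cert_out
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 1 -subj "/CN=constructed-example" 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    export P12_PASS='constructed-demo-password'
    new_test_pair "$work/server_key.pem" "$work/server_ca.cer" &&
    new_test_pair "$work/other_key.pem" "$work/other.cer" &&
    make_pkcs12 "$work/server_key.pem" "$work/server_ca.cer" \
        "$work/server_ca.pkcs12" && echo "matching pair: bundle written" &&
    ! make_pkcs12 "$work/other_key.pem" "$work/server_ca.cer" \
        "$work/bad.pkcs12" 2>/dev/null && echo "mismatched pair: refused"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

demo
```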
Creating the SSL keystore
- Convert the server certificate to PKCS12 format using the following OpenSSL toolkit command:
openssl pkcs12 -export -inkey server_key.pem -in server_ca.cer -out server_ca.pkcs12
- Create the keystore using the KeyMan utility:
- Start the KeyMan utility.
- Click Create New and select the Keystore token option.
- Click and choose the server_ca.pkcs12 file that you created in step 1.
This imports the keyEntry into the keystore.
- Click and choose the server_ca.cer certificate.
This imports the server certificate into the keystore.
- Click and choose the client_ca.cer certificate.
This imports the client certificate into the keystore.
- Click and enter a password and name for the keystore, for example trusted_keystore.jks.
Enabling SSL connections
generic_tmf814.props file:
- Set the EnableSSL property to true.
When the EnableSSL property is set to true, the following properties are enabled:
- KeyStore
- KeyStorePassword
- SecurityProtocol
- Use the KeyStore property to specify the location and file name of the keystore file trusted_keystore.jks.
- Use the KeyStorePassword property to specify a password for the keystore.
- Encrypt the keystore file password using the nco_g_crypt utility.