Configuring SSL connections

If the Nokia NFM-P server is using a Secure Socket Layer (SSL) connection to encrypt data exchanged over JMS and HTTP, you will need to configure the truststore for the HTTPS connection on the Netcool/OMNIbus probe server.

To configure the truststore, use the following steps:
  1. Obtain the security certificate from the NFM-P server.
  2. Import the security certificate from the NFM-P server.
  3. Verify that the security certificate has been imported into the keystore.

Obtaining a certificate file for the truststore

There are two possible approaches:
  1. Obtain the Nokia NFM-P security certificate from a certificate authority (CA).
  2. Export the security certificate file from an existing keystore file on the NFM-P server using the following command:

    ./keytool -export -alias alias_name -keystore keystore_file -storepass password -file certificate_file

    Where:

    alias_name is the keystore alias specified during Nokia NFM-P keystore generation, for example: NFMP_ALIAS.

    keystore_file is the path to and name of the Nokia NFM-P keystore file, for example: /opt/nfmpserver.keystore.

    password is the Nokia NFM-P keystore password, for example: the password of nfmpserver.keystore.

    certificate_file is the path to and name of the certificate file to be created, for example: /opt/nfmpcert.

Importing a security certificate into a new or an existing truststore on the Netcool/OMNIbus probe server

To import a certificate file into the truststore, use one of the following steps:

  1. For importing the certificate into a new truststore, use the following command:

    ./keytool -import -trustcacerts -alias new_alias_name -file certificate_file -keystore truststore_file -storepass password

    Note: If the alias does not point to an existing key entry in the truststore file, keytool assumes that you are adding a new trusted certificate entry to the truststore file. In this case, the alias must not already exist; otherwise, the import fails.
  2. For importing the certificate into an existing truststore, use the following command:

    ./keytool -import -trustcacerts -alias alias_name -file certificate_file -keystore truststore_file -storepass password

    Note: If the alias points to a key entry in the truststore file, keytool assumes that you are importing a certificate reply, and replaces the old certificate chain with the new certificate chain in the truststore file.

    Where:

    alias_name is the key entry of the certificate reply. The alias must be the same as that specified during keystore file generation in Nokia NFM-P server, for example: NFMP_ALIAS.

    new_alias_name is the keystore alias of a new keystore, for example: NFMP_ALIAS_NEW.

    certificate_file is the path to and name of the certificate file created earlier, for example: /opt/nfmpcert.

    truststore_file is the path to and name of the truststore file that will contain the imported certificate, for example: /opt/nfmpserver.truststore.

    password is the Nokia NFM-P keystore password, for example: the password of nfmpserver.truststore.

Verifying that the security certificate has been imported into the keystore

To verify that the certificate has been imported into the keystore, use the following command:

./keytool -list -v -keystore truststore_file

Where:

truststore_file is the path to and name of the truststore file generated, for example: /opt/nfmpserver.trustStore.

Note: For more details about configuring SSL security for the Nokia NFM-P server (including instructions about obtaining certificate files) refer to the NFM-P Installation and Upgrade Guide.
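The verification step can be scripted so that it checks more than the presence of an alias. The following is an added example, not part of the original documentation: it parses `keytool -list -v` output and confirms that the alias is a trusted certificate entry whose SHA-256 fingerprint matches the expected value. The listing, aliases and fingerprints are constructed placeholders, the function names are hypothetical, and the expected fingerprint is assumed to come from the NFM-P administrator or from running `keytool -printcert -file certificate_file` on the exported file.

```shell
#!/bin/sh
# Added example. Fingerprints, aliases and owners below are constructed placeholders.
FP_NFMP="11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00"
FP_KEY="0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0"

# Abridged, constructed stand-in for: ./keytool -list -v -keystore truststore_file
SAMPLE_LISTING="Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: nfmp_alias
Entry type: trustedCertEntry
Owner: CN=nfmp.example.test
Certificate fingerprints:
         SHA256: $FP_NFMP

Alias name: probe_key
Entry type: PrivateKeyEntry
Owner: CN=probe.example.test
Certificate fingerprints:
         SHA256: $FP_KEY"

# entry_field LISTING ALIAS LABEL: print the value of "LABEL: value" inside ALIAS's entry.
# Aliases are compared case-insensitively (keytool usually lists them in lower case).
entry_field() {
  printf '%s\n' "$1" | awk -v want="$2" -v label="$3" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^Alias name: / { in_entry = (tolower(substr(line, 13)) == tolower(want)); next }
    in_entry && index(line, label ": ") == 1 { print substr(line, length(label) + 3); exit }'
}

# Strip colons/whitespace and upper-case hex so fingerprints compare reliably.
norm_fp() { tr -d ': \n' | tr 'abcdef' 'ABCDEF'; }

# verify_trust_entry LISTING ALIAS EXPECTED_SHA256
# 0 = trusted entry with matching fingerprint, 1 = alias missing,
# 2 = alias is not a trustedCertEntry, 3 = fingerprint mismatch.
verify_trust_entry() {
  etype=$(entry_field "$1" "$2" "Entry type")
  [ -n "$etype" ] || return 1
  [ "$etype" = "trustedCertEntry" ] || return 2
  have=$(entry_field "$1" "$2" "SHA256" | norm_fp)
  want=$(printf '%s' "$3" | norm_fp)
  [ -n "$have" ] && [ "$have" = "$want" ] || return 3
}

verify_trust_entry "$SAMPLE_LISTING" NFMP_ALIAS "$FP_NFMP" &&
  echo "NFMP_ALIAS: trusted certificate entry, SHA-256 fingerprint matches"
```

Against a real truststore, pass the captured output of the `keytool -list -v` command in place of SAMPLE_LISTING.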

Configuring the probe

To configure the probe to connect to the Nokia NFM-P server using an SSL connection, use the following steps:

  1. Set the probe's UseSSL property to true and configure the probe's HTTPPort property to use the default Nokia NFM-P HTTPS port, 8443.
  2. Specify values for the following probe properties:
    • TrustStore: Specify the path of the probe's Java keystore that you created in the steps for importing the certificate into the truststore, for example: /opt/nfmpserver.trustStore.
    • TrustStorePassword: Specify the password that you set for the Java keystore.
    • CertificateStore: Specify the path of the certificate keystore. This will be the same value as that set for the TrustStore property unless you manage them in different keystore files.
    • CertificateStorePassword: Specify the password set for the certificate keystore.

You can set both the TrustStore property and the CertificateStore property to the same keystore file where the license file is imported, or you can specify different keystore files.

Example SSL configuration property settings

The following example shows SSL configuration settings from the properties file of an example Probe for Nokia Network Functions Manager for Packet:

Host                     : "198.162.20.21"
HTTPPort                 : 8443
UseSSL                   : "true"
TrustStore               : "/opt/nfmpserver.trustStore"
TrustStorePassword       : "newpassword"
CertificateStore         : "/opt/nfmpserver.trustStore"
CertificateStorePassword : "newpassword"