Configuring SSL connections

You can enable Secure Sockets Layer (SSL) encryption of data exchanged over JMS and HTTP. The HTTPS connection requires a Java keystore file, whose location and password are specified using the CertificateStore and CertificateStorePassword properties. You can create the keystore file using the Java keytool command.

For general guidelines on JMS connections over SSL, see https://community.jboss.org/wiki/JMSOverSSL?_sscc=t.

To enable SSL encryption, use the following steps:
  1. Use the keytool command to generate the keystore by running the following command:

    keytool -genkey -alias sslprobecert -keyalg RSA -keystore alcateload.jks -keysize 2048

    Note: If you are running more than one probe, you must generate a keystore for each probe and provide a different name for each, for example, alcateload01.jks, alcateload02.jks, alcateload03.jks, and so forth.
  2. When prompted for a password, press ENTER to use the same password as the keystore password.
    Note: To reset the password for the probe's Java keystore at a later date, you can use the following command:

    keytool -storepasswd -new new_storepass -keystore alcateload.jks

  3. Store the keystore file in the following directory:

    $OMNIHOME/probes/java/keystore/nco_p_alcatel_5529_oad_v6/

  4. Obtain the Alcatel EMS certificate (alcatelclient.cert). Consult your Alcatel documentation for instructions about obtaining certificate files.
  5. Import the Alcatel EMS certificate into the keystore file using the following command:

    keytool -import -trustcacerts -alias alcatelsslclientcert -file alcatelclient.cert -keystore alcateload.jks

  6. Verify that the certificate has been imported into the keystore using the following command:

    keytool -list -v -keystore alcateload.jks

  7. Set the probe's UseSsl property to true and configure the ports specified with the probe's HttpHostPort property to use the default Alcatel EMS HTTPS port, for example, 8443.
  8. Specify values for the following probe properties, using the same Java keystore file as both certificate store and trusted certificates store, using the same password for each:
    • CertificateStore: Specify the path of the probe's Java keystore that you created.
    • CertificateStorePassword: Specify the password that you set for the Java keystore.
    • TrustStore: Specify the same value as that set for the CertificateStore property.
    • TrustStorePassword: Specify the same value as that set for the CertificateStorePassword property.
Note:

The format of the keystore file that the AMS/OAD uses has changed in 9.7.03 from JKS to PKCS12.

Probe version 7.5 has introduced new properties which can be used to configure keystore type:

CertificateStoreType: "PKCS12"
TrustStoreType:       "PKCS12"

Due to a limitation in IBM Java, the Probe requires Oracle Java rather than IBM Java to connect to the OAD 9.7.03 or later.
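
The following is an added example, not part of the product documentation. It reads the output of the step 6 command (keytool -list -v) and confirms that the sslprobecert key entry from step 1 and the alcatelsslclientcert trusted certificate from step 5 are both present with the expected entry types, and it reports the keystore type that the note above refers to. The function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Reads `keytool -list -v` output on stdin and checks the two entries created
# in steps 1 and 5. Returns 0 only if both exist with the expected entry type.
check_probe_keystore() {
    awk '
        /^Keystore type:/ { store = $3 }
        /^Alias name:/    { cur = $3 }
        /^Entry type:/    { etype[cur] = $3 }
        END {
            want["sslprobecert"]         = "PrivateKeyEntry"
            want["alcatelsslclientcert"] = "trustedCertEntry"
            rc = 0
            print "keystore type: " (store == "" ? "unknown" : store)
            for (a in want) {
                if (!(a in etype)) { print "MISSING " a; rc = 1 }
                else if (etype[a] != want[a]) { print "WRONG TYPE " a ": " etype[a]; rc = 1 }
                else print "OK " a " (" etype[a] ")"
            }
            exit rc
        }'
}

# Constructed sample of verbose keytool listing output (not from a real keystore).
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: sslprobecert
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry

Alias name: alcatelsslclientcert
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
EOF
}

# Real use: keytool -list -v -keystore alcateload.jks | check_probe_keystore
sample_listing | check_probe_keystore
```

A MISSING or WRONG TYPE line for alcatelsslclientcert means the import in step 5 did not go into this keystore file.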

Example SSL configuration property settings

The following example shows SSL configuration settings from the properties file of an example Probe for Alcatel-Lucent 5529 OAD:

HTTPHostPort             : "198.162.20.21:8443"
UseSsl                   : "true"
CertificateStore         : "/opt/IBM/tivoli/netcool/omnibus/probes/java/keystore/nco_p_alcatel_5529_oad_v6/alcateload.jks"
CertificateStorePassword : "ECEDBJAGBJFHGD"
TrustStore               : "/opt/IBM/tivoli/netcool/omnibus/probes/java/keystore/nco_p_alcatel_5529_oad_v6/alcateload.jks"
TrustStorePassword       : "ECEDBJAGBJFHGD"