Specifying a keystore file

If you are using a TLS connection, you must generate a keystore file to store the mail server's digital certificate and the encryption keys. You must also specify the keystore and truststore properties in the properties file.

To enable a TLS connection, you must first obtain the mail server's digital certificate file. The certificate usually contains the server name, the trusted certificate authority (CA) and the server's public encryption key. You then use the certificate to generate a Java™ keystore file.

You generate the keystore file using the Java keytool utility, which is located in the following directory:

$NCHOME/platform/arch/jre_1.5.6/jre/bin

To generate the keystore file, use the following steps:
  1. Use the keytool utility to generate the keystore by running the following command:

    keytool -import -alias client_certificate -file certificate_file -keystore keystore_name

    where:
    • client_certificate is an alias (any name will do, for example: omnibus).
    • certificate_file is the mail server's certificate file.
    • keystore_name is the name of the output keystore file, for example, keystore_sol2.
  2. When prompted, enter a password for the keystore file and make a note of it.
  3. Store the keystore file in the following directory:

    $OMNIHOME/probes/arch/

  4. Encrypt the keystore password using the nco_g_crypt utility by running the following command:

    $OMNIHOME/bin/nco_g_crypt password

There are several methods for creating a truststore file. The best method for use with the SNMP Probe is to specify the same values for the keystore properties and the truststore properties. This means that, after generating the keystore file and encrypting its password, you must specify the following properties in the properties file:
  • KeyStoreFile - Use this property to specify the location of the keystore file.
  • KeyStorePassword - Use this property to specify the encrypted keystore password.
  • TrustStoreFile - Use this property to specify the location of the keystore file.
  • TrustStorePassword - Use this property to specify the encrypted keystore password.

This method is preferred because it requires only one file and password to be created, and it makes the truststore file specific to the probe and independent of the JRE installation.

Note: You might wish to use the keystore only for encrypting or signing files using your private key and use the truststore for other tasks, such as authenticating with remote servers. If you decide to divide tasks between the two stores, you must generate a separate truststore file from the same server certificate used to generate the keystore file. The keystore and truststore passwords can be different, if required.
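
The following shell check is an added example, not part of the product documentation. It reads a properties file and confirms that it follows the single-file method described above: all four properties set, truststore values equal to the keystore values, and the keystore file present and not writable by group or others. The `Name : 'value'` property syntax, the function names and the write-permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# Assumption: properties are written as  Name : 'value'  or  Name : "value".
# Usage: check_tls_props /path/to/probe.props   (file name is hypothetical)

# Print the value of property $2 from properties file $1.
# Lines starting with '#' never match; if a name repeats, the last one is printed.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*[\"']\\(.*\\)[\"'][[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# Return 0 only if the file follows the single-store method described above.
check_tls_props() {
    props=$1
    rc=0
    for p in KeyStoreFile KeyStorePassword TrustStoreFile TrustStorePassword; do
        if [ -z "$(prop_value "$props" "$p")" ]; then
            echo "FAIL: $p is missing or empty" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    ks=$(prop_value "$props" KeyStoreFile)
    if [ "$ks" != "$(prop_value "$props" TrustStoreFile)" ]; then
        echo "FAIL: TrustStoreFile differs from KeyStoreFile" >&2
        rc=1
    fi
    if [ "$(prop_value "$props" KeyStorePassword)" != "$(prop_value "$props" TrustStorePassword)" ]; then
        echo "FAIL: TrustStorePassword differs from KeyStorePassword" >&2
        rc=1
    fi
    if [ ! -r "$ks" ]; then
        echo "FAIL: keystore $ks does not exist or is not readable" >&2
        rc=1
    elif [ -n "$(find "$ks" -prune \( -perm -020 -o -perm -002 \))" ]; then
        # The store decides which certificate the probe trusts, so other
        # accounts must not be able to rewrite it.
        echo "FAIL: keystore $ks is group- or world-writable" >&2
        rc=1
    fi
    return "$rc"
}
```

A configuration that deliberately splits the two stores, as the note allows, is reported as a failure by this check.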