Configuring SSL connections

You can enable Secure Sockets Layer (SSL) encryption of data exchanged over JMS and HTTP.

To enable SSL encryption, use the following steps:
  1. Use the following Java keytool command to generate a key pair for the probe, along with a keystore file and its associated password:

    keytool -genkey -alias alias_id -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password

  2. When prompted, enter the following details:
    • First and Last Name: U2000 probe at server_hostname
    • Organizational Unit: Netcool/OMNIbus
    • Organization: IBM
    • City: N/A
    • State: N/A
    • Country: US
    • Enter key password: To use the same password that you specified for the keystore password, press ENTER without entering any characters at this prompt.
  3. For each server where an instance of the probe is installed, generate an X.509 self-signed certificate for the probe using the following command:

    keytool -selfcert -alias alias_id -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password

  4. For each server where an instance of the probe is installed, generate and export a certificate file for the probe (probe_cert_filename.cer) using the following command:

    keytool -export -alias alias_id -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password -file probe_cert_filename.cer

    Use a unique alias_id value and probe_cert_filename value for each certificate file.

  5. Manually transport each certificate file generated in step 4 to the Huawei U2000 server.
  6. Import each certificate file generated in step 4 to the Huawei U2000 server. Consult your Huawei documentation for instructions about importing certificate files into the Huawei U2000 system.
  7. Obtain and export the Huawei U2000 system certificate file (huawei_cert_filename.cer). Consult your Huawei documentation for instructions about exporting certificate files from the Huawei U2000 system.
  8. For each server where an instance of the probe is installed, import the Huawei U2000 system certificate (huawei_cert_filename.cer) using the following command:

    keytool -import -alias alias_id -file huawei_cert_filename.cer -keystore $OMNIHOME/java/conf/trusted_keystore.jks -storepass password

    Note: If the HTTP interface and the JMS interface of Huawei U2000 do not share the same certificate, repeat steps 7 and 8 for both the HTTP and JMS interface certificates of the Huawei U2000 system.
  9. Specify values for the following probe properties, using the same Java keystore file as both a key store and a trusted certificates store, and using the same password for each file:
    • ProbeKeyStore: Specify the location of the trusted_keystore.jks file.
    • ProbeKeyStorePassword: Specify an unencrypted password for the trusted_keystore.jks file.
    • TrustedCertsStore: Specify the location of the trusted_keystore.jks file.
    • TrustedCertsStorePassword: Specify the same unencrypted password you used for the ProbeKeyStorePassword property.
    Note: If the keystore file does not require a password, set the ProbeKeyStorePassword property to "".
  10. For SSL connections over an HTTP interface, the values that you specify for the ResyncHTTPConnectionURL and UpdateHTTPConnectionURL properties must begin with https instead of the default http. For example:

    https://217.0.0.1/AlarmHandling/updateAlarms

  11. In the jmsTransport.properties file (located in the $OMNIHOME/java/conf directory), change the default value of the providerURL property to the following value:

    ssl://IP_address:61617

The probe is now enabled to use SSL connections for exchanging data with the Huawei U2000 system over JMS and HTTP.
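
One way to check the settings from steps 9 to 11 before starting the probe, as an added example that is not IBM's own tooling. The file name probe.props, the `Name : "value"` property syntax, the `key=value` syntax for jmsTransport.properties and all sample values are assumptions; the world-readable check is included because the store password is kept unencrypted in the properties file.

```shell
#!/bin/sh
# Added example, not IBM code. Assumed syntax: probe props use  Name : "value"
# and jmsTransport.properties uses  key=value.

# prop_value FILE NAME: print the last value set for a probe property.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_ssl_config PROPS JMS: print findings; exit status = number of problems.
check_ssl_config() {
    props=$1; jms=$2; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }
    for p in ResyncHTTPConnectionURL UpdateHTTPConnectionURL; do
        case $(prop_value "$props" "$p") in
            https://*) ;;
            *) fail "$p must begin with https" ;;
        esac
    done
    ks=$(prop_value "$props" ProbeKeyStore)
    [ -n "$ks" ] && [ "$ks" = "$(prop_value "$props" TrustedCertsStore)" ] ||
        fail "ProbeKeyStore and TrustedCertsStore must name the same file"
    [ "$(prop_value "$props" ProbeKeyStorePassword)" = \
      "$(prop_value "$props" TrustedCertsStorePassword)" ] ||
        fail "keystore and trust store passwords differ"
    case $(sed -n 's/^[[:space:]]*providerURL[[:space:]]*=[[:space:]]*//p' "$jms" | tail -n 1) in
        ssl://*) ;;
        *) fail "providerURL must begin with ssl://" ;;
    esac
    # The store password sits unencrypted in the props file.
    [ -z "$(find "$props" -perm -004)" ] || fail "$props is world-readable"
    return "$bad"
}

# make_sample DIR: constructed sample files containing two deliberate mistakes.
make_sample() {
    cat > "$1/probe.props" <<'EOF'
ProbeKeyStore : "/opt/netcool/java/conf/trusted_keystore.jks"
ProbeKeyStorePassword : "example-pass"
TrustedCertsStore : "/opt/netcool/java/conf/trusted_keystore.jks"
TrustedCertsStorePassword : "example-pass"
ResyncHTTPConnectionURL : "https://192.0.2.10/AlarmHandling/resyncAlarms"
UpdateHTTPConnectionURL : "http://192.0.2.10/AlarmHandling/updateAlarms"
EOF
    printf 'providerURL=tcp://192.0.2.10:61616\n' > "$1/jmsTransport.properties"
    chmod 600 "$1/probe.props"
}
if [ "$#" -eq 2 ]; then check_ssl_config "$1" "$2"; fi
```

Run it with the path of the probe properties file and the path of jmsTransport.properties as its two arguments.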