If you run Tivoli Netcool/OMNIbus in FIPS 140-2 mode, or if your network has Java-based
clients, use the nc_gskcmd utility.
Procedure
- To request a server certificate, run the following command:
$NCHOME/bin/nc_gskcmd -certreq -create -db "filename" -pw password -label "keylabel" -dn "distinguishedname" -file "$NCHOME/etc/security/keys/certname.arm"
The following table explains
the variables in this instance of the command, and the possible values.
Table 1. Description of command-line arguments to request a
server certificate
Variable |
Explanation |
filename |
The name and path of the key database in which you want to store the
certificate. Specify this value as a quoted string; for example:
- "$NCHOME/etc/security/keys/omni.kdb"
- "%NCHOME%\ini\security\keys\omni.kdb"
|
password |
The password for accessing the key database |
keylabel |
A meaningful short description that can be used to identify the self-signed
certificate in the key database. Specify this value as a quoted string. To help identify the
certificate as self signed within the iKeyman GUI, you can append the words Certification
Authority or CA to the label text. |
keysize |
The length of the key, in bits. The values are 512,
1024, 2048, and 4096. If TLS v1.3 is enabled, the
value should be 2048 or 4096. The longer the key, the more secure
the encryption. Note that a longer key can result in slower
performance. |
distinguishedname |
The distinguished name of the certificate owner as a quoted string in the
following format:"CN=string1, O=string2,
OU=string3, L=string4, ST=string5,
C=string6" . In this string, the common name
(CN) setting is required but all the other settings are optional for self-signed
certificates. In this argument, the settings specify the following information:
- string1 specifies the common name of the certificate owner.
- This is the name of the server to which your clients are connecting, for example
NCOMS . The common name for the server must be the same as the server name in the
connections data file ($NCHOME/etc/omni.dat or
%NCHOME%\ini\sql.ini) on the client machines.
- The common name can also be the hostname of the server that the
ObjectServer is running on. For example,
omnihost.ibm.com or a wildcard domain name
like *.ibm.com . Both examples must match the server entry in the interfaces file,
although with the wildcard option only the domain must match.
- string2 specifies your company name.
- string3 specifies the organizational unit or department name within which the
certificate will be used.
- string4 specifies the locality or city of your organization.
- string5 specifies your state or province.
- string6 specifies the two-letter ISO code for your country.
|
certname |
The name of the certificate file (the .arm file) that you
want to request. The name of the file is the same as the name of the ObjectServer specified in the
omni.dat data connections file. Specify the path to the certificate file as a
quoted string. |
- For failover pairs, repeat step 1 for the backup ObjectServer.
Change the value of the -label option to the
name of the backup ObjectServer (as specified in the omni.dat data connections file), retain the common name values for the -dn command-line option, and change the value of the -file command-line option to the name of the certificate
file for the backup ObjectServer.
Example
The following example shows a certificate request for a primary ObjectServer called
PSERV
which is part of a failover pair with the common name
NCOMS
:$NCHOME/bin/nc_gskcmd -certreq -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -label "PSERV" -dn "CN=NCOMS, O=IBM, OU=Support, L=SouthBank, ST=London, C=GB" -file "$NCHOME/etc/security/keys/pservreq.arm"
The
following example shows a certificate request for the backup ObjectServer in the NCOMS failover
pair, which is called
BSERV
:$NCHOME/bin/nc_gskcmd -certreq -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -label "BSERV" -dn "CN=NCOMS, O=IBM, OU=Support, L=SouthBank, ST=London, C=GB" -file "$NCHOME/etc/security/keys/bservreq.arm"