Requesting a server certificate from a CA using nc_gskcmd

If you run Tivoli Netcool/OMNIbus in FIPS 140-2 mode, or if your network has Java-based clients, use the nc_gskcmd utility.

Procedure

  1. To request a server certificate, run the following command:
    $NCHOME/bin/nc_gskcmd -certreq -create -db "filename" -pw password -label "keylabel" -dn "distinguishedname" -file "$NCHOME/etc/security/keys/certname.arm"

    The following table explains the variables in this instance of the command, and the possible values.

    Table 1. Description of command-line arguments to request a server certificate
    Variable Explanation
    filename The name and path of the key database in which you want to store the certificate. Specify this value as a quoted string; for example:
    • For UNIX operating systemFor Linux operating system"$NCHOME/etc/security/keys/omni.kdb"
    • For Windows operating system"%NCHOME%\ini\security\keys\omni.kdb"
    password The password for accessing the key database
    keylabel A meaningful short description that can be used to identify the self-signed certificate in the key database. Specify this value as a quoted string. To help identify the certificate as self signed within the iKeyman GUI, you can append the words Certification Authority or CA to the label text.
    keysize The length of the key, in bits. The values are 512, 1024, 2048, and 4096. If TLS v1.3 is enabled, the value should be 2048 or 4096. The longer the key, the more secure the encryption. Note that a longer key can result in slower performance.
    distinguishedname The distinguished name of the certificate owner as a quoted string in the following format:"CN=string1, O=string2, OU=string3, L=string4, ST=string5, C=string6". In this string, the common name (CN) setting is required but all the other settings are optional for self-signed certificates. In this argument, the settings specify the following information:
    • string1 specifies the common name of the certificate owner.
      • This is the name of the server to which your clients are connecting, for example NCOMS. The common name for the server must be the same as the server name in the connections data file ($NCHOME/etc/omni.dat or %NCHOME%\ini\sql.ini) on the client machines.
      • Function introduced in Fix Pack
12The common name can also be the hostname of the server that the ObjectServer is running on. For example, omnihost.ibm.com or a wildcard domain name like *.ibm.com. Both examples must match the server entry in the interfaces file, although with the wildcard option only the domain must match.
    • string2 specifies your company name.
    • string3 specifies the organizational unit or department name within which the certificate will be used.
    • string4 specifies the locality or city of your organization.
    • string5 specifies your state or province.
    • string6 specifies the two-letter ISO code for your country.
    certname The name of the certificate file (the .arm file) that you want to request. The name of the file is the same as the name of the ObjectServer specified in the omni.dat data connections file. Specify the path to the certificate file as a quoted string.
  2. For failover pairs, repeat step 1 for the backup ObjectServer.
    Change the value of the -label option to the name of the backup ObjectServer (as specified in the omni.dat data connections file), retain the common name values for the -dn command-line option, and change the value of the -file command-line option to the name of the certificate file for the backup ObjectServer.

Example

The following example shows a certificate request for a primary ObjectServer called PSERV which is part of a failover pair with the common name NCOMS:
$NCHOME/bin/nc_gskcmd -certreq -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -label "PSERV" -dn "CN=NCOMS, O=IBM, OU=Support, L=SouthBank, ST=London, C=GB" -file "$NCHOME/etc/security/keys/pservreq.arm"
The following example shows a certificate request for the backup ObjectServer in the NCOMS failover pair, which is called BSERV:
$NCHOME/bin/nc_gskcmd -certreq -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -label "BSERV" -dn "CN=NCOMS, O=IBM, OU=Support, L=SouthBank, ST=London, C=GB" -file "$NCHOME/etc/security/keys/bservreq.arm"