As an Administrator, if you are familiar with SSL communication in Tivoli Netcool/OMNIbus, you can configure
SSL in a multitier environment.
Before you begin
All components are already installed and configured per the product documentation.
About this task
Complete the following steps to configure SSL connections between components in a multitier
environment. Where applicable, the steps include sample entries for the files and the
nc_gskcmd
utility. You can also use the iKeyman
graphical utility.
For a diagram that describes the Tivoli Netcool/OMNIbus component
architecture, see Introduction to Tivoli Netcool/OMNIbus.
For more information about a multitier environment, see the following documentation.
Tivoli Netcool/OMNIbus supports
FIPS 140-2 and NIST SP800-131 security standards that specify the security algorithms, key sizes,
and password lengths that are permitted. For more information about these security standards, see
Configuring FIPS 140–2 support for the server components and Configuring the server components for SP800-131 enhanced encryption.If you want to set up strong encryption or FIPS 0-142
mode, you must complete the configuration steps in FIPS 140–2 configuration checklist.
Procedure
-
Modify the interfaces file and configure SSL ports. Create entries for SSL in the Server
editor, or manually define these entries in the
omni.dat
connections file. Create
and distribute the interfaces file. To prevent plain text connections, configure an SSL port and do
not use both SSL and plain text ports. Use the following interfaces file as guidance.
[AGG_P]
{
Primary: omnihost1.ibm.com ssl 4101
}
[AGG_B]
{
Primary: omnihost2.ibm.com ssl 4101
}
[AGG_V]
{
Primary: omnihost1.ibm.com ssl 4101
Backup: omnihost2.ibm.com ssl 4101
}
[AGG_GATE]
{
Primary: omnihost2.ibm.com 4301
}
-
Create a key database for storing digital certificates on each computer where a server
component is installed (a server component can be an ObjectServer, a process agent, or a proxy
agent), and on each computer from which clients connect to the server by using an SSL port. Use a
dedicated key database file
omni.kdb
for each Tivoli Netcool/OMNIbus installation on a
server or a client computer. Reference the following example to create a key database with the
nc_gskcmd
utility.
Create a key database file
($NCHOME/etc/security/keys/omni.kdb on both
the
AGG_P
and
AGG_B
host
servers.
$NCHOME/bin/nc_gskcmd -keydb -create
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -stash -expire 366
Note: Because the command stores the password in the stash file, the -pw password
argument can be interchanged with the -stashed
option in all the following
commands.
-
Create a root CA certificate. If you want to set up a private truest network in which you are
acting as the issuing CA for your server certificates, then create a root CA self-signed
certificate. Reference the following example to create a root CA self-signed certificate with the
nc_gskcmd
utility.
$NCHOME/bin/nc_gskcmd -cert -create
-db "$NCHOME/etc/security/keys/omni.kdb" -pw
password -label "NCOMS_CA" -ca true -dn
"CN=NCOMS_CA,O=IBM,OU=Support,L=SouthBank,ST=London,C=GB"
-expire 366 -x509version 3
-
Distribute a root CA certificate. To use a root CA self-signed certificate as a signer
certificate, distribute the certificate to all clients. Extract the certificate from the server key
database and then add the extracted certificate to the key database on each client computer.
Reference the following sample substeps.
- Extract a certificate.
$NCHOME/bin/nc_gskcmd -cert -extract
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -label "NCOMS_CA" -target
"$NCHOME/etc/security/keys/ncoms-ca-cert.arm"
- Transfer the CA certificate to all clients and add the certificate to the key
database.
$NCHOME/bin/nc_gskcmd -cert -add
-db "$NCHOME/etc/security/keys/omni.kdb" -pw
password -label "NCOMS_CA" -file "ncoms-ca-cert.arm"
-
Create a certificate request. From each server computer, create a request for a digital
certificate for the server and send the certificate request to a trusted CA for authorization. The
CA authorizes the certificate request and uses its self-signed root certificate to generate a server
certificate and the CA then returns the signed server certificate. Create a certificate signing
request for both
AGG_P
and AGG_B
ObjectServers, see the following
sample substeps. Create the signing request on the same host as the ObjectServer for which the
certificate is intended, which is omnihost1.ibm.com
for AGG_P
and
omnihost2.ibm.com
for AGG_B
.
- Create a certificate request for
AGG_P
ObjectServer.$NCHOME/bin/nc_gskcmd -certreq -create
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -label "AGG_P" -dn
"CN=AGG_V,O=IBM,OU=Support,L=SouthBank,ST=London,C=GB" -file
"$NCHOME/etc/security/keys/aggp-certreq.arm"
- Create a certificate request for
AGG_B
ObjectServer. This step must be run on
the AGG_B
host machine.$NCHOME/bin/nc_gskcmd -certreq -create
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -label "AGG_B" -dn
"CN=AGG_V,O=IBM,OU=Support,L=SouthBank,ST=London,C=GB" -file
"$NCHOME/etc/security/keys/aggb-certreq.arm"
It is also possible to use the CN values that equal the hostname or the domain name of the
host computer, see
Sharing certificates.
-
Sign certificate requests by using CA. If you set up a private trust network, reference the
following sample substeps to sign each request with the root CA certificate.
- Sign a certificate request for
AGG_P
ObjectServer.$NCHOME/bin/nc_gskcmd -cert -sign
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -label NCOMS_CA
-target "$NCHOME/etc/security/keys/aggp-cert.arm"
-expire 366
-file "$NCHOME/etc/security/keys/aggp-certreq.arm"
- Sign a certificate request for
AGG_B
ObjectServer. Ensure that
"$NCHOME/etc/security/keys/aggb-certreq.arm"
is copied to the server that created
the root certificate in step 3. Run the command on the same
server that created the root certificate. When the command runs successfully, copy the target file
"$NCHOME/etc/security/keys/aggb-cert.arm"
to the originating
server.$NCHOME/bin/nc_gskcmd -cert -sign
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -label NCOMS_CA
-target "$NCHOME/etc/security/keys/aggb-cert.arm"
-expire 366
-file "$NCHOME/etc/security/keys/aggb-certreq.arm"
-
Add certificates to key database. Upon receipt of the server certificate from the issuing CA,
receive the certificate into the key database for the server. The server certificate authenticates
the server side of Tivoli Netcool/OMNIbus communications when a
client requests a secure connection. Reference the following sample substeps.
- Receive a certificate for
AGG_P
ObjectServer.$NCHOME/bin/nc_gskcmd -cert -receive
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -file "$NCHOME/etc/security/keys/aggp-cert.arm"
- Receive a certificate for
AGG_B
ObjectServer.$NCHOME/bin/nc_gskcmd -cert -receive
-db $NCHOME/etc/security/keys/omni.kdb" -pw
password -file "$NCHOME/etc/security/keys/aggb-cert.arm"
-
Configure a failover gateway
AGG_GATE
. ObjectServer clients use the server
certificate subject Common Name (CN) value to authenticate the server. The aggregation layer
consists of a virtual pair of ObjectServers AGG_P
and AGG_B
, with
a virtual name of AGG_V
. When the gateway connects to each ObjectServer, the CN
value in the certificate that is presented by the server equals AGG_V
, which is
different from the ObjectServer name. To authenticate the connection, you must add the
AGG_V
virtual name to the permitted common names property for each ObjectServer in
the AGG_GATE
gateway properties file. Reference the following sample command to set
the Common Names property.
Gate.ObjectServerA.CommonNames: 'AGG_V'
Gate.ObjectServerB.CommonNames: 'AGG_V'
It is also possible to use the CN values that
equal the hostname or the domain name of the host computer, see
Sharing certificates.
-
Configure extra ObjectServer layers. Complete the following steps to configure an extra
ObjectServer collection layer or a display layer. This procedure is almost identical to the
procedure for an ObjectServer aggregation layer.
-
Modify the interfaces file and configure SSL ports. In the interfaces file, modify the host
details for the extra ObjectServer and add an SSL port. Reference the following example definition,
which is part of the collection layer definition.
[COL_P_1]
{
Primary: omnihost3.ibm.com ssl 4101
}
[C_TO_A_GATE_P_1]
{
Primary: omnihost3.ibm.com 4301
}
-
Follow the guidance in Create key
database.
-
Follow the guidance in Distribute root CA
certificate.
-
Create a certificate request. Complete this step on the ObjectServer host machine. Run the
following sample command, replace
[NAME]
with the name of the ObjectServer being
configured.
$NCHOME/bin/nc_gskcmd -certreq -create
-db "$NCHOME/etc/security/keys/omni.kdb"
-pw password -label "[NAME]" -dn
"CN=[NAME],O=IBM,OU=Support,L=SouthBank,ST=London,C=GB" -file
"$NCHOME/etc/security/keys/[name]-certreq.arm"
-
Follow the guidance in Sign certificate requests
by using CA.
-
Follow the guidance in Add certificates to key
database.
Inter-tier routing gateways such as
C_TO_A_GATE_P_1
or
A_TO_D_GATE_1
do not require any specific configuration to enable SSL encryption
between OjectServers.
It is also possible to use the CN values that equal the hostname or the
domain name of the host computer, see Sharing certificates.
-
Configure an SSL connection between Dashboard Application
Services Hub and the user repository
that you defined in the realm. This repository can be an LDAP directory or an ObjectServer. The
configuration differs and depends on the user repository.
-
Configure SSL for the event feed to the Web GUI. Create a secure
connection between the Web GUI and the
ObjectServer so that the feed of event data in to the Web GUI is SSL protected.
-
Replace the default certificate for Web GUI clients, which
comes from Dashboard Application
Services Hub to
authenticate SSL connections to Web GUI clients. Replace
this default certificate with one of your own certificates that was created by a CA or a self-signed
certificate.
-
Configure an ObjectServer SSL connection for IBM Tivoli Netcool/Impact. Complete the following
substeps, which refer you to IBM Tivoli Netcool/Impact topics in the IBM Tivoli Netcool/Impact IBM Documentation, see
https://www.ibm.com/support/knowledgecenter/SSSHYH.
-
If you use the ObjectServer as a user repository, complete steps in the IBM Tivoli Netcool/Impact topic Configuring SSL
for ObjectServer user authentication.
-
Configure secure communications for the event feed between an ObjectServer and IBM Tivoli Netcool/Impact. Complete steps in the
IBM Tivoli Netcool/Impact topic
Enabling SSL communication with the ObjectServer.
What to do next
The nc_gskcmd
command-line utility provides many command options, see the
following sample commands. For more information about all commands, see nc_gskcmd command-line options.
Note: When using a bidirectional gateway, troubleshooting with nco_ping
to
verify that an ObjectServer is accessible does not work as expected. Do not use
nco_ping
with the individual hosts, for example, nco_ping AGG_P
or
nco_ping AGG_B
. Instead, use nco_ping
with the nco_ping
AGG_V
gateway.