Setting up SSL for distributed installations

If you are using SSL ports and unencrypted ports on your host computer, create an interfaces file for your remote client computers that uses SSL ports. Distribute this interfaces file to remote client computers, instead of using the interfaces file that is generated on the server host computer.

About this task

In a failover pair, clients identify both ObjectServers by using the same server name. This name must be the common name of the server when using the SSL port to connect.

For more information about the example script (which is shipped with the installation) that demonstrates how the ObjectServer's certificate can be created and shared with clients, see Example keystores.

Procedure

  • Define a certificate with any common name, for example, NCOMS. Make a note of this value because you will need it later.
  • Configure the ObjectServer to use the new certificate.

    In a failover pair, clients identify both ObjectServers by using the same server common name. This name must be the common name of the server when using the SSL port to connect.

  • Configure gateways:

    For the unidirectional gateway, use the Gate.Reader.CommonNames and Gate.Writer.CommonNames properties to specify acceptable common names for the primary and backup ObjectServers.

    For the bidirectional gateway, use the Gate.ObjectServerA.CommonNames and Gate.ObjectServerB.CommonNames properties.

    The following example shows a sample configuration of the common name for a unidirectional gateway:

    Gate.Reader.Server:			'PSERV'
    Gate.Reader.CommonNames:		'NCOMS'
    Gate.Writer.Server:			'BSERV'
    Gate.Writer.CommonNames:		'NCOMS'

    In this example, it is not possible to connect by specifying PSERV or BSERV. To make the connection, specify the virtual name NCOMS.
  • Configure probes: If a probe is connecting to an ObjectServer using SSL, and the CommonName field of the received certificate does not match the name specified by the server property, use the SSLServerCommonName property to specify a comma-separated list of acceptable SSL common names (the default is to use the server property).
    SSLServerCommonName:			'NCOMS'
  • Configure clients (functionality delivered in fix pack 24): If an event list client is connecting to an ObjectServer using SSL, and the CommonName field of the received certificate does not match the name specified by the server property, complete the following steps depending on your operating system:
    • UNIX: Before running the event list, specify the NCO_SSL_COMMONNAME environment variable as a comma-separated list of acceptable SSL common names (the default is to use the server property).
    • Windows: Before running the event list, create a new string value, named NCO_SSL_COMMONNAME, under the HKEY_CURRENT_USER\Software\Micromuse\OMNIbus\CurrentVersion\Desktop Settings\NCOEvent registry key. Set the value to a comma-separated list of acceptable common names.
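
The following check is an added example, not part of the product or its documentation: it reads a gateway or probe properties file and reports, for each connection, whether a certificate with a given common name would be accepted under the properties described in the procedure. It assumes the Name: 'value' syntax shown in the sample, an exact case-sensitive comparison, that the probe's server property is named Server, and that gateways fall back to the server name when no CommonNames list is set, as the page states for probes.

```python
import re

# Property pairs named on the page: (server name property, accepted-CN list property).
# Assumption: the probe's "server property" is named "Server".
PAIRS = [
    ("Gate.Reader.Server", "Gate.Reader.CommonNames"),
    ("Gate.Writer.Server", "Gate.Writer.CommonNames"),
    ("Server", "SSLServerCommonName"),
]

PROP_LINE = re.compile(r"^\s*([\w.]+)\s*:\s*'([^']*)'")

def parse_props(text):
    """Parse  Name: 'value'  lines; '#' comment lines and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def accepted_names(props, server_prop, cn_prop):
    """Return the comma-separated CN list, or the server name if none is set."""
    raw = props.get(cn_prop, "")
    names = [n.strip() for n in raw.split(",") if n.strip()]
    # Assumption: fallback to the server name applies to gateways as well as probes.
    return names or [props[server_prop]]

def check(props_text, cert_cn):
    """Map each configured connection to True if cert_cn would be accepted."""
    props = parse_props(props_text)
    return {
        server_prop: cert_cn in accepted_names(props, server_prop, cn_prop)
        for server_prop, cn_prop in PAIRS
        if server_prop in props
    }

# Constructed sample: the page's gateway example with the Writer's CN list left out.
SAMPLE = """
Gate.Reader.Server:			'PSERV'
Gate.Reader.CommonNames:		'NCOMS'
Gate.Writer.Server:			'BSERV'
"""

if __name__ == "__main__":
    for conn, ok in check(SAMPLE, "NCOMS").items():
        print(f"{conn}: {'ok' if ok else 'certificate CN would be rejected'}")
```

With the constructed sample, the Writer connection is flagged because its missing CommonNames list leaves only BSERV as an accepted name, while the shared certificate carries NCOMS.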