Encrypting communications for Java collectors

By default, Java collectors communicate with the Java Helper using Transport Layer Security (TLS) encryption. If you regenerated the certificates using CA-provided certificates, and the password or file names are now different from the defaults, then you must perform extra configuration tasks.

About this task

If you did not modify the default encrypted communications, you do not need to perform this task. To configure encryption for Java collectors, complete the following tasks.

Procedure

  1. Back up and edit the $NCHOME/precision/platform/java/grpc-tls.properties file to configure TLS settings for the Java Helper. Check and, if necessary, update the following settings:
    grpc.tls.enabled
    By default this is true. Set to false to disable TLS.
    Note: Ensure that this property matches the grpc.tls.enabled property in the $NCHOME/precision/collectors/javaCollectors/framework/collector-grpc-server-tls.properties file.
    grpc.tls.trustCertCollection
    The relative path from $NCHOME to the trust certificate, that is, the CA certificate that signed the server's certificate.
    grpc.tls.trustCertPassword
    The password for the trust certificate.
    grpc.tls.protocols
    A comma-separated list of allowed TLS protocol versions, for example, TLSv1.2,TLSv1.3.
  2. Back up and edit the $NCHOME/precision/collectors/javaCollectors/framework/collector-grpc-server-tls.properties file to configure TLS settings for the gRPC collector. Check and, if necessary, update the following settings:
    grpc.tls.enabled
    By default this is true. Set to false to disable TLS.
    Note: Ensure that this property matches the grpc.tls.enabled property in the $NCHOME/precision/platform/java/grpc-tls.properties file.
    grpc.tls.server.certChain
    The Server Certificate Chain. This path, relative to $NCHOME, must contain the server's certificate and any intermediate certificates.
    grpc.tls.server.privateKey
    The full path, relative to $NCHOME, to the .pem file that contains the private key for the server certificate.
    grpc.tls.server.privateKeyPassword
    The password for the private key, if any.
    grpc.tls.trustCertCollection
    The CA certificates that are used to verify client certificates. Required if using mutual TLS.
    grpc.tls.clientAuth.required
    A Boolean property that defines whether to use mutual TLS. Set this to false for server-side TLS only.
    grpc.tls.protocols
    A comma-separated list of allowed TLS protocol versions, for example, TLSv1.2,TLSv1.3.
    grpc.tls.cipherSuites
    A comma-separated list of allowed cipher suites. For example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
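
The following script is an added example, not part of the product or its documentation. It checks the two properties files for the conditions in the procedure: matching grpc.tls.enabled values, a trust certificate collection when mutual TLS is required, and protocol versions limited to TLSv1.2 and TLSv1.3. The function names, the plain key=value parsing, the protocol policy, and the sample files are assumptions made for illustration.

```shell
# Added example, not product code. Assumes plain key=value property lines.

# Print the value of key $2 in properties file $1 (empty if not set).
get_prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) found = val          # last assignment wins
        }
        END { print found }' "$1"
}

# Check helper file ($1) against collector file ($2); status = number of findings.
check_tls_config() {
    findings=0
    h_en=$(get_prop "$1" grpc.tls.enabled)
    c_en=$(get_prop "$2" grpc.tls.enabled)
    # Assumption: an unset property takes the documented default, true.
    if [ "${h_en:-true}" != "${c_en:-true}" ]; then
        echo "MISMATCH grpc.tls.enabled: helper=${h_en:-true} collector=${c_en:-true}"
        findings=$((findings + 1))
    fi
    # Mutual TLS needs CA certificates on the collector to verify clients.
    if [ "$(get_prop "$2" grpc.tls.clientAuth.required)" = "true" ] &&
       [ -z "$(get_prop "$2" grpc.tls.trustCertCollection)" ]; then
        echo "MISSING grpc.tls.trustCertCollection while clientAuth.required=true"
        findings=$((findings + 1))
    fi
    # Policy assumption: accept only TLSv1.2 and TLSv1.3.
    for f in "$1" "$2"; do
        for p in $(get_prop "$f" grpc.tls.protocols | tr ',' ' '); do
            case "$p" in
                TLSv1.2|TLSv1.3) ;;
                *) echo "WEAK protocol $p in $f"; findings=$((findings + 1)) ;;
            esac
        done
    done
    return "$findings"
}

# Constructed sample files (not real configuration) with three problems.
d=$(mktemp -d)
printf 'grpc.tls.enabled=true\ngrpc.tls.protocols=TLSv1.2,TLSv1.3\n' > "$d/helper"
printf 'grpc.tls.enabled=false\ngrpc.tls.clientAuth.required=true\ngrpc.tls.protocols=TLSv1.1,TLSv1.2\n' > "$d/collector"
check_tls_config "$d/helper" "$d/collector" || echo "findings: $?"
```

To check a real installation, pass the two files named in steps 1 and 2 to check_tls_config; a return status of 0 means no findings.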