The Netcool®/Impact servers use SSL connections to communicate with Runbook Automation. Therefore, the server certificate for Runbook Automation must be imported into Netcool/Impact's truststore.
About this task
Run the following steps on the Impact server, Impact secondary servers (if installed), and Impact GUI servers.
Procedure
- On Linux® systems, enter the following command to receive the correct certificate:
echo -n | openssl s_client -showcerts -connect <RBA_ACCESS_HOST>:<RBA_ACCESS_PORT> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > file.cert
The values for <RBA_ACCESS_HOST> (two occurrences) and <RBA_ACCESS_PORT> (one occurrence) are determined as follows:
- <RBA_ACCESS_HOST> is the host name where the Netcool Operations Insight service is running. For example, when you log in to the Netcool Operations Insight user interface at https://netcool.apps.mycluster.mycompany.com/oauth2/login.jsp, then the host name is netcool.apps.mycluster.mycompany.com.
- <RBA_ACCESS_PORT> is 443.
If errors occur, make sure your exported certificate that is stored in file.cert contains a full and valid certificate in PEM format. If the certificate is a chained certificate, then file.cert must contain a concatenated list of all certificates from the chain.
Errors in the command output like verify error:num=20:unable to get local issuer certificate occur due to a missing CA root certificate for the DigiCert CA.
The certificate begins and ends as follows:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
For chained certificates, the file contains multiple sections with the same format, one for each certificate in the chain:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
On Windows systems, use your preferred browser to export the certificate.
- Use the following command to import the certificate:
Warning:
- The import_cert script not only imports the certificate but also restarts the Netcool/Impact server and the Netcool/Impact GUI server. If you are working in a production environment, run this script during planned maintenance only.
- If you have Netcool/Impact running under process control, stop all Netcool/Impact processes in the process control and restart them manually using the stop and start scripts that are found in $IMPACT_HOME/bin. This is necessary because the import_cert.sh script starts and stops the Netcool/Impact processes. Once the import_cert.sh script completes, stop all Netcool/Impact processes and restart them using the process control.
Note: If you need to change your RBA certificate, you must delete the old certificates before running the import script again. Use the following command for the Netcool/Impact server (for example, replace <instance> with NCI) and for the Netcool/Impact GUI server (for example, replace <instance> with ImpactUI) to delete the outdated RBA certificate from the respective keystores:
$IMPACT_HOME/sdk/bin/keytool -delete -alias rba_certificate -keystore $IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.jks -storepass <KEY_STORE_PASSWORD>
On Linux systems:
$IMPACT_HOME/install/cfg_addons/rba/import_cert.sh <KEY_STORE_PASSWORD> <CERTIFICATE_FILE_FULL_PATH>
On Windows systems:
<IMPACT_INSTALL_LOCATION>/install/cfg_addons/rba/import_cert.bat <KEY_STORE_PASSWORD> <CERTIFICATE_FILE_FULL_PATH>
where <KEY_STORE_PASSWORD> is your Netcool/Impact admin password.
After the command has completed, ensure that both the Netcool/Impact server and the Netcool/Impact GUI server have been restarted.
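The following script is an added example, not part of the IBM procedure or of Netcool/Impact. It checks file.cert before it is passed to import_cert.sh: it counts the complete PEM blocks, rejects a truncated or malformed file, and prints each certificate's subject, issuer, expiry date and SHA-256 fingerprint. The function names and the script name check_cert.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-import checks for the PEM file written in step 1.
# Function names are illustrative; they are not part of Netcool/Impact.

# Print the number of complete certificate blocks in file $1.
# Exit non-zero when there is no block, a BEGIN without its END (truncated
# download), an END without a BEGIN, or a block whose body is not base64.
pem_cert_count() {
    awk '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { if (inblk) bad = 1; inblk = 1; body = 0; next }
        /^-----END CERTIFICATE-----[ \t\r]*$/ { if (inblk && body) n++; else bad = 1; inblk = 0; next }
        inblk { if ($0 ~ "^[A-Za-z0-9+/=]+[ \t\r]*$") body++; else bad = 1 }
        END { if (inblk || bad || n == 0) exit 1; print n }
    ' "$1"
}

# Print subject, issuer, expiry date and SHA-256 fingerprint of every
# certificate in file $1 (requires openssl). openssl x509 reads only the first
# block of a file, so the chain is split into one temporary file per block.
pem_describe() {
    tmpdir=$(mktemp -d) || return 1
    awk -v dir="$tmpdir" '
        /^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", dir, ++i) }
        f != "" { print > f }
        /^-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    rc=0
    for c in "$tmpdir"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer -enddate -fingerprint -sha256 || rc=1
    done
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: sh check_cert.sh file.cert
if [ "$#" -ge 1 ]; then
    n=$(pem_cert_count "$1") || { echo "$1: incomplete or malformed PEM" >&2; exit 1; }
    echo "$1: $n certificate block(s)"
    pem_describe "$1"
fi
```

Because the certificate in step 1 is taken from whatever host answered the connection, compare the printed SHA-256 fingerprint with one obtained from the Runbook Automation administrator before importing the file into the truststore.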