
Importing the certificate

The Netcool®/Impact servers use SSL connections to communicate with Runbook Automation. Therefore, the server certificate for Runbook Automation must be imported into Netcool/Impact's truststore.

About this task

Note: This information only applies to a hybrid deployment of Netcool Operations Insight®. For more information, see Installing on a hybrid architecture.

Run the following steps on the Impact server, Impact secondary servers (if installed), and Impact GUI servers.

Procedure

  1. On Linux® systems, enter the following command to receive the correct certificate:
    echo -n | openssl s_client -showcerts -connect <RBA_ACCESS_HOST>:<RBA_ACCESS_PORT> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > file.cert
    The values for <RBA_ACCESS_HOST> (two occurrences) and <RBA_ACCESS_PORT> (one occurrence) are determined as follows:
    • <RBA_ACCESS_HOST> is the host name where the Netcool Operations Insight service is running. For example, when you log in to the Netcool Operations Insight user interface at https://netcool.apps.mycluster.mycompany.com/oauth2/login.jsp, then the host name is netcool.apps.mycluster.mycompany.com.
    • <RBA_ACCESS_PORT> is 443.

    If errors occur, make sure that the exported certificate stored in file.cert contains a full and valid certificate in PEM format. If the certificate is a chained certificate, then file.cert must contain a concatenated list of all certificates from the chain. Errors in the command output such as verify error:num=20:unable to get local issuer certificate occur because the CA root certificate for the DigiCert CA is missing.

    The certificate begins and ends as follows:
    -----BEGIN CERTIFICATE----- 
    ...
    -----END CERTIFICATE-----
    For chained certificates, the file contains multiple sections with the same format, one for each certificate in the chain:
    -----BEGIN CERTIFICATE----- 
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE----- 
    ...
    -----END CERTIFICATE-----
    On Windows systems, use your preferred browser to export the certificate.
  2. Use the following command to import the certificate:
    Warning:
    • The import_cert script not only imports the certificate but also restarts the Netcool/Impact server and the Netcool/Impact GUI server. If you are working on a production environment, run this script during planned maintenance only.
    • If you have Netcool/Impact running under process control, stop all Netcool/Impact processes in the process control and restart them manually using the stop and start scripts that are found in $IMPACT_HOME/bin. This is necessary because the import_cert.sh script starts and stops the Netcool/Impact processes. Once the import_cert.sh script completes, stop all Netcool/Impact processes and restart them using the process control.
    Note: If you need to change your RBA certificate, you must delete the old certificates before running the import script again. Use the following command for the Netcool/Impact server (for example, replace <instance> with NCI) and for the Netcool/Impact GUI server (for example, replace <instance> with ImpactUI) to delete the outdated RBA certificate from the respective keystores:
    $IMPACT_HOME/sdk/bin/keytool -delete -alias rba_certificate -keystore $IMPACT_HOME/wlp/usr/servers/<instance>/resources/security/trust.jks -storepass <KEY_STORE_PASSWORD>
    On Linux systems:
    $IMPACT_HOME/install/cfg_addons/rba/import_cert.sh <KEY_STORE_PASSWORD> <CERTIFICATE_FILE_FULL_PATH>

    On Windows systems:
    <IMPACT_INSTALL_LOCATION>/install/cfg_addons/rba/import_cert.bat <KEY_STORE_PASSWORD> <CERTIFICATE_FILE_FULL_PATH>
    where <KEY_STORE_PASSWORD> is your Netcool/Impact admin password.

    After the command has completed, ensure that both the Netcool/Impact server and the Netcool/Impact GUI server have been restarted.
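
The check that step 1 asks for on file.cert (a full, valid PEM certificate, or every certificate of the chain), as an added shell example that is not part of the product documentation. The function name check_pem_bundle is hypothetical, and the example assumes openssl, awk and mktemp are on the PATH; running it before import_cert.sh avoids a server restart for a file that cannot be imported.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# check_pem_bundle FILE
#   Splits FILE into its individual PEM certificates, prints subject,
#   issuer, expiry date and SHA-256 fingerprint for each one, and
#   returns 0 only if at least one certificate is present, every block
#   parses as X.509 and none has expired.
check_pem_bundle() {
    bundle=$1
    [ -s "$bundle" ] || { echo "empty or missing: $bundle" >&2; return 1; }
    tmpdir=$(mktemp -d) || return 1

    # One output file per BEGIN/END block, in the order found in the bundle.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out                           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    count=0
    rc=0
    for f in "$tmpdir"/cert*.pem; do
        [ -e "$f" ] || break            # glob matched nothing
        count=$((count + 1))
        echo "--- certificate $count"
        if ! openssl x509 -in "$f" -noout -subject -issuer -enddate \
                -fingerprint -sha256; then
            echo "certificate $count: truncated or not valid PEM" >&2
            rc=1
        elif ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "certificate $count: already expired" >&2
            rc=1
        fi
    done
    rm -rf "$tmpdir"

    [ "$count" -gt 0 ] || { echo "no certificate blocks in $bundle" >&2; return 1; }
    echo "certificates found: $count"
    return $rc
}
```

Call it as check_pem_bundle file.cert. The s_client command in step 1 saves whatever certificate the endpoint presents without verifying it, so compare the printed SHA-256 fingerprints with values obtained from the Runbook Automation side through a separate channel before importing.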