IBM Tivoli Monitoring for Virtual Environments, Version 7.2 Fix Pack 3

Enabling SSL communication with Cisco UCS data sources

You can configure the Cisco UCS agent to securely communicate with its Cisco UCS data sources by using SSL. To enable SSL communication, you must add a data source SSL certificate to the certificate truststore of the agent.

About this task

Important: The following information applies only if the agent is configured to validate SSL certificates.

If SSL certificate validation is turned off, the Cisco UCS agent connects to Cisco UCS data sources even if their SSL certificates are expired, untrusted, or invalid. The agent then cannot verify the identity of the data source that it connects to, so turning off SSL certificate validation is potentially not secure and must be done with care.

If a Cisco UCS data source uses an SSL certificate that is signed by a common Certificate Authority (for example, Verisign, Entrust, or Thawte), then it is not necessary to add certificates to the Cisco UCS agent certificate truststore. However, if the data source uses a certificate that is not signed by a common Certificate Authority, as is the case by default, the certificate must be added to the truststore to allow the agent to successfully connect and collect data.

Procedure

  1. Copy the certificate file from your data source to the agent computer.
  2. On the agent computer, place the certificate file in a directory of your choice. Do not overwrite existing certificate files. Use a unique file name and label for each certificate that you add.
  3. Use the keytool command to add the data source certificate to the certificate truststore of the agent:
    keytool -import -noprompt -trustcacerts -alias CertificateAlias -file CertificateFile -keystore Truststore -storepass TruststorePassword
    Where:
    CertificateAlias
    A unique reference for each certificate added to the certificate truststore of the agent. For example, an appropriate alias for the certificate from datasource.example.com is datasource.

    CertificateFile
    The complete path and file name to the Cisco UCS data source certificate to add to the truststore.
    Truststore
    Complete path and file name to the Cisco UCS agent certificate database. Use the following path and file name:
    • Windows (32-bit): install_dir\tmaitm6\kv6.truststore
    • Windows (64-bit): install_dir\tmaitm6_x64\kv6.truststore
    • Linux (32-bit): install_dir/li6263/v6/etc/kv6.truststore
    • Linux (64-bit): install_dir/lx8266/vm/etc/kv6.truststore
    TruststorePassword
    ITMFORVE is the default password for the Cisco UCS agent truststore. To change this password, consult the Java™ Runtime documentation for information about the tools to use.

    Important: To use the keytool command, the Java Runtime bin directory must be in your path. Use the following commands:
    • Windows (32-bit): set PATH=%PATH%;install_dir\CNPSJ\java\bin
    • Windows (64-bit): set PATH=%PATH%;install_dir\CNPSJ\java\bin
    • Linux (32-bit): PATH="$PATH":install_dir/JRE/li6263/bin
    • Linux (64-bit): PATH="$PATH":install_dir/JRE/lx8266/bin
  4. After you add all the data source certificates, start the monitoring agent.
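
The -noprompt option makes keytool add the certificate without displaying it for confirmation, so the fingerprint should be compared with a value obtained from the data source administrator before step 3 runs. The following Linux shell functions are an added example, not part of the IBM documentation: they check the fingerprint, run the import from step 3, and list the new truststore entry. The function names and the expected-fingerprint argument are hypothetical, and the script assumes that keytool -printcert prints a SHA256 line.

```shell
#!/bin/sh
# Added example, not IBM's code. Paths, alias, password and fingerprint
# passed to these functions are placeholders supplied by the operator.

# Strip colons and whitespace and uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only when both fingerprints are non-empty and identical.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint keytool reports for a certificate file.
# Assumption: this keytool prints a "SHA256:" line for -printcert.
cert_sha256() {
    keytool -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Usage: import_pinned_cert CertificateFile CertificateAlias Truststore \
#            TruststorePassword ExpectedSha256
import_pinned_cert() {
    cert=$1; name=$2; store=$3; pass=$4; expected=$5
    actual=$(cert_sha256 "$cert")
    # Fail closed: an unreadable file or missing fingerprint counts as a mismatch.
    if ! fp_matches "$actual" "$expected"; then
        echo "Fingerprint mismatch for $cert; certificate not imported" >&2
        return 1
    fi
    keytool -import -noprompt -trustcacerts -alias "$name" -file "$cert" \
        -keystore "$store" -storepass "$pass" || return 1
    # Confirm that the entry is now present in the truststore.
    keytool -list -alias "$name" -keystore "$store" -storepass "$pass"
}
```

Source the file and call import_pinned_cert once for each data source certificate, using a different alias each time.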

