Securing communication between the Operations Center and the hub server

To secure communications between the Operations Center and the hub server, you must add the Transport Layer Security (TLS) certificate of the hub server to the truststore file of the Operations Center.

Before you begin

The truststore file of the Operations Center is a container for certificates that the Operations Center can access. The truststore file contains the certificate that the Operations Center uses for HTTPS communication with web browsers.

During the installation of the Operations Center, you create a password for the truststore file. To secure communication between the Operations Center and the hub server, you must use the same password to add the certificate of the hub server to the truststore file. If you do not remember this password, you can reset it. See Resetting the password for the Operations Center truststore file.

For information about the certificates that are needed to connect to the server, see Configuring the server to accept SSL connections

Procedure

Stop the Operations Center web server.
Go to the command line of the operating system on which the Operations Center is installed.
Add the certificate to the truststore file of the Operations Center by using the iKeycmd utility or the iKeyman utility.

The iKeycmd utility is a command line interface, and the iKeyman utility is the IBM® Key Management graphical user interface.

The iKeycmd and the iKeyman utilities must be run as the root user.

The iKeycmd and the iKeyman utilities must be run by an administrator account.

To add the TLS certificate by using the command line interface, complete the following steps:
1. Go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
  - installation_dir/ui/jre/bin
  - installation_dir\ui\jre\bin
2. Issue the iKeycmd command to add the cert256.arm certificate as the default certificate in the key database file of the hub server:
```
ikeycmd -cert -add 
-db /installation_dir/ui/Liberty/usr/servers/guiServer/gui-truststore.jks 
-file /server_instance_dir/cert256.arm 
-label 'label description' 
-pw 'password' -type jks -format ascii -trust enable 
```
  where:
  
  installation_dir
  
  The directory in which the Operations Center is installed.
  
  server_instance_dir
  
  The IBM Spectrum Protect server instance directory.
  
  label description
  
  The description that you assign to the label.
  
  password
  
  The password that you created when you installed the Operations Center. To reset the password, uninstall the Operations Center, delete the .jks file, and reinstall the Operations Center.
To add the certificate by using the IBM Key Management window, complete the following steps:
1. Go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
  - installation_dir/ui/jre/bin
  - installation_dir\ui\jre\bin
2. Open the IBM Key Management window by issuing the following command:
```
 ikeyman
```
3. Click Key Database File > Open.
4. In the Open window, click Browse, and go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
  - installation_dir/ui/Liberty/usr/servers/guiServer
  - installation_dir\ui\Liberty\usr\servers\guiServer
5. In the guiServer directory, select the gui-truststore.jks file.
6. Click Open, and click OK.
7. Enter the password for the truststore file, and click OK.
8. In the Key database content area of the IBM Key Management window, click the arrow, and select Signer Certificates from the list.
9. Click Add.
10. In the Open window, click Browse, and go to the hub server instance directory. This directory contains the cert256.arm certificate.
  If you cannot access the hub server instance directory from the Open window, complete the following steps:
  1. Use FTP or another file-transfer method to copy the cert256.arm files from the hub server to the following directory on the computer where the Operations Center is installed:
    
    installation_dir/ui/Liberty/usr/servers/guiServer
    
    installation_dir\ui\Liberty\usr\servers\guiServer
  2. In the Open window, go to the guiServer directory.
11. Select the cert256.arm certificate as the certificate.
  
  Tip: The certificate that you choose must be set as the default certificate in the key database file of the hub server.
12. Click Open, and click OK.
13. Enter a label for the certificate.
  For example, enter the name of the hub server.
14. Click OK.
  The SSL certificate of the hub server is added to the truststore file, and the label is displayed in the Key database content area of the IBM Key Management window.
15. Close the IBM Key Management window.
Start the Operations Center web server.
When you connect to the Operations Center for the first time, you are prompted to identify the IP address or network name of the hub server, and the port number for communicating with the hub server. Enter the port number that is specified by either the TCPADMINPORT or SSLTCPADMINPORT server option.
If the Operations Center was previously configured, you can review the contents of the serverConnection.properties file to verify the connection information. The serverConnection.properties file is in the following directory on the computer where the Operations Center is installed:
- installation_dir/ui/Liberty/usr/servers/guiServer
- installation_dir\ui\Liberty\usr\servers\guiServer

What to do next

To set up TLS communication between the hub server and a spoke server, see Securing communication between the hub server and a spoke server.