8.8 Configuring an SSL connection to the directory service
By default, when directory service communications are enabled, NNMi talks to the directory service over plain LDAP, so bind credentials and query results cross the network unencrypted. If your directory service requires an encrypted connection (or you want one), enable SSL so that the data flowing between NNMi and the directory service is protected. To enable SSL, set the java.naming.security.protocol=ssl parameter in the ldap.properties file. The directory server must also be listening for LDAP over SSL (conventionally port 636), so check that the server URL in ldap.properties names that port rather than the plaintext LDAP port.
SSL requires a trust relationship between the directory service host and the NNMi management server: NNMi must be able to verify the certificate the directory server presents during the SSL handshake. To create this trust relationship, add the directory server's certificate, or the certificate of the CA that issued it, to the NNMi truststore. The certificate confirms the identity of the directory service host to the NNMi management server; without a matching truststore entry the handshake fails and NNMi cannot reach the directory service.
To install a truststore certificate for SSL communications, follow these steps:

1. Obtain the directory server's certificate.
   The directory service administrator can give you a copy of this text file. It is either the directory server's own certificate or the certificate of the CA that issued it, in the Base64 (PEM) or DER form that keytool accepts. Ask the administrator for the certificate's fingerprint at the same time; you will compare it in step 3 before trusting the certificate.

2. Change to the directory that contains the NNMi truststore:
   Windows: %NNM_DATA%\shared\nnm\certificates
   UNIX: $NNM_DATA/shared/nnm/certificates
   Execute all commands in this procedure from the certificates directory.

3. Import the directory server's certificate into the NNMi truststore.
   a. Execute the following command:
      Windows:
      %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool -import \
      -alias nnmi_ldap -keystore nnm.truststore \
      -file directory-server-certificate.txt
      UNIX:
      $NnmInstallDir/nonOV/jdk/nnm/bin/keytool -import \
      -alias nnmi_ldap -keystore nnm.truststore \
      -file directory-server-certificate.txt
      directory-server-certificate.txt is the certificate file you obtained in step 1.
      Legend: A backslash (\) at the end of a line specifies that the line continues.
   b. When prompted for the truststore password, enter ovpass (the default NNMi truststore password).
   c. keytool prints the certificate's owner, issuer, validity period and fingerprints, then asks whether to trust it. Compare the printed fingerprint with the value the directory administrator gave you, and enter y only if they match. Answering y to a certificate you have not verified makes the truststore vouch for whoever produced that file, which defeats the purpose of this procedure. Prefer the SHA1 fingerprint (or the SHA256 fingerprint that newer keytool versions also print) over MD5 for this comparison.

   Example output for importing a certificate into the truststore (the values shown are illustrative):
   Owner: CN=NNMi_server.example.com
   Issuer: CN=NNMi_server.example.com
   Serial number: 494440748e5
   Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
   Certificate fingerprints:
   MD5: 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
   SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
   Trust this certificate? [no]: y
   Certificate was added to keystore
   When Owner and Issuer are identical, as in this example, the certificate is self-signed. For a directory server certificate, expect Owner to name the directory server host (or, for a CA certificate, the issuing authority); if it names something else, stop and check with the administrator before trusting it.

4. Check the contents of the truststore:
   Windows:
   %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool -list \
   -keystore nnm.truststore
   UNIX:
   $NnmInstallDir/nonOV/jdk/nnm/bin/keytool -list \
   -keystore nnm.truststore
   Legend: A backslash (\) at the end of a line specifies that the line continues.
   When prompted for the truststore password, enter ovpass.

   Example truststore output:
   Keystore type: jks
   Keystore provider: SUN
   Your keystore contains 1 entry
   nnmi_ldap, Nov 14, 2008, trustedCertEntry,
   Certificate fingerprint (MD5):
   29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
   The truststore can include multiple certificates. Confirm that the nnmi_ldap entry is present and that its fingerprint is the one you verified in step 3.

5. Execute the following commands to restart NNMi so that it loads the updated truststore:
   ovstop
   ovstart
For details about the keytool command, search for Key and Certificate Management Tool at http://www.oracle.com/technetwork/java/index.html.
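The two judgement calls in this procedure, whether ldap.properties actually turns SSL on and whether the file you were handed is the certificate the directory administrator meant, can be settled before you answer y to keytool. The following script is an added example written for this page; it is not NNMi code and does not call keytool. It assumes that java.naming.provider.url is the key ldap.properties uses for the directory server address (the standard JNDI name; only java.naming.security.protocol is named on this page), and the properties text and certificate bytes it works on are constructed samples, not real files.

```python
"""Pre-flight checks before enabling LDAP over SSL in NNMi (added example, not NNMi code).

1. Confirms ldap.properties really enables SSL and points at an SSL port.
2. Fingerprints the certificate file so it can be compared with the value the
   directory administrator quotes, before answering "y" to keytool's prompt.
keytool is not invoked; nothing here needs NNMi or a network.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# --- constructed sample inputs; none of this is copied from a real system ---
# java.naming.security.protocol is the key named on the page. java.naming.provider.url
# is the standard JNDI key and is ASSUMED to be the one ldap.properties uses.
WEAK_PROPERTIES = """\
# plain LDAP: bind credentials and directory data cross the wire in clear text
java.naming.provider.url=ldap://directory.example.com:389/
"""
MISMATCHED_PROPERTIES = """\
# SSL requested, but the URL still names the plaintext port
java.naming.provider.url=ldap://directory.example.com:389/
java.naming.security.protocol=ssl
"""
SSL_PROPERTIES = """\
java.naming.provider.url=ldaps://directory.example.com:636/
java.naming.security.protocol=ssl
"""
# Stand-in for directory-server-certificate.txt. The bytes are constructed and are
# NOT a real X.509 certificate; a real file has the same BEGIN/END framing around
# Base64-encoded DER, which is all the parsing below relies on.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def parse_properties(text):
    """Minimal Java .properties reader (key=value, key:value or key value).
    Comment lines (# or !) are skipped; escapes and continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ssl_settings(props):
    """Return a list of problems; empty means SSL is configured consistently."""
    problems = []
    proto = props.get("java.naming.security.protocol", "").lower()
    if proto != "ssl":
        problems.append("java.naming.security.protocol=ssl is missing: NNMi will use plaintext LDAP")
    url = props.get("java.naming.provider.url")
    if not url:
        problems.append("java.naming.provider.url is not set")
    elif proto == "ssl":
        parts = urlsplit(url)
        if parts.scheme.lower() == "ldap" and parts.port in (None, 389):
            problems.append("SSL is enabled but the provider URL targets plaintext port 389; "
                            "use the server's SSL port (conventionally ldaps://host:636/)")
    return problems


def pem_to_der(pem_text):
    """Extract the first certificate block and Base64-decode it to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest, the layout keytool prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der, expected, algo="sha256"):
    """Compare ignoring case, colons and spaces, so a value read out over the phone
    or pasted from e-mail still compares correctly."""
    def canon(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return canon(fingerprint(der, algo)) == canon(expected)


def preflight(properties_text, pem_text, expected_fp, algo="sha256"):
    """Everything to settle before typing 'y' at keytool's 'Trust this certificate?'."""
    problems = check_ssl_settings(parse_properties(properties_text))
    if not fingerprint_matches(pem_to_der(pem_text), expected_fp, algo):
        problems.append("certificate fingerprint does not match the administrator's value: do not import it")
    return problems


if __name__ == "__main__":
    quoted = fingerprint(SAMPLE_DER)  # what the administrator would quote to you
    for name, props in (("weak", WEAK_PROPERTIES), ("mismatched", MISMATCHED_PROPERTIES),
                        ("ssl", SSL_PROPERTIES)):
        print(name, preflight(props, SAMPLE_PEM, quoted) or "OK")
    print("tampered:", preflight(SSL_PROPERTIES, SAMPLE_PEM, "00:" * 31 + "00"))
```

To use it on a real system, read the contents of ldap.properties and directory-server-certificate.txt, pass the fingerprint the administrator quoted (upper or lower case, with or without colons), and run the keytool import only when preflight() returns no problems. With algo set to "sha1" (or "md5") the fingerprint() output has the same layout as the lines keytool prints at the Trust this certificate? prompt, so the two can be compared by eye as well.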