Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore

Before version 11-50, NNMi provided a Java KeyStore (JKS) repository to store certificates. NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available as soon as you install a new instance of NNMi 11-50 or a later version on a system.

However, when you upgrade an older version of NNMi to 11-50 or a later version, PKCS #12 file-based certificate management does not immediately take effect, and NNMi continues to use the JKS repository for certificate management.

With additional configuration tasks, you can configure the upgraded NNMi management server to use the new technique of PKCS #12 file-based certificate management.

To configure the upgraded NNMi management server to use PKCS #12 file-based certificate management:

  1. Log on to the NNMi management server as root or administrator.

  2. Run the following command to migrate to the new keystore file:

    Windows:

    %NnmInstallDir%bin\nnmkeytool.ovpl -importkeystore -srckeystore %NnmDataDir%shared\nnm\certificates\nnm.keystore -destkeystore %NnmDataDir%shared\nnm\certificates\nnm-key.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE -alias <src_alias>

    Linux:

    /opt/OV/bin/nnmkeytool.ovpl -importkeystore -srckeystore /var/opt/OV/shared/nnm/certificates/nnm.keystore -destkeystore /var/opt/OV/shared/nnm/certificates/nnm-key.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE -alias <src_alias>

    Caution

    After running the command, you will be asked to input a password three times, as follows:

    "Enter the password of the output destination keystore", "Re-enter the new password", "Enter the password of the source keystore". Enter nnmkeypass in response to all of these requests.

    The new certificate management technique enables you to retain only a single certificate in the keystore at a time. In this instance, <src_alias> is the alias of the certificate in the old keystore file that you want to migrate.

    As the alias of the certificate in the previous keystore file, specify the value set for com.hp.ov.nms.ssl.KEY_ALIAS in the following file:

    • Windows: %NNM_CONF%\nnm\props\nms-local.properties

    • Linux: $NNM_CONF/nnm/props/nms-local.properties

    Note

    In application failover environments, <src_alias> is the alias of the certificate of the server executing the command.

  3. Run the following command to migrate to the new truststore file:

    Windows:

    %NnmInstallDir%bin\nnmkeytool.ovpl -importkeystore -srckeystore %NnmDataDir%shared\nnm\certificates\nnm.truststore -destkeystore %NnmDataDir%shared\nnm\certificates\nnm-trust.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE

    Linux:

    /opt/OV/bin/nnmkeytool.ovpl -importkeystore -srckeystore /var/opt/OV/shared/nnm/certificates/nnm.truststore -destkeystore /var/opt/OV/shared/nnm/certificates/nnm-trust.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE

    Caution

    After running the command, you will be asked to input a password three times, as follows:

    "Enter the password of the output destination keystore", "Re-enter the new password", "Enter the password of the source keystore". Enter ovpass in response to all of these requests.

  4. Open the server.properties file from the following location with a text editor:
    • Windows: %NnmDataDir%nmsas\nms

    • Linux: /var/opt/OV/nmsas/nms

  5. Delete the existing content of the file.

  6. Add the following content to the file:
    nmsas.server.security.keystore.type=PKCS12
    nmsas.server.security.keystore.file=${com.hp.ov.DataDir}/shared/nnm/certificates/nnm-key.p12
    nmsas.server.security.keystore.cred=nnmkeypass
    nmsas.server.security.truststore.file=${com.hp.ov.DataDir}/shared/nnm/certificates/nnm-trust.p12
    nmsas.server.security.truststore.cred=ovpass
    nmsas.server.security.keystore.alias=
    nms.comm.soap.https.PROTOCOLS=TLSv1.2
  7. Save the file.

  8. Open the nms-local.properties file from the following location with a text editor:

    • Windows: %NnmDataDir%conf\nnm\props

    • Linux: /var/opt/OV/conf/nnm/props

  9. Modify the values of all the javax parameters:

    Parameter                       Value
    javax.net.ssl.trustStore        ${NnmDataDir}/shared/nnm/certificates/nnm-trust.p12
    javax.net.ssl.trustStoreType    PKCS12
    javax.net.ssl.keyStore          ${NnmDataDir}/shared/nnm/certificates/nnm-key.p12
    javax.net.ssl.keyStoreType      PKCS12

  10. Save the file.

  11. Delete the nnm.keystore and nnm.truststore files from the following directory.

    • Windows: %NnmDataDir%shared\nnm\certificates

    • Linux: /var/opt/OV/shared/nnm/certificates

  12. Restart NNMi.
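
A post-migration check for steps 6, 9 and 11 on Linux, as an added example that is not part of the Hitachi guide or of NNMi: it compares the two properties files against the values listed above and confirms that the PKCS #12 files exist and the old JKS files are gone. The function names and the optional ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes plain key=value lines, as in the guide.

# prop_value FILE KEY: print the value of KEY in a Java .properties file
# (last definition wins).
prop_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != k) next
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            found = 1
        }
        END { if (found) print v }' "$1"
}

# check_migration [ROOT]: ROOT is a hypothetical prefix for checking a copy.
# Returns 0 when everything matches; the failure count is left in $fails.
check_migration() {
    ov="${1:-}/var/opt/OV"
    certs="$ov/shared/nnm/certificates"
    srv="$ov/nmsas/nms/server.properties"
    loc="$ov/conf/nnm/props/nms-local.properties"
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    want() {  # want FILE KEY VALUE
        got=$(prop_value "$1" "$2" 2>/dev/null) || got=""
        [ "$got" = "$3" ] || fail "$2 is '$got', expected '$3'"
    }
    want "$srv" nmsas.server.security.keystore.type PKCS12
    want "$srv" nmsas.server.security.keystore.file '${com.hp.ov.DataDir}/shared/nnm/certificates/nnm-key.p12'
    want "$srv" nmsas.server.security.truststore.file '${com.hp.ov.DataDir}/shared/nnm/certificates/nnm-trust.p12'
    want "$srv" nms.comm.soap.https.PROTOCOLS TLSv1.2
    want "$loc" javax.net.ssl.trustStore '${NnmDataDir}/shared/nnm/certificates/nnm-trust.p12'
    want "$loc" javax.net.ssl.trustStoreType PKCS12
    want "$loc" javax.net.ssl.keyStore '${NnmDataDir}/shared/nnm/certificates/nnm-key.p12'
    want "$loc" javax.net.ssl.keyStoreType PKCS12
    for f in nnm-key.p12 nnm-trust.p12; do
        [ -s "$certs/$f" ] || fail "missing or empty $certs/$f"
    done
    for f in nnm.keystore nnm.truststore; do
        [ ! -e "$certs/$f" ] || fail "old JKS file still present: $certs/$f"
    done
    [ "$fails" -eq 0 ]
}
```

Source the script and call `check_migration` with no argument on the management server before the restart in step 12; each mismatch is printed as a FAIL line.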