Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


10.3.6 Working with Certificates in High-Availability Environments

This section describes how to configure NNMi to use self-signed or Certificate Authority (CA) certificates in an HA environment.

Figure 10‒2: Using certificates with HA

[Figure]

Caution

NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available as soon as you install a new instance of NNMi 11-50 or a later version on a system. If you have upgraded from an older version of NNMi, you must migrate to the PKCS #12 repository manually.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore.

(1) Configuring High-Availability Using Default Certificates

The process for configuring NNMi for HA correctly shares the default self-signed certificate among the primary and secondary cluster nodes. You do not need to take any extra steps to use the default certificate with NNMi running under HA.

(2) Configuring High-Availability Using New Certificates

This section creates a new self-signed or CA certificate, referred to as newcert. Complete the following steps to configure HA with this new CA or self-signed certificate.

Important

When making file changes under High Availability (HA), you must make the changes on both nodes in the cluster. If the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands. See 19.6.1 Placing NNMi in maintenance mode for more information.

Tip

You can complete this procedure before or after configuring NNMi for HA, as described in 19.5 Shared NNMi Data.

  1. Change to the following directory on NNMi_HA1 before completing step 2:

    • Windows: %NnmDataDir%shared\nnm\certificates

    • Linux: $NnmDataDir/shared/nnm/certificates

  2. On NNMi_HA1, run the following commands to import newcert into the nnm-key.p12 file:

    Windows:

    %NnmInstallDir%bin\nnmkeytool.ovpl -import -alias <newcert_Alias> -storetype PKCS12 -keystore nnm-key.p12 -file newcert -storepass nnmkeypass

    Linux:

    $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias <newcert_Alias> -storetype PKCS12 -keystore nnm-key.p12 -file newcert -storepass nnmkeypass
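
A guarded way to run the Linux import from step 2, shown as an added example and not part of the Hitachi procedure: it backs up nnm-key.p12 first and restores it if the import fails or changes nothing. The names import_newcert and NNMKEYTOOL are introduced here, and a non-zero exit status on a failed import is an assumption.

```sh
# Guarded form of the Linux import in step 2 (added example, not NNMi code).
# NNMKEYTOOL and import_newcert are names introduced for this sketch.
NNMKEYTOOL="${NNMKEYTOOL:-${NnmInstallDir:-}/bin/nnmkeytool.ovpl}"

# import_newcert <certificates_dir> <alias> <cert_file>
# Exit status: 0 keystore updated; 1 bad input; 2 import failed or keystore
# unchanged (nnm-key.p12 is restored from the backup in that case).
import_newcert() (
    dir=$1 alias=$2 cert=$3
    cd "$dir" 2>/dev/null || { echo "cannot cd to $dir" >&2; exit 1; }
    [ -n "$alias" ] || { echo "alias is empty" >&2; exit 1; }
    [ -s "$cert" ] || { echo "certificate file missing or empty: $cert" >&2; exit 1; }
    [ -f nnm-key.p12 ] || { echo "nnm-key.p12 not found in $dir" >&2; exit 1; }

    # Keep a restorable copy of the keystore before modifying it.
    backup="nnm-key.p12.bak.$(date +%Y%m%d%H%M%S)"
    cp -p nnm-key.p12 "$backup" || exit 1

    # Same arguments as the command in step 2.
    rc=0
    "$NNMKEYTOOL" -import -alias "$alias" -storetype PKCS12 \
        -keystore nnm-key.p12 -file "$cert" -storepass nnmkeypass || rc=$?

    # Assumption: a failed import returns non-zero. Because the page does not
    # state this, an unchanged keystore is also treated as a failure.
    if [ "$rc" -ne 0 ] || cmp -s nnm-key.p12 "$backup"; then
        cp -p "$backup" nnm-key.p12
        echo "import failed (rc=$rc); nnm-key.p12 restored from $backup" >&2
        exit 2
    fi
    echo "imported $alias; previous keystore kept as $backup"
)
```

Call it as `import_newcert "$NnmDataDir/shared/nnm/certificates" <newcert_Alias> newcert`; the backup file stays in the certificates directory until you remove it.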