Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


10.3.8 Configuring an SSL connection to the Directory service

Caution

NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository for storing certificates. This file-based PKCS #12 certificate management is available as soon as you install a new instance of NNMi 11-50 or later on a system. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore.

By default, when directory service communications are enabled, NNMi uses the LDAP protocol for retrieving data from a directory service. If your directory service requires an SSL connection, you must enable the SSL protocol to encrypt the data that flows between NNMi and the directory service.

SSL requires a trust relationship between the directory service host and the NNMi management server. To create this trust relationship, add a certificate to the NNMi truststore. The certificate confirms the identity of the directory service host to the NNMi management server.

To install a truststore certificate for SSL communications, follow these steps:

  1. Obtain your company's truststore certificate from the directory server.

    The directory service administrator should be able to give you a copy of this text file.

    Note that the owner CN of the truststore certificate must match the host name of the directory server.

  2. Change to the directory that contains the NNMi truststore:

    • Windows: %NnmDataDir%shared\nnm\certificates

    • Linux: $NnmDataDir/shared/nnm/certificates

    Run all commands in this procedure from the certificates directory.

  3. Import your company's truststore certificate into the NNMi truststore.

    Note

    Import the root CA certificate of the LDAP directory server (without intermediate certificates) into the NNMi truststore.

    If you need to import root CA certificates for multiple LDAP directory servers, when you import the second and subsequent certificates, replace “nnmi_ldap” in the procedure with a name of your choice (example: nnmi_ldap2).

    1. Run the following command:

      Windows:

      %NnmInstallDir%bin\nnmkeytool.ovpl -import -alias nnmi_ldap -storetype PKCS12 -keystore nnm-trust.p12 -storepass ovpass -file <Directory_Server_Certificate.txt>

      Linux:

      $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias nnmi_ldap -storetype PKCS12 -keystore nnm-trust.p12 -storepass ovpass -file <Directory_Server_Certificate.txt>

      Where <Directory_Server_Certificate.txt> is your company's truststore certificate.

    2. When prompted to trust the certificate, enter: y

      Example output for importing a certificate into the truststore

      The output from this command is of the form:

      Owner: CN=NNMi_server.example.com
      Issuer: CN=NNMi_server.example.com
      Serial number: 494440748e5
      Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
      Certificate fingerprints:
      MD5: 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
      SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
      Trust this certificate? [no]: y
      Certificate was added to keystore
      
  4. Examine the contents of the truststore:

    Windows:

    %NnmInstallDir%bin\nnmkeytool.ovpl -list -storetype PKCS12 -keystore nnm-trust.p12 -storepass ovpass

    Linux:

    $NnmInstallDir/bin/nnmkeytool.ovpl -list -storetype PKCS12 -keystore nnm-trust.p12 -storepass ovpass

    Example truststore output

    The truststore output is of the form:

    Keystore type: PKCS12
    Keystore provider: SunJSSE
    Your keystore contains 1 entry
    nnmi_ldap, Nov 14, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
    
    Tip

    The truststore can include multiple certificates.

  5. Run the following commands to restart NNMi:

    ovstop
    ovstart

Important

When making file changes under High Availability (HA), you must make the changes on both nodes in the cluster. If the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands. See 19.6.1 Placing NNMi in maintenance mode for more information.
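As an added example (not JP1/NNMi code, and not part of the guide), the following Python script wraps steps 2 to 4 of the procedure on Linux around the nnmkeytool.ovpl commands written above: it checks that the certificate file holds a single certificate (a root CA without intermediates), previews the import by answering n to the trust prompt, confirms that the owner CN matches the directory server host name and that Owner and Issuer are the same (a self-signed root), chooses the next free alias (nnmi_ldap, nnmi_ldap2, ...) when several directory servers are configured, then imports with y and checks that the -list output shows the alias with the fingerprint printed at import time. The assumption that nnmkeytool.ovpl reads the trust answer from standard input as keytool does, all helper names, and the SAMPLE_* outputs are mine, not the guide's.

```python
"""Pre-flight and post-import checks for adding a directory-server root CA to the
NNMi PKCS #12 truststore (nnm-trust.p12). Added example, not part of JP1/NNMi: it
runs the Linux nnmkeytool.ovpl commands from the procedure and parses their
keytool-style output. The SAMPLE_* strings are constructed, not captured."""
import os, re, subprocess, sys

TRUSTSTORE, STOREPASS, DEFAULT_ALIAS = "nnm-trust.p12", "ovpass", "nnmi_ldap"

# Constructed sample of what -import prints before the trust prompt.
SAMPLE_IMPORT_OUTPUT = """\
Owner: CN=ldap.example.com
Issuer: CN=ldap.example.com
Certificate fingerprints:
MD5: 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
Trust this certificate? [no]:
"""
# Constructed sample of the -list output after that import.
SAMPLE_LIST_OUTPUT = """\
Keystore type: PKCS12
Your keystore contains 1 entry
nnmi_ldap, Nov 14, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
"""

def count_pem_certificates(pem_text):
    """A root CA file must hold exactly one certificate block (no intermediates)."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----", pem_text))

def parse_keytool_summary(output):
    """Collect the Owner/Issuer/fingerprint lines printed before 'Trust this certificate?'."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(Owner|Issuer|Serial number|MD5|SHA1|SHA256)\s*:\s*(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def dn_cn(dn):
    """CN attribute of a distinguished name such as 'CN=host, O=Example'."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def check_certificate(fields, directory_host):
    """List the procedure's preconditions that fail; an empty list means safe to trust."""
    problems = []
    owner_cn = dn_cn(fields.get("Owner", ""))
    if owner_cn is None or owner_cn.lower() != directory_host.lower():
        problems.append(f"owner CN {owner_cn!r} does not match directory server {directory_host!r}")
    if fields.get("Owner") != fields.get("Issuer"):
        problems.append("Owner and Issuer differ: not a self-signed root CA certificate")
    return problems

def parse_truststore_list(output):
    """Parse -list output into {alias: {'date', 'type', 'fingerprint': (algo, value)}}."""
    entries, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^(\S+),\s*(.+?),\s*(trustedCertEntry|PrivateKeyEntry),?\s*$", line)
        if m:
            current = m.group(1)
            entries[current] = {"date": m.group(2), "type": m.group(3), "fingerprint": None}
        m = re.match(r"\s*Certificate fingerprint \((\w+)\)\s*:\s*(\S+)", line)
        if m and current:
            entries[current]["fingerprint"] = (m.group(1), m.group(2))
    return entries

def next_alias(existing, base=DEFAULT_ALIAS):
    """nnmi_ldap for the first server, then nnmi_ldap2, nnmi_ldap3, ... as the note suggests."""
    n, alias = 2, base
    while alias in existing:
        alias, n = f"{base}{n}", n + 1
    return alias

def verify_imported(entries, alias, fields):
    """Step 4 check: the alias is listed and its fingerprint equals the one shown at import."""
    entry = entries.get(alias)
    if not entry or not entry["fingerprint"]:
        return False
    algo, value = entry["fingerprint"]
    return fields.get(algo, "").upper() == value.upper()

def build_command(action, alias=None, cert_file=None):
    """Argument vector for the Linux -import or -list command as the procedure writes it."""
    cmd = [os.path.expandvars("$NnmInstallDir/bin/nnmkeytool.ovpl"), f"-{action}"]
    if action == "import":
        cmd += ["-alias", alias]
    cmd += ["-storetype", "PKCS12", "-keystore", TRUSTSTORE, "-storepass", STOREPASS]
    return cmd + (["-file", cert_file] if action == "import" else [])

def run_procedure(cert_file, directory_host):
    """Run from the certificates directory. Assumes nnmkeytool.ovpl takes the trust
    answer on stdin like keytool does (an assumption, not documented in the guide)."""
    with open(cert_file) as f:
        if count_pem_certificates(f.read()) != 1:
            sys.exit("certificate file must contain exactly one (root CA) certificate")
    def run(cmd, answer):
        p = subprocess.run(cmd, input=answer, text=True, capture_output=True)
        return p.stdout + p.stderr
    alias = next_alias(parse_truststore_list(run(build_command("list"), "")))
    # Answer 'n' first so the summary can be checked before anything is trusted.
    fields = parse_keytool_summary(run(build_command("import", alias, cert_file), "n\n"))
    problems = check_certificate(fields, directory_host)
    if problems:
        sys.exit("refusing to import:\n  " + "\n  ".join(problems))
    run(build_command("import", alias, cert_file), "y\n")
    entries = parse_truststore_list(run(build_command("list"), ""))
    return alias, verify_imported(entries, alias, fields)

if __name__ == "__main__":
    print(run_procedure(sys.argv[1], sys.argv[2]))
```

Invoke it from the certificates directory as `python3 nnmi_ldap_trust.py <Directory_Server_Certificate.txt> <directory-server-host>` (file name assumed). The script refuses to answer y while any precondition fails, so a certificate with the wrong CN, or a server or intermediate certificate mistaken for the root CA, never reaches the truststore; after a successful import it returns the alias used and whether the fingerprint listed by -list matches the one shown at import. Restarting NNMi (step 5) is deliberately left to the operator because of the HA maintenance-mode requirement above.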