Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


10.4 Using Certificates with the JKS Repository

Before version 11-50, NNMi provided a Java KeyStore (JKS) repository to store certificates. NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available for use as soon as you install a new instance of NNMi 11-50 or later on a system.

However, when you upgrade an older version of NNMi to version 11-50 or later, the PKCS #12 file-based certificate management does not immediately come into effect, and NNMi continues to use the JKS repository for certificate management.

If you like, you can continue to use the older JKS repository of certificates. This section provides instructions for using certificates when you want to continue to use the JKS repository.

Do not use the information in this section in the following two scenarios:
Table 10‒2: Certificate Terminology

Concept

Description

Keystore and Truststore

Truststore: The NNMi truststore is the nnm.truststore file in which you store public keys from sources that you want NNMi to trust.

Keystore: The NNMi keystore is the nnm.keystore file into which you import the NNMi server's private key.

The nnm.truststore and nnm.keystore files are located at:

  • Windows: %NNM_DATA%\shared\nnm\certificates\

  • Linux: $NNM_DATA/shared/nnm/certificates/

Default NNMi certificates

NNMi is installed with a self-signed certificate generated using default properties. You can replace the default certificate with another self-signed or CA-signed certificate.

Tools

Certificates are generated and managed using Java's Keytool utility. Additionally, NNMi provides the nnmmergecert.ovpl utility to merge certificates to establish trust within NNMi systems. This program is used in HA, Failover, and Global Network Management setups.

Supported encryption algorithms

NNMi accepts certificates generated using the RSA algorithm. The DSA algorithm is not supported.

Self-Signed Certificate

A self-signed certificate is typically used for establishing secure communication between your server and a known group of clients. NNMi installs with a self-signed certificate generated using default properties.

Note: NNMi instances configured to use a self-signed certificate will display a warning message when users try to access the NNMi web console in a web browser.

CA-Signed Certificate

The signed server certificate that you receive in response to the Certificate Signing Request contains the CA-signed NNMi certificate and one or more CA certificates (if there is more than one CA certificate, this is also known as the certificate chain).

Note: These certificates might be in a single file or in two separate files.

Root CA Certificate

Identifies the certificate authority that is trusted to sign certificates for servers and users.

Intermediate CA Certificate

A certificate signed by either a root or intermediate CA that is itself an authority, rather than a server or user.

Note: The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.
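
The following is an added example, not part of the Hitachi guide: a shell function that reads `keytool -list -v` output and flags entries whose key is not RSA (which the table above says NNMi does not accept) and entries that are self-signed (Owner equals Issuer). It assumes an English-locale keytool from a JDK that prints the "Subject Public Key Algorithm" line; the function names, aliases and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a keytool listing for unsupported (non-RSA) keys and
# self-signed entries. Real use on Linux (keytool prompts for the password):
#   keytool -list -v -storetype JKS \
#     -keystore "$NNM_DATA/shared/nnm/certificates/nnm.keystore" | audit_keytool_listing
audit_keytool_listing() {
  awk '
    function report(   kind, verdict) {
      if (alias == "") return
      kind = (owner == "" ? "unknown" : (owner == issuer ? "self-signed" : "ca-signed"))
      verdict = (alg == "" ? "UNKNOWN" : (alg ~ /RSA/ ? "OK" : "UNSUPPORTED"))
      printf "%s|%s|%s|%s\n", alias, (alg == "" ? "?" : alg), kind, verdict
    }
    # Only the first certificate after an alias is the entry itself; later ones are its chain.
    /^Alias name: /             { report(); alias = substr($0, 13); owner = issuer = alg = ""; next }
    /^Owner: /  && owner == ""  { owner = substr($0, 8); next }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9); next }
    /^Subject Public Key Algorithm: / && alg == "" { alg = $0; sub(/^Subject Public Key Algorithm: /, "", alg) }
    END { report() }
  '
}

# Constructed sample listing, abridged to the fields the parser reads.
sample_listing() {
  cat <<'EOF'
Alias name: selfsigned-rsa
Certificate[1]:
Owner: CN=nnmi.example.test
Issuer: CN=nnmi.example.test
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: selfsigned-dsa
Certificate[1]:
Owner: CN=old.example.test
Issuer: CN=old.example.test
Subject Public Key Algorithm: 2048-bit DSA key
Alias name: casigned-rsa
Certificate[1]:
Owner: CN=nnmi2.example.test
Issuer: CN=Example Intermediate CA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Subject Public Key Algorithm: 4096-bit RSA key
EOF
}

sample_listing | audit_keytool_listing
```

Each output line has the form alias|key algorithm|self-signed or ca-signed|verdict; an UNSUPPORTED verdict marks a key NNMi will not accept.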

Organization of this section