10.4.5 Working with Certificates in High-Availability Environments

(1) Configuring High-Availability Using Default Certificates

The process for configuring NNMi for HA correctly shares the self-signed certificate among the primary and secondary cluster nodes. You do not need to take any extra steps to use the default certificate with NNMi running under HA.

To Page Top

(2) Configuring an HA cluster to use a new certificate

Suppose you create a new self-signed or CA certificate, referred to as newcert. Complete the following steps to configure HA to use this new CA or self-signed certificate.

You can complete this procedure before or after configuring NNMi for HA, as described in 19.4 Configuring HA.

Important

When making file changes under High Availability (HA), you must make the changes on both nodes in the cluster. If the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands. See 19.6.1 Placing NNMi in maintenance mode for more information.

1. Change to the following directory on NNMi_HA1 before completing step 2:

   • Windows: %NNM_DATA%\shared\nnm\certificates

   • Linux: $NNM_DATA/shared/nnm/certificates

2. On NNMi_HA1, execute the following command to import newcert into the nnm.keystore file:

   Windows:

   %jdkdir%\bin\keytool.exe -import -alias <newcert_Alias> -keystore nnm.keystore -file newcert

   Linux:

   $jdkdir/bin/keytool -import -alias <newcert_Alias> -keystore nnm.keystore -file newcert

3. Edit the following file on both the active cluster node (NNMi_HA1) and the standby node (NNMi_HA2):

   • Windows: %NNM_DATA%\conf\nnm\props\nms-local.properties

   • Linux: $NNM_DATA/conf/nnm/props/nms-local.properties

4. Change the following line in the nms-local.properties file on both NNMi_HA1 and NNMi_HA2:

   com.hp.ov.nms.ssl.KEY_ALIAS = <newcert_Alias>

5. Save your changes.

To Page Top