10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore
Before version 11-50, NNMi provided a Java KeyStore (JKS) repository to store certificates. NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available as soon as you install a new instance of NNMi 11-50 or a later version on a system.
However, when you upgrade an older version of NNMi to 11-50 or a later version, PKCS #12 file-based certificate management does not immediately come into effect, and NNMi continues to use the JKS repository for certificate management.
With additional configuration tasks, you can configure the upgraded NNMi management server to use the new technique of PKCS #12 file-based certificate management.
To configure the upgraded NNMi management server to use PKCS #12 file-based certificate management:
- Log on to the NNMi management server as root or administrator.
- Run the following command to migrate to the new keystore file:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -importkeystore -srckeystore %NnmDataDir%shared\nnm\certificates\nnm.keystore -destkeystore %NnmDataDir%shared\nnm\certificates\nnm-key.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE -alias <src_alias>
Linux:
/opt/OV/bin/nnmkeytool.ovpl -importkeystore -srckeystore /var/opt/OV/shared/nnm/certificates/nnm.keystore -destkeystore /var/opt/OV/shared/nnm/certificates/nnm-key.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE -alias <src_alias>
Caution:
After running the command, you are prompted for a password three times, as follows: "Enter the password of the output destination keystore", "Re-enter the new password", and "Enter the password of the source keystore". Enter nnmkeypass in response to all of these prompts.
The new certificate management technique enables you to retain only a single certificate in the keystore at a time. In this instance, <src_alias> is the alias of the certificate in the old keystore file that you want to migrate.
For the certificate alias included in the previous keystore file, specify the value of com.hp.ov.nms.ssl.KEY_ALIAS that is set in the following file:
  - Windows: %NNM_CONF%\nnm\props\nms-local.properties
  - Linux: $NNM_CONF/nnm/props/nms-local.properties
Note:
In application failover environments, <src_alias> is the alias of the certificate of the server executing the command.
- Run the following command to migrate to the new truststore file:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -importkeystore -srckeystore %NnmDataDir%shared\nnm\certificates\nnm.truststore -destkeystore %NnmDataDir%shared\nnm\certificates\nnm-trust.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE
Linux:
/opt/OV/bin/nnmkeytool.ovpl -importkeystore -srckeystore /var/opt/OV/shared/nnm/certificates/nnm.truststore -destkeystore /var/opt/OV/shared/nnm/certificates/nnm-trust.p12 -srcstoretype JKS -deststoretype PKCS12 -srcprovidername SUN -destprovidername SunJSSE
Caution:
After running the command, you are prompted for a password three times, as follows: "Enter the password of the output destination keystore", "Re-enter the new password", and "Enter the password of the source keystore". Enter ovpass in response to all of these prompts.
- Open the server.properties file from the following location with a text editor:
  - Windows: %NnmDataDir%nmsas\nms
  - Linux: /var/opt/OV/nmsas/nms
- Delete the existing content of the file.
- Add the following content to the file:
nmsas.server.security.keystore.type=PKCS12
nmsas.server.security.keystore.file=${com.hp.ov.DataDir}/shared/nnm/certificates/nnm-key.p12
nmsas.server.security.keystore.cred=nnmkeypass
nmsas.server.security.truststore.file=${com.hp.ov.DataDir}/shared/nnm/certificates/nnm-trust.p12
nmsas.server.security.truststore.cred=ovpass
nmsas.server.security.keystore.alias=
nms.comm.soap.https.PROTOCOLS=TLSv1.2
- Save the file.
- Open the nms-local.properties file from the following location with a text editor:
  - Windows: %NnmDataDir%conf\nnm\props
  - Linux: /var/opt/OV/conf/nnm/props
- Modify the values of all the javax parameters:
Parameter                       Value
javax.net.ssl.trustStore        ${NnmDataDir}/shared/nnm/certificates/nnm-trust.p12
javax.net.ssl.trustStoreType    PKCS12
javax.net.ssl.keyStore          ${NnmDataDir}/shared/nnm/certificates/nnm-key.p12
javax.net.ssl.keyStoreType      PKCS12
- Save the file.
- Delete the nnm.keystore and nnm.truststore files from the following directory:
  - Windows: %NnmDataDir%shared\nnm\certificates
  - Linux: /var/opt/OV/shared/nnm/certificates
- Restart NNMi.
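
A post-migration check for the procedure above, as an added example that is not part of the NNMi product or its documentation: it compares server.properties and nms-local.properties against the values given in the steps, flags any setting that still points at the JKS stores, and confirms that the certificates directory holds the two .p12 files and no longer holds nnm.keystore or nnm.truststore. The function names are hypothetical, and the parser assumes simple key=value lines.

```python
# Added example: post-migration check. Expected values are copied from the steps on this page.
from pathlib import Path

CERTS = "/shared/nnm/certificates/"
SERVER_EXPECTED = {  # server.properties
    "nmsas.server.security.keystore.type": "PKCS12",
    "nmsas.server.security.keystore.file": "${com.hp.ov.DataDir}" + CERTS + "nnm-key.p12",
    "nmsas.server.security.truststore.file": "${com.hp.ov.DataDir}" + CERTS + "nnm-trust.p12",
    "nms.comm.soap.https.PROTOCOLS": "TLSv1.2",
}
LOCAL_EXPECTED = {  # nms-local.properties
    "javax.net.ssl.trustStore": "${NnmDataDir}" + CERTS + "nnm-trust.p12",
    "javax.net.ssl.trustStoreType": "PKCS12",
    "javax.net.ssl.keyStore": "${NnmDataDir}" + CERTS + "nnm-key.p12",
    "javax.net.ssl.keyStoreType": "PKCS12",
}
OLD_STORES = ("nnm.keystore", "nnm.truststore")
NEW_STORES = ("nnm-key.p12", "nnm-trust.p12")

def parse_properties(text):
    """Parse key=value lines of a properties file; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_props(name, text, expected):
    """Report keys that are missing, differ from the page, or still point at JKS."""
    props = parse_properties(text)
    findings = [f"{name}: {k} is {props.get(k)!r}, expected {v!r}"
                for k, v in expected.items() if props.get(k) != v]
    findings += [f"{name}: {k} still references JKS ({v})"
                 for k, v in props.items()
                 if k not in expected and (v == "JKS" or v.endswith(OLD_STORES))]
    return findings

def check_cert_dir(cert_dir):
    """Both .p12 stores must exist; the old JKS stores must have been deleted."""
    d = Path(cert_dir)
    return ([f"missing {n}" for n in NEW_STORES if not (d / n).is_file()]
            + [f"old store not deleted: {n}" for n in OLD_STORES if (d / n).exists()])

if __name__ == "__main__":
    # Constructed sample: an nms-local.properties fragment that was never switched from JKS.
    sample = "javax.net.ssl.keyStore=${NnmDataDir}" + CERTS + "nnm.keystore\njavax.net.ssl.keyStoreType=JKS\n"
    print("\n".join(check_props("nms-local.properties", sample, LOCAL_EXPECTED)))
```

An empty result from each function means the files match the steps; run the checks before restarting NNMi so that a missed setting is caught while the old configuration is still easy to compare.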