NNMi - configuration for HTTPS

Hello,

I want to enable https access to the NNMi application.
The problem is that I didn't find a whitepaper for using 3rd-party signed certificates.
I only found documentation for self-signed certificates.

Can anyone describe how to configure it?

What I did:
1. Generate key
/opt/OV/nonOV/jdk/b/bin/keytool -genkey -alias selfsigned -keyalg RSA -keystore /home/shru/NNMi/ipnnm.keystore

2. Generate cert request
/opt/OV/nonOV/jdk/b/bin/keytool -certreq -alias selfsigned -file /home/shru/NNMi/ipnnm.certreq -keystore /home/shru/NNMi/ipnnm.keystore

3. Got an ipnnm.cer from my security department

4. Import of the cer-file
/opt/OV/nonOV/jdk/b/bin/keytool -import -alias nnmi_https -trustcacerts -keystore /home/shru/NNMi/ipnnm.keystore -file /home/shru/NNMi/ipnnm.cer

Now I should change the server.xml, but I don't know what the SSLCertificateKeyFile is about.

Thanks for any advice!

Sven

Re: NNMi - configuration for HTTPS

Hi Sven

When I configured SSL on our server I used a certificate file which had been created by our IT dept but used the 'self cert' connector block so I didn't need a value for SSLCertificateKeyFile and it works fine. I followed the same steps that you did to generate the key and import the certificates, then edited the server.xml and the HTTPS connector block looks like this:

address="${jboss.bind.address}"
maxThreads="250"
acceptCount="100"
connectionTimeout="20000"
strategy="ms"
maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/var/opt/OV/shared/nnm/certificates/nnm.keystore"
keystorePass="nnmkeypass"
keyAlias="selfsigned"
truststoreFile="/var/opt/OV/shared/nnm/certificates/nnm.truststore"
truststorePass="ovpass"
clientAuth="false"
sslProtocol="SSLv3"
server="nobody"
URIEncoding="UTF-8" />

Hope this helps.

Kitti

Re: NNMi - configuration for HTTPS

Thanks for your reply!

I tested some certificates, and with your connector config the self-signed one worked.
But then I got the error in my browser that the certificate is self-signed and is not valid.

That is the point I don't want to have.
I want a server certificate that is valid because of authorization from our root CA so all users don't get a failure when they login to the application.

Thanks for any further advice.

Sven

Re: NNMi - configuration for HTTPS

Hi Sven

Did you install the certificate in the browser? In Firefox we just needed to install the certificate, in IE 8 we got rid of the errors and pop-up notifications by installing the certificate and then adding the URL for the NNMi server to the Trusted Sites zone in IE (Tools > Internet Options > Security.)

Regards

Kitti

Re: NNMi - configuration for HTTPS

I know the "solution" to install the self-signed certificate.
But that should only be the last resort, because I am required to use our certificate from our root CA so any user can use the application without error messages in the browser.

Re: NNMi - configuration for HTTPS

Hi Sven,

I have gone through your thread, and I have also implemented an HTTPS self-signed certificate from NNMi.

Whenever I tried to open the HTTPS URL with an IP address like https://192.168.1.1, I received an error message in the browser.
But as I have seen, the self-signed certificate is generated with the hostname of the NNMi server (FQDN).
If you use the FQDN with https in the IE browser, it will not give any error message.

Please try and let me know.

Re: NNMi - configuration for HTTPS

You can use a link like:
https://nnm.server-domain.com

Re: NNMi - configuration for HTTPS

Thanks for your reply, but I don't want to use this self-signed certificate.

With this certificate it was running, but with the error like "certificate was signed by the server itself" or something like that.

One more time: I have to use a certificate signed by our root CA so everyone can use the application without error messages in the browser because the server certificate is signed by a valid authority.

Re: NNMi - configuration for HTTPS

I figured something out.

Changing the connector port in the server.xml is not the right way, because there is an argument which transfers another argument for the keystore.

-Djavax.net.ssl.trustStore=/var/opt/OV/shared/nnm/certificates/nnm.truststore

-Djavax.net.ssl.trustStorePassword=ovpass

I found that in the ovjboss.log.

Now my question:
Is it possible to change these two arguments for truststore and password to my own variables?

Because my keystore has another password.

Thanks a lot!

Sven

Re: NNMi - configuration for HTTPS

It was hard work to search for the right config file, but I found it:

/var/opt/OV/shared/nnm/conf/ovjboss/support/ovjboss.jvm.properties

I changed the value to the custom values of the certificate but it doesn't work.

Re: NNMi - configuration for HTTPS

Hi Sven,

I'm in the same spot you are in... trying to get our security department's SSL certificate to work.

I haven't got as far as you have yet, but I'm getting there fast. Self-signed certificate works, but security wants their certificate to be used.

Are you getting any useful errors in %NNMDataDir%\log\nnm\jbossServer.log? I've been reading some forums on this, and I've seen notes that say that your -alias you are importing to in 4 should be to the same keystore and match the alias used to generate the keypair... There might be a mismatch between "selfsigned" and "nnmi_https".

You aren't alone! This seems to be poorly documented in the Deployment Guide, which focuses 95% on the self-signed.

For that sslcertificatekeyfile... I'm wondering if the .PEM file (Private key File, of some sort) can be exported with keytool?

-Chris C
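
The alias mismatch raised in the reply above can be checked from `keytool -list -v` output. The script below is an added example, not code from the thread or from HP, and the certificate names in its sample are constructed placeholders. keytool treats an import as a certificate reply only when `-alias` names the existing key entry; under a new alias it stores a trustedCertEntry with no private key.

```shell
#!/bin/sh
# Added example: classify one alias in `keytool -list -v` output read from stdin.
#   ca-signed-key      private key whose leaf certificate was issued by another CA
#   self-signed-key    private key still carrying its self-signed certificate
#   trusted-cert-only  certificate without a private key (cannot serve HTTPS)
#   missing            alias not present in the keystore
check_key_alias() {
    awk -v want="$1" '
        /^Alias name: /  { cur = substr($0, 13); sub(/[ \r]+$/, "", cur) }
        cur != want      { next }
        /^Entry type: /  { type = substr($0, 13); sub(/[ \r]+$/, "", type) }
        # The first Owner/Issuer pair under an alias is Certificate[1], the leaf.
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (type == "")                      print "missing"
            else if (type != "PrivateKeyEntry")  print "trusted-cert-only"
            else if (owner == issuer)            print "self-signed-key"
            else                                 print "ca-signed-key"
        }'
}

# Constructed sample: keystore state after step 4 of the first post, where the
# CA reply was imported under the new alias nnmi_https (names are placeholders).
sample_after_step4() {
    cat <<'EOF'
Alias name: selfsigned
Creation date: Jan 1, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=nnm.example.com, O=Example
Issuer: CN=nnm.example.com, O=Example

Alias name: nnmi_https
Creation date: Jan 2, 2011
Entry type: trustedCertEntry

Owner: CN=nnm.example.com, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}

echo "selfsigned: $(sample_after_step4 | check_key_alias selfsigned)"
echo "nnmi_https: $(sample_after_step4 | check_key_alias nnmi_https)"
```

Against a real keystore, pipe `keytool -list -v -keystore <keystore>` into `check_key_alias` with the alias named in `keyAlias` in server.xml. That alias should report `ca-signed-key` once the CA reply has been imported under the same alias as the key pair.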

Re: NNMi - configuration for HTTPS

Hi Chris,

Thanks for your reply, and nice to hear that there are more people in the same situation 🙂

I opened a case at HP for that task, and all I got in the first step was the same description as I found in the guide.
I tested the solution once again with the crt- and pem-file but it didn't work once again.

I told the case owner the situation, and since then I have received no new information.

I will write here in the forum if I get a new response from HP.