
active directory integration with NNMi in secure mode


NNMi 10.2x

We had integrated NNMi with LDAP in non-secured mode and it works fine.

Now we need to integrate NNMi with LDAP in secured mode, and when I consult the documentation (Deployment Reference), I see that I should import the LDAP truststore into the NNMi keystore using the command below:

/opt/OV/bin/nnmkeytool.ovpl -import -alias nnmi_ldap -storetype PKCS12 -keystore nnm-trust.p12 -file <Directory_Server_Certificate.txt>

However, if I look at the ldap.properties file, I see that I should import the LDAP truststore into the NNMi truststore using the command below:

/opt/OV/nonOV/jdk/hpsw/bin/keytool -storepass ovpass -import -file certificate_authority.txt -alias 'myco_ca' -keystore /var/opt/OV/shared/nnm/certificates/nnm.truststore

Which one is correct?

As per my past experience, I believe I should import the truststore file into the NNMi truststore, but please advise.


7 Replies

Re: active directory integration with NNMi in secure mode


Hi Ramesh,

  I think the answer is that they are both correct - it just depends on which version of NNMi you are using, and therefore which keystore/truststore names and associated commands.

  Originally NNMi used JKS keystores (nnm.keystore and nnm.truststore) and to manage them you use the java keytool command. With the introduction of 10.2x the certificate stores became PKCS12 (nnm-key.p12 and nnm-trust.p12) and to manage these we use the nnmkeytool.ovpl script and have the additional option of "-storetype pkcs12".

  Apart from these changes the rest remains pretty much the same. So determine which storetype you are using, obtain either the LDAP server's server certificate or, if it's a CA-signed one, the root cert, and place either into the NNMi truststore using the appropriate command. Restart NNMi and you should be good to go.

  You might want to check out the following KCS document which I wrote detailing an option to the keytool command that makes obtaining the remote server's certificate chain much simpler.

KM02678491: How to review and obtain the certificate of a remote server for an SSL connection

  All the best

Dave Y

 

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
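The procedure in the reply above (work out which store type you have, obtain the LDAP server's certificate or its CA root, import it into the NNMi truststore, restart) as an added shell example. This is not code from the thread or from the NNMi product. It assumes the certificate chain has already been saved as a PEM bundle, for instance the output of `keytool -printcert -rfc -sslserver <ldap-host>:636` or of `openssl s_client -connect <ldap-host>:636 -showcerts </dev/null`; the tool paths and the aliases `nnmi_ldap` and `myco_ca` are the ones quoted in the thread, and the location of nnm-trust.p12 next to nnm.truststore is an assumption. Nothing in it contacts a server; the sample bundle is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from this thread or from the NNMi product). Splits a PEM bundle
# into one file per certificate and builds the import command for whichever NNMi
# truststore is in use. Tool paths and aliases are the ones quoted in the thread; the
# directory of nnm-trust.p12 is assumed to match nnm.truststore. Runs fully offline.

# Split the PEM bundle $1 into <prefix>1.pem, <prefix>2.pem, ... ($2 = prefix) and print
# how many certificates were written. Order is preserved: the server's own (leaf)
# certificate comes first, the issuing CA certificates follow it.
split_pem_bundle() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Print (do not run) the import command for certificate file $3 under alias $2 into a
# truststore of type $1: "pkcs12" for NNMi 10.2x, "jks" for earlier releases.
# -storepass is left out on purpose so keytool prompts instead of exposing the
# password in shell history and process listings.
truststore_import_cmd() {
  case "$1" in
    pkcs12) printf '%s\n' "/opt/OV/bin/nnmkeytool.ovpl -import -alias $2 -storetype PKCS12 -keystore /var/opt/OV/shared/nnm/certificates/nnm-trust.p12 -file $3" ;;
    jks)    printf '%s\n' "/opt/OV/nonOV/jdk/hpsw/bin/keytool -import -file $3 -alias $2 -keystore /var/opt/OV/shared/nnm/certificates/nnm.truststore" ;;
    *)      echo "unknown store type: $1" >&2; return 1 ;;
  esac
}

# Emit one import command per certificate in bundle $1 for store type $2, with aliases
# <$3>_1, <$3>_2, ...; the split files go under directory $4. Importing the CA
# certificates (not only the leaf) keeps trust intact when the server's own certificate
# is renewed.
import_chain_cmds() {
  count=$(split_pem_bundle "$1" "$4/cert")
  i=1
  while [ "$i" -le "$count" ]; do
    truststore_import_cmd "$2" "${3}_$i" "$4/cert$i.pem" || return 1
    i=$((i + 1))
  done
}

# Write a constructed two-certificate bundle to $1. The bodies are placeholders, not
# real certificates; they only let the functions above be exercised offline.
write_constructed_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUi1OT1QtQS1SRUFMLUNFUlQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVC1QTEFDRUhPTERFUi1OT1QtQS1SRUFMLUNFUlQ=
-----END CERTIFICATE-----
EOF
}

# Usage: sh nnmi_trust_import.sh demo    (prints the commands; review them, then run)
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  write_constructed_bundle "$work/chain.pem"
  import_chain_cmds "$work/chain.pem" pkcs12 nnmi_ldap "$work"
  echo "then restart NNMi: ovstop && ovstart"
fi
```

Before running the printed commands, check each split file with `keytool -printcert -file <n>.pem` and confirm the last one is either the server's self-signed certificate or the CA root (issuer equal to subject); if the server only sends up to an intermediate, the root has to come from the CA, not from the connection.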

Re: active directory integration with NNMi in secure mode


Dave

I imported the certificates, but it fails with the error below in nnm.log:

WARNING [com.hp.ov.nms.ui.ejb.ldap.NmsLdapLoginBase] Could not communicate to server. Verify hostname is correct and can be resolved by nameserver.: javax.naming.CommunicationException: domain.corp.in:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Algorithm MD5 not available]

Do you have any idea?


Re: active directory integration with NNMi in secure mode


Ramesh,

  The problem is in the last line of the error:

javax.net.ssl.SSLException: java.lang.RuntimeException: Algorithm MD5 not available]

  What this is saying is that the SSL negotiation tried to use MD5; however, it would appear NNMi is in FIPS mode and so MD5 is not a valid crypto algorithm. The easiest option is therefore to put NNMi into non-FIPS mode. This is easily done by the following steps:

1) ovstop
2) cp /opt/OV/newconfig/HPNmsServStgs/Linux/java.security /var/opt/OV/conf/nnm/java.security
3) ovstart

  If you are running Windows, then there is a "Windows" directory for the file for this OS.

  Hope this helps

Dave Y



Re: active directory integration with NNMi in secure mode


Thanks, I configured NNM to non-FIPS mode, but I am still seeing the error below in nnm.log:

2018-11-27 10:34:46.323 WARNING [com.hp.ov.nms.ui.ejb.ldap.NmsLdapLoginBase] Could not communicate to server. Verify hostname is correct and can be resolved by nameserver.: javax.naming.CommunicationException:domain.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.]

2018-11-27 10:34:46.325 WARNING [com.hp.ov.nms.ui.ejb.ldap.NmsLdapLoginBase] Exception trying to search of Base DN "DC=domain,DC=com" user "ramesh" filter "sAMAccountName={0}": java.lang.RuntimeException: Could not communicate to server. Verify hostname is correct and can be resolved by nameserver.

We were receiving the same error while integrating NNMi with UCMDB after importing the UCMDB certificates.

Please advise.


Re: active directory integration with NNMi in secure mode


Ramesh,

  This error "Could not build a validated path.]" normally indicates a problem with "trust". I would suggest you run the following command:

keytool -printcert -sslserver <ldap server>:636

from the Java bin directory. It will then print the server certificate (chain) that the LDAP server is presenting. Ensure that if it's a self-signed cert then that cert is in the NNMi truststore, or if it's a CA cert that the root cert is in the NNMi truststore. This error indicates that this might not be the case.

  Note that if it's not, adding the "-rfc" option to the command prints the certs in "PEM" format, which will make it easier to install them into the truststore.

  All the best

Dave Y

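The two nnm.log failures quoted in this thread (the MD5 one answered with the FIPS change, and the PKIX path one answered above) share the same outer "Could not communicate to server" text; only the nested "[Root exception is ...]" tells them apart. The added shell example below, which is not code from the thread or from NNMi, extracts that nested exception from each warning line, classifies it, and prints the fix the thread arrived at together with the check a practitioner would run before relaxing the FIPS policy. The sample lines are copied from this thread; the function and category names are this example's own.

```sh
#!/bin/sh
# Added example (not from this thread or from the NNMi product): triage of the
# NmsLdapLoginBase warnings quoted in this thread. Sample lines are copied from it.

# Print the innermost "[Root exception is ...]" text of log line $1, or the whole line
# when there is none (the follow-on "Exception trying to search" line has none).
root_exception() {
  case "$1" in
    *"[Root exception is "*)
      printf '%s\n' "$1" | sed -n 's/.*\[Root exception is \(.*\)][[:space:]]*$/\1/p' ;;
    *)
      printf '%s\n' "$1" ;;
  esac
}

# Classify log line $1 by its root exception: fips-algorithm | trust-path |
# connect-failure | other. Specific patterns are tested before the generic wrapper
# text, because that wrapper appears in every variant.
classify_ldap_failure() {
  case "$(root_exception "$1")" in
    *"Algorithm "*" not available"*)                                    echo fips-algorithm ;;
    *"PKIX path building failed"*|*"Could not build a validated path"*) echo trust-path ;;
    *"Could not communicate to server"*)                                echo connect-failure ;;
    *)                                                                  echo other ;;
  esac
}

# Remediation for a classification $1: what the thread established, plus the check to
# run before changing crypto policy on the NNMi side.
suggest_fix() {
  case "$1" in
    fips-algorithm)
      echo "The handshake needs an algorithm the FIPS java.security policy forbids (typically an MD5-signed certificate in the server chain, or a TLS 1.0/1.1 handshake whose PRF uses MD5). Check 'Signature algorithm name' in 'keytool -printcert -sslserver <host>:636'; fix it on the directory side, or switch NNMi to the non-FIPS java.security (ovstop; copy java.security from /opt/OV/newconfig/HPNmsServStgs/<OS>/; ovstart) as in the accepted answer." ;;
    trust-path)
      echo "No trust anchor for the presented chain: import the self-signed server cert, or the issuing CA root, into the NNMi truststore and restart NNMi." ;;
    connect-failure)
      echo "No nested root exception: the connection was never established. The real cause is in the preceding line (TLS failure, hostname resolution, port 636 reachability)." ;;
    *)
      echo "Not an LDAPS trust or policy failure pattern known to this script." ;;
  esac
}

# Triage a whole nnm.log ($1): one "<class>: <root exception>" line per LDAP warning.
triage_log() {
  grep 'NmsLdapLoginBase' "$1" | while IFS= read -r line; do
    printf '%s: %s\n' "$(classify_ldap_failure "$line")" "$(root_exception "$line")"
  done
}

# Lines copied from this thread: the FIPS-mode handshake failure, the trust failure seen
# after FIPS mode was switched off, and the follow-on search failure it caused.
SAMPLE_FIPS='WARNING [com.hp.ov.nms.ui.ejb.ldap.NmsLdapLoginBase] Could not communicate to server. Verify hostname is correct and can be resolved by nameserver.: javax.naming.CommunicationException: domain.corp.in:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Algorithm MD5 not available]'
SAMPLE_TRUST='2018-11-27 10:34:46.323 WARNING [com.hp.ov.nms.ui.ejb.ldap.NmsLdapLoginBase] Could not communicate to server. Verify hostname is correct and can be resolved by nameserver.: javax.naming.CommunicationException:domain.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.]'
SAMPLE_FOLLOWON='2018-11-27 10:34:46.325 WARNING [com.hp.ov.nms.ui.ejb.ldap.NmsLdapLoginBase] Exception trying to search of Base DN "DC=domain,DC=com" user "ramesh" filter "sAMAccountName={0}": java.lang.RuntimeException: Could not communicate to server. Verify hostname is correct and can be resolved by nameserver.'

# Usage: sh nnmi_ldap_triage.sh demo        or: sh nnmi_ldap_triage.sh /var/opt/OV/log/nnm/nnm.log
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  printf '%s\n%s\n%s\n' "$SAMPLE_FIPS" "$SAMPLE_TRUST" "$SAMPLE_FOLLOWON" > "$tmp"
  triage_log "$tmp"
  suggest_fix "$(classify_ldap_failure "$SAMPLE_TRUST")"
  rm -f "$tmp"
elif [ -n "${1:-}" ]; then
  triage_log "$1"
fi
```

Running it over the thread's three lines gives fips-algorithm, trust-path and connect-failure in that order, which matches the sequence of the thread: the MD5 error disappeared once FIPS mode was turned off, exposing the underlying missing trust anchor.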

Re: active directory integration with NNMi in secure mode


Dave

Finally it worked by following your link.

Thanks for your help.


Re: active directory integration with NNMi in secure mode


Well done, glad to hear it's working.

All the best

Dave Y
