Configuring an SSL Connection to the Directory Service

Note NNMi 10.30 introduces a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available for use as soon as you install a new instance of NNMi 10.30 on a system. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in Configure an Upgraded NNMi Environment to Use the New Keystore.

If you have upgraded to NNMi 10.30 and did not complete the steps in Configure an Upgraded NNMi Environment to Use the New Keystore, skip to Configuring an SSL Connection to the Directory Service.

By default, when directory service communications are enabled, NNMi uses the LDAP protocol for retrieving data from a directory service. If your directory service requires an SSL connection, you must enable the SSL protocol to encrypt the data that flows between NNMi and the directory service.

SSL requires a trust relationship between the directory service host and the NNMi management server. To create this trust relationship, add a certificate to the NNMi truststore. The certificate confirms the identity of the directory service host to the NNMi management server.

To install a truststore certificate for SSL communications, follow these steps:

  1. Obtain your company’s truststore certificate from the directory server. The directory service administrator should be able to give you a copy of this text file.
  2. Change to the directory that contains the NNMi truststore:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates

    Run all commands in this procedure from the certificates directory.

  3. Import your company’s truststore certificate into the NNMi truststore:

    Note Import the root CA certificate of the LDAP directory server (without intermediate certificates) into the NNMi truststore.

    1. Run the following command:

      • Windows:

        %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias nnmi_ldap -storetype PKCS12 -keystore nnm-trust.p12 -file <Directory_Server_Certificate.txt>

      • Linux:

        $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias nnmi_ldap -storetype PKCS12 -keystore nnm-trust.p12 -file <Directory_Server_Certificate.txt>

        Where <Directory_Server_Certificate.txt> is your company’s truststore certificate.

    2. When prompted for the keystore password, enter: ovpass
    3. When prompted to trust the certificate, enter: y

      Example output for importing a certificate into the truststore

      The output from this command is of the form:

      Owner: CN=NNMi_server.example.com
      Issuer: CN=NNMi_server.example.com
      Serial number: 494440748e5
      Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
      Certificate fingerprints:
      MD5:  29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
      SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
      Trust this certificate? [no]:  y
      Certificate was added to keystore

  4. Examine the contents of the truststore:

    • Windows:

      %NnmInstallDir%\bin\nnmkeytool.ovpl -list -storetype PKCS12 -keystore nnm-trust.p12
    • Linux:

      $NnmInstallDir/bin/nnmkeytool.ovpl -list -storetype PKCS12 -keystore nnm-trust.p12

    When prompted for the keystore password, enter: ovpass

    Example truststore output

    The truststore output is of the form:

    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    nnmi_ldap, Nov 14, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

    Tip The truststore can include multiple certificates.

  5. Restart the NNMi management server.

    1. Run the ovstop command on the NNMi management server.

    2. Run the ovstart command on the NNMi management server.

      Note When making file changes under High Availability (HA), you must make the changes on both nodes in the cluster. If the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands. See Maintenance Mode for more information.
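As an added example that is not part of the NNMi documentation, the following stdlib-only Python check can be run against the certificate text file before step 3: it confirms that the file holds exactly one self-signed certificate (issuer equals subject, which is what separates the root CA from any intermediate in a chain file, as the Note in step 3 requires) and reports its SHA-256 fingerprint so you can compare it with the value the directory administrator gave you out of band before answering y at the "Trust this certificate?" prompt. The function names and the two sample certificates are assumptions of this example; the samples are constructed, unsigned DER skeletons, not real certificates, and nnmkeytool.ovpl is not invoked.

```python
import base64, hashlib, re
# Minimal DER walking: enough to reach the issuer and subject Name fields of an
# X.509 Certificate (RFC 5280 field order) without third-party libraries.
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body
def _children(buf):
    out, pos = [], 0                                   # (tag, value) elements of a constructed value
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length: low bits = byte count
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def issuer_and_subject(der):
    cert = _children(der)[0][1]                        # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # tbsCertificate elements
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                  # serial, sigAlg, issuer, validity, subject

def inspect_pem_file(pem):
    """For every certificate in the file: (is_self_signed, SHA-256 fingerprint)."""
    results = []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S):
        der = base64.b64decode("".join(b64.split()))
        issuer, subject = issuer_and_subject(der)
        fp = hashlib.sha256(der).hexdigest().upper()
        results.append((issuer == subject, ":".join(fp[i:i + 2] for i in range(0, 64, 2))))
    return results
def ok_for_nnmi_truststore(pem):
    """True only when the file holds exactly one self-signed (root CA) certificate."""
    r = inspect_pem_file(pem)
    return len(r) == 1 and r[0][0]

# Constructed, unsigned certificate skeletons (not real certificates) so the checks
# run offline; in practice pass the text file received from the directory admin.
def _fake_cert(issuer_cn, subject_cn):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"081028171621Z") + _tlv(0x17, b"281028171621Z"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name(issuer_cn)
           + validity + name(subject_cn) + _tlv(0x30, b""))
    der = _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

ROOT_PEM = _fake_cert("Example Root CA", "Example Root CA")             # self-signed root: import this
INTERMEDIATE_PEM = _fake_cert("Example Root CA", "Example Issuing CA")  # intermediate: not for the truststore
```

The check compares the Name fields only; it does not verify the signature or the BasicConstraints extension, so a cert that passes is a candidate for import, not a validated CA.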