Configure NNMi for PKI User Authentication (X.509 Certificate Authentication)

Before configuring NNMi for PKI user authentication, note that user account names must match the user names contained in the certificates. Set roles using one of the following methods:

  • To use LDAP, see Integrate NNMi with a Directory Service through LDAP.
  • To use the NNMi console to add a user account, select the Directory Service Account check box on the User Account form and leave the Password field blank. Then, use the user account name to match the previous mapping rule.

For NNMi, enable and customize PKI user authentication in the following file:

  • Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml
  • Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml


To enable NNMi to require PKI user authentication, also referred to as X.509 Certificate Authentication, follow these steps:

  1. Edit the following file:

    • Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml
    • Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml
  2. Search for the following text block:

    <realm name="console">
    <mode>FORM</mode>
    </realm>
  3. Edit the located lines to read:

    <realm name="console">
    <mode>X509</mode>
    </realm>
  4. Search for the following text block:

    <principalMapping>
  5. Configure NNMi to extract (map) the principal by editing the items in the <principalMapping> section. You must know the format of your certificate to complete this step.

    Note NNMi supports several options for extracting a principal and those options can be specified in any order and in any number.

    • The attribute element extracts a field from the SubjectDN; for example, EMAILADDRESS.
      • If you are using LDAP, the extracted name must match the name the LDAP configuration expects. For more information, see Integrating NNMi with a Directory Service through LDAP.
      • If you use internal accounts, the name must match the NNMi user account name. If the account is used for PKI user authentication only, create it as a “Directory Service Account” without a password (on the NNMi User Account form, select the Directory Service Account check box and leave the Password field blank). If the account is used for both PKI user authentication and password logon, create it as a standard account with a password.
    • The regexp element runs the regular expression against the whole SubjectDN.
    • The subjectAlternativeName (SAN) element can be used with type rfc822Name (an email address).
    • The subjectAlternativeName element can also be used with type otherName and an additional oid attribute. This option is commonly used for the Microsoft Universal Principal Name (UPN) field.

    In addition to the examples provided in the nms-auth-config.xml file’s <principalMapping> section, see the following examples:

    Example 1: Edit the following lines to read as follows for using the EMAIL field:

    <!-- The attribute element extracts a field from the SubjectDN; 
    for example, EMAILADDRESS, CN, or UID. -->
    <attribute>EMAILADDRESS</attribute>

    Example 2: Edit the following lines as an example of using a more complex regular expression to extract part of the field, as in extracting just part of the EMAILADDRESS field. To extract just the name part of the EMAILADDRESS field, use the following regular expression:

    <!-- Extract the name part of the email field which appears first 
    in the subjectDN. If the subject is EMAILADDRESS=first.last@example.com, 
    CN=First Last, OU=MyGroup, O=My Company, the mapped username would be 
    "first.last" -->
    <regexp group="1">EMAILADDRESS=([^@]+).*</regexp>

    Example 3: Edit the following lines as an example of using a more complex regular expression to match fields in the middle of the string:

    <!--Extract the CN field which appears anywhere in the subjectDN.
    Note the optional group before the CN which matches the 
    previous fields. If the subject is EMAILADDRESS=first.last@example.com, 
    CN=First Last, OU=MyGroup, O=My Company

    Example 4: Edit the following lines to read as follows to extract the email address from the Subject Alternative Name:

    <!-- Extract the first match of type rfc822Name from the Subject 
    Alternative Name field of the certificate. --> 
    <subjectAlternativeName type="rfc822Name" />

    Example 5: Edit the following lines to read as follows to extract a particular OID from the Subject Alternative Name:

    <!-- Extract the first match of type otherName with the supplied 
    OID from the Subject Alternative Name field of the certificate. -->
    <subjectAlternativeName type="otherName" oid="1.3.6.1.4.1.311.20.2.3" />

    Note The logging command to enable debug logging is as follows:

    nnmsetlogginglevel.ovpl com.hp.ov.nms.as.server.auth.x509.NmsCertMapper FINEST
  6. Save your changes.
  7. If you have already installed your trusted CA certificates into the truststore, run the following script for the changes to the nms-auth-config.xml file to take immediate effect:

    nnmsecurity.ovpl -reloadAuthConfig

    Otherwise, if you have not yet installed your certificates, proceed with the following steps.

  8. Change to the directory on the NNMi management server that contains the nnm-trust.p12 file:

    Windows: %NnmDataDir%\shared\nnm\certificates

    Linux: $NnmDataDir/shared/nnm/certificates

  9. Import your trusted CA certificate into the nnm-trust.p12 file. Suppose the example_ca.cer file contains the certificate you must use. Run the following command to import the CA certificate into the NNMi nnm-trust.p12 file:

    Windows:

    %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias myca -storetype PKCS12 -keystore nnm-trust.p12 -file example_ca.cer

    Linux:

    $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias myca -storetype PKCS12 -keystore nnm-trust.p12 -file example_ca.cer
  10. Restart the NNMi services.

    1. Run the ovstop command on the NNMi management server.
    2. Run the ovstart command on the NNMi management server.

Note When making file changes under HA, you must make the changes on both nodes in the cluster. For NNMi using HA configurations, if the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands.

NNMi is now configured to use PKI user authentication. You can no longer use passwords to log on to NNMi. Check that your LDAP and NNMi user accounts are working correctly, and that the certificates and accounts are configured correctly for user access to NNMi.
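The principal mapping rules in step 5 decide which string from the client certificate becomes the NNMi user name, so a mismatch there is the usual cause of a denied logon after switching the console realm to X509. The following Python script is an added illustration, not NNMi code and not the logic of NmsCertMapper: it models the three element types from nms-auth-config.xml (attribute, regexp with a group attribute, and subjectAlternativeName with type and oid) against a constructed certificate whose SubjectDN is the one used in the page's Example 2. The CN-anywhere pattern, the first-match-wins evaluation order, and the dictionary layout of the SAN entries are assumptions made for this example; check the mapping you actually configure with the FINEST logging command from step 5.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the fields NNMi reads from a client certificate.
# Real certificates are DER-encoded; this example only models the parsed values.
@dataclass
class ClientCert:
    subject_dn: str
    # Each SAN entry: {"type": "rfc822Name", "value": ...} or
    # {"type": "otherName", "oid": "...", "value": ...}  (assumed layout)
    san: list = field(default_factory=list)


def split_dn(dn):
    """Split a SubjectDN string into RDN strings, ignoring escaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def map_attribute(cert, name):
    """<attribute>NAME</attribute>: value of the first RDN of that type."""
    for rdn in split_dn(cert.subject_dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == name.upper():
            return value.strip()
    return None


def map_regexp(cert, pattern, group=1):
    """<regexp group="N">PATTERN</regexp>: run PATTERN against the whole SubjectDN
    and return capture group N (anchored at the start, as the page's patterns are)."""
    match = re.match(pattern, cert.subject_dn)
    return match.group(group) if match else None


def map_san(cert, san_type, oid=None):
    """<subjectAlternativeName type="..." oid="..."/>: first SAN entry of that type
    (and, for otherName, of that OID)."""
    for entry in cert.san:
        if entry["type"] != san_type:
            continue
        if san_type == "otherName" and entry.get("oid") != oid:
            continue
        return entry["value"]
    return None


def map_principal(cert, rules):
    """Apply mapping rules in order and return the first principal found.
    Assumption for this example: the first rule that yields a value wins."""
    for rule in rules:
        kind, args = rule[0], rule[1:]
        if kind == "attribute":
            principal = map_attribute(cert, *args)
        elif kind == "regexp":
            principal = map_regexp(cert, *args)
        elif kind == "subjectAlternativeName":
            principal = map_san(cert, *args)
        else:
            raise ValueError(f"unknown principalMapping element: {kind}")
        if principal:
            return principal
    return None  # no principal: NNMi has no account name to look up, logon is refused


# Constructed sample matching the SubjectDN in the page's Example 2.
SAMPLE_CERT = ClientCert(
    subject_dn="EMAILADDRESS=first.last@example.com, CN=First Last, OU=MyGroup, O=My Company",
    san=[
        {"type": "rfc822Name", "value": "first.last@example.com"},
        # Microsoft UPN OID from the page's Example 5; the UPN value is constructed.
        {"type": "otherName", "oid": "1.3.6.1.4.1.311.20.2.3", "value": "first.last@corp.example"},
    ],
)

# A constructed certificate with no email fields at all (failure mode).
CN_ONLY_CERT = ClientCert(subject_dn="CN=Only Name, O=My Company")

# Rule set mirroring Example 2 followed by Example 4; element names as in nms-auth-config.xml.
EXAMPLE_RULES = [
    ("regexp", r"EMAILADDRESS=([^@]+).*", 1),
    ("subjectAlternativeName", "rfc822Name", None),
]

# Assumed pattern for Example 3: optional group for any RDNs before the CN, CN in group 2.
CN_ANYWHERE = r"(.*,\s*)?CN=([^,]+).*"

if __name__ == "__main__":
    print("attribute EMAILADDRESS :", map_attribute(SAMPLE_CERT, "EMAILADDRESS"))
    print("regexp group 1         :", map_regexp(SAMPLE_CERT, r"EMAILADDRESS=([^@]+).*", 1))
    print("CN anywhere (group 2)  :", map_regexp(SAMPLE_CERT, CN_ANYWHERE, 2))
    print("SAN rfc822Name         :", map_san(SAMPLE_CERT, "rfc822Name"))
    print("SAN otherName (UPN)    :", map_san(SAMPLE_CERT, "otherName", "1.3.6.1.4.1.311.20.2.3"))
    print("rules on sample cert   :", map_principal(SAMPLE_CERT, EXAMPLE_RULES))
    print("rules on CN-only cert  :", map_principal(CN_ONLY_CERT, EXAMPLE_RULES))
```

The CN-only certificate shows why the account name must be derivable from every certificate you intend to accept: with the Example 2 and Example 4 rules it produces no principal at all, so the user is refused even though the certificate chains to a trusted CA. Choosing the mapping element that matches how your CA populates certificates is what makes the account name match, which is the precondition stated at the top of this page.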

Log on to NNMi using a Client Certificate

To log on to NNMi using a client certificate, follow these steps:

  1. Ensure that your client certificate is accessible in your browser.
  2. Point your browser to https://<hostname>/nnm.
  3. NNMi permits you access and assigns user roles based on your NNMi or LDAP account configuration.

Revoke Access for a User Having a Client Certificate

To remove a user from accessing NNMi, do one of the following:

  • If you configured a user for access using an LDAP account, remove the user from all LDAP groups associated with NNMi.
  • If you configured a user for access using NNMi user accounts, remove the user from the user group and remove their user account.

In either case, the user can no longer log on to the NNMi console.

Special Considerations When Using PKI User Authentication in Global Network Management Environments

If you use NNMi in a Global Network Management configuration, configure PKI user authentication for all of the NNMi management servers included in the Global Network Management Configuration.