
Working with Certificates in Global Network Management Environments

Note: NNMi 10.30 introduces a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available for use as soon as you install a new instance of NNMi 10.30 on a system. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates.

If you have upgraded to NNMi 10.30 and did not complete the steps in Configure an Upgraded NNMi Environment to Use the New Keystore, skip to Configuring Certificates in Global Network Management Environments.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in Configure an Upgraded NNMi Environment to Use the New Keystore.

Configuring Certificates in Global Network Management Environments

During NNMi installation, the installation script creates a self-signed certificate for the NNMi management server. This certificate contains an alias that includes the fully-qualified domain name of the node. The installation script adds this self-signed certificate to the NNMi management server’s nnm-key.p12 and nnm-trust.p12 files.

Complete the following steps to configure the global network management feature to use self-signed/CA-signed certificates based on the following diagram.

Before you begin, make sure that the required certificates are created on the regional manager systems. For details, see Replacing an Existing Certificate with a new Self-Signed or CA-Signed Certificate.

If you are using a mix of newly installed NNMi 10.30 instances and NNMi management servers upgraded to version 10.30 from an older version, follow the guidelines in Configure an Upgraded Environment to Use the New Keystore.

Global Network Management

  1. Change to the following directory on regional1 and regional2:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  2. Copy the nnm-trust.p12 files from the above locations on regional1 and regional2 to some temporary location on global1.
  3. Run the following command on global1 to merge the regional1 and regional2 certificates into global1’s nnm-trust.p12 file.

    Windows:

    1. nnmcertmerge.ovpl -truststore regional1_nnm-trust.p12_location
    2. nnmcertmerge.ovpl -truststore regional2_nnm-trust.p12_location

    Linux:

    1. nnmcertmerge.ovpl -truststore regional1_nnm-trust.p12_location
    2. nnmcertmerge.ovpl -truststore regional2_nnm-trust.p12_location
  4. Run the following command sequence on global1:

    1. Run ovstop on the global1 NNMi management server.
    2. Run ovstart on the global1 NNMi management server.

    When making file changes under High Availability (HA), you need to make the changes on both nodes in the cluster. For NNMi using HA configurations, if the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands.
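
A pre-merge check for steps 2 and 3, as an added example that is not part of the NNMi documentation or tooling. It assumes a SHA-256 digest of each nnm-trust.p12 was recorded on its regional manager with sha256sum and carried to global1 separately; the function name check_regional_truststores and the staging file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify trust stores copied from the regional managers
# before merging them into global1's nnm-trust.p12.
# Usage: check_regional_truststores FILE=SHA256 [FILE=SHA256 ...]
# Each SHA256 is the digest recorded on the regional manager itself
# (assumption: taken there with sha256sum and transferred separately).
check_regional_truststores() {
    seen=""
    for pair in "$@"; do
        file=${pair%=*}
        want=$(printf '%s' "${pair##*=}" | tr 'A-F' 'a-f')
        if [ ! -s "$file" ]; then
            echo "missing or empty: $file" >&2
            return 1
        fi
        got=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "digest mismatch, do not merge: $file" >&2
            return 2
        fi
        # Both regionals name the file nnm-trust.p12, so one copy can silently
        # overwrite the other in the temporary location on global1. Each trust
        # store holds its own server's certificate, so equal digests mean the
        # same file was staged twice.
        case " $seen " in
            *" $got "*)
                echo "same trust store staged twice: $file" >&2
                return 3 ;;
        esac
        seen="$seen $got"
    done
    # Every file verified: print the step 3 merge commands for the operator.
    for pair in "$@"; do
        echo "nnmcertmerge.ovpl -truststore ${pair%=*}"
    done
}
```

The function prints the merge commands only when every file passes; a non-zero return (1 missing, 2 digest mismatch, 3 duplicate) means the copies should be redone before anything is merged into global1's trust store.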

Configuring Certificates in Global Network Management Environments with Failover

During NNMi installation, the installation script creates a self-signed certificate for the NNMi management server. This certificate contains an alias that includes the fully-qualified domain name of the node. The installation script adds this self-signed certificate to the NNMi management server’s nnm-key.p12 and nnm-trust.p12 files.

If you are using a mix of newly installed NNMi 10.30 instances and NNMi management servers upgraded to version 10.30 from an older version, follow the guidelines in Configure an Upgraded Environment to Use the New Keystore.

This example uses the global network management configuration with the application failover feature as shown in the following diagram:

Global Network Management with Application Failover

Complete the following steps to configure the global network management feature to work with application failover based on the above diagram.

  1. Follow the instructions shown in Working with Certificates in Application Failover Environments for each application failover cluster shown in the above diagram.
  2. Complete the configuration for application failover shown in Application Failover Requirements.
  3. Follow the instructions shown in Configuring Certificates in Global Network Management Environments for regional1_active and regional2_active.