Manage Securities

The NNM iSPI Performance for Traffic enables you to configure single sign-on (SSO) to provide access to the NNM iSPI Performance for Traffic Configuration form from the NNMi console while maintaining a secure level of access.

You can also configure NNMi to map Public Key Infrastructure (PKI) certificates to NNMi user accounts. As a result, you can log on to the NNMi console without having to type in the NNMi user name and password on the Login page. However, you will be prompted to provide NNMi user name and password again when you try to launch the NNM iSPI Performance for Traffic Configuration form, unless you perform additional steps to reconcile the mapping with the iSPI.

Do not enable the Single Sign-On feature when NNMi and the NNM iSPI Performance for Traffic are configured to use the Public Key Infrastructure (PKI) authentication.

The NNM iSPI Performance for Traffic enables you to communicate securely with the NNMi management server and NPS. You can also configure the NNM iSPI Performance for Traffic to ensure secure communication between the Master Collector and Leaf Collectors.

Enable Single Sign-On for the NNM iSPI Performance for Traffic

This section describes the steps required to enable single sign-on (SSO) for the NNM iSPI Performance for Traffic. With SSO, when you log on to the NNMi console, you can access the NNM iSPI Performance for Traffic Configuration form without providing the logon credentials again.

Master Collector and NNMi Installed on the Same System

If you have installed the Master Collector on the NNMi management server:

  1. Log on to the Master Collector system as an administrator on Windows and as root on Linux.
  2. Navigate to the following directory:

    On Windows

    %NnmDataDir%\shared\nnm\conf\props

    On Linux

    /var/opt/OV/shared/nnm/conf/props

  3. Open the nms-ui.properties file with a text editor.
  4. Specify the value of the following entry as true in the nms-ui.properties file:

    com.hp.nms.ui.sso.isEnabled = true

  5. Run the following command:

    On Windows

    %NnmInstallDir%\bin\nnmsso.ovpl -reload

    On Linux

    /opt/OV/bin/nnmsso.ovpl -reload

  6. Run the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterssoreload.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterssoreload.ovpl

Master Collector and NNMi Installed on Separate Systems

If you have installed the Master Collector on a separate system (and not on the NNMi management server):

  1. Log on to the NNMi management server as an administrator on Windows and as root on Linux.
  2. Navigate to the following directory:

    On Windows

    %NnmDataDir%\shared\nnm\conf\props

    On Linux

    /var/opt/OV/shared/nnm/conf/props

  3. Open the nms-ui.properties file with a text editor.
  4. Specify the value of the following entry as true in the nms-ui.properties file:

    com.hp.nms.ui.sso.isEnabled = true

  5. Run the following command:

    On Windows

    %NnmInstallDir%\bin\nnmsso.ovpl -reload

    On Linux

    /opt/OV/bin/nnmsso.ovpl -reload

  6. Windows Only:

    • Make sure that the com.hp.nms.ui.sso.initString property in the %NnmDataDir%\shared\nnm\conf\props\nms-ui.properties file and the initString property in the %NnmDataDir%\shared\nnm\conf\lwssofmconf.xml file are set to the same value.

    • Make sure that the com.hp.nms.ui.sso.protectedDomains property in the %NnmDataDir%\shared\nnm\conf\props\nms-ui.properties file and the domain element in the %NnmDataDir%\shared\nnm\conf\lwssofmconf.xml file are set to the same value.
  7. Linux Only:

    • Make sure that the com.hp.nms.ui.sso.initString property in the /var/opt/OV/shared/nnm/conf/props/nms-ui.properties file and the initString property in the /var/opt/OV/shared/nnm/conf/lwssofmconf.xml file are set to the same value.
    • Make sure that the com.hp.nms.ui.sso.protectedDomains property in the /var/opt/OV/shared/nnm/conf/props/nms-ui.properties file and the domain element in the /var/opt/OV/shared/nnm/conf/lwssofmconf.xml file are set to the same value.
  8. Log on to the Master Collector system as an administrator on Windows and as root on Linux.
  9. Stop the Master Collector by running the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

    or

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstop.ovpl

  10. Create the following directory structure on the Master Collector system:

    On Windows

    %TrafficDataDir%\shared\nnm\conf\props

    On Linux

    /var/opt/OV/shared/nnm/conf/props
  11. Windows Only:

    • Copy the following file from the %NnmDataDir%\shared\nnm\conf directory on the NNMi management server to the %TrafficDataDir%\shared\nnm\conf directory on the Master Collector system:

      lwssofmconf.xml

    • Copy the following file from the %NnmDataDir%\shared\nnm\conf\props directory on the NNMi management server to the %TrafficDataDir%\shared\nnm\conf\props directory on the Master Collector system:

      nms-ui.properties

  12. Linux Only:

    • Copy the following file from the /var/opt/OV/shared/nnm/conf directory on the NNMi management server to the /var/opt/OV/shared/nnm/conf directory on the Master Collector system:

      lwssofmconf.xml

    • Copy the following file from the /var/opt/OV/shared/nnm/conf/props directory on the NNMi management server to the /var/opt/OV/shared/nnm/conf/props directory on the Master Collector system:

      nms-ui.properties

  13. Navigate to the following directory:

    On Windows

    %TrafficDataDir%\shared\nnm\conf\props

    On Linux

    /var/opt/OV/shared/nnm/conf/props

  14. Open the nms-ui.properties file with a text editor.
  15. Specify the value of the following entry as true in the nms-ui.properties file on the Master Collector:

    com.hp.nms.ui.sso.isEnabled = true

  16. Start the Master Collector by running the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

    or

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstart.ovpl

  17. Run the following command on the Master Collector system:

    On Windows

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterssoreload.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterssoreload.ovpl

  18. Clear the browser cookies and log on to the NNMi console again with a new browser session and as a non-system user.

  19. Launch the NNM iSPI Performance for Traffic Configuration form. With SSO enabled, you should be able to access the NNM iSPI Performance for Traffic Configuration form without providing logon credentials.
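
The consistency requirement in steps 6 and 7 applies again on the Master Collector after the files are copied in steps 11 and 12, and it can be checked with a script. The following is an added example, not part of the product documentation. It assumes that lwssofmconf.xml carries initString as an XML attribute or element of that name, that domains appear in domain elements, and that protectedDomains is a comma-separated list; the sample file contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

SSO = "com.hp.nms.ui.sso."


def read_property(props_text, key):
    """Return the value assigned to `key` in Java .properties text, or None."""
    pattern = r"^[ \t]*" + re.escape(key) + r"[ \t]*[=:](.*)$"
    matches = re.findall(pattern, props_text, re.MULTILINE)
    # java.util.Properties keeps the last assignment when a key is repeated.
    return matches[-1].strip() if matches else None


def xml_values(xml_text, name):
    """Collect every attribute value or element text called `name`."""
    values = set()
    for elem in ET.fromstring(xml_text).iter():
        if name in elem.attrib:
            values.add(elem.attrib[name].strip())
        local_tag = elem.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
        if local_tag == name and (elem.text or "").strip():
            values.add(elem.text.strip())
    return values


def check_sso_files(props_text, lwsso_xml):
    """Return a list of findings; an empty list means the two files agree.

    The initString is a shared secret, so findings never echo its value.
    """
    findings = []
    if (read_property(props_text, SSO + "isEnabled") or "").lower() != "true":
        findings.append(SSO + "isEnabled is not set to true")

    init_prop = read_property(props_text, SSO + "initString")
    if not init_prop or xml_values(lwsso_xml, "initString") != {init_prop}:
        findings.append(
            "initString differs between nms-ui.properties and lwssofmconf.xml")

    raw = read_property(props_text, SSO + "protectedDomains") or ""
    domains_prop = {d.strip().lower() for d in raw.split(",") if d.strip()}
    domains_xml = {d.lower() for d in xml_values(lwsso_xml, "domain")}
    if not domains_prop or domains_prop != domains_xml:
        findings.append(
            "protectedDomains differs from the domain element in lwssofmconf.xml")
    return findings


# Constructed sample contents, not a real configuration.
SAMPLE_PROPS = """\
com.hp.nms.ui.sso.isEnabled = true
com.hp.nms.ui.sso.initString = ExampleInitString0123
com.hp.nms.ui.sso.protectedDomains = example.com
"""

SAMPLE_XML = """\
<lwsso-config>
  <validation>
    <domain>example.com</domain>
    <crypto initString="ExampleInitString0123"/>
  </validation>
</lwsso-config>
"""

if __name__ == "__main__":
    for line in check_sso_files(SAMPLE_PROPS, SAMPLE_XML) or ["files are consistent"]:
        print(line)
```

Run the check against the file pair on the NNMi management server and again against the copies on the Master Collector system.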

Configure Access with Public Key Infrastructure Authentication

This section describes the steps required to configure the NNM iSPI Performance for Traffic to use the PKI authentication. With PKI authentication, you can access the NNM iSPI Performance for Traffic console without providing the logon credentials.

When NNMi is configured to use the PKI authentication, it is mandatory for the iSPI to use the PKI authentication. You must not configure only the iSPI to use the PKI authentication when NNMi continues to use the credentials-based authentication.

Configuring the iSPI to use the PKI authentication involves the following steps:

  1. Configuring NNMi
  2. Configuring a Certificate Validation Method
  3. Configuring the NNM iSPI Performance for Traffic

If you configure the NNM iSPI Performance for Traffic to use the PKI authentication when the Master Collector is in an HA cluster, you must perform the required configuration tasks on both the primary (active) and secondary (passive) servers.

  1. Configuring NNMi

    To configure NNMi to use the PKI authentication, follow the steps in the Configuring NNMi to Support Public Key Infrastructure Authentication section.

    After configuring NNMi to use the PKI authentication, if you do not perform Step 3, you will be prompted to provide NNMi user name and password when you try to launch the NNM iSPI Performance for Traffic Configuration form.

  2. Configuring a Certificate Validation Method

    When NNMi is configured to use the PKI authentication, unauthorized access using invalid certificates must be prevented. You must perform additional steps to configure NNMi to use a certificate validation method—Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).

  3. Configuring the NNM iSPI Performance for Traffic

    Configuring NNMi to use the PKI authentication essentially requires updating the nms-auth-config.xml file, which is available in NNMi’s configuration data directory (%nnmdatadir%\nmsas\NNM\conf on Windows; /var/opt/OV/nmsas/NNM/conf on UNIX/Linux). You must modify the nms-auth-config.xml file in the iSPI configuration data directory based on the updated nms-auth-config.xml file to enable the iSPI to use the PKI authentication.

Master Collector and NNMi Installed on the Same System

To configure the NNM iSPI Performance for Traffic to use the PKI authentication:

  1. Make sure that Step 1 and Step 2 are complete.
  2. Log on to the Master Collector system.
  3. Navigate to the following directory:

    On Windows

    %nnmdatadir%\nmsas\traffic-master\conf

    On Linux

    /var/opt/OV/nmsas/traffic-master/conf

  4. Open the nms-auth-config.xml file using a text editor.
  5. Modify the nms-auth-config.xml file on the Master Collector to enable PKI authentication.

    Make sure that you modify the iSPI nms-auth-config.xml file to match the changes done to the nms-auth-config.xml file on the NNMi management server.

  6. Save and close the file.
  7. Run the following command at the command prompt:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterauthreload.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterauthreload.ovpl

Master Collector and NNMi Installed on Separate Systems

When making file changes under HA, you must make the changes on both nodes in the cluster. For the Master Collector using HA configurations, if the change requires you to stop and restart the Master Collector system, you must put the nodes in maintenance mode before running the nmstrafficmasterstop.ovpl and nmstrafficmasterstart.ovpl commands.

To configure the NNM iSPI Performance for Traffic to use the PKI authentication:

  1. Log on to the Master Collector system.
  2. Navigate to the directory that contains the nnm.truststore files:

    On Windows

    %TrafficDataDir%\shared\nnm\certificates

    On Linux

    /var/opt/OV/shared/nnm/certificates

  3. You must import your trusted CA certificate (entire chain if required) into the nnm.truststore file.
  4. For example, the mycompany_ca.cer file contains the certificate you must use. Run the following command to import the CA certificate into the NNMi nnm.truststore file:

    On Windows

    %TrafficInstallDir%\nonOV\jdk\hpsw\bin\keytool -importcert -noprompt -keystore "%TrafficDataDir%\shared\nnm\certificates\nnm.truststore" -file mycompany_ca.cer -storepass ovpass -alias <aliasname>

    On Linux

    /opt/OV/nonOV/jdk/hpsw/bin/keytool -importcert -noprompt -keystore "/var/opt/OV/shared/nnm/certificates/nnm.truststore" -file mycompany_ca.cer -storepass ovpass -alias <aliasname>

  5. Navigate to the following directory:

    On Windows

    %TrafficDataDir%\nmsas\traffic-master\conf

    On Linux

    /var/opt/OV/nmsas/traffic-master/conf

  6. Open the nms-auth-config.xml file using a text editor.
  7. Modify the nms-auth-config.xml file on the Master Collector to enable PKI authentication.

    Make sure that you modify the iSPI nms-auth-config.xml file to match the changes done to the nms-auth-config.xml file on the NNMi management server.

  8. Save and close the file.
  9. Run the following command on the Master Collector system:

    On Windows

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterauthreload.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterauthreload.ovpl

Enable Security

This section describes the steps required to enable security on the NNM iSPI Performance for Traffic. You can enable secure communication between the following:

  • NNMi management server and the NNM iSPI Performance for Traffic
  • NNM iSPI Performance for Traffic and NPS
  • Master Collector and Leaf Collectors

Enable Secure Communication between NNMi and the NNM iSPI Performance for Traffic

Master Collector and NNMi Installed on the Same System

To enable secure communication between NNMi and the NNM iSPI Performance for Traffic when Master Collector is installed on the NNMi management server:

  1. Log on to the Master Collector system.
  2. Stop the Master Collector processes using the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstop.ovpl

  3. Navigate to the following directory:

    On Windows

    %NnmDataDir%\nmsas\traffic-master\conf

    On Linux

    /var/opt/OV/nmsas/traffic-master/conf

  4. Open the nnm.extended.properties file with a text editor.
  5. Set the value of the following properties to true:

    • com.hp.ov.nms.spi.traffic-master.spi.isSecure
    • com.hp.ov.nms.spi.traffic-master.Nnm.isSecure

    If you have enabled the Is Secure option when installing the NNM iSPI Performance for Traffic, you do not have to set the above properties.

    If the NNMi management server is configured for application failover, set the com.hp.ov.nms.spi.traffic-master.Nnm.secondary.isSecure property to true.

  6. Set the value of the following properties to https:

    • com.hp.ov.nms.spi.traffic-master.spi.secureprotocol
    • com.hp.ov.nms.spi.traffic-master.Nnm.secureprotocol

    If the NNMi management server is configured for application failover, set com.hp.ov.nms.spi.traffic-master.Nnm.secondary.secureprotocol to https.

  7. Set the value of the following properties to the HTTPS port number of the NNMi management server:

    • com.hp.ov.nms.spi.traffic-master.Nnm.secureport
    • com.hp.ov.nms.spi.traffic-master.Nnm.https.port

    If the NNMi management server is configured for application failover, set the value of the following properties to the HTTPS port number of the NNMi management server:

    • com.hp.ov.nms.spi.traffic-master.Nnm.secondary.secureport
    • com.hp.ov.nms.spi.traffic-master.Nnm.secondary.https.port
  8. Navigate to the following directory:

    On Windows

    %NnmInstallDir%\traffic-master\server\conf

    On Linux

    /opt/OV/traffic-master/server/conf

  9. Open the login-config.xml file using a text editor.
  10. Search for the following string:

    <application-policy name="nnm">

  11. Locate the <module-option name="nnmAuthUrl">http://<nnmhost>:<nnmport>/spilogin/auth</module-option> property and change the following:

    • http to https
    • HTTP port number of the NNMi management server to the HTTPS port number of the NNMi management server
  12. Save and close the file.
  13. Restart the Master Collector processes using the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstart.ovpl

Master Collector and NNMi Installed on Separate Systems

To enable secure communication between NNMi and the NNM iSPI Performance for Traffic when Master Collector is not installed on the NNMi management server:

  1. Log on to the Master Collector system.
  2. Stop the Master Collector processes using the following command:

    On Windows

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstop.ovpl

  3. Navigate to the following directory:

    On Windows

    %TrafficDataDir%\nmsas\traffic-master\conf

    On Linux

    /var/opt/OV/nmsas/traffic-master/conf

  4. Open the nnm.extended.properties file with a text editor.
  5. Set the value of the following properties to true:

    • com.hp.ov.nms.spi.traffic-master.spi.isSecure
    • com.hp.ov.nms.spi.traffic-master.Nnm.isSecure

    If you have enabled the Is Secure option when installing the NNM iSPI Performance for Traffic, you do not have to set the above properties.

    If the NNMi management server is configured for application failover, set the com.hp.ov.nms.spi.traffic-master.Nnm.secondary.isSecure property to true.

  6. Set the value of the following properties to https:

    • com.hp.ov.nms.spi.traffic-master.spi.secureprotocol
    • com.hp.ov.nms.spi.traffic-master.Nnm.secureprotocol

    If the NNMi management server is configured for application failover, set com.hp.ov.nms.spi.traffic-master.Nnm.secondary.secureprotocol to https.

  7. Set the value of the following properties to the HTTPS port number of the NNMi management server:

    • com.hp.ov.nms.spi.traffic-master.Nnm.secureport
    • com.hp.ov.nms.spi.traffic-master.Nnm.https.port

    If the NNMi management server is configured for application failover, set the value of the following properties to the HTTPS port number of the NNMi management server:

    • com.hp.ov.nms.spi.traffic-master.Nnm.secondary.secureport
    • com.hp.ov.nms.spi.traffic-master.Nnm.secondary.https.port
  8. Navigate to the following directory:

    On Windows

    %TrafficInstallDir%\traffic-master\server\conf

    On Linux

    /opt/OV/traffic-master/server/conf

  9. Open the login-config.xml file using a text editor.
  10. Search for the following string:

    <application-policy name="nnm">

  11. Locate the <module-option name="nnmAuthUrl">http://<nnmhost>:<nnmport>/spilogin/auth</module-option> property and change the following:

    • http to https
    • HTTP port number of the NNMi management server to the HTTPS port number of the NNMi management server
  12. Save and close the file.
  13. Log on to the NNMi management server.
  14. Navigate to the following directory:

    On Windows

    %NNMDataDir%\shared\nnm\certificates

    On Linux

    /var/opt/OV/shared/nnm/certificates

  15. Copy the nnm.cert file to a temporary directory on the Master Collector system.

    If the nnm.cert file is not available in the %NnmDataDir%\shared\nnm\certificates\ folder:

    1. Run the following command to generate the nnm.cert file:

      On Windows

      %NnmInstallDir%\bin\nnmkeytool.ovpl -export -file c:\nnm.cert -keystore nnmkey.p12 -storetype PKCS12 -storepass nnmkeypass -alias <nnmi_FQDN>.selfsigned

      On Linux

      $NnmInstallDir/bin/nnmkeytool.ovpl -export -file /tmp/nnm.cert -keystore nnmkey.p12 -storetype PKCS12 -storepass nnmkeypass -alias <nnmi_FQDN>.selfsigned

      In this instance, <nnmi_FQDN> is the FQDN of the NNMi management server.

    2. Copy the nnm.cert file to a temporary directory on the Master Collector system.
  16. Run the following command on the Master Collector to add the certificate to the truststore:

    On Windows

    %TrafficInstallDir%\nonOV\jdk\hpsw\bin\keytool -importcert -file "<tmp>/nnm.cert" -keystore "%TrafficDataDir%/shared/nnm/certificates/nnm.truststore" -storepass ovpass -noprompt -alias <nnmi_FQDN>

    On Linux

    /opt/OV/nonOV/jdk/hpsw/bin/keytool -importcert -file "<tmp>/nnm.cert" -keystore "/var/opt/OV/shared/nnm/certificates/nnm.truststore" -storepass ovpass -noprompt -alias <nnmi_FQDN>

    In this instance, <nnmi_FQDN> is the FQDN of the NNMi management server.

  17. Run the following command on the Master Collector to verify that the certificates are added to the truststore:

    On Windows

    %TrafficInstallDir%\nonOV\jdk\hpsw\bin\keytool -list -keystore "%TrafficDataDir%\shared\nnm\certificates\nnm.truststore" -storepass ovpass

    On Linux

    /opt/OV/nonOV/jdk/hpsw/bin/keytool -list -keystore "/var/opt/OV/shared/nnm/certificates/nnm.truststore" -storepass ovpass

  18. Restart the Master Collector processes using the following command:

    On Windows

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstart.ovpl
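
The settings changed in steps 5 through 11 have to agree with each other: a leftover http URL or a port that differs between properties is easy to miss. The following added example (not part of the product documentation) audits the text of nnm.extended.properties and login-config.xml against those steps; the host name, port, login-module class and XML layout around application-policy in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PREFIX = "com.hp.ov.nms.spi.traffic-master."


def load_properties(text):
    """Parse the key=value lines of a Java .properties file."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props


def auth_url(login_config_xml):
    """Return nnmAuthUrl from <application-policy name="nnm">, or None."""
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        if policy.get("name") == "nnm":
            for option in policy.iter("module-option"):
                if option.get("name") == "nnmAuthUrl":
                    return (option.text or "").strip()
    return None


def audit_secure_settings(props_text, login_config_xml, failover=False):
    """Return findings; an empty list means the files match steps 5 to 11."""
    props = load_properties(props_text)
    findings = []

    def expect(key, wanted):
        actual = props.get(PREFIX + key)
        if actual is None or actual.lower() != wanted:
            findings.append(f"{PREFIX}{key} is {actual!r}, expected {wanted!r}")

    # The secondary properties only apply with NNMi application failover.
    nnm_nodes = ["Nnm", "Nnm.secondary"] if failover else ["Nnm"]
    for scope in ["spi"] + nnm_nodes:
        expect(scope + ".isSecure", "true")
        expect(scope + ".secureprotocol", "https")

    for node in nnm_nodes:
        secure_port = props.get(PREFIX + node + ".secureport")
        https_port = props.get(PREFIX + node + ".https.port")
        if not secure_port or not secure_port.isdigit() or secure_port != https_port:
            findings.append(
                f"{PREFIX}{node}.secureport and .https.port must both be the HTTPS port")

    url = auth_url(login_config_xml)
    if url is None:
        findings.append("nnmAuthUrl not found under application-policy 'nnm'")
    else:
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:  # non-numeric or out-of-range port in the URL
            port = None
        if parts.scheme != "https":
            findings.append("nnmAuthUrl does not use https")
        elif str(port) != props.get(PREFIX + "Nnm.secureport"):
            findings.append("nnmAuthUrl port differs from Nnm.secureport")
    return findings


# Constructed sample contents, not taken from a real installation.
SAMPLE_PROPS = """\
com.hp.ov.nms.spi.traffic-master.spi.isSecure=true
com.hp.ov.nms.spi.traffic-master.Nnm.isSecure=true
com.hp.ov.nms.spi.traffic-master.spi.secureprotocol=https
com.hp.ov.nms.spi.traffic-master.Nnm.secureprotocol=https
com.hp.ov.nms.spi.traffic-master.Nnm.secureport=443
com.hp.ov.nms.spi.traffic-master.Nnm.https.port=443
"""

SAMPLE_LOGIN_CONFIG = """\
<policy>
  <application-policy name="nnm">
    <authentication>
      <login-module code="example.PlaceholderLoginModule" flag="required">
        <module-option name="nnmAuthUrl">https://nnmi.example.com:443/spilogin/auth</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

if __name__ == "__main__":
    print(audit_secure_settings(SAMPLE_PROPS, SAMPLE_LOGIN_CONFIG) or "settings are consistent")
```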

Enable Secure Communication between Master Collector and NPS

To enable secure communication between the Master Collector and NPS when NPS is running in secure mode:

  1. Export the third-party Cognos certificate

    To export the Cognos certificate using the browser keystore:

    1. Log on to NPS directly, by pointing your browser at the following URL:

      https://<fully_qualified_domain_name>:<nps_https_port>

      In this instance, <fully_qualified_domain_name> is the fully qualified domain name of the NPS system and <nps_https_port> is the HTTPS port that NPS uses for secure communication. The default port that NPS uses for secure communication is 9305.

    2. View the certificate and export it as a DER-encoded binary file. Name the file as trafficcert.cer.

      Ignore any warning message that you may see.

    3. Copy the exported certificate to a temporary location on the Master Collector.
  2. Import the third-party Cognos certificate to nnm.truststore.

    To import the certificate to the nnm.truststore:

    1. Stop the Master Collector processes using the following command:

      On Windows

      %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

      or

      %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

      On Linux

      /opt/OV/traffic-master/bin/nmstrafficmasterstop.ovpl

      If you have installed the Master Collector on the NNMi management server, you must stop the NNMi processes before importing the certificate into the nnm.truststore by running the ovstop -c ovjboss command.

    2. Import the Cognos certificate into the nnm.truststore file.

      For example, the trafficcert.cer file contains the certificate you must use. Run the following command to import the CA certificate into the nnm.truststore file:

      On Windows

      %NnmInstallDir%\nonOV\jdk\hpsw\bin\keytool -importcert -noprompt -keystore "%NnmDataDir%\shared\nnm\certificates\nnm.truststore" -file trafficcert.cer -storepass ovpass -alias cognos

      or

      %TrafficInstallDir%\nonOV\jdk\hpsw\bin\keytool -importcert -noprompt -keystore "%TrafficDataDir%\shared\nnm\certificates\nnm.truststore" -file trafficcert.cer -storepass ovpass -alias cognos

      On Linux

      /opt/OV/nonOV/jdk/hpsw/bin/keytool -importcert -noprompt -keystore "/var/opt/OV/shared/nnm/certificates/nnm.truststore" -file trafficcert.cer -storepass ovpass -alias cognos

      Ignore any warning message that you may see.

      The keytool used should be the Oracle implementation and not the GNU implementation.

      If you have stopped NNMi processes in substep 1, you must start the NNMi processes after importing the certificate into the nnm.truststore by running the ovstart -c ovjboss command.

    3. Start the Master Collector processes using the following command:

      On Windows

      %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

      or

      %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

      On Linux

      /opt/OV/traffic-master/bin/nmstrafficmasterstart.ovpl

Enable Secure Communication between the Master and the Leaf Collector

During the Leaf Collector installation, the installation script creates a self-signed certificate for the Leaf Collector system. This certificate contains an alias that includes the fully-qualified domain name of the node. The installation script adds this self-signed certificate to the nnm.keystore, nnm.truststore, and nnm.cert files on the Leaf Collector system.

After installing the Master Collector and the Leaf Collector, you can use the Leaf Collector system’s self-signed certificate to enable the Master Collector to use the HTTPS protocol to communicate with Leaf Collector systems.

To enable secure communication between the Master and the Leaf Collectors:

  1. Add the Leaf Collector Certificate to the Trusted Certificates on the Master Collector.

    When Master Collector and Leaf Collector are installed on the same system, no additional steps are required to add Leaf Collector certificates to the trusted certificates.

    When Master Collector and Leaf Collector are installed on separate systems, follow these steps for each Leaf Collector system:

    1. Log on to the Leaf Collector system.
    2. Navigate to the directory that contains the Leaf Collector certificate file, nnm.cert:

      On Windows

      %NnmDataDir%\shared\nnm\certificates

      or

      %TrafficDataDir%\shared\nnm\certificates

      On Linux

      /var/opt/OV/shared/nnm/certificates

    3. Copy the Leaf Collector certificate to the Master Collector system.

      When making file changes under HA, you must make the changes on both nodes in the cluster. For the Master Collector using HA configurations, if the change requires you to stop and restart the Master Collector system, you must put the nodes in maintenance mode before running the nmstrafficmasterstop.ovpl and nmstrafficmasterstart.ovpl commands.

    4. Stop the Master Collector by running the following command:

      On Windows

      %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

      or

      %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

      On Linux

      /opt/OV/traffic-master/bin/nmstrafficmasterstop.ovpl

      If you have installed the Master Collector on the NNMi management server, you must stop the NNMi processes before importing the certificate into the nnm.truststore by running the ovstop -c ovjboss command.

    5. Import the Leaf Collector certificate into the nnm.truststore file.

      For example, the leaf.cert file contains the certificate from the Leaf Collector that you must use.

      The leaf.cert file can be the self-signed certificate or a signed certificate from the Certificate Authority that you need to import.

      Run the following command to import the CA certificate into the nnm.truststore file:

      On Windows

      %NnmInstallDir%\nonOV\jdk\hpsw\bin\keytool -importcert -noprompt -keystore "%NnmDataDir%\shared\nnm\certificates\nnm.truststore" -file leaf.cert -storepass ovpass -alias <leaf_FQDN>

      or

      %TrafficInstallDir%\nonOV\jdk\hpsw\bin\keytool -importcert -noprompt -keystore "%TrafficDataDir%\shared\nnm\certificates\nnm.truststore" -file leaf.cert -storepass ovpass -alias <leaf_FQDN>

      On Linux

      /opt/OV/nonOV/jdk/hpsw/bin/keytool -importcert -noprompt -keystore "/var/opt/OV/shared/nnm/certificates/nnm.truststore" -file leaf.cert -storepass ovpass -alias <leaf_FQDN>

      If you have stopped NNMi processes in substep 4, you must start the NNMi processes after importing the certificate into the nnm.truststore.

    6. Start the Master Collector by running the following command:

      On Windows

      %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

      or

      %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

      On Linux

      /opt/OV/traffic-master/bin/nmstrafficmasterstart.ovpl

  2. Log on to the NNM iSPI Performance for Traffic Configuration UI with the system user account to enable secure communication between the Master Collector and the Leaf Collector. Follow the steps listed in the Configuring Leaf Collector Systems section in the Network Node Manager iSPI Performance for Traffic Software Online Help.
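
The keytool -importcert commands on this page run with -noprompt, so keytool does not show the certificate for confirmation before trusting it. The following added example (not part of the product documentation) computes the SHA-256 fingerprint of a copied certificate file such as nnm.cert, leaf.cert or trafficcert.cer so it can be compared with the value read on the source system before the import; the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_blobs(data):
    """Return the DER bytes of each certificate in a DER file or PEM bundle."""
    bodies = PEM_BLOCK.findall(data)
    if bodies:
        return [base64.b64decode(b"".join(body.split()), validate=True)
                for body in bodies]
    if not data.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER or PEM certificate file")
    return [data]


def sha256_fingerprints(data):
    """SHA-256 over each DER encoding, formatted as colon-separated hex pairs."""
    prints = []
    for der in certificate_blobs(data):
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return prints


def normalise(fingerprint):
    """Strip colons and whitespace; reject anything that is not 64 hex digits."""
    cleaned = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def safe_to_import(data, trusted_fingerprints):
    """True only if every certificate in the file matches a trusted fingerprint.

    `trusted_fingerprints` are values obtained out of band, for example read
    on the console of the system that owns the certificate.
    """
    trusted = {normalise(fp) for fp in trusted_fingerprints}
    found = [normalise(fp) for fp in sha256_fingerprints(data)]
    return bool(found) and all(fp in trusted for fp in found)


# Constructed stand-in bytes, not a real certificate: a fingerprint is a hash
# of the file's DER bytes, so this is enough to exercise the comparison.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    expected = sha256_fingerprints(SAMPLE_DER)  # stands in for the out-of-band value
    print(sha256_fingerprints(SAMPLE_PEM)[0])
    print("import allowed:", safe_to_import(SAMPLE_PEM, expected))
```

A file that contains several certificates is accepted only when every one of them matches a trusted fingerprint.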

Use a Signed Certificate from a Certificate Authority

To use a signed certificate from a Certificate Authority instead of a self-signed certificate on the Master Collector:

  1. Log on to the Master Collector system.
  2. Stop the Master Collector by running the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

    or

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstop.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstop.ovpl

  3. Follow steps similar to the steps listed in the Generating a Certificate Authority Certificate section.

  4. Navigate to the following directory on the Master Collector:

    On Windows

    %NnmDataDir%\nmsas\traffic-master

    or

    %TrafficDataDir%\nmsas\traffic-master

    On Linux

    /var/opt/OV/nmsas/traffic-master

  5. Open the server.properties file using a text editor.
  6. Add the following property:

    nmsas.server.security.keystore.alias=<new alias name>

    In this instance, <new alias name> is the alias name that you provide when importing the signed certificate.

  7. Save and close the file.
  8. Start the Master Collector by running the following command:

    On Windows

    %NnmInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

    or

    %TrafficInstallDir%\traffic-master\bin\nmstrafficmasterstart.ovpl

    On Linux

    /opt/OV/traffic-master/bin/nmstrafficmasterstart.ovpl

To use a signed certificate from a Certificate Authority instead of a self-signed certificate on the Leaf Collector:

  1. Log on to the Leaf Collector system.
  2. Stop the Leaf Collector by running the following command:

    On Windows

    %NnmInstallDir%\traffic-leaf\bin\nmstrafficleafstop.ovpl

    or

    %TrafficInstallDir%\traffic-leaf\bin\nmstrafficleafstop.ovpl

    On Linux

    /opt/OV/traffic-leaf/bin/nmstrafficleafstop.ovpl

  3. Follow steps similar to the steps listed in the Generating a Certificate Authority Certificate section.

  4. Navigate to the following directory on the Leaf Collector:

    On Windows

    %NnmDataDir%\nmsas\traffic-leaf

    or

    %TrafficDataDir%\nmsas\traffic-leaf

    On Linux

    /var/opt/OV/nmsas/traffic-leaf

  5. Open the server.properties file using a text editor.
  6. Add the following property:

    nmsas.server.security.keystore.alias=<new alias name>

    In this instance, <new alias name> is the alias name that you provide when importing the signed certificate.

  7. Save and close the file.

  8. Start the Leaf Collector by running the following command:

    On Windows

    %NnmInstallDir%\traffic-leaf\bin\nmstrafficleafstart.ovpl

    or

    %TrafficInstallDir%\traffic-leaf\bin\nmstrafficleafstart.ovpl

    On Linux

    /opt/OV/traffic-leaf/bin/nmstrafficleafstart.ovpl