Use TLS in OMi
Transport Layer Security (TLS) technology secures communication by encrypting data and providing authentication. Without TLS encryption, packets of information travel over networks in full view.
Every TLS certificate is created for a particular server in a specific domain by a Certificate Authority (CA). When an application user or data collector accesses an OMi server, TLS authenticates the server, and can also be configured to authenticate the client. Additionally, OMi establishes an encryption method and a unique key for the communication session.
OMi fully supports the TLS protocol version 1.0 or later. The TLS channel is configured on the OMi servers/clients as required.
For detailed information about how to set up TLS for database connections, see the OMi Database Guide.
Learn more
TLS provides OMi with the following:
- Server authentication. Provides authentication of the OMi server used for communication.
- Client authentication (optional). Provides authentication of the client communicating with the OMi server. The client could be an application user or a data collector.
- Encrypted channel. Encrypts the communication between the client and the server using a variety of ciphers.
- Data integrity. Helps ensure that the information sent by one side over TLS is the same information received by the other side.
Secure communication via HTTPS can terminate either at the load balancer/reverse proxy or on the OMi gateway server.
If it terminates on the OMi gateway server, the web server on the gateway server is configured to support/require TLS. Otherwise, if TLS terminates on the load balancer/reverse proxy, then only the load balancer/reverse proxy needs to be configured for secure communication.
If there is a load balancer/reverse proxy in front of an OMi gateway server, it is recommended to have TLS terminate on the load balancer/reverse proxy. For BBC channels, see the BBC recommendations and configuration instructions in Configure BBC port 383 connection on reverse proxy.
The following table addresses TLS termination in the High Availability environment:
TLS Termination On | TLS on Load Balancer | TLS on Gateway | Advantages/Disadvantages |
---|---|---|---|
Load Balancer/Reverse Proxy | Yes | No |
This is a recommended configuration. It allows:
On each load balancer/reverse proxy, use server certificates issued to the name of the external access point (FQDN) that users/data collectors are using to access OMi. If multiple load balancers/reverse proxies share the load, each one must have these certificates imported. |
Load Balancer/Reverse Proxy and Gateway (TLS all the way) | Yes | Yes |
This is a less ideal configuration, especially where load balancers are concerned. It requires:
In this configuration, in addition to installing certificates on the load balancer, also install server certificates on the gateway server, using a server certificate issued to the FQDN of the gateway server. In a high availability environment with multiple gateway servers: Traffic from the same data collector will be load-balanced between different gateway servers using a round-robin mechanism. If you have a different certificate on each gateway server issued to a different name, in the worst-case scenario, a TLS renegotiation process must run each time there is a switch between gateway servers. This is very expensive in terms of CPU use and network traffic, on both the server and client sides. For this reason, TLS termination is typically done on the load balancer. |
Gateway | No | Yes |
A secure channel for connections to the OMi server (via load balancer or direct) is mandatory in many OMi environments. OMi enables you to generate and install web servers' certificates using the configuration wizard, thereby reducing the TLS configuration and maintenance efforts to a minimum. Once the web servers are configured for TLS, you can configure the load balancer to forward requests to the gateway servers and have TLS termination on the gateways. This means:
|
OMi provides the following command-line interfaces to help you manage certificates:
- opr-cert-mgmt. The certificate management tool enables you to list, export, import, remove, and synchronize certificates in OMi. For details, see opr-cert-mgmt Command-Line Interface.
- opr-internal-tls-config. The internal TLS troubleshooting tool allows you to disable secure internal communication, as well as to regenerate keys and certificates. For details, see opr-internal-tls-config Command-Line Interface.
- opr-tls-config. The TLS troubleshooting tool enables you to temporarily disable or reset the TLS configuration. For details, see opr-tls-config Command-Line Interface.
OMi monitors the expiration time of the certificates used by the web server. The OMi Server Self-Monitoring management pack contains a measurement threshold policy template that monitors the validity of the certificates and generates an event 90, 60, and 30 days before the certificate expires.
To renew the OMi-generated certificates, restart the OMi gateway server within 30 days before the certificates expire. OMi automatically issues new certificates and imports them to the OMi certificate inventory.
If you are using certificates from the CA used by your company, you must issue new certificates and upload them to OMi using the configuration wizard.
For more information, see Management Pack for OMi Server Self-Monitoring.
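The two certificate properties this page depends on, remaining validity against the 90/60/30-day thresholds and coverage of the external access point FQDN, can also be checked independently of OMi. The following is an added example, not OMi's self-monitoring policy or one of its tools; the function names are hypothetical, and the sample certificate and host names are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

THRESHOLDS_DAYS = (30, 60, 90)  # event thresholds named on this page

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Validated peer certificate in ssl.getpeercert() dict format (live use only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now):
    """Whole days until notAfter, floored; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expiry - now).days

def crossed_threshold(days_left):
    """Tightest threshold already crossed, 0 if expired, None if more than 90 days remain."""
    if days_left < 0:
        return 0
    for limit in THRESHOLDS_DAYS:
        if days_left <= limit:
            return limit
    return None

def covers_fqdn(cert, fqdn):
    """True if a DNS subjectAltName matches fqdn; '*' may only replace the left-most label."""
    want = fqdn.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        have = value.lower().rstrip(".").split(".")
        if kind != "DNS" or len(have) != len(want):
            continue
        first_ok = have[0] == want[0] or (have[0] == "*" and len(have) > 2)
        if first_ok and have[1:] == want[1:]:
            return True
    return False

def audit(cert, access_fqdn, now=None):
    """Summarise expiry and name coverage for the FQDN that clients actually use."""
    now = now or datetime.now(timezone.utc)
    left = days_remaining(cert, now)
    return {"days_left": left, "threshold": crossed_threshold(left),
            "fqdn_ok": covers_fqdn(cert, access_fqdn)}

# Constructed sample in getpeercert() format; host names are placeholders.
SAMPLE_CERT = {"notAfter": "Mar 31 12:00:00 2025 GMT",
               "subjectAltName": (("DNS", "omi.example.com"), ("DNS", "*.lb.example.com"))}
```

Against a live endpoint, pass the result of `fetch_peer_cert()` for the load balancer or gateway to `audit()` together with the FQDN that users and data collectors connect to.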