How to Configure Operations Connector to Use SSL

Operations Connector is shipped with a self-signed certificate. You must replace the certificate with a certificate issued by your Certificate Authority (CA) as described below.

  1. Obtain a server certificate from your CA issued to the Operations Connector server. Typically this certificate is issued in PKCS12 format with a password-protected private key.

    Note: The following requirements apply:

    • The Operations Connector server certificate must be created using a lower-case hostname.

    • The private key password must be at least six characters.

  2. Change the Tomcat configuration to use the PKCS12 certificate instead of the default self-signed Java certificate.

    The file server.xml used by OV Tomcat is recreated on each ovc start, with XPL values replacing the values from templates. Therefore run the Operations Agent tool ovconfchg to change the settings in the XPL configuration:

    Run ovconfchg -edit to open the default system editor (Notepad on Windows, vi on Linux) and load the current XPL configuration.

    The Tomcat related XPL settings are in the XPL namespace NONOV.TomcatB. Configure the Tomcat server to request a client certificate by locating the following section:

       keystoreFile="../groups/serverKeystore" keystoreType="JKS"
       keystorePass="changeit"/>

    Change them to:

       keystoreFile="<path to server certificate in PKCS12 format>"
       keystoreType="PKCS12"
       keystorePass="<password for the private key>"

    Note: The keystore password and the password for the private key must be the same.

    Alternatively, change the settings directly, using the -set option:

    ovconfchg -ns <namespace> -set <parameter> <value>

    For example:

    ovconfchg -ns NONOV.TomcatB -set keystoreFile "<path to server certificate in PKCS12 format>" -set keystoreType "PKCS12" -set keystorePass "<password for the private key>"

  3. Restart ovc:

    ovc -restart
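A preflight check for the PKCS12 file against the requirements in steps 1 and 2, to run before pointing keystoreFile at it. This is an added example, not part of the product documentation: the function names and the P12_PASS variable are hypothetical, it assumes the openssl command-line tool is installed, and it treats the certificate's subject CN as the hostname.

```shell
#!/bin/sh
# Usage (assumed): P12_PASS='<password>' sh p12_preflight.sh <server.p12>
# The password is read from the environment so it does not appear in argv.

# Requirement: the private key password must be at least six characters.
password_ok() {
    [ "${#1}" -ge 6 ]
}

# Requirement: the certificate must be created using a lower-case hostname.
hostname_is_lowercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# Extract the CN value from an RFC 2253 style "subject=..." line.
subject_cn() {
    printf '%s\n' "$1" | sed -n -e 's/^subject= *//' -e 's/.*CN=\([^,]*\).*/\1/p'
}

check_p12() {
    p12=$1
    password_ok "${P12_PASS:-}" \
        || { echo "FAIL: password shorter than six characters" >&2; return 1; }
    export P12_PASS
    # Keystore password and private key password must be the same:
    # decrypting the key with the keystore password fails if they differ.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes >/dev/null 2>&1 \
        || { echo "FAIL: keystore or private key does not open with P12_PASS" >&2; return 1; }
    # Read the subject of the server (leaf) certificate.
    subject=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo "FAIL: no server certificate found in $p12" >&2; return 1; }
    cn=$(subject_cn "$subject")
    hostname_is_lowercase "$cn" \
        || { echo "FAIL: certificate CN '$cn' is empty or not lower-case" >&2; return 1; }
    echo "OK: $p12 (CN=$cn) meets the stated requirements"
}

# Run the check only when a keystore path is given on the command line.
if [ "$#" -eq 1 ]; then
    check_p12 "$1"
fi
```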

If you cannot obtain a server certificate from a CA in PKCS12 format, manually generate a server certificate using a Java Keystore (JKS) and have it signed by your CA. See the section "Creating a Keystore" in the OMi Administration Guide.