Use > JMX Reference > Hardening Methods > How to Enable Mutual Certificate Authentication for SDK

How to Enable Mutual Certificate Authentication for SDK

This mode uses SSL and enables both server authentication by the UCMDB and client authentication by the UCMDB-API client. Both the server and the UCMDB-API client send their certificates to the other entity for authentication.


  • The following method of enabling SSL on the SDK with mutual authentication is the most secure of the methods and is therefore the recommended communication mode.
  • The keystore used for client SDK must be in Java Keystore (JKS) format. The Java Cryptography Extension KeyStore (JCEKS) or other formats are not supported.

  • The keystore used for SDK must contain only one key-pair and nothing else in it. The password for this key-pair must be the same as the one for keystore.

  1. Harden the UCMDB-API client connector in UCMDB:

    1. Access the UCMDB JMX console: Launch a Web browser and enter the following address: https://<UCMDB machine name or IP address>:8443/jmx-console. You may have to log in with a user name and password (default is sysadmin/sysadmin).

    2. Locate UCMDB:service=Ports Management Services and click the link to open the Operations page.

    3. Locate the PortsDetails operation and click Invoke. Make a note of the HTTPS with client authentication port number. The default is 8444 and it should be enabled.

    4. Return to the Operations page.

    5. To map the ucmdb-api connector to the mutual authentication mode, invoke the mapComponentToConnectors method with the following parameters:

      • componentName: ucmdb-api

      • isHTTPSWithClientAuth: true

      • All other flags: false

      The following message is displayed:

      Operation succeeded. Component ucmdb-api is now mapped to: HTTPS_CLIENT_AUTH ports.

    6. Return to the Operations page.

  2. Repeat step 1 for the ping component.
  3. Make sure the JRE that runs the UCMDB-API client has a keystore containing a client certificate.

    Note The UCMDB-API client certificate must have the minimum size key no less than 2048 bits.

  4. Export the UCMDB-API client certificate from its keystore.
  5. Import the exported UCMDB-API client certificate to the UCMDB Server Truststore.

    1. On the UCMDB machine, copy the created UCMDB-API client certificate file to the following directory on UCMDB:


    2. Run the following command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -import -v -keystore
      C:\UCMDB\UCMDBServer\conf\security\server.truststore -file <exported UCMDB-api client certificate> -alias ucmdb-api
    3. Enter the UCMDB Server Truststore password.

    4. When asked, Trust this certificate?, press y and then Enter.

    5. Make sure the output Certificate was added to the keystore.

  6. Export the UCMDB server certificate from the server keystore.

    1. On the UCMDB machine, run the following command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -export -alias hpcert 
      C:\UCMDB\UCMDBServer\conf\security\server.keystore -file C:\UCMDB\UCMDBServer\conf\security\server.cert
    2. Enter the UCMDB Server keystore password.

    3. Verify that the certificate is created in the following directory:


  7. Import the exported UCMDB certificate to the JRE of the UCMDB-API client truststore.
  8. The certificate used by the API Client must contain in it's Common Name (CN) field the name of a user that's present in UCMDB.

    This user MUST have an EMPTY password and all required permissions for SDK access.

    To set an empty password to an existing UCMDB user,

    1. Go to JMX Console > UCMDB:service=URM Services > listResourceTypes.
    2. Click Auth_USER.

    3. Click your user and wait for the XML to load.

    4. In the XML, replace the password with s39t3O*tfoZXg30xd/nvJGL5is8=.

    5. Click Save resource.

  9. Restart the UCMDB Server and the UCMDB-API client.
  10. To connect from the UCMDB-API client to UCMDB-API server, use the following code:

    UcmdbServiceProvider provider = UcmdbServiceFactory.getServiceProvider
    UcmdbService ucmdbService = provider.connect(provider.createCertificateCredentials(<TheClientKeystore. e.g: "c:\\client.keystore">, <KeystorePassword>), provider.createClientContext(<ClientIdentification>));