Enable Mutual (Two-Way) Certificate Authentication

This mode uses SSL/TLS and enables authentication in both directions: the Probe authenticates the Server, and the Server authenticates the Probe (the client). Each side sends its certificate to the other for verification.

Note It is possible to enable mutual certificate authentication using a certificate chain. For details about generating a certificate chain, see (Optional) Generate the UCMDB Certificate Chain.

This task includes:

  1. Prerequisites

    1. Verify that both UCMDB and the Data Flow Probe are running.

      Note If the Probe is installed in separate mode, these instructions refer to the Probe Gateway.

    2. If UCMDB or the Data Flow Probe is not installed in the default folder, note the actual location and change the paths in the commands below accordingly.

  2. Initial UCMDB Server Configuration

    1. Export the UCMDB Certificate

      1. Open the command prompt and run the command:

        C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -export -alias <keystore alias> -keystore <Keystore file path> -file C:\UCMDB\UCMDBServer\conf\security\server.cert

        where:

        • keystore alias is the name given to the keystore.

        • Keystore file path is the full path of the location of the keystore file.

        For example, for the out-of-the-box server.keystore use the following command:

        C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -export -alias hpcert -keystore C:\ucmdb\ucmdbserver\conf\security\server.keystore -file C:\UCMDB\UCMDBServer\conf\security\server.cert
      2. Enter the keystore password.

      3. Verify that the certificate was created in the following location: C:\UCMDB\UCMDBServer\conf\security\server.cert

    2. Harden the Data Flow Probe connector in UCMDB

      1. Access the UCMDB JMX console: In your Web browser, enter the following URL: https://localhost:8443/jmx-console. You may have to log in with a user name and password.

      2. Select the service: Ports Management Services.

      3. Invoke the PortsDetails method, and note the port number for HTTPS with client authentication. (Default: 8444) Ensure that the value in the Is Enabled column is True.

      4. Return to Ports Management Services.

      5. To map the Data Flow Probe connector to mutual authentication mode, invoke the mapComponentToConnectors method with the following parameters:

        • componentName: mam-collectors

        • isHTTPSWithClientAuth: true

        • All other flags: false

        The following message is displayed:

        Operation succeeded. Component mam-collectors is now mapped to: HTTPS_CLIENT_AUTH ports.

        Note: If you want to use multiple authentication methods, make sure you check the ports used by each of them and set them to true (when mapping both cm and mam-collectors).
      6. Return to Ports Management Services.

      7. To map the Confidential Manager connector to mutual authentication mode, invoke the mapComponentToConnectors method with the following parameters:

        • componentName: cm

        • isHTTPSWithClientAuth: true

        • All other flags: false

        The following message is displayed:

        Operation succeeded. Component cm is now mapped to: HTTPS_CLIENT_AUTH ports.

        Note: If you want to use multiple authentication methods, make sure you check the ports used by each of them and set them to true (when mapping both cm and mam-collectors).
    3. Copy the UCMDB certificate to each Probe machine

      Copy the certificate file C:\UCMDB\UCMDBServer\conf\security\server.cert from the UCMDB Server machine to the following folder on each Data Flow Probe machine: C:\UCMDB\DataFlowProbe\conf\security\

  3. Data Flow Probe Configuration

    Note You must configure each Data Flow Probe machine.

    1. Import the server.cert file (created in step 2.a, Export the UCMDB Certificate) into the Probe's Truststore.

      1. Open the command prompt and execute the following command:

        C:\UCMDB\DataFlowProbe\bin\jre\bin\keytool.exe -import -v -keystore C:\UCMDB\DataFlowProbe\conf\security\HPProbeTrustStore.jks -file C:\UCMDB\DataFlowProbe\conf\security\server.cert -alias hpcert
      2. Enter the keystore password: logomania

      3. When asked Trust this certificate?, press y and then Enter.

        The following message is displayed:

        Certificate was added to keystore.

    2. Create a new client.keystore file

      1. Open the command prompt and run the command:

        C:\UCMDB\DataFlowProbe\bin\jre\bin\keytool.exe -genkey -alias <ProbeName> -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore c:\UCMDB\DataFlowProbe\conf\security\client.keystore

        where ProbeName is the unique alias of the Data Flow Probe.

        Note To ensure that this alias is unique, use the Probe Name identifier that was given to the Probe when defining the Probe.

      2. Enter a password for the keystore (at least 6 characters) and make a note of it.

      3. Enter the password again for confirmation.

      4. Press Enter after answering each of the following questions:

        What is your first and last name? [Unknown]:

        What is the name of your organizational unit?[Unknown]:

        What is the name of your organization?[Unknown]:

        What is the name of your City or Locality?[Unknown]:

        What is the name of your State or Province?[Unknown]:

        What is the two-letter country code for this unit?[Unknown]:

      5. Type yes when asked Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

      6. Press Enter after answering the following question:

        Enter key password for <probekey> (RETURN if same as keystore password):

      7. Verify the file was created in the following folder, and ensure its file size is greater than 0: C:\UCMDB\DataFlowProbe\conf\security\client.keystore

    3. Export the new Client Certificate

      1. Open the command prompt and run the command:

        C:\UCMDB\DataFlowProbe\bin\jre\bin\keytool.exe -export -alias <ProbeName> -keystore C:\UCMDB\DataFlowProbe\conf\security\client.keystore -file C:\UCMDB\DataFlowProbe\conf\security\<ProbeName>.cert
      2. When asked, enter the keystore password (the password from step 3.b.ii above).

        The following message is displayed:

        Certificate stored in file <C:\UCMDB\DataFlowProbe\conf\security\<ProbeName>.cert>

    4. Open the DataFlowProbe.properties file located in: C:\UCMDB\DataFlowProbe\conf\

      1. Update the appilog.agent.probe.protocol property to HTTPS.

      2. Update the serverPortHttps property to the relevant port number. (Use the port number from step 2.b.iii.)

    5. Open the ssl.properties file located in: C:\UCMDB\DataFlowProbe\conf\security\

      1. Update the javax.net.ssl.keyStore property to client.keystore.

      2. Encrypt the password from step 3.b.ii above:

        1. Start the Data Flow Probe (or make sure it is already running).

        2. Access the Probe JMX. On the probe machine, browse to: https://localhost:8453

        3. Click the type=MainProbe link.

        4. Scroll down to the operation getEncryptedKeyPassword.

        5. Enter the password in the Key Password field.

        6. Click the getEncryptedKeyPassword button.

      3. Copy and paste the encrypted password to update the javax.net.ssl.keyStorePassword property.

        Note The encrypted value is a list of numbers separated by commas, for example: -20,50,34,-40,-50

    6. Copy the Probe certificate to the UCMDB machine

      Copy the file C:\UCMDB\DataFlowProbe\conf\security\<ProbeName>.cert from the Data Flow Probe machine to the UCMDB machine at C:\UCMDB\UCMDBServer\conf\security\<ProbeName>.cert.

  4. Further UCMDB Server Configuration

    1. Add each Probe certificate to the Truststore of UCMDB

      Note You must complete the following steps for each Probe certificate.

      1. Open the command prompt and run the command:

        C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -import -v -keystore C:\UCMDB\UCMDBServer\conf\security\server.truststore -file C:\UCMDB\UCMDBServer\conf\security\<ProbeName>.cert -alias <ProbeName>
      2. Enter the keystore password.

      3. When asked Trust this certificate?, press y and then Enter.

        The following message is displayed:

        Certificate was added to keystore

  5. Restart the Machines

    Restart the UCMDB server and the Probe services.
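The keytool steps of this task can be scripted so that they run without the interactive prompts and so that each result is checked. The following PowerShell is an added example, not part of the UCMDB documentation or product: the paths are the defaults used on this page, while the function names, the ProbeName placeholder and the environment-variable names that carry the passwords are this example's own assumptions. Passwords are passed to keytool with its `-storepass:env` / `-keypass:env` form so they do not appear on the command line or in the shell history.

```powershell
# Added example (not part of the UCMDB documentation): runs the keytool steps of
# this task non-interactively and checks each result. Paths are the page defaults;
# ProbeName, function names and password environment variables are assumptions.

$UcmdbHome = 'C:\UCMDB\UCMDBServer'
$ProbeHome = 'C:\UCMDB\DataFlowProbe'

function Invoke-Keytool {
    # Runs keytool.exe from the given JRE bin folder and stops on any failure.
    param([string]$JreBin, [string[]]$Arguments)
    & (Join-Path $JreBin 'keytool.exe') @Arguments
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($Arguments -join ' ')" }
}

function Test-KeystoreAlias {
    # Read-only check: $true when the alias exists in the keystore, $false otherwise.
    param([string]$JreBin, [string]$Keystore, [string]$Alias, [string]$PassEnvVar)
    $null = & (Join-Path $JreBin 'keytool.exe') -list -keystore $Keystore -alias $Alias -storepass:env $PassEnvVar 2>$null
    return ($LASTEXITCODE -eq 0)
}

function Assert-NonEmptyFile {
    # The page asks to verify that each created file exists and is larger than 0 bytes.
    param([string]$Path)
    if (-not (Test-Path $Path) -or (Get-Item $Path).Length -le 0) { throw "missing or empty: $Path" }
}

function Export-UcmdbServerCert {
    # Step 2.1, on the UCMDB server: export the server certificate to server.cert.
    # The keystore password is read from $env:UCMDB_STOREPASS (keytool's :env form).
    param([string]$Alias = 'hpcert')
    $sec = "$UcmdbHome\conf\security"
    Invoke-Keytool "$UcmdbHome\bin\jre\bin" @('-export', '-alias', $Alias,
        '-keystore', "$sec\server.keystore", '-file', "$sec\server.cert",
        '-storepass:env', 'UCMDB_STOREPASS')
    Assert-NonEmptyFile "$sec\server.cert"
}

function Initialize-ProbeKeystore {
    # Steps 3.1 to 3.3, on each Data Flow Probe: trust server.cert, create
    # client.keystore under the Probe's unique alias, export <ProbeName>.cert.
    param(
        [Parameter(Mandatory)][string]$ProbeName,
        [string]$Dname = 'CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'
    )
    $jre = "$ProbeHome\bin\jre\bin"
    $sec = "$ProbeHome\conf\security"
    # 3.1: -noprompt answers "Trust this certificate?" with yes.
    Invoke-Keytool $jre @('-import', '-v', '-noprompt', '-keystore', "$sec\HPProbeTrustStore.jks",
        '-file', "$sec\server.cert", '-alias', 'hpcert', '-storepass:env', 'PROBE_TRUSTSTORE_PASS')
    # 3.2: -dname answers the six identity questions; the key password equals the keystore
    # password, as pressing Enter at "Enter key password" does in the interactive procedure.
    Invoke-Keytool $jre @('-genkey', '-alias', $ProbeName, '-keyalg', 'RSA', '-sigalg', 'SHA256withRSA',
        '-keysize', '2048', '-keystore', "$sec\client.keystore", '-dname', $Dname,
        '-storepass:env', 'CLIENT_KEYSTORE_PASS', '-keypass:env', 'CLIENT_KEYSTORE_PASS')
    Assert-NonEmptyFile "$sec\client.keystore"
    # 3.3: export the Probe certificate that the UCMDB server will trust.
    Invoke-Keytool $jre @('-export', '-alias', $ProbeName, '-keystore', "$sec\client.keystore",
        '-file', "$sec\$ProbeName.cert", '-storepass:env', 'CLIENT_KEYSTORE_PASS')
    Assert-NonEmptyFile "$sec\$ProbeName.cert"
}

function Set-ProbeProperty {
    # Steps 3.4 and 3.5: rewrite one key=value line of a Probe .properties file in place.
    param([string]$File, [string]$Key, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=.*$'
    $lines = Get-Content $File
    if (-not ($lines -match $pattern)) { throw "$Key not found in $File" }
    $lines -replace $pattern, "$Key=$Value" | Set-Content $File
}

function Import-ProbeCertsIntoUcmdbTruststore {
    # Step 4.1, on the UCMDB server: add every <ProbeName>.cert to server.truststore
    # and confirm each alias is present afterwards.
    param([Parameter(Mandatory)][string[]]$ProbeNames)
    $jre = "$UcmdbHome\bin\jre\bin"
    $sec = "$UcmdbHome\conf\security"
    foreach ($name in $ProbeNames) {
        Invoke-Keytool $jre @('-import', '-v', '-noprompt', '-keystore', "$sec\server.truststore",
            '-file', "$sec\$name.cert", '-alias', $name, '-storepass:env', 'UCMDB_TRUSTSTORE_PASS')
        if (-not (Test-KeystoreAlias $jre "$sec\server.truststore" $name 'UCMDB_TRUSTSTORE_PASS')) {
            throw "alias $name missing from server.truststore after import"
        }
    }
}

# Usage. On the UCMDB server (step 2.1):
#   $env:UCMDB_STOREPASS = Read-Host 'server.keystore password'; Export-UcmdbServerCert
# Copy server.cert to each Probe (step 2.3) and run there (steps 3.1 to 3.5):
#   $env:PROBE_TRUSTSTORE_PASS = 'logomania'; $env:CLIENT_KEYSTORE_PASS = Read-Host 'new client.keystore password'
#   Initialize-ProbeKeystore -ProbeName 'PROBENAME-PLACEHOLDER'
#   Set-ProbeProperty "$ProbeHome\conf\DataFlowProbe.properties" 'appilog.agent.probe.protocol' 'HTTPS'
#   Set-ProbeProperty "$ProbeHome\conf\DataFlowProbe.properties" 'serverPortHttps' '8444'
#   Set-ProbeProperty "$ProbeHome\conf\security\ssl.properties" 'javax.net.ssl.keyStore' 'client.keystore'
#   (javax.net.ssl.keyStorePassword still takes the value from the Probe JMX getEncryptedKeyPassword step)
# Copy <ProbeName>.cert back to the server (step 3.6) and run there (step 4.1):
#   $env:UCMDB_TRUSTSTORE_PASS = Read-Host 'server.truststore password'
#   Import-ProbeCertsIntoUcmdbTruststore -ProbeNames 'PROBENAME-PLACEHOLDER'
```

The functions are split by machine because the task alternates between the UCMDB server and the Probe; each function checks its own output (file size above 0, alias present after import) so a failed step stops the run instead of leaving a half-configured Probe that only fails at the next restart.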

(Optional) Generate the UCMDB Certificate Chain

  1. Generate the keystore

    Before starting the following procedure, remove the old server.keystore file located at C:\UCMDB\UCMDBServer\conf\security\server.keystore.

    1. Open the command prompt and run the command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool -genkey -alias <keystore alias> -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore <Keystore file path>

      where:

      • keystore alias is the name given to the keystore.
      • Keystore file path is the full path of the location of the keystore file.

    2. Enter a password for the keystore (at least 6 characters) and make a note of it:

      • If the password has changed, run the changeKeystorePassword JMX operation in UCMDB:service=Security Services.
      • If the password has not changed, use the default hppass password.
    3. Enter the password again for confirmation.

    4. Press Enter after answering each of the following questions:

      • What is your first and last name?

        [Unknown]: [Common Name (CN)]

        The CN must be filled out correctly. The CN must be a fully-qualified domain name (FQDN). A single short name such as "sitename" or an IP address will not be accepted.

        Examples of valid FQDNs are:

        www.sitename.com

        sitename.com

        sitename.microfocus.com

        sitename.eds.com

      • What is the name of your organizational unit?

        [Unknown]: [Organizational Unit (OU)]

        Note: This field should NOT reference a company name in any form (for example, Google, and so on). If your CSR will not allow you to leave this field blank (which is what we recommend), then you should reference some sort of department (for example, Online, Accounting, Finance, and so on). If this field is filled out incorrectly, it can cause your enrollment to fail!
      • What is the name of your organization?

        [Unknown]: [Organization (O)]

        Enter the name of your organization, for example, Hewlett-Packard.

      • What is the name of your City or Locality?

        [Unknown]: [City / Locality (L)]

        Enter the City or Locality of the server on which the SSL certificate will reside. This field CANNOT be blank.

      • What is the name of your State or Province?

        [Unknown]: [State / Province (S)]

        Enter the State/Province of the server on which the SSL certificate will reside. The State/Province must be spelled out in its entirety (more than two characters) and cannot be abbreviated (for example, enter Colorado, not CO). This field CANNOT be blank.

      • What is the two-letter country code for this unit?

        [Unknown]: [Country (C)]

        Enter the Country of the server on which the SSL certificate will reside. You must enter the two-character ISO 3166 Country Code. This field CANNOT be blank.

    5. Type y when asked Is CN=[XXX], OU=[XXXX], O=[XXXX], L=[XXXX], ST=[XXXX], C=[XXX] correct?

    6. Press Enter after answering the following questions:

      Enter key password for <serverkey> (RETURN if same as keystore password):

      Re-enter new password:

    7. Verify the file was created in the following folder, and ensure its file size is greater than 0: C:\UCMDB\UCMDBServer\conf\security\server.keystore.

  2. Generate the CSR

    Run the following command to generate the CSR:

    c:\UCMDB\UCMDBServer\bin\jre\bin\keytool -certreq -alias server -file c:\UCMDB\UCMDBServer\conf\security\certreq.csr -keystore c:\UCMDB\UCMDBServer\conf\security\server.keystore -sigalg SHA256withRSA

  3. Obtain the signed server certificate

    1. Download the CA root certificate first, and install it under Trusted Root Certification Authorities.

    2. Change the file extension of the signed certificate to .cer or .crt.

    3. Put the certificate file in the following location: C:\UCMDB\UCMDBServer\conf\security\server.cer.

  4. Generate the certificate chain

    1. Import Root certificates to the keystore using the following command:

      c:\UCMDB\UCMDBServer\bin\jre\bin\keytool -import -v -trustcacerts -alias root -keystore c:\UCMDB\UCMDBServer\conf\security\server.keystore -file c:\UCMDB\UCMDBServer\conf\security\server.cer
    2. Import Server certificate to the keystore using the following command:

      c:\UCMDB\UCMDBServer\bin\jre\bin\keytool -import -v -trustcacerts -alias server -keystore c:\UCMDB\UCMDBServer\conf\security\server.keystore -file c:\UCMDB\UCMDBServer\conf\security\server.cer
      Note: The alias must be the same alias that was used when generating the keystore, and the import order (root first, then the server certificate) cannot be changed.
    3. The certificate chain is generated.

      Use the following command to view the details of the keystore:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -list -v -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore

Note: To generate the probe certificate chain, repeat the above steps. The only difference is to name the alias "client" and generate the client.keystore and client.cer files.
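The chain procedure above, as an added PowerShell example that is not part of the UCMDB documentation or product. It generalizes the steps to a parameterized alias so the same code builds server.keystore (alias "server") or, as the closing note describes, the Probe's client.keystore (alias "client"), and it finishes with the check a practitioner wants: that keytool -list -v now reports a certificate chain length of 2 or more for the key entry rather than 1 (still self-signed). The file name root.cer for the downloaded CA root certificate, the example organization values, and the function names are this example's assumptions; the page's own root-import command names server.cer for that step. The `-ext SAN=dns:...` option on the CSR goes beyond the page's command: it is a real keytool option, added because TLS clients match the host name against the Subject Alternative Name, not only the CN.

```powershell
# Added example (not part of the UCMDB documentation): certificate-chain steps 1-4
# as non-interactive functions. root.cer, the sample DN values and the function
# names are assumptions; the keystore password is read from $env:KS_PASS.

$UcmdbHome = 'C:\UCMDB\UCMDBServer'

function Invoke-Keytool {
    # Runs keytool.exe, returns its stdout lines, and stops on a non-zero exit code.
    param([string]$JreBin, [string[]]$Arguments)
    $out = & (Join-Path $JreBin 'keytool.exe') @Arguments
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($Arguments -join ' ')" }
    return $out
}

function New-KeystoreAndCsr {
    # Steps 1 and 2: fresh keystore (the old one is renamed, not deleted) and a
    # SHA-256 CSR. -dname replaces the six questions; CN must be the server FQDN.
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$Dname,
        [string]$Alias = 'server',
        [string]$Keystore = "$UcmdbHome\conf\security\server.keystore",
        [string]$Csr = "$UcmdbHome\conf\security\certreq.csr"
    )
    $jre = "$UcmdbHome\bin\jre\bin"
    if (Test-Path $Keystore) { Move-Item $Keystore "$Keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)" }
    Invoke-Keytool $jre @('-genkey', '-alias', $Alias, '-keyalg', 'RSA', '-sigalg', 'SHA256withRSA',
        '-keysize', '2048', '-keystore', $Keystore, '-dname', $Dname,
        '-storepass:env', 'KS_PASS', '-keypass:env', 'KS_PASS') | Out-Null
    # -ext SAN is beyond the page's command (see lead-in); the CSR carries the FQDN as a SAN too.
    Invoke-Keytool $jre @('-certreq', '-alias', $Alias, '-file', $Csr, '-keystore', $Keystore,
        '-sigalg', 'SHA256withRSA', '-ext', "SAN=dns:$Fqdn", '-storepass:env', 'KS_PASS') | Out-Null
    if ((Get-Item $Csr).Length -le 0) { throw "CSR not written: $Csr" }
}

function Get-ChainLength {
    # Parses "Certificate chain length: N" from keytool -list -v for one alias.
    # 1 means the entry is still self-signed and the chain import did not take effect.
    param([string]$Keystore, [string]$Alias)
    $listing = Invoke-Keytool "$UcmdbHome\bin\jre\bin" @('-list', '-v', '-keystore', $Keystore,
        '-alias', $Alias, '-storepass:env', 'KS_PASS')
    $m = [regex]::Match(($listing -join "`n"), 'Certificate chain length:\s*(\d+)')
    if (-not $m.Success) { throw "no chain length in keytool output for alias $Alias" }
    return [int]$m.Groups[1].Value
}

function Import-CertificateChain {
    # Step 4: root first, then the CA-signed certificate under the SAME alias used
    # by -genkey, so keytool replaces the self-signed entry with the chained reply.
    param(
        [string]$Alias = 'server',
        [string]$Keystore = "$UcmdbHome\conf\security\server.keystore",
        [string]$RootCer = "$UcmdbHome\conf\security\root.cer",
        [string]$SignedCer = "$UcmdbHome\conf\security\server.cer"
    )
    $jre = "$UcmdbHome\bin\jre\bin"
    Invoke-Keytool $jre @('-import', '-v', '-noprompt', '-trustcacerts', '-alias', 'root',
        '-keystore', $Keystore, '-file', $RootCer, '-storepass:env', 'KS_PASS') | Out-Null
    Invoke-Keytool $jre @('-import', '-v', '-trustcacerts', '-alias', $Alias,
        '-keystore', $Keystore, '-file', $SignedCer, '-storepass:env', 'KS_PASS') | Out-Null
    $len = Get-ChainLength -Keystore $Keystore -Alias $Alias
    if ($len -lt 2) { throw "chain not built for alias $Alias (chain length $len)" }
    return $len
}

# Usage on the UCMDB server:
#   $env:KS_PASS = Read-Host 'keystore password'
#   New-KeystoreAndCsr -Fqdn 'ucmdb.example.com' `
#       -Dname 'CN=ucmdb.example.com, OU=Online, O=Example Corp, L=Denver, ST=Colorado, C=US'
#   ... submit certreq.csr to the CA; save its root as root.cer and the signed reply as server.cer ...
#   Import-CertificateChain
# For the Probe chain, call both functions with -Alias 'client' and the
# client.keystore / client.cer paths, as the closing note describes.
```

Keytool only reports a chain length above 1 when the signed reply could be validated against the root imported just before it, so a length of 1 after the second import is the quickest sign that the wrong file was given for the root step or that the alias did not match the one used by -genkey.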