
Enable SSL with Server (One-Way) Authentication

This mode uses SSL, and the Probe authenticates the Server's certificate.

Note: The certificate on the Probe is not used in one-way authentication.

This task includes:

  1. Prerequisites

  2. UCMDB Server Configuration

  3. Data Flow Probe Configuration

  4. Restart the Machines

  1. Prerequisites

    1. Verify that both UCMDB and the Data Flow Probe are running.

      Note: If the Probe is installed in separate mode, these instructions refer to the Probe Gateway.

    2. If UCMDB or the Data Flow Probe is not installed in the default folder, note the correct location, and change the commands accordingly.
  2. UCMDB Server Configuration

    1. Export the UCMDB server keystore

      To export the UCMDB server keystore (server.keystore) to a file (server.cert), do the following:

      1. Open the command prompt and run the following command:

        Non-FIPS mode:

        C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -export -alias <certificate alias> -keystore <Keystore file path> -file C:\UCMDB\UCMDBServer\conf\security\server.cert

        FIPS mode only:

        where:

        • certificate alias is the name given to the certificate.

        • Keystore file path is the full path of the location of the keystore file.

        For example, for the out-of-the-box server.keystore use the following command:

        Non-FIPS mode:

        C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -export -alias hpcert -keystore C:\ucmdb\ucmdbserver\conf\security\server.keystore -file C:\UCMDB\UCMDBServer\conf\security\server.cert

        FIPS mode only:

        Note: If you use a company-generated certificate rather than a self-signed certificate, use the following command to get the alias for this certificate:

        C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -list -keystore c:\ucmdb\ucmdbserver\conf\security\server.keystore

        Keystore type: JKS

        Keystore provider: SUN

        Your keystore contains 1 entry.

        <alias>, 14 Sept. 2012, PrivateKeyEntry.

        Certificate fingerprint (SHA1): 2A:52:DF:17:D9:A5:37:2D:1F:1D:BA:4B:41:46:33:A8:18:42:5B:D7

        The alias will look like: {45789-15478-1236-7895}

        Use this alias to export the certificate.

      2. Enter the keystore password.

      3. Verify that the certificate was created in the following directory: C:\UCMDB\UCMDBServer\conf\security\server.cert

    2. (Optional) Harden the Data Flow Probe connector in UCMDB

      Note: The probe connection is already hardened out-of-the-box. The steps below apply only if you have changed the out-of-the-box probe connection to basic authentication and need to revert to an SSL connection.

      1. Access the UCMDB JMX console: In your Web browser, enter the following URL: https://<ucmdb machine name or IP address>:8443/jmx-console. You may have to log in with a user name and password.

      2. Select the service: Ports Management Services.

      3. Invoke the PortsDetails method, and note the port number for HTTPS. (Default: 8443) Ensure that the value in the Is Enabled column is True.

      4. Return to Ports Management Services.

      5. To map the Data Flow Probe connector to server authentication mode, invoke the mapComponentToConnectors method with the following parameters:

        • componentName: mam-collectors

        • isHTTPS: true

        • All other flags: false

        The following message is displayed:

        Operation succeeded. Component mam-collectors is now mapped to: HTTPS ports.
        Note: If you want to use multiple authentication methods, make sure you check the ports used by each of them and set them to true (when mapping both cm and mam-collectors).
      6. Return to Ports Management Services.

      7. To map the Confidential Manager connector to server authentication mode, invoke the mapComponentToConnectors method with the following parameters:

        • componentName: cm

        • isHTTPS: true

        • All other flags: false

        The following message is displayed:

        Operation succeeded. Component cm is now mapped to: HTTPS ports.
        Note: If you want to use multiple authentication methods, make sure you check the ports used by each of them and set them to true (when mapping both cm and mam-collectors).
    3. Copy the UCMDB certificate to each Probe machine

      Copy the certificate file, C:\UCMDB\UCMDBServer\conf\security\server.cert, from the UCMDB Server machine to the following folder on each Data Flow Probe machine: C:\UCMDB\DataFlowProbe\conf\security\

  3. Data Flow Probe Configuration

    Note: You must configure each Data Flow Probe machine.

    1. Import the server.cert file, created in Export the UCMDB server keystore, to the Probe’s Truststore.

      1. Open the command prompt and run the command:

        C:\UCMDB\DataFlowProbe\bin\jre\bin\keytool.exe -import -v -keystore C:\UCMDB\DataFlowProbe\conf\security\HPProbeTrustStore.jks -file C:\UCMDB\DataFlowProbe\conf\security\server.cert -alias hpcert
      2. Enter the keystore password: logomania

      3. When asked Trust this certificate?, press y and then Enter.

        The following message is displayed:

        Certificate was added to keystore.
    2. Open the DataFlowProbe.properties file located in: C:\UCMDB\DataFlowProbe\conf\

      1. Make sure the appilog.agent.probe.protocol property is set to HTTPS.

      2. Update the serverPortHttps property to the relevant port number. (Use the port number from step 2c of UCMDB Server Configuration.)

  4. Restart the Machines

    Restart both the UCMDB server and the Probe machines.
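
The following check is an added example, not part of the original UCMDB documentation. Run on a Probe machine before the restart, it confirms that the copied server.cert has the fingerprint that keytool -list reported on the Server, and that DataFlowProbe.properties carries the two settings from the Data Flow Probe Configuration step. The function names and sample inputs are assumptions constructed for illustration; only the property names appilog.agent.probe.protocol and serverPortHttps come from this page.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(data: bytes, algo: str = "sha1") -> str:
    """keytool-style fingerprint (AA:BB:...) of a DER or PEM (-rfc) certificate file."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data  # plain -export output is DER
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m and line[0] not in "#!":
            props[m.group(1)] = m.group(2)
    return props

def check_probe(props_text: str, cert_bytes: bytes, expected_sha1: str, https_port: int) -> list:
    """Return a list of problems; an empty list means the Probe side matches the procedure."""
    problems = []
    props = parse_properties(props_text)
    protocol = props.get("appilog.agent.probe.protocol", "")
    if protocol.upper() != "HTTPS":
        problems.append(f"appilog.agent.probe.protocol is {protocol!r}, expected HTTPS")
    port = props.get("serverPortHttps")
    if port != str(https_port):
        problems.append(f"serverPortHttps is {port!r}, expected {https_port}")
    actual = cert_fingerprint(cert_bytes)
    if actual != expected_sha1.strip().upper():
        problems.append(f"server.cert fingerprint {actual} does not match the Server's")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs; on a real Probe, read server.cert (binary mode) and
    # DataFlowProbe.properties from the folders named in the procedure.
    sample_cert = b"constructed stand-in for the DER bytes of server.cert"
    noted_on_server = cert_fingerprint(sample_cert)  # stands in for the keytool -list value
    sample_props = "appilog.agent.probe.protocol = HTTP\nserverPortHttps = 8443\n"
    for problem in check_probe(sample_props, sample_cert, noted_on_server, 8443):
        print("FAIL:", problem)
```

The same fingerprint is what keytool displays before it asks Trust this certificate? during the import, so the value can also be compared by eye at that prompt.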