WAS v8.5 > Monitoring > Monitoring overall system health > SNMP based performance monitoring for WAS

Enabling security for the IBM WebSphere SNMP Capability

You must enable security for the IBM WebSphere Simple Network Management Protocol (SNMP) Capability (also referred to as the IBM WebSphere Snmp Agent) to connect to a security-enabled WAS environment.

For more information about the IBM WebSphere SNMP Capability, read the "SNMP based performance monitoring for WAS" topic.

Before you enable security for the IBM WebSphere SNMP Capability, first have installed and configured it. Read the "Installing and configuring the IBM WebSphere SNMP Capability" topic for more information.

You should enable security on the IBM WebSphere Snmp Agent without enabling administrative security. Verify the connection is established successfully and you are able to obtain the metrics and traps. The following attributes should be configured to enable security on the IBM WebSphere Snmp Agent: connectorType, Security, UserName, Password, connectorSOAPcon-fig/connectorRMIconfig, sslRMIConfig, trustStore, tsPassword, keyStore and ksPassword. For more information about these attributes, read the "Installing and configuring the IBM WebSphere SNMP Capability" topic. To enable security for the SOAP Connector Type, perform the following steps:

  1. In the dmgr console, click Security > SSL certificate and key management.

  2. Under Related items, click keystores and certificates.

  3. Click CellDefaultTrustStore. Under Additional properties, click Signer Certificates.

  4. Select the check box next to root and click extract.

  5. Select the data type as Binary DER Data and supply a filename ending with .DER.

  6. Click ok and the certificate is extracted to a location on the dmgr. Note the location to which the .DER certificate was extracted.
  7. Copy the certificate to the machine on which the WebSphere Snmp Agent runs (we do not have to do this if the WebSphere Snmp Agent has been installed on the dmgr node itself).

  8. Go to the <WAS_HOME>/bin directory on the machine where the WebSphere Snmp Agent is installed. Run the ikeyman.sh utility.

  9. Go to Key Database File > open. Supply the details for the truststore you plan to use. For the default truststore it is key database type = jks, filename = DummyClientTrustFile.jks and location = <was_profile>/etc. Once you click ok, you are prompted for the password. Enter the password as WebAS.
  10. In the choices for personal certificates, select signer certificates. Click add, and supply the filename and location of the .DER certificate that you extracted from the dmgr console earlier.

If the connector type is RMI, there is no need to extract any certificates. You must ensure the values for all attributes under RMImbeanServer are correct

However, if your IBM WebSphere Snmp Agent is running on a machine different from the dmgr to connect to, you are prompted to accept a certificate from the WAS dmgr machine when we connect to it for the first time. Click yes and accept that certificate. In some instances, when we start the IBM WebSphere Snmp Agent, a window is displayed that prompts you for a username and password. Enter the username and password for the WAS dmgr in this window.


Related concepts:

SNMP based performance monitoring for WAS


Related


Install and configure the IBM WebSphere SNMP Capability
Access the IBM WebSphere SNMP Capability
Monitoring performance with IBM Tivoli Composite Application Manager for WAS


+

Search Tips   |   Advanced Search