IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Configure TLS/SSL communication with the Authorization Policy Server
To use HTTPS, you can configure TLS/SSL communication with the Tivoli Authorization Policy Server.
Two IBM Tivoli Monitoring components communicate with the Authorization Policy Server using either Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS):
- The tivcmd Command-Line Interface for Authorization Policy sends HTTP/HTTPS requests to the Authorization Policy Server to process CLI commands.
- The Tivoli Enterprise Portal Server sends HTTP/HTTPS requests to the Authorization Policy Server to obtain the latest policy store.
HTTPS runs HTTP on top of Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). These layers encrypt the connection using keys established through a key exchange.
Roadmap
To use HTTPS and its encryption features, complete the tasks in the following roadmap.
The following instructions assume that the portal server and the tivcmd CLI send requests directly to the IBM Dashboard Application Services Hub application server, and not to an HTTP server that might be used in conjunction with the dashboard hub. If you are using an HTTP server with IBM Dashboard Application Services Hub, you must also update the certificates that the HTTP server uses.
Roadmap for setting up TLS/SSL for the Authorization Policy Server
Step 1. Using the WebSphere Application Server administrative console for the Dashboard Application Services Hub where the Authorization Policy Server is installed, choose one of the following options to obtain a public-private key pair:
- Use the WebSphere generated certificates to configure TLS/SSL for the Authorization Policy Server
During installation, the WebSphere Application Server generates a public signer certificate and a default private signed certificate. These certificates can be used if desired.
- Use third party certificates to configure TLS/SSL for the Authorization Policy Server
Add the third party's signer certificate to the WebSphere Application Server trust store. A certificate request is created at the WebSphere Application Server and forwarded to the certificate authority for signing. Once signed, it is added to the WebSphere Application Server key store. The private signed certificate must be set as the default certificate.
Step 2. At each tivcmd Command-Line Interface for Authorization Policy installation:
- Create a new, clean key database.
- Add the public signer certificate used by the Authorization Policy Server to the new key database.
- Set an environment variable to enable validation of the server certificate. By default, HTTPS between the tivcmd CLI and the Authorization Policy Server does not exchange certificates or use security encryption; this environment variable must be set for that to happen.
Follow the steps in Configure the tivcmd CLI for TLS/SSL.
Step 3. At each portal server configured to communicate with the Authorization Policy Server, add the public signer certificate used by the Authorization Policy Server to the TEPS/e trust store. Follow the steps in Configure TLS/SSL communication between the portal server and the Authorization Policy Server.
Step 4. Use the -s argument of the tivcmd login command to indicate that the HTTPS protocol is used when sending requests to the Authorization Policy Server. If the tivcmd CLI environment variable ITM_AUTHENTICATE_SERVER_CERTIFICATE is set to Y, the tivcmd CLI validates the certificate of the Authorization Policy Server before accepting the connection. The public key of the Authorization Policy Server must be imported into the client keystore.
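The following Python code is an added illustration, not part of the IBM documentation and not the tivcmd CLI's own implementation. It models the client-side decision that steps 2 and 4 describe: the -s argument selects HTTPS, and only ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y makes the client verify the server certificate against the signer certificate it imported. Everything else is an assumption for illustration: the host name policy.example and port 16311, the environment variable ITM_POLICY_SERVER_TRUST_STORE that names the trust store file, and the use of a PEM (Base64-encoded .arm) file in place of a key database. It fails closed: with Y set but no usable trust store, no context is built at all.

```python
"""Added example (not IBM code): client TLS policy for the Authorization Policy Server.

Mirrors the roadmap above. ITM_AUTHENTICATE_SERVER_CERTIFICATE and the
tivcmd login -s argument come from the page; ITM_POLICY_SERVER_TRUST_STORE
(assumed name), the PEM trust-store format, and the sample host/port are
assumptions made for this illustration.
"""
import os
import ssl


def policy_server_url(host: str, port: int, secure: bool) -> str:
    """Build the request base URL; `secure` models the tivcmd login -s argument."""
    scheme = "https" if secure else "http"
    return f"{scheme}://{host}:{port}"


def classify_environment(env) -> str:
    """Return 'verify', 'unverified', or 'misconfigured' for a given environment.

    'verify'        - ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y and a trust store file exists.
    'unverified'    - the page's default: TLS is negotiated but no trust anchor is
                      consulted, so any certificate the peer presents is accepted.
    'misconfigured' - Y is set but no trust store was named or the file is missing.
    """
    authenticate = env.get("ITM_AUTHENTICATE_SERVER_CERTIFICATE", "N").upper() == "Y"
    if not authenticate:
        return "unverified"
    trust_store = env.get("ITM_POLICY_SERVER_TRUST_STORE")  # assumed variable name
    if not trust_store or not os.path.isfile(trust_store):
        return "misconfigured"
    return "verify"


def build_client_context(environ=None) -> ssl.SSLContext:
    """Create an SSLContext whose verification mode follows the tivcmd setting.

    Fails closed: when verification is requested but cannot be honoured, raise
    instead of silently falling back to an unverified connection.
    """
    env = os.environ if environ is None else environ
    status = classify_environment(env)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    if status == "misconfigured":
        raise FileNotFoundError(
            "ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y but no trust store containing the "
            "Authorization Policy Server signer certificate was found"
        )

    if status == "unverified":
        # check_hostname must be disabled before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    # status == "verify": require a chain to the imported signer and a matching host name.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Assumed PEM file, e.g. the signer certificate exported from WebSphere in Base64 form.
    ctx.load_verify_locations(cafile=env["ITM_POLICY_SERVER_TRUST_STORE"])
    if ctx.cert_store_stats()["x509_ca"] < 1:
        raise ValueError("trust store contains no CA certificate; import the signer certificate first")
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if a connection through ctx rejects a server certificate it cannot chain."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed sample values; on a real system the CLI reads its environment file.
    print(policy_server_url("policy.example", 16311, secure=True))
    ctx = build_client_context()
    print("server certificate verified:", verifies_peer(ctx))
```

Running the script with ITM_AUTHENTICATE_SERVER_CERTIFICATE unset reports that the peer is not verified; with Y and a valid ITM_POLICY_SERVER_TRUST_STORE pointing at the exported signer certificate it reports verification, and with Y but no trust store it stops with an error rather than connecting unverified.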
- Use the WebSphere generated certificates to configure TLS/SSL for the Authorization Policy Server
During the installation of the WebSphere Application Server used by the Authorization Policy Server and Dashboard Application Services Hub, a public signer certificate and a default private signed certificate are generated. You can use these certificates for TLS/SSL communication by extracting the public signer certificate.
- Use third party certificates to configure TLS/SSL for the Authorization Policy Server
You can use third party certificates to configure TLS/SSL for the Authorization Policy Server.
- Configure the tivcmd CLI for TLS/SSL
In order to use TLS/SSL with the Authorization Policy Server you must prepare the tivcmd Command-Line Interface, create a new key database, add the public signer certificate used by the Authorization Policy Server to the new key database, and then modify the tivcmd CLI environment variable file.
- Configure TLS/SSL communication between the portal server and the Authorization Policy Server
Add the public signer certificate used by the Tivoli Authorization Policy Server to the portal server's TEPS/e trust store to configure TLS/SSL.
Parent topic:
Securing communications