
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Sending private situation events by using TLS/SSL communication

You can now send your private situation events to a Netcool/OMNIbus EIF receiver probe using TLS/SSL communication. The destination Netcool/OMNIbus Probe for Tivoli EIF must be at version 12.0 or later.

To send private situation events by using TLS/SSL communication:

  1. For any monitoring agent, define one or more private situations in the agent’s situation XML file. See Private situations.

  2. Define one or more Netcool/OMNIbus event destinations (type="M") in the monitoring agent’s event destination XML file. Specify SSL="Y" for the associated <Server> element. See EIF event destination configuration XML specification.

    For more information about configuring TLS/SSL in Netcool/OMNIbus, see "Configuring an EIF receiver application for SSL" in the IBM Tivoli Netcool/OMNIbus Event Integration Facility Reference.

  3. Edit the monitoring agent’s environment file, where pc is the two-character product code:

    • Windows: install_dir\TMAITM6\kpccma.ini

    • Linux and UNIX: install_dir/config/pc.ini. For system monitoring agents, the configuration file is pc.environment.

    • z/OS: member KPCENV in &hilev.&rte.RKANPARU

    Set the following environment variables in the monitoring agent’s environment file.

    The TLS/SSL-related settings (KDEBE_FIPS_MODE_ENABLED and ITM_AUTHENTICATE_SERVER_CERTIFICATE) apply to every secure connection that the agent establishes with any destination (such as the monitoring server and the Warehouse Proxy agent), not only to the TLS/SSL connection with the destination Netcool/OMNIbus EIF probe.

    • IRA_EVENT_EXPORT_EIF=Y (Default)

    • KDEBE_FIPS_MODE_ENABLED=Y or N (Default)

      Specify the comparable value as defined for channel_nameSSLFIPSMode=ON|OFF in the EIF probe’s configuration file. For example, if channel_nameSSLFIPSMode=ON, then set KDEBE_FIPS_MODE_ENABLED=Y.

    • ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y or N (Default)

      Specify the comparable value as defined for channel_nameSSLRequireClientAuthentication=ON|OFF in the EIF probe’s configuration file. For example, if channel_nameSSLRequireClientAuthentication=ON, then set ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y.

      Enabling server certificate authentication ensures that the EIF probe is a trusted entity, because the probe must present a CA-signed digital certificate that the agent can validate before events are sent.

      Enabling server certificate authentication for the monitoring agent means that, for every secure connection the agent initiates, the target destination (such as the monitoring server or the Warehouse Proxy agent) must present a valid CA-signed digital certificate before the connection is established.

  4. IBM Tivoli Monitoring Version 6.3 and higher support TLSv1.1 and TLSv1.2 in addition to SSL V3 and TLSv1.0. The default ciphers supported for each protocol are:

    TLSv1.0 and TLSv1.1 (in preference order):

    • TLS_RSA_WITH_AES_128_CBC_SHA

    • TLS_RSA_WITH_AES_256_CBC_SHA

    • SSL_RSA_WITH_3DES_EDE_CBC_SHA

    TLSv1.2 (in preference order):

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_RSA_WITH_AES_128_GCM_SHA256

    • TLS_RSA_WITH_AES_256_GCM_SHA384

    • TLS_RSA_WITH_AES_128_CBC_SHA256

    • TLS_RSA_WITH_AES_256_CBC_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

    To override the TLSv1.0, TLSv1.1, or TLSv1.2 cipher specs, use the corresponding environment variable, GSK_TLSV10_CIPHER_SPECS, GSK_TLSV11_CIPHER_SPECS, or GSK_TLSV12_CIPHER_SPECS, to provide a comma-separated list of ciphers. This override is different from overriding the SSL V3 cipher list (KDEBE_V3_CIPHER_SPECS, described below). Refer to the relevant TLS RFCs for the cipher spec names. In the following example, the ciphers are separated by commas, with no spaces, on a single line:

      GSK_TLSV11_CIPHER_SPECS=TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    Note that an override list is used in place of the default list, so including an obsolete cipher such as TLS_RSA_WITH_DES_CBC_SHA (56-bit DES) makes it negotiable by the agent; include only the ciphers you actually need.

    Ensure that at least one of these ciphers is specified in the channel_nameSSLCipherList parameter of the EIF probe’s configuration file. If the probe’s list contains none of the agent’s default TLS and SSL ciphers, specify a cipher override with the KDEBE_V3_CIPHER_SPECS environment variable in the agent’s environment file.

    By default, the EIF probe’s configuration file specifies SSL_RSA_WITH_3DES_EDE_CBC_SHA, which matches one of the monitoring agent’s default ciphers, so you typically do not need to customize the agent’s cipher list. However, if the EIF probe’s channel_nameSSLCipherList parameter matches none of the monitoring agent’s ciphers, use KDEBE_V3_CIPHER_SPECS to specify the same cipher so that the TLS/SSL handshake can complete. The format of the environment variable is as follows:

    • KDEBE_V3_CIPHER_SPECS=nn

    where nn is the cipher’s short name.

    The following table lists each cipher’s short name and the corresponding long name that would be defined for the channel_nameSSLCipherList parameter. The NULL, export, RC4, and single-DES entries provide weak or no confidentiality and are listed for compatibility only; do not select them for new deployments.

    Short name   Long name
    01           SSL_RSA_WITH_NULL_MD5
    02           SSL_RSA_WITH_NULL_SHA
    03           SSL_RSA_EXPORT_WITH_RC4_40_MD5
    04           SSL_RSA_WITH_RC4_128_MD5
    05           SSL_RSA_WITH_RC4_128_SHA
    06           SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    09           SSL_RSA_WITH_DES_CBC_SHA
    0A           SSL_RSA_WITH_3DES_EDE_CBC_SHA
    2F           TLS_RSA_WITH_AES_128_CBC_SHA
    35           TLS_RSA_WITH_AES_256_CBC_SHA

    For example, if channel_nameSSLCipherList=SSL_RSA_WITH_DES_CBC_SHA is defined in the EIF probe's configuration file, set KDEBE_V3_CIPHER_SPECS=09 in the agent’s environment file.

    The KDEBE_V3_CIPHER_SPECS variable is ignored when KDEBE_FIPS_MODE_ENABLED=Y is defined. As a result, the default TLS and SSL ciphers are used.

  5. Recycle the monitoring agent to process the changes to the agent’s environment file, the private situation XML file, and the event destination XML file.
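The following Python script is an added example, not IBM code and not part of this documentation. It applies the matching rules from steps 3 and 4 to an agent environment file and the EIF probe’s configuration file: FIPS-mode parity (KDEBE_FIPS_MODE_ENABLED against channel_nameSSLFIPSMode), certificate-authentication parity (ITM_AUTHENTICATE_SERVER_CERTIFICATE against channel_nameSSLRequireClientAuthentication), the rule that KDEBE_V3_CIPHER_SPECS is ignored when FIPS mode is enabled, and the requirement that at least one cipher in channel_nameSSLCipherList be one the agent offers. It assumes both files are KEY=VALUE text and that the probe channel is named Channel1; the sample files are constructed, and the weak-cipher warning is the example’s own judgement rather than a rule from this topic.

```python
"""Consistency check between an ITM agent environment file and the EIF
probe's configuration, using the matching rules from this topic.
Added example, not IBM code.  Assumptions: both files are KEY=VALUE text,
the probe channel is named "Channel1", and the sample files are constructed.
"""
import re

# Agent default cipher lists from step 4.
DEFAULT_TLS10_11 = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_RSA_WITH_AES_256_CBC_SHA",
                    "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]
DEFAULT_TLS12 = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
]
# KDEBE_V3_CIPHER_SPECS short names, from the table in step 4.
SHORT_NAMES = {
    "01": "SSL_RSA_WITH_NULL_MD5", "02": "SSL_RSA_WITH_NULL_SHA",
    "03": "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "04": "SSL_RSA_WITH_RC4_128_MD5",
    "05": "SSL_RSA_WITH_RC4_128_SHA", "06": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "SSL_RSA_WITH_DES_CBC_SHA", "0A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA", "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Flagging these as weak is this example's own judgement, not a rule in the topic.
WEAK = re.compile(r"NULL|EXPORT|RC2|RC4|_DES_|3DES|MD5")


def parse_kv(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def agent_ciphers(env):
    """Set of cipher names the agent can offer after applying the override rules."""
    fips = env.get("KDEBE_FIPS_MODE_ENABLED", "N").upper() == "Y"
    offered = set()
    for var, default in (("GSK_TLSV10_CIPHER_SPECS", DEFAULT_TLS10_11),
                         ("GSK_TLSV11_CIPHER_SPECS", DEFAULT_TLS10_11),
                         ("GSK_TLSV12_CIPHER_SPECS", DEFAULT_TLS12)):
        if var in env:  # comma-separated override replaces the default list
            offered.update(c for c in env[var].split(",") if c)
        else:
            offered.update(default)
    code = env.get("KDEBE_V3_CIPHER_SPECS")
    if code and not fips:  # the short-name override is ignored in FIPS mode
        offered.add(SHORT_NAMES.get(code.upper(), "UNKNOWN:" + code))
    return offered


def check(agent_text, probe_text, channel="Channel1"):
    """Return a list of findings; an empty list means the two sides agree."""
    env, probe = parse_kv(agent_text), parse_kv(probe_text)
    findings = []
    if env.get("IRA_EVENT_EXPORT_EIF", "Y").upper() != "Y":
        findings.append("IRA_EVENT_EXPORT_EIF is not Y; the agent will not send EIF events")
    for agent_var, probe_key in (("KDEBE_FIPS_MODE_ENABLED", channel + "SSLFIPSMode"),
                                 ("ITM_AUTHENTICATE_SERVER_CERTIFICATE",
                                  channel + "SSLRequireClientAuthentication")):
        a_on = env.get(agent_var, "N").upper() == "Y"
        p_on = probe.get(probe_key, "OFF").upper() == "ON"
        if a_on != p_on:
            findings.append("%s=%s but %s=%s" % (agent_var, "Y" if a_on else "N",
                                                  probe_key, "ON" if p_on else "OFF"))
    probe_list = [c for c in probe.get(channel + "SSLCipherList", "").split(",") if c]
    common = [c for c in probe_list if c in agent_ciphers(env)]
    if not common:
        findings.append("no cipher in %sSSLCipherList is offered by the agent: %s"
                        % (channel, probe_list))
    findings.extend("negotiable cipher %s is weak by current standards" % c
                    for c in common if WEAK.search(c))
    return findings


# Constructed samples. Probe: FIPS mode, client authentication, single-DES only.
PROBE_CONF = """# EIF receiver channel settings (constructed)
Channel1SSLFIPSMode=ON
Channel1SSLRequireClientAuthentication=ON
Channel1SSLCipherList=SSL_RSA_WITH_DES_CBC_SHA
"""
# Agent at defaults plus a DES override: FIPS and auth settings disagree.
AGENT_INI_BEFORE = "IRA_EVENT_EXPORT_EIF=Y\nKDEBE_FIPS_MODE_ENABLED=N\nKDEBE_V3_CIPHER_SPECS=09\n"
# Same agent with FIPS mode and server authentication on: 09 is now ignored.
AGENT_INI_FIPS = ("IRA_EVENT_EXPORT_EIF=Y\nKDEBE_FIPS_MODE_ENABLED=Y\n"
                  "ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y\nKDEBE_V3_CIPHER_SPECS=09\n")
# Corrected probe list: one of the agent's default AES ciphers.
PROBE_CONF_FIXED = PROBE_CONF.replace("SSL_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA")

if __name__ == "__main__":
    for label, agent, probe in (("before", AGENT_INI_BEFORE, PROBE_CONF),
                                ("fips only", AGENT_INI_FIPS, PROBE_CONF),
                                ("fixed", AGENT_INI_FIPS, PROBE_CONF_FIXED)):
        print(label, check(agent, probe) or "OK")
```

Run against the three constructed pairs, the script reports the FIPS and authentication mismatches and the weak DES cipher for the first pair, reports only the missing common cipher for the second (because the 09 override is dropped once KDEBE_FIPS_MODE_ENABLED=Y), and reports nothing for the corrected pair. Point parse_kv at the real agent .ini and EIF configuration file contents to check a live deployment before recycling the agent.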

