
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Certificate management

If the Netcool/OMNIbus EIF probe uses a CA-signed digital certificate and channel_nameSSLRequireClientAuthentication=YES is specified in the probe’s configuration file, you must ensure that a corresponding CA-signed digital certificate has been imported into the monitoring agent’s key database.

Configuring a monitoring agent’s key database requires a certificate management tool, which can be run in either GUI or CLI mode. Both modes of operation require a Java Runtime Environment to be available on the local system where the management tool is invoked. Typical environments require a minimum of IBM JRE V6. You also must ensure that the JAVA_HOME environment variable points to the IBM Java location. See Set the JRE for GSKit and starting Key Manager.

IBM Tivoli Monitoring and Netcool/OMNIbus rely on GSKit for their SSL implementations. IBM Tivoli Monitoring V6.3 or later installs GSKit V8, which provides the GUI utility in the gsk8ikm binary and the CLI utility in the <gskittoolcmd> binary. Netcool/OMNIbus is based on GSKit V8, which runs only in CLI mode; for GUI mode, use the iKeyman utility, which is included in IBM JRE V6 or later.

IBM Tivoli Monitoring requires a CMS-type key database, whereas Netcool/OMNIbus requires a Java Key Store (JKS) database. The keyfile.kdb CMS key database file is installed in the install_dir\keyfiles directory. However, you cannot use this database in its current form if you require a CA-signed digital certificate when sending events over an SSL connection to the Netcool/OMNIbus EIF probe.

Complete agent certificate management tasks using the iKeyman utility. Instructions in the example show how to do the following tasks:


Example

The example monitoring agent runs on a Windows system and includes a key database file called omnieif.kdb with a password of ITMPWD, a previously configured Netcool/OMNIbus keystore file called omni.jks with a password of EIFPWD, and a certificate label named eifca. A copy of the omni.jks file is locally available in the install_dir\keyfiles directory.

GSKit keystore configuration (GUI mode): To invoke the GSKit GUI tool on a Windows system, complete the following steps:

  1. Run the install_dir\GSK8\bin\gsk8ikm.exe command file. The IBM Key Management GUI is displayed. If an error occurs, verify that a JRE is installed and that JAVA_HOME is set correctly.

  2. In the menu bar, click Key Database File > New. Enter the following information and click OK:

    • Key database type: CMS

    • File Name: omnieif.kdb

    • Location: install_dir\keyfiles\

  3. Set the keystore password and click OK:

    • Password: ITMPWD

    • Confirm Password: ITMPWD

    • Expiration time: 366 Days

    • Stash the password to a file

  4. Ensure that Personal Certificates is displayed in the Key database content menu. Click Import, enter the following information, and then click OK:

    • Key file type: JKS

    • File Name: omni.jks

    • Location: OMNIbus_keystore_dir\

  5. Enter the password to open the source key database: EIFPWD. Click OK.

  6. Select keys from the key list of the source key database. Select the label eifca. Click OK.

  7. When prompted with "Would you like to change any of these labels before completing the import process?", click OK without changing any labels.

  8. Exit the IBM Key Management window.

  9. Edit the monitoring agent’s environment file and set the following values:

    • KDEBE_KEYRING_FILE=install_dir\keyfiles\omnieif.kdb

    • KDEBE_KEYRING_STASH=install_dir\keyfiles\omnieif.sth

    • KDEBE_KEY_LABEL=eifca

  10. Restart the agent so that the new CMS key database is used.

GSKit keystore configuration (CLI mode): If the IBM Key Management GUI utility is not available, you can use the GSKit CLI tool on Windows to perform the certificate import function. By using the same values chosen in the GUI example, the commands are as follows:

  1. From the command line, cd to the install_dir\keyfiles directory and create the database file:

    install_dir\GSK8\bin\gsk8cmd.exe -keydb -create -db omnieif.kdb -pw ITMPWD -type CMS -stash -expire 366

  2. Run the following command to import the Netcool/OMNIbus certificate:

    install_dir\GSK8\bin\gsk8cmd.exe -cert -import -file OMNIbus_keystore_dir\omni.jks -pw EIFPWD -label eifca -type JKS -target omnieif.kdb -target_pw ITMPWD

    As in the GUI example, you must update these values in the agent’s environment file:

    • KDEBE_KEYRING_FILE=install_dir\keyfiles\omnieif.kdb

    • KDEBE_KEYRING_STASH=install_dir\keyfiles\omnieif.sth

    • KDEBE_KEY_LABEL=eifca
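
A way to check the result of either procedure, as an added example that is not part of the IBM documentation: the PowerShell script below reads the three KDEBE_* values from the agent's environment file, confirms that both files exist, flags stash-file permissions granted to broad groups, and uses gsk8cmd -cert -list to confirm that the configured label is in the key database. The parameter names, the environment-file path you pass, and the assumption that the file holds absolute paths in KEY=VALUE form are not taken from the page.

```powershell
# Added example, not IBM's code: check the agent's KDEBE_* settings after the import.
# $EnvFile (agent environment file) and $GskCmd (install_dir\GSK8\bin\gsk8cmd.exe)
# are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $EnvFile,
    [Parameter(Mandatory)] [string] $GskCmd
)

$keys = 'KDEBE_KEYRING_FILE', 'KDEBE_KEYRING_STASH', 'KDEBE_KEY_LABEL'
$cfg = @{}
foreach ($line in Get-Content -LiteralPath $EnvFile) {
    if ($line -match '^\s*(KDEBE_\w+)\s*=\s*(.*?)\s*$' -and $keys -contains $Matches[1]) {
        $cfg[$Matches[1]] = $Matches[2]   # a later assignment overrides an earlier one
    }
}

$problems = @()
foreach ($key in $keys) {
    if (-not $cfg[$key]) { $problems += "$key is not set in $EnvFile" }
}
foreach ($key in 'KDEBE_KEYRING_FILE', 'KDEBE_KEYRING_STASH') {
    if ($cfg[$key] -and -not (Test-Path -LiteralPath $cfg[$key] -PathType Leaf)) {
        $problems += "$key points to a missing file: $($cfg[$key])"
    }
}

if (-not $problems) {
    $kdb = $cfg['KDEBE_KEYRING_FILE']; $stash = $cfg['KDEBE_KEYRING_STASH']; $label = $cfg['KDEBE_KEY_LABEL']
    # The stash file unlocks the key database, so flag Allow entries for broad groups
    # (English group names; adjust on localized systems).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -LiteralPath $stash).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            $problems += "Stash file $stash has an Allow entry for $($ace.IdentityReference.Value)"
        }
    }
    # List the database contents and confirm the configured label is present.
    $secure = Read-Host -AsSecureString "Password for $kdb"
    $plain = [System.Net.NetworkCredential]::new('', $secure).Password
    $listing = & $GskCmd -cert -list -db $kdb -pw $plain 2>&1
    if (-not ($listing -match [regex]::Escape($label))) {
        $problems += "Label '$label' not found in $kdb"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'KDEBE_* settings, key files and certificate label are consistent.'
```

The label test is a substring match on the gsk8cmd listing, so a label that is a prefix of another label also passes; inspect the listing by hand when labels are similar.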

