
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Use third-party certificate authority signed certificates for the portal server

You can use third-party certificates to configure TLS/SSL for the dashboard data provider. To do so, add the certificate authority's signer certificate and your private digital certificate to the key database managed by GSKit, and to the trust and key stores used by TEPS/e.

Obtain the certificate authority's signer certificate.

Ensure the TEPS/e administration console is enabled. For detailed steps, including information on how to log on, see Start the TEPS/e administration console.


Procedure

  1. Use either the TEPS/e administration console or the GSKit command-line interface to create a private certificate request to be signed by the certificate authority. The following instructions explain how to perform this step using the TEPS/e administration console.

    1. Log on to the TEPS/e administration console.

    2. Select Security → SSL certificate and key management.

    3. In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultKeyStore link.

    4. In the Additional Properties area, click the Personal certificate requests link and in the page that is displayed, click New.

    5. In the page that is displayed specify the following information:

      • Set File name to the location to store the private certificate request. For example, C:\dashboardcerts\TEPSCertRequest.arm.

      • Set the Key label to the desired label for the certificate. For example, TEPS Certificate.

      • Set the Key size to 2048.

      • Leave the Signature algorithm as SHA1withRSA.

      • Set the Common name to a unique name for the TEPS/e computer. Typically, this is a hostname.

      • Set Organization to a meaningful value. Typically, this is a company name.

      • Set Organization unit to a meaningful name. For example, TEPS.

      • Set Country or region to the desired value. For example, US.

    6. Click OK, then Save.

  2. Send the certificate request generated above to the certificate authority to request a new digital certificate. The certificate authority can take two to three weeks to generate the new digital certificate.

  3. After the certificate authority returns your new digital certificate, save it to a location on the computer where the portal server and TEPS/e are installed. For example, C:\dashboardcerts\TEPSSignedCert.arm.

  4. Use the GSKit command-line interface to create a new key database of type CMS and save the key database's password to a stash file. Then import the certificate authority's signer certificate and the new digital certificate into the new key database. This key database is used by the portal server's embedded HTTP server.

  5. You must also add the certificate authority public signer certificate into the TEPS/e trust store using the TEPS/e administration console.

    1. Log on to the TEPS/e administration console.

    2. Select Security → SSL certificate and key management.

    3. In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultTrustStore link.

    4. In the Additional Properties area, click the Signer certificates link and in the page that is displayed, click Add.

    5. In the page that is displayed specify the following information:

      • Set Alias to the desired label for the certificate. For example, TEPS Signer Certificate.

      • Set File name to the location of the extracted certificate authority signer certificate. For example, C:\dashboardcerts\CASignerCert.arm.

      • Leave the Data type as Base64-encoded ASCII data.

    6. Click OK, then Save.

  6. Receive the signed digital certificate into the TEPS/e key store using the TEPS/e administration console.

    1. Log on to the TEPS/e administration console.

    2. Select Security → SSL certificate and key management.

    3. In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultKeyStore link.

    4. In the Additional Properties area, click the Personal certificates link and in the page that is displayed, click Receive from a certificate authority.

    5. In the page that is displayed specify the following information:

      • Set File name to the location of the signed digital certificate. For example, C:\dashboardcerts\TEPSSignedCert.arm.

      • Leave the Data type as Base64-encoded ASCII data.

    6. Click OK, then Save.

  7. Set the new private certificate as the default server certificate for TEPS/e.

    1. Log on to the TEPS/e administration console.

    2. Select Security → SSL certificate and key management.

    3. In the Related Items area, click the SSL configurations link and in the table click the NodeDefaultSSLSettings link.

    4. In the page that is displayed, click Default server certificate alias and choose the signed TEPS/e certificate. For example, TEPS Certificate.

    5. Click OK, then Save.

    6. Select Security → SSL certificate and key management again.

    7. Click on the Manage endpoint security configurations link.

    8. Click on the node name link under Inbound → thecellname → nodes.

    9. Click Certificate alias in key store and choose the signed TEPS/e certificate. For example, TEPS Certificate.

    10. Click OK, then Save.
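
A check worth running after step 3 and before the certificate is imported in steps 4 to 6, as an added example that is not part of the IBM documentation: it confirms that the returned file carries the public key from your request and verifies against the signer certificate. The Signature algorithm set in step 1 applies to the request itself, while the certificate authority chooses the algorithm that signs the issued certificate, so the check prints it for review. Assumptions: the OpenSSL command-line tool is installed, the certificate authority signs directly with the signer certificate, and the function names and constructed test files are illustrative.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes the OpenSSL command-line tool is installed.

# check_signed_cert REQUEST SIGNED_CERT CA_SIGNER
# Returns 0 only if the certificate carries the public key from the request
# and verifies against the signer certificate. Assumes the CA signs directly
# with the signer certificate (no intermediate certificates).
# Return codes: 1 = key mismatch, 2 = does not verify, 3 = unreadable input.
check_signed_cert() {
  req_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 3
  crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 3
  if [ "$req_key" != "$crt_key" ]; then
    echo "FAIL: certificate public key does not match the request" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "FAIL: certificate does not verify against the signer certificate" >&2
    return 2
  fi
  # Show what is about to be imported: subject, expiry, signature algorithm.
  openssl x509 -in "$2" -noout -subject -enddate
  openssl x509 -in "$2" -noout -text | grep -m1 'Signature Algorithm'
}

# make_constructed_sample DIR
# Builds throwaway test files (constructed data, not real certificates):
# a test CA, a request with field values like those in step 1, and two signed
# certificates, one for that request and one for an unrelated key.
make_constructed_sample() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/CASignerCert.arm" 2>/dev/null
  for n in TEPS Other; do
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/C=US/O=Example/OU=TEPS/CN=teps.example.com" \
      -keyout "$d/$n.key" -out "$d/${n}CertRequest.arm" 2>/dev/null
    openssl x509 -req -in "$d/${n}CertRequest.arm" -CA "$d/CASignerCert.arm" \
      -CAkey "$d/ca.key" -CAcreateserial -days 1 \
      -out "$d/${n}SignedCert.arm" 2>/dev/null
  done
}
```

Against the real files, the call is `check_signed_cert TEPSCertRequest.arm TEPSSignedCert.arm CASignerCert.arm`; a non-zero return means the file should not be received into the key store until the mismatch is explained.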

