IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Securing communications
To secure communication between Tivoli Enterprise Monitoring Agents, Tivoli Enterprise Monitoring Servers, and the Tivoli Enterprise Portal Server, use SPIPE as the protocol when you configure communications between the portal server and the hub monitoring server, between hub and remote monitoring servers, and between monitoring agents and monitoring servers.
Two additional protocols are used to secure communication between Tivoli Enterprise Portal clients and the portal server:
- Secure Hypertext Transport Protocol (HTTPS) to retrieve files and Interoperable Object Reference (IOR)
- Internet Inter-ORB Protocol (IIOP) to secure the communications between the portal server and client
By default, both protocols are used. However, you can configure a portal client to use just HTTPS to communicate with the portal server.
HTTPS can also be used to secure communication between these components:
- Dashboard Application Services Hub and the IBM Tivoli Monitoring dashboard data provider
- tacmd Command-Line Interface and the hub Tivoli Enterprise Monitoring Server
- tivcmd Command-Line Interface for Authorization Policy and the Dashboard Application Services Hub where the Tivoli Authorization Policy Server is installed
- The Open Services Lifecycle Collaboration Performance Monitoring service provider and Registry Services, Security Services, and OSLC clients
- Tivoli Integrated Portal and the portal server's IBM Tivoli Monitoring charting web service
In addition, these types of secure communication are also supported:
- Use TLS/SSL to secure communication between the hub monitoring server and an LDAP server
- Use TLS/SSL to secure communication between the portal server and an LDAP server
- Use TLS/SSL to secure communication between a monitoring agent and the IBM Tivoli Netcool/OMNIbus Probe for Tivoli EIF Version 12 or later
In addition to choosing a protocol such as IP.SPIPE or HTTPS that supports secure communications, you set up TLS/SSL asymmetric encryption through the use of public-private key files, which involves performing the following tasks:
- Work with a key database
- Request a new public-private key pair if you do not want to use the self-signed certificate shipped with the product
- Add a certificate authority signer certificate and signed digital certificate to your key database if you do not want to use the self-signed certificates shipped with the product
- Add the signer certificates for the applications that IBM Tivoli Monitoring components send requests to
- Enable components to perform certificate authentication
Requesting new certificates is best practice, but you can also use the self-signed certificates shipped with the product in a test environment to become familiar with the procedures for setting up secure communications.
IBM Tivoli Monitoring provides two applications that are used to work with keys and certificate stores when setting up secure communications:
- The Global Security Toolkit (GSKit) program is installed with IBM Tivoli Monitoring components on distributed platforms. It includes the iKeyman utility and a command-line interface for working with certificates and keys.
- The Tivoli Enterprise Portal Server extended services (TEPS/e) administration console (also called ISCLite) is used with the portal server to secure communications for the services running in TEPS/e.
A default self-signed certificate and key are provided when you install IBM Tivoli Monitoring. If you prefer to use a certificate authority signed certificate, use the GSKit utilities to create a certificate request, and then create a key database and import the certificates. A stash file provides the key database password for unattended operation. When GSKit is installed with an IBM Tivoli Monitoring component, the key file names are specified using the following environment variables:
- KDEBE_KEYRING_FILE=C:\IBM\ITM\keyfiles\keyfile.kdb
- KDEBE_KEYRING_STASH=C:\IBM\ITM\keyfiles\keyfile.sth
- KDEBE_KEY_LABEL=IBM_Tivoli_Monitoring_Certificate
If the keyring file, stash file, or label used for the new certificate in the key store is changed, you must complete the following steps:
- Update all configuration files with the respective environment variable. For example, with the environment variable KDEBE_KEY_LABEL=Custom_Certificate_Label_Name, you would update the following files:
  - On Linux and UNIX, update the agent configuration (.ini) files directly.
  - On Windows, update the variables using Manage Tivoli Enterprise Monitoring Services or update the agent environment (*ENV) files directly.
- Update the Tivoli Enterprise Monitoring Server ms_<hub_monitoring_server>.config file with the same variables but with the values in single quotes ('). For example, KDEBE_KEY_LABEL='Custom_Certificate_Label_Name'.
- Restart each component.
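A drift check for the three KDEBE_* settings across the files named in the steps above, added here as an example and not part of the product or this guide. It applies the page's quoting rule (single quotes in ms_<hub_monitoring_server>.config, bare values in agent .ini and *ENV files) and flags any file whose key database, stash file or label disagrees with the others; the file names and paths in SAMPLE_FILES are constructed.

```python
import re

# Environment variables that name the key database, stash file and certificate label.
KDEBE_VARS = ("KDEBE_KEYRING_FILE", "KDEBE_KEYRING_STASH", "KDEBE_KEY_LABEL")
_ASSIGN = re.compile(r"^\s*(KDEBE_\w+)\s*=\s*(.*?)\s*$")


def parse_kdebe(text):
    """Return {variable: raw value} for the KDEBE_* assignments in one configuration file."""
    found = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1) in KDEBE_VARS:
            found[m.group(1)] = m.group(2)
    return found


def check_kdebe_consistency(files):
    """files: {filename: contents}. Returns a list of findings; an empty list means consistent.

    ms_<hub>.config values must be single-quoted, agent .ini / *ENV values must be bare;
    after unquoting, every file must agree on all three values.
    """
    findings, canonical = [], {}
    for name, text in files.items():
        is_ms_config = name.startswith("ms_") and name.endswith(".config")
        values = parse_kdebe(text)
        for var in KDEBE_VARS:
            if var not in values:
                findings.append(f"{name}: {var} is not set")
                continue
            raw = values[var]
            quoted = len(raw) >= 2 and raw[0] == raw[-1] == "'"
            if is_ms_config and not quoted:
                findings.append(f"{name}: {var} must be single-quoted in ms_*.config")
            elif not is_ms_config and quoted:
                findings.append(f"{name}: {var} must not be quoted in agent files")
            bare = raw[1:-1] if quoted else raw
            ref_name, ref = canonical.setdefault(var, (name, bare))  # first file seen is the reference
            if bare != ref:
                findings.append(f"{name}: {var}={bare!r} differs from {ref_name} ({ref!r})")
    return findings


# Constructed sample files (not from a real installation): the hub was relabelled, the agent was not.
SAMPLE_FILES = {
    "ms_HUB.config": "KDEBE_KEYRING_FILE='/opt/IBM/ITM/keyfiles/keyfile.kdb'\n"
                     "KDEBE_KEYRING_STASH='/opt/IBM/ITM/keyfiles/keyfile.sth'\n"
                     "KDEBE_KEY_LABEL='Custom_Certificate_Label_Name'\n",
    "agent.ini": "KDEBE_KEYRING_FILE=/opt/IBM/ITM/keyfiles/keyfile.kdb\n"
                 "KDEBE_KEYRING_STASH=/opt/IBM/ITM/keyfiles/keyfile.sth\n"
                 "KDEBE_KEY_LABEL=IBM_Tivoli_Monitoring_Certificate\n",  # stale default label
}
```

Running `check_kdebe_consistency(SAMPLE_FILES)` on the constructed input reports the stale agent label; an agent still pointing at the old label will fail the TLS handshake with a relabelled hub after restart, so this catches the mismatch before restarting components.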
Work with the administrators of the other products that IBM Tivoli Monitoring communicates with to set up secure communications. If you are using any of the Jazz for Service Management components (Dashboard Application Services Hub, Registry Services, or Security Services) with IBM Tivoli Monitoring, use the WebSphere Application Server administration console to work with their trust and certificate stores.
The following table lists the communication flows that can be secured and where to find information on how to secure the interaction.
Unless otherwise stated, the tasks below are used to set up TLS/SSL and server certificate authentication. When server certificate authentication is used, the client (the source of the request) authenticates the certificate it receives from the server (the target of the request).
Tasks to secure communication

Task: Use TLS/SSL between the Tivoli Enterprise Portal clients and the portal server.
Where to find information: See "Using SSL between the portal server and the client" in the IBM Tivoli Monitoring Installation and Setup Guide.

Task: Use IP.SPIPE with certificate validation to secure communication for these interactions:
- hub and remote monitoring server communication
- hub monitoring server and portal server communication
- monitoring server and monitoring agent communication
Use HTTPS with certificate validation to secure communications for these interactions:
- tacmd CLI or SOAP client to hub monitoring server communication
- requests to the monitoring server, portal server, and monitoring agent service console
Where to find information: See the ITM Certificate Authentication Configuration Guide for ITM V6.2.2 and later in the IBM Tivoli Monitoring Wiki.

Task: Use TLS/SSL between the hub monitoring server and an LDAP server.
Where to find information: Configure TLS/SSL communication between the hub monitoring server and the LDAP server

Task: Use TLS/SSL between the portal server and an LDAP server.
Where to find information: Configure TLS/SSL communication between the portal server and the LDAP server

Task: Use TLS/SSL when the IBM Dashboard Application Services Hub sends requests to the IBM Tivoli Monitoring dashboard data provider.
Where to find information: Configure TLS/SSL communication between Dashboard Application Services Hub and the dashboard data provider

Task: Use TLS/SSL when the dashboard data provider sends requests to retrieve authorization policies from the Authorization Policy Server.
Where to find information: Configure TLS/SSL communication with the Authorization Policy Server

Task: Use TLS/SSL when the tivcmd Command-Line Interface for Authorization Policy sends requests to the Authorization Policy Server.
Where to find information: Configure TLS/SSL communication with the Authorization Policy Server

Task: Use TLS/SSL for sending private situation events from monitoring agents to the IBM Tivoli Netcool/OMNIbus Probe for Tivoli EIF. For this interaction, client certificate authentication is configured so that the probe uses certificates to authenticate the monitoring agents (the clients).
Where to find information: Sending private situation events by using TLS/SSL communication

Task: Use TLS/SSL when Tivoli Business Service Manager or Tivoli Integrated Portal sends HTTPS requests to the portal server's charting web service.
Where to find information: "Tivoli Business Service Manager and Tivoli Enterprise Portal Server integration over SSL" in the IBM Tivoli Monitoring Installation and Setup Guide.

Task: Enable the Federal Information Processing Standard (FIPS) for IBM Tivoli Monitoring components.
Where to find information: Enable FIPS for IBM Tivoli Monitoring

Task: After updating the IBM Tivoli Monitoring certificate, import the TEPS/e certificates into the portal server keyfile database to ensure the portal server web server plug-in and TEPS/e can continue to communicate securely.
Where to find information: Import the TEPS/e certificates into the portal server keyfile database

Task: To use HTTPS in a dashboard environment that is using an HTTP server to load balance multiple portal servers, you must configure TLS/SSL communication from the HTTP server to the portal server.
Where to find information: Configure TLS/SSL communication between the load balancing HTTP Server and each portal server's local HTTP server

Task: To use HTTPS in a dashboard environment that is using an HTTP server to load balance multiple portal servers, you must configure TLS/SSL communication from the Dashboard Application Services Hub to the HTTP server.
Where to find information: Configure TLS/SSL communication between Dashboard Application Services Hub and an HTTP server used for load balancing multiple portal servers
See
- Configure TLS/SSL communication between the hub monitoring server and the LDAP server
- Configure TLS/SSL communication between Dashboard Application Services Hub and the dashboard data provider
- Configure TLS/SSL communication with the Authorization Policy Server
- Configure TLS/SSL communication between the load balancing HTTP Server and each portal server's local HTTP server
- Configure TLS/SSL communication between Dashboard Application Services Hub and an HTTP server used for load balancing multiple portal servers
- Enable FIPS for IBM Tivoli Monitoring
- Enable SP800-131a for IBM Tivoli Monitoring
- Import the TEPS/e certificates into the portal server keyfile database
- Use the GSKit command-line interface to work with key databases and certificates
- Use the GSKit iKeyman utility to work with key databases and certificates