6 Enabling SSL for HTTPS

This chapter provides the following procedures for configuring the IBM Tivoli Netcool/OMNIbus Connector to use the HTTPS protocol:

Configure Oracle Enterprise Manager to Use SSL

If the web service for Netcool/OMNIbus was configured to run using the HTTPS protocol, you must perform the following steps to set up SSL:

  1. Install an SSL certificate in the web service for Netcool/OMNIbus keystore. You must either install a self-signed certificate or install a certificate obtained from a Certificate Authority (CA).

  2. Restart the web service for Netcool/OMNIbus for the changes to take effect.

  3. Import the SSL certificate from the web service for Netcool/OMNIbus keystore into the Enterprise Manager keystore as specified in Importing the Web Service Certificate into Enterprise Manager.

Installing a Self-Signed Certificate

To generate and install a self-signed SSL certificate for the Netcool/OMNIbus adapter web service:

  1. Open a command prompt window and change the working directory to the adapters/conf directory in the web service for Netcool/OMNIbus installation directory.

  2. Enter the following command to delete the default SSL entry from the web service for Netcool/OMNIbus keystore:

    • Unix

      $JAVA_HOME/bin/keytool -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
  3. Enter the following command to generate a new certificate and place it in the web service for Netcool/OMNIbus keystore. You will need to replace <hostname> with the host name or IP address of the system where the web service for Netcool/OMNIbus is installed.

    Note:

    The host name in the certificate must match the host name or IP address the web service uses. If they do not match, a failure occurs when Enterprise Manager attempts to invoke the web service.

    • Unix

      $JAVA_HOME/bin/keytool -genkey -alias iwave -keyalg RSA -keysize 1024 -dname "CN=<hostname>, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US" -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -genkey -alias iwave -keyalg RSA -keysize 1024 -dname "CN=<hostname>, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US" -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      

Installing a Certificate from a Certificate Authority

To request and install a signed SSL certificate for the web service for Netcool/OMNIbus:

  1. Request a certificate for the web service for Netcool/OMNIbus from a Certificate Authority, such as VeriSign.

    Note:

    In the certificate request, make sure to specify the host name or IP address of the system where the web service for Netcool/OMNIbus is installed. The host name in the certificate must match the host name or IP address the web service uses. If they do not match, a failure occurs when Enterprise Manager attempts to invoke the web service.

  2. After you obtain the certificate from the Certificate Authority, open a command prompt window and change the working directory to the adapters/conf directory in the web service for Netcool/OMNIbus installation directory.

  3. Enter the following command to delete the default SSL entry from the web service for Netcool/OMNIbus keystore:

    • Unix

      $JAVA_HOME/bin/keytool -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
  4. Enter the following command to install the certificate, where <certificateFile> is the full path name of the file provided by the Certificate Authority:

    • Unix

      $JAVA_HOME/bin/keytool -importcert -alias iwave -file <certificateFile> -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -importcert -alias iwave -file <certificateFile> -keypass iwavepw -storepass iwavepw -keystore keystore.jks
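
A post-install check for either procedure above, as an added example that is not part of the original guide: it reads `keytool -list -v -alias iwave -keystore keystore.jks` output and reports whether the alias holds a private-key entry (which the web service needs to serve HTTPS), whether the certificate CN equals the host name the web service uses, and whether the RSA key is shorter than 2048 bits (the self-signed command above generates 1024). The function names, finding labels and sample output are constructed for illustration, and the field labels assume a JDK whose keytool prints the "Subject Public Key Algorithm" line.

```shell
#!/bin/sh
# Added example, not Oracle's or IBM's tooling.
# Usage: keytool -list -v -alias iwave -keystore keystore.jks | check_entry <hostname>
# Prints one finding per line and returns 1 if there is any finding.
check_entry() {
    awk -v host="$1" -v minbits=2048 '
        /^Entry type:/ { type = $3 }
        /^Owner:/ && !seen {            # first Owner line is the end-entity certificate
            seen = 1
            n = split(substr($0, 8), rdn, /, */)
            for (i = 1; i <= n; i++) if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)
        }
        # Older JDKs omit this line; the key-size check is then skipped.
        /^Subject Public Key Algorithm:/ && !bits { bits = $5 + 0 }
        END {
            if (type != "PrivateKeyEntry") { print "ENTRY_TYPE " type; f++ }
            if (tolower(cn) != tolower(host)) { print "CN_MISMATCH " cn; f++ }
            if (bits && bits < minbits) { print "WEAK_KEY " bits; f++ }
            exit (f ? 1 : 0)
        }'
}

# Constructed sample modelled on keytool output for the self-signed command above.
sample_output() {
    cat <<'EOF'
Alias name: iwave
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=omnibus01.example.com, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US
Issuer: CN=omnibus01.example.com, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}

sample_output | check_entry omnibus01.example.com || true   # prints: WEAK_KEY 1024
```
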
      

Importing the Web Service Certificate into Enterprise Manager

To import the web service for Netcool/OMNIbus SSL certificate into the Enterprise Manager keystore:

  1. Open a command prompt window and change the working directory to the adapters/conf directory in the web service for Netcool/OMNIbus installation directory.

  2. Issue the following command to extract the SSL certificate from the web service for Netcool/OMNIbus keystore and place it in the OMNIbusws.cer certificate file:

    • Unix

      $JAVA_HOME/bin/keytool -exportcert -rfc -alias iwave -file OMNIbusws.cer -keystore keystore.jks -storepass iwavepw
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -exportcert -rfc -alias iwave -file OMNIbusws.cer -keystore keystore.jks -storepass iwavepw
      
  3. Transfer the certificate file OMNIbusws.cer to the system where Enterprise Manager is installed.

  4. Append the contents of the OMNIbusws.cer file to:

    $INSTANCE_HOME/sysman/config/b64LocalCertificate.txt
    
  5. Ensure that only the following lines are appended to the b64LocalCertificate.txt file (that is, do not include blank lines, comments, or any other special characters):

    -----BEGIN CERTIFICATE-----
    <<<Certificate in Base64 format>>>
    -----END CERTIFICATE-----
    
  6. Restart OMS by running the following commands:

    emctl stop oms
    emctl start oms
    

    Note:

    Do not run the emctl secure oms/agent command after adding the external certificate to the b64LocalCertificate.txt file. If you run the emctl secure command later, then repeat steps 4 through 6 to make sure the external certificate exists in the b64LocalCertificate.txt file.
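
Steps 4 and 5 as a script, added here as an example and not part of the original guide: it extracts only the certificate block from the exported file, drops carriage returns, blank lines and anything outside the BEGIN/END markers, and appends the block once. The function names and the sample file are constructed; pass the b64LocalCertificate.txt path from step 4 as the second argument.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Usage: append_cert OMNIbusws.cer <trust-file>

# Print the first CERTIFICATE block of file $1 with CRs, edge whitespace and
# blank lines removed. Fails if the block is incomplete, empty or not Base64.
extract_pem() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        !seen && !inblk && $0 == "-----BEGIN CERTIFICATE-----" { inblk = 1; print; next }
        inblk && $0 == "-----END CERTIFICATE-----" { print; inblk = 0; seen = 1; next }
        inblk && $0 == "" { next }
        inblk && $0 !~ /^[A-Za-z0-9+\/]+=?=?$/ { bad = 1 }
        inblk { print; n++ }
        END { exit !(seen && n && !bad) }
    ' "$1"
}

# Print each certificate body in file $1 as one line, for comparison.
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { b = ""; next }
         /^-----END CERTIFICATE-----/   { print b; next }
         { b = b $0 }' "$1"
}

# Append the certificate in $1 to trust file $2.
# Returns 0 if appended, 2 if already present, 1 if $1 has no valid block.
append_cert() {
    tmp=$(mktemp) || return 1
    if ! extract_pem "$1" > "$tmp"; then rm -f "$tmp"; return 1; fi
    body=$(pem_bodies "$tmp")
    if [ -f "$2" ] && pem_bodies "$2" | grep -qxF -- "$body"; then
        rm -f "$tmp"; return 2
    fi
    # Terminate an unterminated last line so BEGIN starts on its own line.
    if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then printf '\n' >> "$2"; fi
    cat "$tmp" >> "$2"
    rm -f "$tmp"
}

# Constructed sample: export file with CRLF endings, a comment and blank lines.
# The Base64 text is a placeholder, not a real certificate.
make_sample() {
    printf '# exported from keystore.jks\r\n\r\n-----BEGIN CERTIFICATE-----\r\n' > "$1"
    printf 'TUlJQ3BsYWNlaG9sZGVy\r\nQ0VSVElGSUNBVEU=\r\n\r\n-----END CERTIFICATE-----\r\n' >> "$1"
}
```

Because a certificate that is already present is skipped (return code 2), the script can be run again when steps 4 through 6 have to be repeated without creating duplicate entries.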