
Setting Up SSL Client Authentication

SSL client authentication validates that the client is trusted by the server: during the SSL handshake the client presents its own certificate, and the server accepts the connection only if that certificate was signed by a certificate authority the server trusts.

Note: Setting up SSL client authentication is optional.

To set up SSL client authentication:

  1. Set up SSL (as described in the previous section).

  2. Set up your own certificate authority.

    Remove all other certificate authorities from the monitoring web server's key store, so that your authority is the only one it trusts. The monitoring web server trusts every certificate that is signed by any authority in its key store, so an additional authority left in the store would let certificates you never issued authenticate to the server.

  3. Configure the monitoring web server so that client authentication is required and HTTP requests are disabled.

    Note: This configuration prevents web browser connections to the web server unless the browser has loaded the client certificate. In particular, the Ping buttons that you use when you set up the PPMI URL and the Monitor URL require the browser to have a trusted client certificate loaded.

  4. Configure Client Authentication on all elements that must access the monitoring system through HTTPS.

    The following internal elements must have client certificates in their key stores, and each of these certificates must be signed by your certificate authority. Because the monitoring web server accepts connections only from holders of such certificates, client authentication ensures that the data an element receives is authentic: no third party could have connected and inserted incorrect data.

    Agents
        Configuring client authentication ensures that performance information that is sent between agents and the monitoring system is authentic.

    Monitor cluster members
        Monitor cluster members exchange information regularly. Configuring client authentication ensures that performance information that is sent between the cluster members is authentic.

    Integration gateway
        The gateway makes HTTP/S requests to notify the monitoring system of configuration changes. Configuring client authentication ensures that configuration notifications that are sent through the gateway are authentic.

    PSPPMSRV
        PSPPMSRV instances make HTTP/S requests to register with the monitoring servlet. Configuring client authentication ensures that the registration process is authentic.

    PIA to Integration Gateway
        During notification of configuration changes, PIA makes an HTTP/S request to the gateway. Configuring client authentication ensures that data that is sent between PIA and the gateway is authentic.
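The following script is an added example and is not PeopleSoft code: it builds a private certificate authority (step 2), issues a client certificate from it (step 4), and reproduces the trust decision the monitoring web server makes in step 3 with the openssl command-line tool rather than a live handshake. The CA and certificate names (PerfMonCA, OtherCA, PerfMon, Intruder), the temporary working directory and the use of openssl verify as a stand-in for the server are all assumptions of the demo. The last check shows what happens when another authority is left in the trust store, which is why step 2 tells you to remove them.

```shell
#!/bin/sh
# Added example (assumptions: openssl CLI available; the names PerfMonCA,
# OtherCA, PerfMon and Intruder; a temporary working directory). Not PeopleSoft
# code; it models the trust check, it does not configure a web server.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed certificate authority: private key + CA certificate.
# The CA certificate is what goes into the monitoring web server's trust store.
make_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" >/dev/null 2>&1
}

# Issue a client certificate for an element, signed by the given CA.
# extendedKeyUsage=clientAuth restricts the certificate to client use and
# CA:FALSE stops the element from issuing further certificates itself.
issue_client_cert() {
    ca="$1"
    alias="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$alias" \
        -keyout "$WORKDIR/$alias.key" -out "$WORKDIR/$alias.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' \
        > "$WORKDIR/$alias.ext"
    openssl x509 -req -in "$WORKDIR/$alias.csr" \
        -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$alias.ext" -days 365 \
        -out "$WORKDIR/$alias.crt" >/dev/null 2>&1
}

# Model of the monitoring web server's check: the presented certificate must
# chain to an authority in the trust store, and be valid for client use.
# The trust store is the single file named by the first argument.
# Returns 0 if the server would accept the client, non-zero if it would reject.
server_accepts() {
    trust_store="$1"
    cert="$2"
    openssl verify -CAfile "$WORKDIR/$trust_store.crt" -purpose sslclient \
        "$WORKDIR/$cert.crt" >/dev/null 2>&1
}

demo() {
    make_ca PerfMonCA      # your own CA: the only one the server should trust
    make_ca OtherCA        # some other CA, which must NOT be in the trust store
    issue_client_cert PerfMonCA PerfMon    # e.g. the agent/monitor certificate
    issue_client_cert OtherCA   Intruder   # a certificate you never issued

    if server_accepts PerfMonCA PerfMon; then
        echo "PerfMon (signed by PerfMonCA): accepted"
    fi
    if ! server_accepts PerfMonCA Intruder; then
        echo "Intruder (signed by OtherCA): rejected"
    fi
    # Trust store that still contains OtherCA: the intruder is accepted too.
    cat "$WORKDIR/PerfMonCA.crt" "$WORKDIR/OtherCA.crt" > "$WORKDIR/Mixed.crt"
    if server_accepts Mixed Intruder; then
        echo "Intruder with OtherCA left in the trust store: accepted"
    fi
}

demo
```

On a real deployment the equivalent of the Mixed trust store is a web server key store that still holds the vendor-supplied authorities; listing the trust key store with keytool -list before enabling client authentication is the quickest way to confirm that only your CA certificate remains.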

The following client certificates are used by these elements. The PSPPMSRV instances and the Monitor Cluster members use the same certificate.

Agent certificate
    This certificate resides in the key store in the database of the monitored system. The agents use this certificate.

Monitor certificate
    This certificate resides in the key store in the database of the monitoring system. PSPPMSRV instances and monitor cluster members use this certificate.

Integration gateway certificate
    This certificate resides in the monitoring system gateway. It is used during notification of configuration changes.

PIA to Integration Gateway Certificate
    This certificate resides in the key store in the database of the monitoring system. PIA uses this certificate to make a request to the gateway.

The following table describes where each certificate is configured.

Agent certificate
    Create a client certificate in the key store in the monitored database, using the Digital Certificates page (PeopleTools, Security, Security Objects, Digital Certificates). The certificate type must be "Local Node" and the alias must be "PerfMon".

Monitor certificate
    Create a client certificate in the key store in the monitoring database, using the Digital Certificates page (PeopleTools, Security, Security Objects, Digital Certificates). The certificate type must be "Local Node" and the alias must be "PerfMon".

Integration Gateway certificate
    Create a client certificate in the key store for the gateway, using the pskeymanager utility. Edit the integrationGateway.properties file to set the certificate alias in the ig.certificateAlias property and the encrypted certificate password in the ig.certificatePassword property; store only the encrypted form of the password in this file.

PIA to Integration Gateway Certificate
    Create a client certificate in the key store in the monitoring database, using the Digital Certificates page (PeopleTools, Security, Security Objects, Digital Certificates). The certificate type must be "Local Node" and the alias must be the name of the default local node (messaging node) in the monitoring database.

    Discover the name of the local node by selecting PeopleTools, Integration Broker, Node Definitions. Click Search and find the node marked as the default local node.

    Note: The alias of the certificate must be the same as the name of the default local node, but the name you give the certificate itself does not have to match, and it cannot: the certificate name can't contain the underscore character, so a node name that contains an underscore cannot be reused as the certificate name.

    Configure the Integration Broker Gateway URL to use HTTPS.