6 Enabling SSL for HTTPS

This chapter contains information used in configuring the TEC connector to use the HTTPS protocol.

6.1 Configuring Enterprise Manager to use SSL

If the TEC web service was configured to run using the HTTPS protocol, you must perform the following steps to set up SSL:

1. Install a SSL certificate in the TEC web service keystore. You must either install a self-signed certificate or install a certificate obtained from a Certificate Authority (CA).

   • To install a self-signed certificate, perform the steps specified in Section 6.2, "Installing a Self-Signed Certificate".

   • To install a certificate from a CA, perform the steps specified in Section 6.3, "Installing a Certificate from a Certificate Authority".

2. Import the SSL certificate from the TEC web service keystore into the Enterprise Manager keystore as specified in Section 6.4, "Importing the Web Service Certificate into Enterprise Manager".

6.2 Installing a Self-Signed Certificate

Perform the following steps to generate and install a self-signed SSL certificate for the TEC adapter web service:

1. Open a command prompt window and change the working directory to the adapters/conf directory in the TEC web service installation directory.

2. Execute the following command to delete the default SSL entry from the TEC web service keystore.

   Unix

   $JAVA_HOME/bin/keytool -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks

   Windows

   "%JAVA_HOME%\bin\keytool" -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks

3. Enter the following command to generate a new certificate and place it in the TEC web service keystore. You will need to replace <hostname> with the host name or IP address of the system where the TEC web service is installed.

   Note:

   The host name in the certificate must match the host name or IP address used by the web service. If they do not match, a failure will occur when Enterprise Manager tries to invoke the web service

   Unix

   $JAVA_HOME/bin/keytool -genkey -alias iwave -keyalg RSA -keysize 1024 -dname "CN=<hostname>, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US" -keypass iwavepw -storepass iwavepw -keystore keystore.jks

   Windows

   "%JAVA_HOME%\bin\keytool" -genkey -alias iwave -keyalg RSA -keysize 1024 -dname "CN=<hostname>, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US" -keypass iwavepw -storepass iwavepw -keystore keystore.jks

6.3 Installing a Certificate from a Certificate Authority

Perform the following steps to request and install a signed SSL certificate for the TEC web service:

1. Request a certificate for the TEC web service from a Certificate Authority, such as VeriSign.

   Note:

   In the certificate request, make sure to specify the host name or IP address of the system where the TEC web service is installed. The host name in the certificate must match the host name or IP address used by the web service. If they do not match, a failure will occur when Enterprise Manager tries to invoke the web service.

2. After you obtain the certificate from the Certificate Authority, perform the following steps to install the certificate:

   • Open a command prompt window and change the working directory to the adapters/conf directory in the TEC web service installation directory.

   • Enter the following command to install the certificate, where <certificateFile> is the full path name of the file provided by the Certificate Authority:

     Unix

     $JAVA_HOME/bin/keytool -importcert -alias iwave -file <certificateFile> -keypass iwavepw -storepass iwavepw -keystore keystore.jks

     Windows

     "%JAVA_HOME%\bin\keytool" -importcert -alias iwave -file <certificateFile> -keypass iwavepw -storepass iwavepw -keystore keystore.jks

6.4 Importing the Web Service Certificate into Enterprise Manager

Perform the following steps to import the TEC web service SSL certificate into the Enterprise Manager keystore.

1. Open a command prompt window and change the working directory to the adapters/conf directory in the TEC web service installation directory.

2. Issue the following command to extract the SSL certificate from the TEC web service keystore and place in the TECws.cer certificate file.

   Unix:

   $JAVA_HOME/bin/keytool -exportcert –rfc -alias iwave -file TECws.cer -keystore keystore.jks -storepass iwavepw

   Windows:

   "%JAVA_HOME%\bin\keytool" -exportcert –rfc -alias iwave -file TECws.cer -keystore keystore.jks -storepass iwavepw

3. Transfer the certificate file TECws.cer to the system where Enterprise Manager is installed.

4. Append the contents of the TECws.cer file to:

   $INSTANCE_HOME/sysman/config/b64LocalCertificate.txt

5. Ensure that only the following is appended to the b64LocalCertificate.txt file (that is, do not include blank lines or comments or any other special characters):

   -----BEGIN CERTIFICATE-----

   <<<Certificate in Base64 format>>>

   -----END CERTIFICATE-----

6. Restart OMS by running the following commands:

   emctl stop oms

   emctl start oms

Note:

Do not run the emctl secure oms/agent command after adding the external certificate to the b64LocalCertificate.txt file. If you run the emctl secure command later, then repeat steps 4 through 6 to make sure the external certificate exists in the b64certificate.txt file.