5 Enabling Secure Communication

By default, the Event Connector Web Service uses insecure communication. You can configure secure communication between the OMS and the Event Connector Web Service, the Event Connector Web Service and the Microsoft SCOM Web Service, or both. The appropriate setup for your environment depends on your network topology.

Configuration Scenario: Enabling SSL/TLS Between the OMS and the Event Connector Web Service

  1. Navigate to <ECWS_HOME>/config/.
  2. Create a keystore with a valid server certificate to be presented by the Event Connector Web Service. The keystore must include the following attributes:
    • Type: PKCS12
    • Filename: OemScomKeystore.p12
    • Keystore location: <ECWS_HOME>/config/ directory
    • Certificate alias: oemscomconnector

    Note:

    If any of the above attributes are missing or incorrect when secure communication is expected, the web service fails to start and a message is written to ecws.log.

    Although the approach for obtaining the keystore may vary, the following is an example command:

    "%JAVA_HOME%\bin\keytool" -importkeystore ^
      -srckeystore scom_server.pfx ^
      -srcstoretype PKCS12 ^
      -srcstorepass "<password>" ^
      -srcalias "scomserver" ^
      -destkeystore OemScomKeystore.p12 ^
      -deststoretype PKCS12 ^
      -deststorepass "<password>" ^
      -destalias oemscomconnector
    
  3. Import the certificate into the OMS truststore. For information, see Importing the Server Certificate in Oracle Enterprise Manager.

Configuration Scenario: Enabling SSL/TLS Between the Event Connector Web Service and the Microsoft SCOM Web Service

  1. Navigate to the config/ directory that was populated when first executing WebService.jar.
  2. Create a truststore and import the valid server certificate from the Microsoft SCOM Web Service. The truststore must include the following attributes:
    • Type: PKCS12
    • Filename: OemScomTruststore.p12
    • Truststore location: <ECWS_HOME>/config/ directory

    Note:

    If any of the above attributes are missing or incorrect when secure communication is expected, the web service fails to start and a message is written to ecws.log.

    Although the approach for obtaining the truststore may vary, the following is an example command:

    keytool -importcert ^
      -alias scomserver ^
      -file scom_server.crt ^
      -keystore OemScomTruststore.p12 ^
      -storetype PKCS12 ^
      -storepass "<password>"

Importing the Server Certificate in Oracle Enterprise Manager

  1. Obtain the certificate authority (CA) certificate and any necessary intermediate certificates in Base64 format.
  2. Log in to your OMS host and edit the following file after creating a backup: $INSTANCE_HOME/sysman/config/b64LocalCertificate.txt
  3. Append the contents of your certificate to the end of the b64LocalCertificate.txt file. Do not include blank lines, comments, or any other special characters. Each new certificate in this file should contain only the following format:
    -----BEGIN CERTIFICATE-----
    <Certificate contents in Base64 format>
    -----END CERTIFICATE-----
    
  4. Restart OMS by running the following commands:
    emctl stop oms
    emctl start oms

    Note:

    Do not run the emctl secure oms/agent command after adding the external certificate to the b64LocalCertificate.txt file. If you run the emctl secure command later, then repeat these steps to make sure the external certificate exists in the b64LocalCertificate.txt file.
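
An added example, not part of the original Oracle documentation: a Python pre-check for step 3 of the import procedure that flags blank lines, comments, and unbalanced or non-Base64 blocks in b64LocalCertificate.txt content before the OMS is restarted. It checks structure only and does not validate the X.509 contents; the function names and the sample body are constructed for illustration.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed placeholder body (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def check_cert_file(text):
    """Return (complete_block_count, problems) for b64LocalCertificate.txt text."""
    problems, body, count, inside = [], [], 0, False
    for num, line in enumerate(text.splitlines(), start=1):
        if line == BEGIN:
            if inside:
                problems.append(f"line {num}: BEGIN inside an open block")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {num}: END without BEGIN")
            elif not is_der_sequence("".join(body)):
                problems.append(f"line {num}: body is not Base64-encoded DER")
            else:
                count += 1
            inside = False
        elif not line.strip():
            problems.append(f"line {num}: blank line")
        elif inside and B64_LINE.fullmatch(line):
            body.append(line)
        else:
            # Comments, stray text, or markers with trailing whitespace land here.
            problems.append(f"line {num}: unexpected content")
    if inside:
        problems.append("file ends inside an open certificate block")
    return count, problems


def is_der_sequence(b64_text):
    """True if the text is strict Base64 whose bytes start with a DER SEQUENCE tag."""
    try:
        return base64.b64decode(b64_text, validate=True).startswith(b"\x30")
    except binascii.Error:
        return False


if __name__ == "__main__":
    block = f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n"
    print(check_cert_file(block + "\n# SCOM CA\n" + block))
```

Pass the edited file's text to check_cert_file; an empty problem list means every line matches the required format.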