Setting up secure communication with external web servers

Ops Center Automator Installation and Configuration Guide

Version
11.0.x
Audience
anonymous
Part Number
MK-99AUT000-24

To enable SSL communication between Ops Center Automator and an external web server over any of the following web service connections, you must import the server's certificates into the Common Component truststore. You can also change the cipher suites to be used.

  • BNA
  • Brocade FC switch
  • DCNM
  • ServiceNow
  • Other web service connections
  1. Import the certificates into the Common Component truststore by running the following command:

    For Windows:

    Common-Component-installation-folder\bin\hcmds64keytool -import -alias alias-name -keystore Common-Component-installation-folder\uCPSB11\hjdk\jdk\lib\security\jssecacerts -file certificate-file -storetype JKS

    For Linux:

    Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -import -alias alias-name -keystore Common-Component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts -file certificate-file -storetype JKS

    When importing certificates with the Java keytool, the truststore password must be six or more characters long. Also ensure that the new alias name does not conflict with an alias that already exists in the truststore. Because the certificates in use vary with the environment and configuration, import the RSA certificate, the ECDSA certificate, or both into the Common Component truststore, depending on which certificates the external web server presents.

  2. (Optional) If you want to change the cipher suites to be used for communication with the external web servers, do the following:
    Note: For web service connections to Brocade FC switch with a category of FOS_PrimarySwitch, add the following cipher suites to use for communication with FOS.
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    1. Open the config_user.properties file from the following location.
      In Windows (non-cluster): Automation-software-installation-folder\conf

      In Windows (cluster): shared-folder_name\Automation\conf

      In Linux: Automation-software-installation-directory/conf

    2. Edit the tls.client.cipherSuites line. If the tls.client.cipherSuites line does not exist, add it.

      The cipher suite used for a connection is selected from those listed in the tls.client.cipherSuites line. Specify the cipher suites you want to allow in that line; to allow more than one, separate them with commas.

      For available cipher suites, see Cipher suites supported as a client.

      For details about the tls.client.cipherSuites property, see Changing the system configuration.

  3. Restart the services by running the hcmds64srv command.
  • For additional information on the security settings for another product, see the associated product documentation.
  • To obtain server certificates, see the associated product documentation for information on accessing server certificates.
  • After upgrading DCNM, the server certificate is initialized. You must perform the steps described in "Restoring the certificates after an upgrade" in the Cisco DCNM Installation and Upgrade Guide for SAN Deployment.
  • If you use DCNM 11.5, create a certificate that specifies an appropriate hostname as the Common Name, following the steps described in "Certificates" in the Cisco DCNM Installation and Upgrade Guide for SAN Deployment.
  • If you use a Brocade FC switch, complete the SSL settings by following the steps described in "Managing the Security Certificates Using the secCertMgmt Command" in the Brocade Fabric OS Administration Guide.
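The two checks that steps 1 and 2 above leave to the administrator, detecting an alias conflict before importing into jssecacerts and editing the tls.client.cipherSuites line (adding it when absent), are shown below as an added Python helper; it is example code, not part of Ops Center Automator, and the keytool listing and properties content it works on are constructed samples.

```python
import re

FOS_SUITES = ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"]  # from the FOS note above

# Constructed sample of `keytool -list -keystore jssecacerts -storetype JKS`
# output; aliases and fingerprints are placeholders, not real truststore data.
KEYTOOL_LIST = """Keystore type: JKS
Your keystore contains 2 entries
servicenow-prod, Mar 3, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
dcnm-ca, Jan 9, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""

_ENTRY = re.compile(r"^([^,]+), .*,\s*(trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),\s*$")
_PROP = re.compile(r"^\s*tls\.client\.cipherSuites\s*[=:]\s*(.*)$")

def truststore_aliases(keytool_list_output):
    """Aliases in the truststore, lower-cased because keytool matches aliases
    case-insensitively, so 'DCNM-CA' would still collide with 'dcnm-ca'."""
    return {m.group(1).strip().lower()
            for m in map(_ENTRY.match, keytool_list_output.splitlines()) if m}

def alias_is_free(alias, keytool_list_output):
    """True when -alias can be used without replacing an existing entry."""
    return alias.lower() not in truststore_aliases(keytool_list_output)

def current_cipher_suites(properties_text):
    """Suites from the tls.client.cipherSuites line (comma-separated), or []."""
    for line in properties_text.splitlines():
        m = _PROP.match(line)
        if m:
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return []

def set_cipher_suites(properties_text, suites, keep_existing=False):
    """Return config_user.properties text with tls.client.cipherSuites set to
    `suites`, optionally merged with the existing list (duplicates dropped).
    The line is rewritten in place, or appended when it does not exist."""
    merged = current_cipher_suites(properties_text) if keep_existing else []
    merged += [s for s in suites if s not in merged]
    new_line = "tls.client.cipherSuites=" + ",".join(merged)
    lines = properties_text.splitlines()
    for i, line in enumerate(lines):
        if _PROP.match(line):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"
```

Run `alias_is_free` against the real `keytool -list` output before the `-import` in step 1, and write the result of `set_cipher_suites` back to config_user.properties before restarting with hcmds64srv in step 3.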