Setting up secure communications with Ops Center Common Services

Ops Center Automator Installation and Configuration Guide

Version: 11.0.x
Part Number: MK-99AUT000-24

Ops Center Automator and Ops Center Common Services must communicate over an SSL connection. To enable certificate verification, you must import the certificates into the Common Component truststore. You can also change the cipher suites used for the connection.

Tip: If Common Services is on the same server as Ops Center Automator, the cssslsetup command is available. By using the cssslsetup command, you can configure SSL communication for Hitachi Ops Center products installed on the same management server using a common private key and server certificate. For more information on the usage and support scope of the cssslsetup command, refer to "Configuring SSL communications by using the cssslsetup command" in the Hitachi Ops Center Installation and Configuration Guide.
  1. To enable certificate verification, do the following:
    1. Import the certificates into the Common Component truststore by running the following command:

      For Windows:

      Common-Component-installation-folder\bin\hcmds64keytool -import -alias alias-name -keystore Common-Component-installation-folder\uCPSB11\hjdk\jdk\lib\security\jssecacerts -file certificate-file -storetype JKS

      For Linux:

      Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -import -alias alias-name -keystore Common-Component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts -file certificate-file -storetype JKS

      To import the certificates in Java, ensure that the truststore password is six or more characters long and that the new alias name does not conflict with an existing alias name. Because the certificates used vary depending on the environment and configuration, import the RSA certificate, the ECDSA certificate, or both into the Common Component truststore, based on the certificates available on the Ops Center Common Services server.

    2. Set the sso.https.certification parameter to true in the config_user.properties file in the following location:
      In Windows (non-cluster): Automation-software-installation-folder\conf

      In Windows (cluster): shared-folder_name\Automation\conf

      In Linux: Automation-software-installation-directory/conf

  2. (Optional) If you want to change the cipher suites to be used for communication with the Ops Center Common Services server, do the following:
    1. Open the config_user.properties file from the following location.
      In Windows (non-cluster): Automation-software-installation-folder\conf

      In Windows (cluster): shared-folder_name\Automation\conf

      In Linux: Automation-software-installation-directory/conf

    2. Edit the tls.client.cipherSuites line. If the tls.client.cipherSuites line does not exist, add it.

      The connection uses one of the cipher suites listed in the tls.client.cipherSuites line, so list only the cipher suites you want to allow. To specify multiple cipher suites, separate them with commas.

      For available cipher suites, see Cipher suites supported as a client.

      For details about the tls.client.cipherSuites property, see Changing the system configuration.

  3. Restart the services by running the hcmds64srv command.
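
A pre-restart check of the two settings edited in steps 1 and 2, as an added example that is not part of the Hitachi guide or product. It assumes config_user.properties follows Java .properties syntax; the weak-suite markers are an assumption based on standard suite naming, not the product's supported list, and the sample contents are constructed.

```python
import re

CERT_KEY = "sso.https.certification"   # property names from the procedure
SUITES_KEY = "tls.client.cipherSuites"
# Assumption: name fragments marking null, anonymous or broken ciphers (not Hitachi's list).
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5")

def parse_properties(text):
    """Minimal .properties parser: comments, '=' or ':' separators, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()  # last value wins
    return props

def audit(text):
    """Return findings for the two settings the procedure edits."""
    props, findings = parse_properties(text), []
    for wanted in (CERT_KEY, SUITES_KEY):
        # Property keys are case-sensitive, so a mis-cased key is a different key.
        for key in props:
            if key != wanted and key.lower() == wanted.lower():
                findings.append(f"mis-cased key {key!r}, expected {wanted!r}")
    if props.get(CERT_KEY) != "true":
        findings.append(f"{CERT_KEY} is not set to true")
    suites = props[SUITES_KEY].split(",") if SUITES_KEY in props else []
    for suite in map(str.strip, suites):
        if not re.fullmatch(r"(TLS|SSL)_[A-Za-z0-9_]+", suite):
            findings.append(f"malformed suite entry {suite!r}")
        elif any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"weak suite {suite!r}")
    return findings

# Constructed file contents for illustration, not from a real installation.
SAMPLE = """\
sso.https.certification = true
tls.Client.cipherSuites = TLS_AES_256_GCM_SHA384
tls.client.cipherSuites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\\
    TLS_RSA_WITH_3DES_EDE_CBC_SHA,,TLS_RSA_WITH_NULL_SHA256
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means both settings parse cleanly; compare the listed suites against "Cipher suites supported as a client" before restarting the services.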