Enable HTTPS for NetOps Portal Using the SSL Configuration Tool and Generate a Self-Signed Certificate

You can enable Hypertext Transfer Protocol Secure (HTTPS) for NetOps Portal using the SSL Configuration tool (SslConfig) and generate a self-signed certificate.
Use this procedure if you do not have a certificate and you want to generate a self-signed certificate.

For further HTTPS concepts, see the HTTPS courses in DX NetOps Education Resources.

Generate the Self-Signed Certificate and Configure NetOps Portal to Use HTTPS

If you encounter issues using SslConfig, use the debug log that is available in the <installation_directory> directory.
Follow these steps:
  1. Open a terminal session on the NetOps Portal host.
  2. Launch SslConfig by running the ./SslConfig command in the <installation_directory> directory.
    • installation_directory
      The default installation directory for NetOps Portal.
      Default: /opt/CA/PerformanceCenter
  3. At the "Select your preferred language" prompt, enter the number for the language for SslConfig.
    The "Options" line displays, followed by a list of options.
  4. At the "Select your option" prompt, enter the number for the option to configure SSL (enable HTTPS) for NetOps Portal.
    The "Configure SSL" line displays.
  5. At the following prompt, confirm your selection by entering y for yes:
    (22.2.8 and higher) Are you sure you want to configure DX NetOps Portal to use https? This will stop all the DX NetOps Portal processes [y/n]?
    (22.2.7 and lower) Are you sure you want to configure Performance Center to use SSL. This will stop all the Performance Center processes [y/n]?
    The following line displays:
    (22.2.8 and higher) Configuring DX NetOps Portal to use https
    (22.2.7 and lower) Configuring Performance Center to use SSL
  6. Complete the following prompts:
    • Enter the port for Single Sign On: [8382]
      Specifies the port that the web clients use to access the Single Sign-On service. For example, for HTTPS, specify 8382.
    • (22.2.8 and higher) Are you using a reverse proxy for DX NetOps Portal that only allows access from 1 port? ([y/n]):
      If you are using a reverse proxy for NetOps Portal, enter y for yes.
    • (22.2.7 and lower) Are you using a reverse proxy for Performance Center that only allows access from 1 port ([y/n]):
      If you are using a reverse proxy for NetOps Portal, enter y for yes.
    • Enter the port for Single Sign On for Data Sources: [8382]
      Specifies the port that the data sources use to access the Single Sign-On service. For example, for HTTPS, specify 8382.
      For more information about the ports that are required for secured communication, see Review Installation Requirements and Considerations.
    • (22.2.8 and higher) Enter the port for DX NetOps Portal Console: [8182]
      Specifies the port for NetOps Portal. For example, for HTTPS, specify 8182.
    • (22.2.7 and lower) Enter the port for Performance Center (Example: 8182):
      Specifies the port for NetOps Portal. For example, for HTTPS, specify 8182.
    • (22.2.8 and higher) Enter the port for DX NetOps Portal Event Manager: [8282]
      Specifies the port for the event manager. For example, for HTTPS, specify 8282.
    • (22.2.8 and higher) Enter the port for DX NetOps Portal Device Manager: [8482]
      Specifies the port for the device manager. For example, for HTTPS, specify 8482.
    • Do you have an existing certificate [y/n]?:
      Specify that you do not have a certificate and that you want to generate a self-signed certificate by entering n for no.
    • Enter the full host name for this server:
      Specifies the fully-qualified host name for the NetOps Portal server.
      Example: yourHost.yourDomain.net
    • Enter the organization for the certificate:
      Specifies the organization for the certificate, for example, YourCompany.
    • Enter the organizational unit for the certificate:
      Specifies the organizational unit for the certificate.
      Example: YourDivision
    • Enter the city for the certificate:
      Specifies the city for the organization related to the certificate.
      Example: YourCity
    • Enter the state for the certificate:
      Specifies the state or province for the organization related to the certificate.
      Example: Alaska
    • Enter the two letter country code for the certificate:
      Specifies the country code for the organization related to the certificate.
      Example: US
    • (22.2.8 and higher) Enter a password for the new keystore:
      Specifies the password to use for importing the certificate into the Jetty keystore.
    • (22.2.8 and higher) Confirm the keystore password:
      Enter the password again.
    • (22.2.7 and lower) Enter a password to use for importing the certificate:
      Specifies the password for importing the certificate.
    • This password is stored in jetty configuration files. Do you want to obfuscate the value so it is not human-readable? ([y/n])
      If you want to obscure the password in the Jetty configuration files, enter y for yes.
    • Enter the password to the Java CA truststore:
      Specifies the password to the Java CA truststore (<installation_directory>/lib/security/cacerts).
      • installation_directory
        The default JRE installation directory for NetOps Portal.
        Default: /opt/CA/jre
      Default: changeit
    The "Entered Values" line displays, and the entered values display below this line.
  7. At the "Do you want to change any information before proceeding? ([y/n/b])" prompt, review the entered values, and enter one of the following values:
    • n:
      The entered values are correct, you want to save them, and you want to continue with enabling HTTPS.
      HTTPS is enabled for NetOps Portal, and a self-signed certificate is generated.
    • y:
      You want to return to the prompts for enabling HTTPS for NetOps Portal, and reenter the values.
    • b:
      You want to cancel enabling HTTPS for NetOps Portal and return to the main menu.
NetOps Portal is configured to use HTTPS.

Export the NetOps Portal Self-Signed Certificate

Export the NetOps Portal self-signed certificate from NetOps Portal so that you can import it into the data sources.
Follow these steps:
  1. From an open terminal session on the NetOps Portal host, export the NetOps Portal self-signed certificate by issuing the following command:
    <installation_directory>/jre/bin/keytool -exportcert -rfc -keystore <installation_directory>/jre/lib/security/cacerts -alias capc -file </path/file.cer>
    Example:
    /opt/CA/jre/bin/keytool -exportcert -rfc -keystore /opt/CA/jre/lib/security/cacerts -alias capc -file /tmp/NetOps_Portal_cert.cer
    • installation_directory
      The default installation directory for NetOps Portal.
      Default: /opt/CA
    • file
      The path and location for the exported certificate.
    The following prompt displays:
    Enter keystore password:
  2. Enter the password to the Java CA truststore (<installation_directory>/jre/lib/security/cacerts).
    • installation_directory
      The default installation directory for NetOps Portal.
      Default: /opt/CA
    Default: changeit
    The following line appears:
    Certificate stored in file </path/file.cer>
  3. Copy the exported file (/tmp/NetOps_Portal_cert.cer) to the data sources (for example, the data aggregator and Spectrum).
The NetOps Portal self-signed certificate is exported and is ready for import.

Import the NetOps Portal Certificate into the Data Sources

Import the NetOps Portal certificate into the following data sources:
  1. The data aggregator. Complete one of the following procedures based on your security settings:
  2. (If you have integrated with DX NetOps Spectrum (Spectrum) and NetOps Portal (NFA)).

Import the Certificate into the Data Aggregator's cacerts Truststore

In a fault-tolerant environment, complete this procedure on both data aggregators.
Follow the steps:
  1. From an open terminal session on the data aggregator host, import the NetOps Portal self-signed certificate into the Java trusted certificate keystore by issuing the following command:
    <installation_directory>/jre/bin/keytool -importcert -keystore <installation_directory>/jre/lib/security/cacerts -storepass <cacertspassword> -alias <alias_name> -file </path/file.cer>
    Example:
    /opt/IMDataAggregator/jre/bin/keytool -importcert -keystore /opt/IMDataAggregator/jre/lib/security/cacerts -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
    • installation_directory
      The default installation directory for the data aggregator.
      Default: /opt/IMDataAggregator
    • cacertspassword
      Specifies the password for the certificate authority (CA) keystore.
      Default: changeit
    • alias_name
      Specifies the same alias that was used when creating the self-signed certificate.
      Example: MyAlias
    • filename.cer
      Specifies the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory.
      Example: /tmp/DA_Cert.cer
  2. Restart the data aggregator.
The certificate is imported into the cacerts file.
In a fault-tolerant environment, if you have not already completed this procedure for both data aggregators, repeat these steps for the other data aggregator.

Import the Certificate into the Data Aggregator's Jetty Truststore

Complete this procedure if HTTPS is enabled for the data aggregator.
Follow the steps:
  1. From an open terminal session on the data aggregator host, import the NetOps Portal self-signed certificate into the Java trusted certificate keystore by issuing the following command:
    <installation_directory>/jre/bin/keytool -importcert -keystore <installation_directory>/<apache-karaf-*>/etc/truststore -storepass <cacertspassword> -alias <alias_name> -file <filename>.cer
    Example:
    /opt/IMDataAggregator/jre/bin/keytool -importcert -keystore /opt/IMDataAggregator/apache-karaf-4.3.3/etc/truststore -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
    • installation_directory
      The installation directory of the data aggregator.
      Default: /opt/IMDataAggregator
    • apache-karaf-*
      The installation directory for Apache Karaf.
      Example: (21.2.6 and higher) apache-karaf-4.3.3
    • cacertspassword
      Specify the password for the certificate authority keystore.
      Default: changeit
    • alias_name
      Specify a unique alias for the self-signed certificate.
      Example: MyAlias
    • filename.cer
      Specify the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory.
      Example: /tmp/DA_Cert.cer
  2. Restart the data aggregator.
The certificate is imported into the truststore file.
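
Both import procedures add a self-signed certificate that was copied between hosts to a truststore, so it is worth confirming that the file on the data aggregator is the one exported from NetOps Portal before importing it. The following shell functions are an added example, not part of the product or of this procedure: they compare the file's SHA-256 fingerprint with the value noted on the portal host and import only on a match. The function names, the STOREPASS variable and the KEYTOOL override are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. KEYTOOL defaults to the data aggregator
# path used on this page; override it for other installs (assumption).
KEYTOOL="${KEYTOOL:-/opt/IMDataAggregator/jre/bin/keytool}"

# Lowercase hex, no separators, so keytool's "AB:CD:..." form compares equal.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# SHA-256 over the DER bytes of a PEM file (the format "-exportcert -rfc"
# writes). Line endings are ignored; a file with zero or several certificate
# blocks is rejected (status 2), as is an empty or undecodable body (status 3).
pem_sha256() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || return 2
    [ "$n" -eq 1 ] || return 2
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        grep -v -- '-----' | tr -d ' \t\r\n')
    [ -n "$body" ] || return 3
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 3
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# import_pinned CERT EXPECTED_SHA256 KEYSTORE ALIAS
# Imports only when the copied file matches the fingerprint noted on the
# NetOps Portal host. The store password is read from the STOREPASS
# environment variable (-storepass:env) so it stays off the command line.
import_pinned() {
    actual=$(pem_sha256 "$1") || { echo "cannot read one certificate from $1" >&2; return 1; }
    if [ "$actual" != "$(norm_fp "$2")" ]; then
        echo "fingerprint mismatch for $1: got $actual" >&2
        return 1
    fi
    "$KEYTOOL" -importcert -noprompt -keystore "$3" -storepass:env STOREPASS \
        -alias "$4" -file "$1"
}

# Usage on the data aggregator host (the fingerprint is a placeholder):
#   export STOREPASS    # set beforehand, for example with: read -r STOREPASS
#   import_pinned /tmp/NetOps_Portal_cert.cer "<sha256-from-portal-host>" \
#       /opt/IMDataAggregator/jre/lib/security/cacerts MyAlias
```

To obtain the expected value, run pem_sha256 on the exported file on the NetOps Portal host, or read the SHA256 fingerprint line from keytool -printcert -file.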

Check for Configuration Issues

You can check the security configuration for any potential issues using SslConfig. Common issues include certificate errors.
Follow these steps:
  1. Relaunch SslConfig.
  2. At the "Select your preferred language" prompt, enter the number for the language for SslConfig.
    The "Options" line displays, followed by a list of options.
  3. At the "Select your option" prompt, enter the number for the option to perform an SSL health check.
  4. When prompted, confirm your selection by entering y for yes.
  5. Review the output. Verify that all tests show as "Passed".