Enable HTTPS for NetOps Portal Using the SSL Configuration Tool and Generate a Self-Signed Certificate
You can enable Hypertext Transfer Protocol Secure (HTTPS) for NetOps Portal using the SSL Configuration tool (SslConfig) and generate a self-signed certificate. Use this procedure if you do not have a certificate and you want to generate a self-signed certificate.
Use the following process to enable HTTPS for NetOps Portal:
The following video examines how to create and install a self-signed certificate in NetOps Portal:
For further HTTPS concepts, see the HTTPS courses in DX NetOps Education Resources.
Generate the Self-Signed Certificate and Configure NetOps Portal to Use HTTPS
If you encounter issues using SslConfig, use the debug log that is available in the <installation_directory> directory.
Follow these steps:
- Open a terminal session on the NetOps Portal host.
- Launch SslConfig by running the ./SslConfig command in the <installation_directory> directory.
  - installation_directory: The default installation directory for NetOps Portal. Default: /opt/CA/PerformanceCenter
  The following image shows the prompts: (22.2.8 and higher) Options, (22.2.7 and lower) Options
- At the "Select your preferred language" prompt, enter the number for the language for SslConfig. The Options line displays, and a list of options displays.
- At the "Select your option" prompt, enter the number for the option to configure SSL (enable HTTPS) for NetOps Portal. The Configure SSL line displays. The following images show this line and the prompts for enabling HTTPS for NetOps Portal: (22.2.8 and higher), (22.2.7 and lower)
- At the following prompt, confirm your selection by entering y for yes:
  (22.2.8 and higher) Are you sure you want to configure DX NetOps Portal to use https? This will stop all the DX NetOps Portal processes [y/n]?
  (22.2.7 and lower) Are you sure you want to configure Performance Center to use SSL. This will stop all the Performance Center processes [y/n]?
  The following line displays:
  (22.2.8 and higher) Configuring DX NetOps Portal to use https
  (22.2.7 and lower) Configuring Performance Center to use SSL
- Complete the following prompts:
  - Enter the port for Single Sign On: [8382]
    Specifies the port that the web clients use to access the Single Sign-On service. For example, for HTTPS, specify 8382.
  - (22.2.8 and higher) Are you using a reverse proxy for DX NetOps Portal that only allows access from 1 port? ([y/n]):
    If you are using a reverse proxy for NetOps Portal, enter y for yes.
  - (22.2.7 and lower) Are you using a reverse proxy for Performance Center that only allows access from 1 port ([y/n]):
    If you are using a reverse proxy for NetOps Portal, enter y for yes.
  - Enter the port for Single Sign On for Data Sources: [8382]
    Specifies the port that the data sources use to access the Single Sign-On service. For example, for HTTPS, specify 8382. For more information about the ports that are required for secured communication, see Review Installation Requirements and Considerations.
  - (22.2.8 and higher) Enter the port for DX NetOps Portal Console: [8182]
    Specifies the port for NetOps Portal. For example, for HTTPS, specify 8182.
  - (22.2.7 and lower) Enter the port for Performance Center (Example: 8182):
    Specifies the port for NetOps Portal. For example, for HTTPS, specify 8182.
  - (22.2.8 and higher) Enter the port for DX NetOps Portal Event Manager: [8282]
    Specifies the port for the event manager. For example, for HTTPS, specify 8282.
  - (22.2.8 and higher) Enter the port for DX NetOps Portal Device Manager: [8482]
    Specifies the port for the device manager. For example, for HTTPS, specify 8482.
  - Do you have an existing certificate [y/n]?:
    Specify that you do not have a certificate and that you want to generate a self-signed certificate by entering n for no.
  - Enter the full host name for this server:
    Specifies the fully-qualified host name for the NetOps Portal server. Example: yourHost.yourDomain.net
  - Enter the organization for the certificate:
    Specifies the organization for the certificate, for example, YourCompany.
  - Enter the organizational unit for the certificate:
    Specifies the organization unit for the certificate. Example: YourDivision
  - Enter the city for the certificate:
    Specifies the city for the organization related to the certificate. Example: YourCity
  - Enter the state for the certificate:
    Specifies the state or province for the organization related to the certificate. Example: Alaska
  - Enter the two letter country code for the certificate:
    Specifies the country code for the organization related to the certificate. Example: US
  - (22.2.8 and higher) Enter a password for the new keystore:
    Specifies the password to use for importing the certificate into the Jetty keystore.
  - (22.2.8 and higher) Confirm the keystore password:
    Enter the password again.
  - (22.2.7 and lower) Enter a password to use for importing the certificate:
    Specifies the password for importing the certificate.
  - This password is stored in jetty configuration files. Do you want to obfuscate the value so it is not human-readable? ([y/n])
    If you want to obscure the password in the Jetty configuration files, enter y for yes.
  - Enter the password to the Java CA truststore:
    Specifies the password to the Java CA truststore (<installation_directory>/lib/security/cacerts).
    - installation_directory: The default JRE installation directory for NetOps Portal. Default: /opt/CA/jre
    Default: changeit
  The Entered Values line displays, and the entered values display below this line.
- At the "Do you want to change any information before proceeding? ([y/n/b])" prompt, review the entered values, and enter one of the following values:
  - n: The entered values are correct, you want to save them, and you want to continue with enabling HTTPS. HTTPS is enabled for NetOps Portal, and a self-signed certificate is generated.
  - y: You want to return to the prompts for enabling HTTPS for NetOps Portal, and reenter the values.
  - b: You want to cancel enabling HTTPS for NetOps Portal and return to the main menu.
NetOps Portal is configured to use HTTPS.
Export the NetOps Portal Self-Signed Certificate
Export the NetOps Portal self-signed certificate from NetOps Portal so that you can import it into the data sources.
Follow these steps:
- From an open terminal session on the NetOps Portal host, export the NetOps Portal self-signed certificate by issuing the following command:
    <installation_directory>/jre/bin/keytool -exportcert -rfc -keystore <installation_directory>/jre/lib/security/cacerts -alias capc -file </path/file.cer>
  Example:
    /opt/CA/jre/bin/keytool -exportcert -rfc -keystore /opt/CA/jre/lib/security/cacerts -alias capc -file /tmp/NetOps_Portal_cert.cer
  - installation_directory: The default installation directory for NetOps Portal. Default: /opt/CA
  - file: The path and location for the exported certificate.
  The following prompt displays:
    Enter keystore password:
- Enter the password to the Java CA truststore (<installation_directory>/jre/lib/security/cacerts).
  - installation_directory: The default installation directory for NetOps Portal. Default: /opt/CA
  Default: changeit
  The following line appears:
    Certificate stored in file </path/file.cer>
- Copy the exported file (/tmp/NetOps_Portal_cert.cer) to the data sources (for example, the data aggregator and Spectrum).
The NetOps Portal self-signed certificate is exported and is ready for import.
Import the NetOps Portal Certificate into the Data Sources
Import the NetOps Portal certificate into the following data sources:
- The data aggregator. Complete one of the following procedures based on your security settings:
  - If the data aggregator is using HTTP, complete the following steps:
    - In a fault-tolerant data aggregator environment, secure the communication between the data aggregators and the proxy server.
  - If the data aggregator is HTTPS-enabled, complete the following steps:
    - In a fault-tolerant data aggregator environment, secure the communication between the data aggregators and the proxy server.
- (If you have integrated with DX NetOps Spectrum (Spectrum) and NetOps Portal (NFA)) The Spectrum and NFA truststores.
Import the Certificate into the Data Aggregator's cacerts Truststore
In a fault-tolerant environment, complete this procedure on both data aggregators.
Follow the steps:
- From an open terminal session on the data aggregator host, import the NetOps Portal self-signed certificate into the Java trusted certificate keystore by issuing the following command:
    <installation_directory>/jre/bin/keytool -importcert -keystore <installation_directory>/jre/lib/security/cacerts -storepass <cacertspassword> -alias <alias_name> -file </path/file.cer>
  Example:
    /opt/IMDataAggregator/jre/bin/keytool -importcert -keystore /opt/IMDataAggregator/jre/lib/security/cacerts -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
  - installation_directory: The default installation directory for the data aggregator. Default: /opt/IMDataAggregator
  - cacertspassword: Specifies the password for the certificate authority (CA) keystore. Default: changeit
  - alias_name: Specifies the same alias that was used when creating the self-signed certificate. Example: MyAlias
  - filename.cer: Specifies the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory. Example: /tmp/DA_Cert.cer
- Restart the data aggregator.
The certificate is imported into the cacerts file.
In a fault-tolerant environment, if you have not already completed this procedure for both data aggregators, repeat these steps for the other data aggregator.
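A certificate imported with keytool -importcert becomes a trust anchor on the data aggregator, so before running the import command (for the cacerts truststore or for the Jetty truststore) confirm that the copied file is the certificate that was exported on the NetOps Portal host. The following script is an added example, not part of the product documentation: it assumes the openssl CLI is installed and that the host name entered in SslConfig is the subject CN, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes the openssl CLI is installed and that
# the host name entered in SslConfig is the certificate's subject CN.

# SHA-256 fingerprint of a PEM certificate (the format "keytool -exportcert -rfc" writes).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Subject common name (CN) of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# verify_cert FILE EXPECTED_FINGERPRINT EXPECTED_HOST
# 0 = matches the export, 1 = not the certificate that was exported,
# 2 = issued for a different host, 3 = expired or expiring within 24 hours.
verify_cert() {
    file=$1 want_fp=$2 want_host=$3
    # An empty reference value must never count as a match.
    if [ -z "$want_fp" ] || [ "$(cert_fingerprint "$file")" != "$want_fp" ]; then
        echo "fingerprint mismatch: do not import $file" >&2; return 1
    fi
    if [ "$(cert_cn "$file")" != "$want_host" ]; then
        echo "subject CN is not $want_host" >&2; return 2
    fi
    if ! openssl x509 -in "$file" -noout -checkend 86400 >/dev/null; then
        echo "certificate expires within 24 hours" >&2; return 3
    fi
    echo "OK: $file matches the exported certificate"
}

# Constructed sample input: writes a throwaway self-signed certificate
# for host name $2 to file $1 (for trying the checks without a portal host).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Script usage: verify.sh /tmp/NetOps_Portal_cert.cer <fingerprint> <portal host name>
if [ "$#" -eq 3 ]; then
    verify_cert "$@"
fi
```

Read the reference fingerprint on the NetOps Portal host with keytool -printcert -file /tmp/NetOps_Portal_cert.cer, then pass that SHA-256 value as the second argument on each data source.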
Import the Certificate into the Data Aggregator's Jetty Truststore
Complete this procedure if HTTPS is enabled for the data aggregator.
Follow the steps:
- From an open terminal session on the data aggregator host, import the NetOps Portal self-signed certificate into the Java trusted certificate keystore by issuing the following command:
    <installation_directory>/jre/bin/keytool -importcert -keystore <installation_directory>/<apache-karaf-*>/etc/truststore -storepass <cacertspassword> -alias <alias_name> -file <filename>.cer
  Example:
    /opt/IMDataAggregator/jre/bin/keytool -importcert -keystore /opt/IMDataAggregator/apache-karaf-4.3.3/etc/truststore -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
  - installation_directory: The installation directory of the data aggregator. Default: /opt/IMDataAggregator
  - apache-karaf-*: The installation directory for Apache Karaf. Example: (21.2.6 and higher) apache-karaf-4.3.3
  - cacertspassword: Specify the password for the certificate authority keystore. Default: changeit
  - alias_name: Specify a unique alias for the self-signed certificate. Example: MyAlias
  - filename.cer: Specify the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory. Example: /tmp/DA_Cert.cer
- Restart the data aggregator.
The certificate is imported into the truststore file.
Check for Configuration Issues
You can check the security configuration for any potential issues using SslConfig. Common issues include certificate errors.
Follow these steps:
- Relaunch SslConfig.
- At the "Select your preferred language" prompt, enter the number for the language for SslConfig. The Options line displays, and a list of options displays.
- At the "Select your option" prompt, enter the number for the option to perform an SSL health check.
- When prompted, confirm your selection by entering y for yes.
- Review the output. Verify that all tests show as "Passed".
If necessary, you can revert NetOps Portal to using HTTP.