Enable HTTPS for NetOps Portal Using the SSL Configuration Tool and Import an Existing Certificate

You can enable Hypertext Transfer Protocol Secure (HTTPS) for NetOps Portal using the SSL Configuration tool (SslConfig) and import an existing certificate.
Use this procedure if you want to use an existing certificate and private key that a trusted Certificate Authority (CA) has signed (a CA-signed certificate).
Store the certificate and private key files, such as *.pem, *.cer, *.crt, *.key files, that are referenced in configuration files during this process in a secure location. If the certificate and private key files are temporary files that are not referenced in configuration files after this process is complete, move or delete them.
Use the following process to enable HTTPS for NetOps Portal:

Verify the Prerequisites

Before enabling HTTPS using the configuration tool, ensure that you have obtained a certificate for the NetOps Portal host from a trusted Certificate Authority (CA), and the private key associated with it.
The certificate and private key files must be in unencrypted PEM (PKCS8) or PKCS12 format.
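The format requirement above can be checked before SslConfig is launched. The following pre-flight script is an added example, not part of the product documentation or of SslConfig; it covers the PEM case only, assumes the openssl CLI is installed, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PEM certificate/key pair before it is
# given to SslConfig. Function names are hypothetical; requires the openssl CLI.

# Classify a key file by its PEM header. The page asks for unencrypted PKCS8.
pem_key_format() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-unencrypted
    elif grep -Eq -- '-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----' "$1"; then
        # Traditional format; convert with:
        #   openssl pkcs8 -topk8 -nocrypt -in KEY -out KEY.pk8
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo traditional-encrypted
        else
            echo traditional-unencrypted
        fi
    else
        echo no-pem-key   # for example a binary PKCS12 file, not inspected here
    fi
}

# True when group and other have no permission bits on the key file.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate and the private key carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check, report each failure, return non-zero if any check failed.
preflight() {
    cert=$1 key=$2 rc=0
    fmt=$(pem_key_format "$key")
    [ "$fmt" = pkcs8-unencrypted ] || { echo "key format is $fmt, need unencrypted PKCS8"; rc=1; }
    key_perms_ok "$key" || { echo "key file is accessible to group or other"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
        { echo "certificate unreadable or expires within 30 days"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh /path/to/cert.pem /path/to/key.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; the messages name which one.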

Configure NetOps Portal to Use HTTPS

If you encounter issues using the configuration tool, use the debug log that is available in the <installation_directory>/PerformanceCenter directory.
Follow these steps:
  1. Open a terminal session on the NetOps Portal host.
  2. Launch the configuration tool by issuing the ./SslConfig command in the <installation_directory> directory.
    • installation_directory
      The installation directory for NetOps Portal.
      Default: /opt/CA/PerformanceCenter
    The following image shows the prompts (22.2.7 and lower): Options
  3. At the Preferred Language prompt, specify a language for the configuration tool.
    The Options line displays, and a list of options displays.
    The following image shows the prompts (22.2.8 and higher): Configure SSL Options
  4. At the Select your option prompt, enter the number for the Configure SSL option.
    The Configure SSL line displays.
  5. At the following prompt, confirm your selection by entering y for yes:
    (22.2.8 and higher) Are you sure you want to configure DX NetOps Portal to use https? This will stop all the DX NetOps Portal processes [y/n]?
    (22.2.7 and lower) Are you sure you want to configure Performance Center to use SSL. This will stop all the Performance Center processes [y/n]?
    The Configuring Performance Center to use SSL line displays.
  6. Complete the following prompts:
    • Enter the port for Single Sign On (Example: 8382)
      Specifies the port that web clients use to access the Single Sign-On service. For example, for HTTPS, specify 8382.
    • (22.2.8 and higher) Are you using a reverse proxy for DX NetOps Portal that only allows access from 1 port? ([y/n]):
      If you are using a reverse proxy for NetOps Portal, enter y for yes.
    • (22.2.7 and lower) Are you using a reverse proxy for Performance Center that only allows access from 1 port ([y/n]):
      If you are using a reverse proxy for NetOps Portal, enter y for yes.
    • Enter the port for Single Sign On for Data Sources: [8382]
      Specifies the port that the data sources use to access the Single Sign-On service. For example, for HTTPS, specify 8382.
      For more information about the ports that are required for secured communication, see Review Installation Requirements and Considerations.
    • (22.2.8 and higher) Enter the port for DX NetOps Portal Console: [8182]
      Specifies the port for NetOps Portal console.
    • (22.2.8 and higher) Enter the port for DX NetOps Portal Event Manager: [8282]
      Specifies the port for the event manager. For example, for HTTPS, specify 8282.
    • (22.2.8 and higher) Enter the port for DX NetOps Portal Device Manager: [8482]
      Specifies the port for the device manager. For example, for HTTPS, specify 8482.
    • Do you have an existing certificate [y/n]?
      Specify that you have a certificate and that you want to import it by entering y for yes.
    • Enter the location and filename of the certificate
      Specifies the full path and name of the certificate file. This file must be in unencrypted PEM (PKCS8) or PKCS12 format, for example, /tmp/sample.p12.
    • Enter the location and filename of the key
      Specifies the full path and name of the private key file for the certificate. This file must be in unencrypted PEM (PKCS8) or PKCS12 format, for example, /tmp/sample.p12.
    • Enter a password for the new keystore
      Specifies the password for the keystore.
    • Confirm the keystore password
      Enter the password again.
    • This password is stored in jetty configuration files. Do you want to obfuscate the value so it is not human-readable [y/n]?
      If you want to obscure the password in the Jetty configuration files, enter y for yes.
    • Enter the password to the Java CA trust store
      Specifies the password for the Java CA truststore.
      Default: changeit
    The Entered Values line displays, and the entered values display below this line.
  7. At the Do you want to change any information before proceeding [y/n/b]? prompt, review the entered values, and enter one of the following values:
    • n:
      The entered values are correct, you want to save them, and you want to continue with enabling HTTPS.
      HTTPS is enabled for NetOps Portal using the certificate and private key files that you specified.
    • y:
      You want to return to the prompts for enabling HTTPS for NetOps Portal, and reenter the values.
    • b:
      You want to cancel enabling HTTPS for NetOps Portal and return to the main menu.

Import the NetOps Portal CA-Signed Certificate into the Data Sources

Use the following process to import the NetOps Portal CA-signed certificate into the data sources:
  1. Import the NetOps Portal CA-signed certificate into the following data sources:

Export the NetOps Portal CA-Signed Certificate

Export the NetOps Portal CA-signed certificate from NetOps Portal so that you can import it into the data sources.
Follow these steps:
  1. From an open terminal session on the NetOps Portal host, export the NetOps Portal CA-signed certificate into the data aggregator by issuing the following command:
    keytool -exportcert -keystore <installation_directory>/jre/lib/security/cacerts -rfc -alias <alias_name> -file <filename>.cer
    Example:
    keytool -exportcert -keystore /opt/CA/jre/lib/security/cacerts -rfc -alias capc -file /tmp/NetOps_Portal_Cert.cer
    • installation_directory
      The installation directory for the data aggregator.
      Default: /opt/CA
    • alias_name
      Specifies the same alias that was used when creating the CA-signed certificate.
      Example: capc
    • filename.cer
      Specifies the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory.
      Example: /tmp/NetOps_Portal_Cert.cer
    The following prompt displays:
    Enter keystore password:
  2. Enter the password to the Java CA truststore (<installation_directory>/jre/lib/security/cacerts).
    • installation_directory
      The default installation directory for NetOps Portal.
      Default: /opt/CA
    Default: changeit
    The following line appears:
    Certificate stored in file </tmp/NetOps_Portal_cert>
  3. Copy the exported file (/tmp/NetOps_Portal_cert) to the data sources (for example, the data aggregator and Spectrum).
The NetOps Portal CA-signed certificate is exported and is ready for import.

Import the Certificates into the Data Aggregator cacerts File

Complete this procedure if the data aggregator is using HTTP. In a fault-tolerant environment, complete this procedure on both data aggregators.
Follow the steps:
  1. From an open terminal session on the data aggregator host, import the root and intermediate certificates into the Java trusted certificate keystore by issuing the following command for each certificate:
    keytool -importcert -keystore <installation_directory>/jre/lib/security/cacerts -storepass <cacertspassword> -alias <alias_name> -file <filename>.cer
    Example:
    keytool -importcert -keystore /opt/IMDataAggregator/jre/lib/security/cacerts -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
    • installation_directory
      The installation directory for the data aggregator.
      Default: /opt/IMDataAggregator
    • cacertspassword
      Specifies the password for the CA keystore.
      Default: changeit
    • alias_name
      Specifies the same alias that was used when creating the CA-signed certificate.
      Example: MyAlias
    • filename.cer
      Specifies the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory.
      Example: /tmp/DA_Cert.cer
  2. Restart the data aggregator.
The certificate is imported into the cacerts file.
In a fault-tolerant environment, if you have not already completed this procedure for both data aggregators, repeat these steps for the other data aggregator.

Import the Certificates into the Data Aggregator Truststore

Complete this procedure if HTTPS is enabled for the data aggregator.
Follow the steps:
  1. From an open terminal session on the data aggregator host, import the root and intermediate certificates into the Java trusted certificate keystore by issuing the following command:
    keytool -importcert -keystore <installation_directory>/apache-karaf/etc/truststore -storepass <cacertspassword> -alias <alias_name> -file <filename>.cer
    Example:
    keytool -importcert -keystore /opt/IMDataAggregator/apache-karaf/etc/truststore -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
    • installation_directory
      The installation directory of the data aggregator.
      Default: /opt/IMDataAggregator
    • cacertspassword
      Specify the password for the certificate authority keystore.
      Default: changeit
    • alias_name
      Specify a unique alias for the CA-signed certificate.
      Example: MyAlias
    • filename.cer
      Specify the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory.
      Example: /tmp/DA_Cert.cer
  2. Restart the data aggregator.
The certificate is imported into the truststore file.

Import the Certificate into the Spectrum and NFA Truststores

Complete this step from an open terminal session on the data source hosts if you have integrated with Spectrum and NFA.
For more information:

Check for Configuration Issues

You can check the security configuration for any potential issues using SslConfig. Common issues include certificate errors.
Follow these steps:
  1. From an open terminal session on the NetOps Portal host, relaunch SslConfig.
    The SSL Configuration line appears.
    The following image shows the options (22.2.8 and higher; 22.2.7 and lower): Options
  2. At the Select your preferred language prompt, enter the number for the language for SslConfig.
    The Options line displays, and a list of options displays.
  3. At the Select your option prompt, enter the number for the option to perform an SSL health check.
  4. When prompted, confirm your selection by entering y for yes.
  5. Review the output. Verify that all tests show as "Passed" (succeeded).
    The following image shows example output (22.2.8 and higher): SslConfig example output