Enable HTTPS for NetOps Portal Using the SSL Configuration Tool and Import an Existing Certificate
You can enable Hypertext Transfer Protocol Secure (HTTPS) for NetOps Portal using the SSL Configuration tool (SslConfig) and import an existing certificate. Use this procedure if you want to use an existing certificate and private key that a trusted Certificate Authority (CA) has signed (a CA-signed certificate).
Store the certificate and private key files, such as *.pem, *.cer, *.crt, *.key files, that are referenced in configuration files during this process in a secure location. If the certificate and private key files are temporary files that are not referenced in configuration files after this process is complete, move or delete them.
Use the following process to enable HTTPS for NetOps Portal:
Verify the Prerequisites
Before enabling HTTPS using the configuration tool, ensure that you have obtained a certificate for the NetOps Portal host from a trusted Certificate Authority (CA), and the private key associated with it. The certificate and private key files must be in unencrypted PEM (PKCS8) or PKCS12 format.
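A preflight check for the private key file before its path is entered at the SslConfig prompts, as an added example that is not part of the product documentation: it classifies the file by its PEM header and flags loose file permissions. The function names are illustrative, and the conversion hint assumes OpenSSL is installed.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Usage: sh check_key.sh /path/to/private.key   (path is a placeholder)

# Classify a key file by its PEM header line.
key_format() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-unencrypted
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' \
                 -e '-----BEGIN EC PRIVATE KEY-----' "$1"; then
        # Traditional PEM; an encrypted one carries a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo legacy-encrypted
        else
            echo legacy-unencrypted
        fi
    else
        echo not-pem
    fi
}

# Succeeds when group or others can read the file.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Print findings; return 0 only for an unencrypted PKCS8 PEM key.
preflight_key() {
    fmt=$(key_format "$1")
    if readable_by_others "$1"; then
        echo "WARN: $1 is readable by group/others; restrict it (chmod 600)"
    fi
    case $fmt in
        pkcs8-unencrypted) echo "OK: unencrypted PKCS8 PEM"; return 0 ;;
        pkcs8-encrypted|legacy-encrypted)
            echo "FAIL: key is passphrase-protected; an unencrypted key is required" ;;
        legacy-unencrypted)
            echo "FAIL: traditional PEM; convert with: openssl pkcs8 -topk8 -nocrypt -in $1 -out <new_file>" ;;
        not-pem)
            echo "FAIL: no PEM key header; acceptable only if this is a PKCS12 file" ;;
    esac
    return 1
}

if [ "$#" -ge 1 ]; then preflight_key "$1"; fi
```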
Configure NetOps Portal to Use HTTPS
If you encounter issues using the configuration tool, use the debug log that is available in the <installation_directory>/PerformanceCenter directory.
Follow these steps:
- Open a terminal session on the NetOps Portal host.
- Launch the configuration tool by issuing the ./SslConfig command in the <installation_directory> directory.
  - installation_directory: The installation directory for NetOps Portal. Default: /opt/CA/PerformanceCenter
  [Image: the prompts (22.2.7 and lower), Options]
- At the Preferred Language prompt, specify a language for the configuration tool. The Options line displays, and a list of options displays.
  [Image: the prompts (22.2.8 and higher), Configure SSL]

- At the Select your option prompt, enter the number for the Configure SSL option. The Configure SSL line displays.
- At the following prompt, confirm your selection by entering y for yes. The Configuring Performance Center to use SSL line displays.
  - (22.2.8 and higher) Are you sure you want to configure DX NetOps Portal to use https? This will stop all the DX NetOps Portal processes [y/n]?
  - (22.2.7 and lower) Are you sure you want to configure Performance Center to use SSL. This will stop all the Performance Center processes [y/n]?
- Complete the following prompts:
  - Enter the port for Single Sign On (Example: 8382)
    Specifies the port that web clients use to access the Single Sign-On service. For example, for HTTPS, specify 8382.
  - (22.2.8 and higher) Are you using a reverse proxy for DX NetOps Portal that only allows access from 1 port? ([y/n]):
    If you are using a reverse proxy for NetOps Portal, enter y for yes.
  - (22.2.7 and lower) Are you using a reverse proxy for Performance Center that only allows access from 1 port ([y/n]):
    If you are using a reverse proxy for NetOps Portal, enter y for yes.
  - Enter the port for Single Sign On for Data Sources: [8382]
    Specifies the port that the data sources use to access the Single Sign-On service. For example, for HTTPS, specify 8382. For more information about the ports that are required for secured communication, see Review Installation Requirements and Considerations.
  - (22.2.8 and higher) Enter the port for DX NetOps Portal Console: [8182]
    Specifies the port for NetOps Portal console.
  - (22.2.8 and higher) Enter the port for DX NetOps Portal Event Manager: [8282]
    Specifies the port for the event manager. For example, for HTTPS, specify 8282.
  - (22.2.8 and higher) Enter the port for DX NetOps Portal Device Manager: [8482]
    Specifies the port for the device manager. For example, for HTTPS, specify 8482.
  - Do you have an existing certificate [y/n]?
    Specify that you have a certificate and that you want to import it by entering y for yes.
  - Enter the location and filename of the certificate
    Specifies the full path and name of the certificate file. This file must be in unencrypted PEM (PKCS8) or PKCS12 format, for example, /tmp/sample.p12.
  - Enter the location and filename of the key
    Specifies the full path and name of the private key file for the certificate. This file must be in unencrypted PEM (PKCS8) or PKCS12 format, for example, /tmp/sample.p12.
  - Enter a password for the new keystore
    Specifies the password for the keystore.
  - Confirm the keystore password
    Enter the password again.
  - This password is stored in jetty configuration files. Do you want to obfuscate the value so it is not human-readable [y/n]?
    If you want to obscure the password in the Jetty configuration files, enter y for yes.
  - Enter the password to the Java CA trust store
    Specifies the password for the Java CA truststore. Default: changeit
  The Entered Values line displays, and the entered values display below this line.
- At the Do you want to change any information before proceeding [y/n/b]? prompt, review the entered values, and enter one of the following values:
  - n: The entered values are correct, you want to save them, and you want to continue with enabling HTTPS. HTTPS is enabled for NetOps Portal using the certificate and private key files that you specified.
  - y: You want to return to the prompts for enabling HTTPS for NetOps Portal, and reenter the values.
  - b: You want to cancel enabling HTTPS for NetOps Portal and return to the main menu.
Import the NetOps Portal CA-Signed Certificate into the Data Sources
Use the following process to import the NetOps Portal CA-signed certificate into the data sources:
- Import the NetOps Portal CA-signed certificate into the following data sources:
  - Into the data aggregator by completing one of the following procedures based on your security settings:
    - If the data aggregator is using HTTP, import the CA root and intermediate certificates into the data aggregator cacerts file.
    - If the data aggregator is HTTPS-enabled, import the CA root and intermediate certificates into the data aggregator truststore.
  - (If you have integrated with DX NetOps Spectrum (Spectrum) and DX NetOps Network Flow Analysis (NFA)) Into the Spectrum and NFA truststores.
Export the NetOps Portal CA-Signed Certificate
Export the NetOps Portal CA-signed certificate from NetOps Portal so that you can import it into the data sources.
Follow these steps:
- From an open terminal session on the NetOps Portal host, export the NetOps Portal CA-signed certificate into the data aggregator by issuing the following command:
  keytool -exportcert -keystore <installation_directory>/jre/lib/security/cacerts -rfc -alias <alias_name> -file <filename>.cer
  Example:
  keytool -exportcert -keystore /opt/CA/jre/lib/security/cacerts -rfc -alias capc -file /tmp/NetOps_Portal_Cert.cer
  - installation_directory: The installation directory for the data aggregator. Default: /opt/CA
  - alias_name: Specifies the same alias that was used when creating the CA-signed certificate. Example: capc
  - filename.cer: Specifies the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory. Example: /tmp/NetOps_Portal_Cert.cer
  The following prompt displays: Enter keystore password:
- Enter the password to the Java CA truststore (<installation_directory>/jre/lib/security/cacerts).
  - installation_directory: The default installation directory for NetOps Portal. Default: /opt/CA
  Default: changeit
  The following line appears: Certificate stored in file </tmp/NetOps_Portal_cert>
- Copy the exported file (/tmp/NetOps_Portal_cert) to the data sources (for example, the data aggregator and Spectrum).
The NetOps Portal CA-signed certificate is exported and is ready for import.
Import the Certificates into the Data Aggregator cacerts File
Complete this procedure if the data aggregator is using HTTP. In a fault-tolerant environment, complete this procedure on both data aggregators.
Follow the steps:
- From an open terminal session on the data aggregator host, import the root and intermediate certificates into the Java trusted certificate keystore by issuing the following command for each certificate:
  keytool -importcert -keystore <installation_directory>/jre/lib/security/cacerts -storepass <cacertspassword> -alias <alias_name> -file <filename>.cer
  Example:
  keytool -importcert -keystore /opt/IMDataAggregator/jre/lib/security/cacerts -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
  - installation_directory: The installation directory for the data aggregator. Default: /opt/IMDataAggregator
  - cacertspassword: Specifies the password for the CA keystore. Default: changeit
  - alias_name: Specifies the same alias that was used when creating the CA-signed certificate. Example: MyAlias
  - filename.cer: Specifies the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory. Example: /tmp/DA_Cert.cer
- In a fault-tolerant environment, configure a proxy server (DAProxy) to send traffic from NetOps Portal to the active data aggregator.
- Restart the data aggregator.
The certificate is imported into the cacerts file.
In a fault-tolerant environment, if you have not already completed this procedure for both data aggregators, repeat these steps for the other data aggregator.
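One way to confirm that an import into the cacerts file or into the truststore stored the certificate you intended, as an added example that is not part of the product documentation: it compares the SHA-256 fingerprint of the keystore entry with that of the certificate file. The function names are illustrative, and the parsing assumes that keytool's verbose output contains a SHA256: line.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Usage: sh verify_import.sh <keystore> <alias_name> <filename>.cer

# Read keytool output on stdin and print the first SHA-256 fingerprint,
# upper-cased, without colons or whitespace.
# Assumption: the output contains a line of the form "SHA256: AB:CD:...".
sha256_of() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 |
        tr -d ': \t\r' | tr 'a-f' 'A-F'
}

# Succeeds only when both values are the same 64-digit hex string, so an
# empty result (alias missing, unreadable file) counts as a mismatch.
same_fingerprint() {
    case $1 in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#1}" -eq 64 ] && [ "$1" = "$2" ]
}

# Compare the keystore entry with the certificate file.
# -storepass is omitted so that keytool prompts for the password, which
# keeps it out of the process list and the shell history.
verify_import() {
    ks=$1 entry=$2 cert=$3
    in_store=$(keytool -list -v -keystore "$ks" -alias "$entry" | sha256_of)
    in_file=$(keytool -printcert -file "$cert" | sha256_of)
    if same_fingerprint "$in_store" "$in_file"; then
        echo "OK: alias $entry matches $cert ($in_file)"
    else
        echo "MISMATCH: store=$in_store file=$in_file"
        return 1
    fi
}

if [ "$#" -eq 3 ]; then verify_import "$@"; fi
```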
Import the Certificates into the Data Aggregator Truststore
Complete this procedure if HTTPS is enabled for the data aggregator.
Follow the steps:
- From an open terminal session on the data aggregator host, import the root and intermediate certificates into the Java trusted certificate keystore by issuing the following command:
  keytool -importcert -keystore <installation_directory>/apache-karaf/etc/truststore -storepass <cacertspassword> -alias <alias_name> -file <filename>.cer
  Example:
  keytool -importcert -keystore /opt/IMDataAggregator/apache-karaf/etc/truststore -storepass changeit -alias MyAlias -file /tmp/DA_Cert.cer
  - installation_directory: The installation directory of the data aggregator. Default: /opt/IMDataAggregator
  - cacertspassword: Specify the password for the certificate authority keystore. Default: changeit
  - alias_name: Specify a unique alias for the CA-signed certificate. Example: MyAlias
  - filename.cer: Specify the file to which the certificate is exported. Use a full pathname that does not place the file in the current directory. Example: /tmp/DA_Cert.cer
- Restart the data aggregator.
The certificate is imported into the truststore file.
Import the Certificate into the Spectrum and NFA Truststores
Complete this step from an open terminal session on the data source hosts if you have integrated with Spectrum and NFA.
For more information:
- About how to import the certificate into the Spectrum truststore, see Add Intermediate and Root Certificates in the DX NetOps Spectrum documentation.
- About how to import the certificate into the NFA truststore, see Enable HTTPS for Network Flow Analysis in the DX NetOps Network Flow Analysis documentation.
Check for Configuration Issues
You can check the security configuration for any potential issues using SslConfig. Common issues include certificate errors.
Follow these steps:
- From an open terminal session on the NetOps Portal host, relaunch SslConfig. The SSL Configuration line appears.
  [Image: the options (22.2.8 and higher)]
  [Image: the options (22.2.7 and lower), Options]
- At the Select your preferred language prompt, enter the number for the language for SslConfig. The Options line displays, and a list of options displays.
- At the Select your option prompt, enter the number for the option to perform an SSL health check.
- When prompted, confirm your selection by entering y for yes.
- Review the output. Verify that all tests show as "Passed" (succeeded).
  [Image: example output (22.2.8 and higher)]
