On-prem Netcool Omnibus probe certificate.

By JULIUS WAHIDIN posted Thu May 26, 2022 11:28 AM

Recently I had to create a certificate for an on-premises Netcool Omnibus probe. IBM provides online documentation, and a support guide is also available; however, I still felt a quick step-by-step guide would be useful, especially when you need to configure the certificate quickly. This blog provides quick step-by-step instructions for setting up a certificate on an Omnibus probe.

Many cloud data providers need to send alerts to a webhook receiver these days, so I will take the example of configuring the certificate for a Message Bus probe, as the Message Bus probe is one of the most flexible ways for Netcool Operation Insight to receive incoming webhook integrations. We wanted to create a certificate and assign it to the Message Bus probe to secure the connection; many cloud-based data providers will not send alerts unless the connection uses TLS.

While I am using a Message Bus probe as the example, the same steps apply to most other Netcool probes.

So we have our Message Bus probe installed. The following steps show one way to generate a certificate and assign it to the probe.

1. OpenSSL or Java Keytool?
There are two general ways to create and manage certificates: the OpenSSL utility or the Java keytool. As the Omnibus probes require the certificate in JKS (Java KeyStore) format, we will mainly use keytool.

2. Setting the path.
As keytool is a Java application, the first step is to ensure that the Java binary is in your PATH.

If your Java binary is not in the PATH, run the following:

export PATH=$PATH:$NCHOME/platform/linux2x86/jre64_1.8.0/jre/bin

(If you are configuring the LogAnalysis component, run the following instead:
export PATH=$PATH:/opt/netcool/LogAnalysis/ibm-java/jre/bin)

3. Create the private key.
You only need to create the private key once; it can be reused.
First, get the host's Fully Qualified Domain Name (FQDN).

$ hostname -A

Copy this FQDN, and ensure that the Distinguished Name (dname) has its Common Name (CN) field set to this FQDN.

Assuming your FQDN is waiops.ibm.com, you can generate the private key in a keystore named waiops.keystore using the following command:

keytool -genkeypair \
-keysize 2048 \
-validity 397 \
-alias waiops.ibm.com \
-keystore waiops.keystore \
-keyalg RSA \
-storepass 'Netcool_23' \
-keypass 'Netcool_23' \
-dname 'CN=waiops.ibm.com,O=ibm,ST=Armonk,C=US'

Note that the dname is essential: its CN must be the same as the host's FQDN.

Also note that there are two passwords: the keystore password and the password for the key itself. They can be the same or different.
A keystore can contain multiple keys, and each key is referred to by its alias.

4. Create the CSR (Certificate Signing Request).
Using the private key created in the previous step, you can create a CSR with the following command (the alias and keystore password are the ones used in step 3):

keytool -certreq \
-alias waiops.ibm.com \
-keystore waiops.keystore \
-storepass 'Netcool_23' \
-file waiops.csr

You can check the CSR as follows:

$ openssl req -text -in waiops.csr -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=California, O=ibm, CN=waiops.ibm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b3:a7:68:92:63:f0:db:cb:ac:42:fa:84:b5:ae:
37:14:68:3c:d1:98:84:e9:40:f5:b5:2a:9f:51:ec:
a2:cc:65:08:15:5c:32:b5:f6:5c:12:88:c5:44:0f:
26:4c:8f:2c:87:d6:20:95:a3:54:1f:ae:1a:f3:f5:
19:4f:89:3b:16:2f:7d:55:93:d4:31:39:75:eb:c6:
d8:3f:54:e3:69:e2:01:4d:b5:f9:19:40:64:22:ca:
84:72:0c:e7:d7:06:7a:47:cb:1e:a7:bd:bc:89:ee:
c1:1c:e9:0f:7b:d9:81:d8:f3:bf:9d:20:fa:0c:8d:
f4:85:c1:76:2c:0a:bd:89:e2:89:83:bd:b2:d6:55:
44:dd:24:1a:ac:50:4e:23:7d:e9:35:46:eb:1a:3e:
f7:af:72:df:0a:25:0a:5b:23:8c:7a:6e:86:34:0f:
21:65:1e:58:4c:76:1d:31:4b:76:99:43:f1:48:e0:
d7:3f:53:ab:72:bd:8f:db:65:67:e6:04:04:6c:6a:
6c:50:dd:6d:81:70:9a:58:28:70:d8:82:9a:62:46:
68:00:52:04:4c:8e:00:fd:1d:2a:8a:02:23:59:69:
48:72:70:a5:48:09:39:33:9c:73:68:e7:a5:93:b6:
63:72:db:a2:7e:87:5a:1d:d6:f0:07:ac:ec:db:25:
e9:91
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
3F:5F:9F:49:90:D8:06:2B:92:57:1C:2E:1B:BB:95:4F:A1:EA:7B:B2
Signature Algorithm: sha256WithRSAEncryption
41:9a:cc:8a:6b:65:ee:36:9e:1e:b3:aa:2e:37:8d:35:e4:8f:
d0:24:d9:b4:c3:ac:9f:a9:04:11:2e:1b:42:d5:54:85:8e:9a:
47:99:28:87:32:4e:46:b1:4a:f2:35:8f:d5:23:a7:1b:21:03:
ef:8f:05:f8:e5:08:51:bf:08:15:8d:9f:47:9e:b9:a1:4e:6e:
44:d9:42:ad:53:c3:57:50:c7:8c:60:8a:07:9b:c4:c2:f6:68:
7c:fb:08:21:50:9c:6f:2c:bf:2d:12:37:e8:8e:5a:84:8c:8a:
b7:a8:a3:ba:83:53:b5:30:08:3a:85:4f:e5:5b:eb:c8:7a:b2:
0b:29:47:b4:cd:a1:13:be:6c:1a:6e:4f:cc:1f:44:26:6a:c8:
d9:4f:4d:1a:51:40:60:3e:4b:86:50:46:27:ae:a6:64:ec:70:
d0:58:34:11:97:7b:d0:bb:c7:ef:29:9b:3d:52:38:2f:ae:f5:
8e:a1:66:00:14:f0:eb:02:d9:97:6a:b9:cc:60:39:fd:bb:a2:
2e:1d:ef:a7:28:21:29:0f:5b:f1:04:c6:43:ed:81:fe:1b:ed:
41:54:19:6b:80:64:8b:69:eb:cf:fc:4b:7c:36:de:d3:87:a6:
96:b4:33:90:e7:5a:8d:26:92:17:d9:10:1a:a5:e7:46:4a:d0:
b7:d7:26:5b

5. Get the CSR signed
Send the CSR to the Certificate Authority (CA) to be signed, and wait until the signed certificate is returned.

6. Download the Signed Certificate.
Depending on your CA, you can download the certificate in multiple formats; this is where things may get confusing. Two different things are being named: the cryptography standard the certificate follows and the file format it is stored in.

The certificate may come in a PKCS format. PKCS stands for Public-Key Cryptography Standards; RSA Laboratories created them, and there are at least 15 PKCS standards, numbered #1 to #15.

The certificate may also come in DER or PEM format. DER and PEM are file formats: DER is the binary encoding, and PEM is the same data base64-encoded between BEGIN/END header lines.

Some CAs allow you to download the certificate as a Java keystore. In the software tool that I use, if I download the certificate as a JKS, I can also specify the following:
  • Include Root Chain options.
  • Specify the alias.
  • Specify the Keystore password (and confirm it).


7. Import the signed certificate.
Assuming that the signed certificate comes in a file named waiops.ibm.com.cer, you can import it with this command. The alias must be the same one used for the key pair in step 3, so that keytool installs the certificate as a reply against that private key rather than as a separate trusted certificate.

$ keytool -import -trustcacerts -keystore waiops.keystore -alias waiops.ibm.com -file waiops.ibm.com.cer
Enter Keystore password:
Certificate reply was installed in keystore

8. Import the Intermediate Certificate in the chain (optional).
If you downloaded the intermediate certificate chain, you can import it into the same keystore under its own alias:

$ keytool -import -trustcacerts -keystore waiops.keystore -alias theIntermediate -file theIntermediate.cer
Enter keystore password:
Certificate was added to keystore

9. Place the certificate in the configuration file.
Copy your keystore to the probe's configuration directory $OMNIHOME/probes/linux2x86 and edit your Message Bus property file to point to it.

For example, your property file $OMNIHOME/probes/linux2x86/message_bus.props may contain the following. I have not encrypted the password in the property file so that you can relate it to the password used in the previous commands.

# SSL
EnableSSL : 'true'
KeyStore : '/opt/netcool/netcool/omnibus/probes/linux2x86/waiops.keystore'
KeyStorePassword : 'Netcool_23' # You can encrypt this if you want

10. Restart the probe; it should now have the certificate configured.
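Before restarting, it is worth confirming that steps 7 and 8 really attached the CA's reply to the private key. The following check is an added example, not part of the original post: it reads the output of `keytool -list -v` and verifies that the key alias is a PrivateKeyEntry, that its leaf CN matches the FQDN, and that the chain is longer than one (a length of 1 means the keystore still holds only the self-signed key pair from step 3, which is what you get when the reply is imported under a different alias). The sample listings are constructed, and `hostname -f` is assumed to return the single FQDN.

```shell
#!/bin/sh
# Post-import check for the probe keystore (after steps 7 and 8). Reads the
# output of `keytool -list -v -keystore waiops.keystore -storepass ...` on
# stdin and checks that ALIAS is a PrivateKeyEntry whose leaf CN equals FQDN
# and whose chain is at least 2 long (length 1 means the CA reply was never
# installed against the private key, e.g. it was imported under another alias).
check_probe_keystore_entry() {
  awk -v alias="$1" -v fqdn="$2" '
    /^Alias name: /               { inblk = ($3 == alias); next }
    !inblk                        { next }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { chain = $4 + 0 }
    /^Certificate\[1\]:/          { leaf = 1; next }
    leaf && /^Owner: /            { cn = $0; sub(/.*CN=/, "", cn); sub(/,.*/, "", cn); leaf = 0 }
    END {
      ok = 1
      if (type != "PrivateKeyEntry") { print "FAIL: " alias " is not a PrivateKeyEntry"; ok = 0 }
      if (chain < 2)  { print "FAIL: chain length " chain ": CA reply not installed"; ok = 0 }
      if (cn != fqdn) { print "FAIL: CN \"" cn "\" does not match " fqdn; ok = 0 }
      if (ok) print "OK: " alias " is signed and matches " fqdn
      exit (ok ? 0 : 1)
    }'
}

# Constructed sample listings (not keytool output from the post).
# After step 8: signed leaf plus intermediate under the key alias.
SIGNED_LISTING='Alias name: waiops.ibm.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=waiops.ibm.com, O=ibm, ST=Armonk, C=US
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example'
# After step 3 only: self-signed key pair, no CA reply yet.
UNSIGNED_LISTING='Alias name: waiops.ibm.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=waiops.ibm.com, O=ibm, ST=Armonk, C=US
Issuer: CN=waiops.ibm.com, O=ibm, ST=Armonk, C=US'

# Live use: keytool -list -v -keystore waiops.keystore -storepass 'Netcool_23' \
#             | check_probe_keystore_entry waiops.ibm.com "$(hostname -f)"
printf '%s\n' "$SIGNED_LISTING"   | check_probe_keystore_entry waiops.ibm.com waiops.ibm.com
printf '%s\n' "$UNSIGNED_LISTING" | check_probe_keystore_entry waiops.ibm.com waiops.ibm.com || true
```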


Summary.
The steps to create, sign and install a certificate for a Netcool OMNIbus probe have been described. If there is interest, I may write more on certificates for the Netcool products.

#certificate
#HowTo
#Install
#Netcool
#omnibus