Using SSL between NNMi and OMi

  • KM03599282
  • 12-Feb-2020
  • 12-Feb-2020

Summary

Some customers, due to policy restrictions, prefer to use an SSL connection between applications to ensure that the data sent is encrypted.

Error

When trying to integrate NNMi with OMi using SSL, the web form displays the error message: Unable to access BSM host, check the host, port and credentials for BSM.

In nnm-trace.log, when the form is submitted:

CONFIG [com.hp.ov.nnm.bsm.im.BsmClient] (tomcat-exec-16) Exception occured attempting to connection to BSM server.: com.hp.ucmdb.api.CommunicationException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.

 

 

Cause

For the integration to be enabled successfully, the certificate exchange steps must be followed: one certificate needs to be exported from NNMi, and two files from OMi need to be imported on the NNMi side.

Fix

a. NNMi certificate import in the OMi gateway server:

   1. Export the certificate from nnm-key.p12:

/opt/OV/bin/nnmkeytool.ovpl -export -alias nnmi_server -storetype PKCS12 -keystore nnm-key.p12 -file nnmi_server.crt -storepass nnmkeypass

   2. Import it on the OMi gateway server:

<drive>:\HPBSM\JRE\bin\keytool.exe -import -alias <NNMi_FQDN>.selfsigned -keystore <drive>:\HPBSM\JRE\lib\security\cacerts -storepass changeit -trustcacerts -file <drive>:\bsm_temp\nnmi_server.crt

Note: In this particular case the JRE64 folder doesn't exist on the OMi gateway server, so the step in the integration guide that also imports the certificate into JRE64 cannot be done.

b. Import OMi gateway certificate and client (root) certificate in NNMi

   1. Export the hpcert certificate on the OMi gateway server:

<drive>:\HPBSM\JRE\bin\keytool.exe -export -alias hpcert -file <path>\keystore -keystore <drive>:\HPBSM\odb\conf\security\server.keystore -storepass hppass

   2. Export the clientcert on the OMi gateway server:

c:\HPBSM\bin\opr-cert-mgmt.bat -e "OMi Webserver CA Certificate" PEM c:\omi_ca.crt

Note: since we were not able to find the password to export the clientcert from the client.keystore in OMi (we tried all the known ones), we found that we can use opr-cert-mgmt.bat to do it (on Linux, it is opr-cert-mgmt.sh).

   3. Import both certificates into the NNMi nnm-trust.p12:

/opt/OV/bin/nnmkeytool.ovpl -import -alias hpcert -keystore $NnmDataDir/shared/nnm/certificates/nnm-trust.p12 -storetype PKCS12 -storepass ovpass -file /nnmi_tmp/keystore

/opt/OV/bin/nnmkeytool.ovpl -import -alias CARoot -storetype PKCS12 -keystore /var/opt/OV/shared/nnm/certificates/nnm-trust.p12 -file <directory>/omi_ca.crt -storepass ovpass

   4. Restart NNMi.
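
A check that can be run after step b.3 and before the restart, as an added example that is not part of the original article: it confirms that both imported aliases are present in nnm-trust.p12 as trusted certificates and extracts a fingerprint for comparison with the exported file. It assumes nnmkeytool.ovpl passes keytool's -list option through as it does -import and -export; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the KB article): check keytool -list output for step b.3.
# Assumption: nnmkeytool.ovpl accepts keytool's -list option as it does -import, e.g.
#   /opt/OV/bin/nnmkeytool.ovpl -list -storetype PKCS12 -storepass ovpass \
#     -keystore /var/opt/OV/shared/nnm/certificates/nnm-trust.p12 | check_trust_aliases hpcert CARoot

# Constructed sample of keytool -list output; the fingerprints are placeholders.
SAMPLE_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

hpcert, Feb 12, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:AA
caroot, Feb 12, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB'

# check_trust_aliases ALIAS... : read the listing on stdin, print one status line
# per alias, return 1 if any alias is absent or is not a trustedCertEntry.
# Aliases are compared case-insensitively (keytool may list them in lower case).
check_trust_aliases() {
    awk -v want="$*" '
        BEGIN { n = split(tolower(want), req, " ") }
        # Entry lines have the form: alias, <date>, <entry type>,
        /, *(trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),? *$/ {
            alias = tolower($0); sub(/,.*/, "", alias)
            type = $0; sub(/,? *$/, "", type); sub(/.*, */, "", type)
            seen[alias] = type
        }
        END {
            for (i = 1; i <= n; i++) {
                a = req[i]
                if (!(a in seen)) { print "MISSING " a; bad = 1
                } else if (seen[a] != "trustedCertEntry") { print "WRONGTYPE " a; bad = 1
                } else { print "OK " a }
            }
            exit bad + 0
        }'
}

# fingerprint_of ALIAS : print the fingerprint listed under ALIAS, for comparison
# with the output of keytool -printcert -file run on the exported certificate.
fingerprint_of() {
    awk -v a="$1" '
        found && /fingerprint/ { sub(/^[^:]*: */, ""); print; exit }
        { found = (index(tolower($0), tolower(a) ",") == 1) }'
}
```

A MISSING or WRONGTYPE line for hpcert or CARoot means the NNMi trust store still cannot build a path to the OMi certificate, which is the condition behind the PKIX error shown in nnm-trace.log.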