Configuring the SSL transport for IBM Operations Analytics - Log Analysis

If you are using an SSL connection between the gateway and IBM Operations Analytics - Log Analysis, you must create a truststore file to store the IBM Operations Analytics - Log Analysis digital certificate and point the gateway to the location of the truststore.

Configuring the SSL connection

To configure the SSL connection, perform the following steps:

  1. Obtain the certificate from Log Analysis.

    • Either copy the certificate from Log Analysis to the OMNIbus server:
      scp /opt/IBM/LogAnalysis/LogAnalysis/wlp/usr/servers/Unity/resources/security/client.crt netcool@sidr30eoisnco01:
    • Or export the certificate from the browser. See Exporting the server certificate from the SCALA server.
  2. Create the following keystore directory.

    $OMNIHOME/java/security
  3. Create a keystore.

    $NCHOME/platform/arch/jre_directory/jre/bin/keytool -genkey -alias MyOmnibus -keystore $OMNIHOME/java/security/client.jks
  4. Create a truststore.

    $NCHOME/platform/arch/jre_directory/jre/bin/keytool -genkey -alias MyLA -keystore $OMNIHOME/java/security/cacerts.jks
  5. Import client.crt from the Log Analysis server into the keystore (optional).

    Note: You only need to perform this step if you are also using this keystore as your truststore.
    $NCHOME/platform/arch/jre_directory/jre/bin/keytool -importcert -keystore /opt/IBM/tivoli/netcool/omnibus/java/security/client.jks -file ~/client.crt -alias scala
    

    When prompted, specify a password for the keystore.

    Note: If a CA signed certificate is installed in Log Analysis, the default certificate along with the root, intermediate, and any other certificate must also be imported to the gateway keystore or truststore.
  6. Import client.crt from the Log Analysis server into the truststore.

    See Importing the server certificate into the truststore.

    Note: If a CA signed certificate is installed in Log Analysis, the default certificate along with the root, intermediate, and any other certificate must also be imported to the gateway keystore or truststore.
  7. Configure the LOG_GATE.props properties file.

    MessageLog                        : '$OMNIHOME/log/LOG_GATE.log'
    Name                              : 'LOG_GATE'
    Gate.Reader.Server                : 'AGG_V'
    Gate.Reader.TblReplicateDefFile   : '$OMNIHOME/gates/xml/scala/xml.reader.tblrep.def'
    Gate.MapFile                      : '$OMNIHOME/gates/xml/scala/xml1302.map'
    Gate.StartupCmdFile               : '$OMNIHOME/gates/xml/scala/xml.startup.cmd'
    Gate.XMLGateway.TransformerFile   : '$OMNIHOME/java/conf/scalaTransformers.xml'
    Gate.XMLGateway.TransportFile     : '$OMNIHOME/java/conf/scalaTransport.properties'
    Gate.XMLGateway.TransportType     : 'SCALA'
    Gate.XMLGateway.DateFormat        : 'yyyy-MM-dd\'T\'HH:mm:ssZ'
  8. Configure the scalaTransport.properties file.

    Note: Make sure the scalaURL matches the hostname in the client.crt that you copied from the Log Analysis server. When you import the crt file, you will see the name.
    scalaURL=https://<ip_address>:9987/Unity/DataCollector
     
    keyStore=$OMNIHOME/java/security/client.jks
    keyStorePassword=xxxxxxxx
     
    trustStore=$OMNIHOME/java/security/cacerts.jks
    trustStorePassword=xxxxxxxxxx
     
    username = unityadmin
    password = xxxxxxxxx
    jsonMsgHostname = sidr30eoisnco01
    jsonMsgPath = NCOMS
  9. Configure the scalaTransformers.xml file.

    Note: Edit the XML file and set the hostname to match the hostname in the client.crt that you copied from the Log Analysis server. When you import the crt file, you will see the name.
    
    <?xml version="1.0" encoding="UTF-8"?>
    <tns:transformers
            xmlns:tns="http://item.tivoli.ibm.com/omnibus/netcool/transformer"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     
            <!-- Northbound (gateway) transformer definitions -->
     
            <tns:transformer name="netcoolEvents" type="northbound" endpoint="https://<ip_address>:9987/Unity/DataCollector" className="com.ibm.tivoli.netcool.integrations.transformer.XSLTThreadTransformer">
                   <tns:property name="xsltFilename" type="java.lang.String" value="$OMNIHOME/java/conf/netcool2scala.xsl" description="XSLT file for converting Netcool events to Scala Data Collector CSV format."/>
            </tns:transformer>
     
    </tns:transformers>
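
A consistency check for steps 8 and 9, added here as an example and not IBM's own tooling: it confirms that scalaURL and every transformer endpoint are https URLs for the name shown when the certificate was imported, that the store properties are set, and that the properties file holding the passwords is not readable by other users. The function names, the exact-match comparison against an operator-supplied name, and the sample address 10.0.0.5 and passwords are assumptions; the sample file contents are constructed.

```python
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

TNS = "{http://item.tivoli.ibm.com/omnibus/netcool/transformer}"
STORE_KEYS = ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword")
# Constructed sample files: host names and passwords are placeholders.
SAMPLE_PROPS = """scalaURL=https://analysis-server1:9987/Unity/DataCollector
keyStore=$OMNIHOME/java/security/client.jks
keyStorePassword=example-only
trustStore=$OMNIHOME/java/security/cacerts.jks
trustStorePassword = example-only
"""
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tns:transformers xmlns:tns="http://item.tivoli.ibm.com/omnibus/netcool/transformer">
  <tns:transformer name="netcoolEvents" type="northbound" endpoint="https://10.0.0.5:9987/Unity/DataCollector"/>
</tns:transformers>
"""

def load_props(path):
    """Parse 'key=value' and 'key = value' lines, skipping comment lines."""
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def check_gateway_tls(props_path, xml_path, cert_name):
    """Return findings; an empty list means both files agree with the certificate name."""
    findings, props = [], load_props(props_path)
    targets = {"scalaURL": props.get("scalaURL", "")}
    for t in ET.parse(xml_path).getroot().iter(TNS + "transformer"):
        targets["endpoint of " + t.get("name", "?")] = t.get("endpoint", "")
    for label, value in targets.items():
        url = urlsplit(value)
        if url.scheme != "https" or (url.hostname or "").lower() != cert_name.lower():
            findings.append(f"{label}: {value} is not an https URL for {cert_name}")
    findings += [f"{k}: not set" for k in STORE_KEYS if not props.get(k)]
    if stat.S_IMODE(Path(props_path).stat().st_mode) & 0o077:
        findings.append("properties file holding passwords is readable by group or others")
    return findings

def demo(cert_name="analysis-server1", mode=0o600):  # writes the constructed samples, then checks them
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d) / n for n in ("scalaTransport.properties", "scalaTransformers.xml")]
        for path, text in zip(paths, (SAMPLE_PROPS, SAMPLE_XML)):
            path.write_text(text, encoding="utf-8")
        paths[0].chmod(mode)
        return check_gateway_tls(paths[0], paths[1], cert_name)
```

With the constructed samples, the check reports the transformer endpoint that still uses an IP address while the certificate names analysis-server1.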

Exporting the server certificate from the SCALA server

To export the server certificate from the SCALA server, perform the following steps:

  1. Open the Firefox web browser.
  2. Enter the following SCALA URL:

    https://analysis-server1:9987/Unity

  3. Click the padlock icon and select More Information.
  4. Click Security and select View Certificate.
  5. Select Details.
  6. Scroll to the bottom of the page and select Export.
  7. In the Save As bar, enter host1.cert and click Save.
  8. Copy host1.cert to the gateway machine.

Importing the server certificate into the truststore

To import the server certificate into the truststore, perform the following steps:

  1. Import the server certificate to the host where the gateway is running.
    $NCHOME/platform/arch/jre_directory/jre/bin/keytool -importcert -keystore $OMNIHOME/java/security/cacerts.jks -file ~/client.crt -alias scala-host
  2. When prompted for the password, specify the password for the truststore file.
    Note: Take note of this password as you will need to specify this password for the trustStorePassword property in the scalaTransport.properties file in the next step.
  3. Open the transport file specified by the Gate.XMLGateway.TransportFile property and modify the following transport file properties:

    1. Set the value of the keyStore property to the full path of the keystore file. For example, if you created a keystore file in the location $OMNIHOME/java/security/client.jks as in the previous example, you do not need to edit the keyStore property in the scalaTransport.properties file because that is the default value. Otherwise, if you created a keystore file in a different location, specify that location and the keystore file in the keyStore property.
    2. Set the value of the trustStore property to the full path of the truststore file. For example, if you created a truststore file in the location $OMNIHOME/java/security/cacerts.jks as in the previous example, you do not need to edit the trustStore property in the scalaTransport.properties file because that is the default value. Otherwise, if you created a truststore file in a different location, specify that location and the truststore file in the trustStore property.
    3. Set the value of the keyStorePassword property to the password that you set for your client keystore file.
    4. Set the value of the trustStorePassword property to the password that you set for your truststore file.