Authentication Configuration
info
Default installation directories are:
$NFO_HOME - /opt/flowintegrator
$EDFN_HOME - /opt/nfi-updater
External Data Feeder for NFO authenticates to NetFlow Optimizer as the user updater. This user has access only to data set maintenance and the ability to change its password. This user can log in using an X509 certificate or the user/password authentication method. The default password for this user is changeme. Please change it after the installation.
By default, External Data Feeder for NFO logs in to NetFlow Optimizer using an X509 certificate. We highly recommend replacing the default self-signed certificate with a new one or switching to the user/password authentication method. In either case, changing the default password is required.
X509 Authentication
Procedure
Create a Certificate Signing Request (CSR) with keytool and generate a signed certificate for the CSR:
- Delete the previous certificate:
$EDFN_HOME/java/jre/bin/keytool -delete -alias updater -storepass password -keystore $EDFN_HOME/conf/.updater_keystore
$NFO_HOME/java/jre/bin/keytool -delete -alias updater -storepass password -keystore $NFO_HOME/tomcat/conf/.truststore
- Generate the key pair:
$EDFN_HOME/java/jre/bin/keytool -genkey -alias updater -dname "CN=updater, OU=, O=, L=, ST=, C=" -validity 365 -keyalg RSA -keysize 1024 -storepass password -keypass password -keystore $EDFN_HOME/conf/.updater_keystore
- Generate the Certificate Signing Request:
$EDFN_HOME/java/jre/bin/keytool -certreq -alias updater -keyalg rsa -storepass password -keystore $EDFN_HOME/conf/.updater_keystore -file updater.csr
- Generate a signed certificate for the associated Certificate Signing Request.
- Import the CA certificate into the NetFlow Optimizer keystore:
$NFO_HOME/java/jre/bin/keytool -import -alias root -file CA.crt -storepass password -keystore $NFO_HOME/tomcat/conf/.truststore
- Import the signed certificate for the associated updater alias in the keystore:
$NFO_HOME/java/jre/bin/keytool -import -alias updater -file updater.crt -storepass password -keystore $NFO_HOME/tomcat/conf/.truststore
A self-signed certificate can be exported instead of steps 3-5:
$EDFN_HOME/java/jre/bin/keytool -export -alias updater -storepass password -keystore $EDFN_HOME/conf/.updater_keystore -file updater.crt
Notes:
- Certificate CN field value must be updater.
- If the keystore type, keystore password, key password or key algorithm were changed, these changes have to be added to the $EDFN_HOME/conf/updater.properties file:
keystoreFile = ../conf/.updater_keystore
keystoreType = jks
keystorePass = password
keyPass = password
keyAlgorithm = SunX509
User/password Authentication
Procedure
Username/password authentication can be enabled by commenting out the certificate-related properties and adding the following lines to updater.properties:
user = updater
password = changeme
# keystoreFile = ../conf/.updater_keystore
# keystoreType = jks
# keystorePass = password
# keyPass = password
# keyAlgorithm = SunX509
The user password can be changed in NetFlow Optimizer: log in as the updater user, go to the “admin” section, and enter the old password (changeme) and a new password.
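A check to run after either procedure above, added here as an example and not part of the product's own tooling: it reads updater.properties, works out which authentication mode is active, and flags the documented defaults (changeme, password) and a world-readable file. The function names, the FINDING output format and the treatment of an absent keystorePass/keyPass as the default are assumptions.

```shell
#!/bin/sh
# Added example: audit updater.properties for the defaults shown on this page.
# Function names and the FINDING output format are illustrative.

# prop FILE KEY: print the value of the last active (uncommented) "KEY = value" line.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_updater_properties FILE: print findings; return 1 if there are any, else 0.
audit_updater_properties() {
    f=$1
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    if [ -n "$(prop "$f" user)" ]; then
        # User/password mode: the account password is stored in clear text.
        if [ "$(prop "$f" password)" = "changeme" ]; then
            flag "user/password mode still uses the default password 'changeme'"
        fi
    else
        # X509 mode. Assumption: a key that is absent means the default applies.
        for key in keystorePass keyPass; do
            val=$(prop "$f" "$key")
            if [ -z "$val" ] || [ "$val" = "password" ]; then
                flag "$key is the default 'password'"
            fi
        done
    fi
    # Either mode keeps a secret in this file, so it should not be world-readable.
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        flag "$f is world-readable"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: user/password mode as on the page, defaults unchanged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
user = updater
password = changeme
# keystoreFile = ../conf/.updater_keystore
# keystorePass = password
EOF
chmod 644 "$sample"
audit_updater_properties "$sample" || echo "defaults remain in $sample"
rm -f "$sample"
```

Point the function at $EDFN_HOME/conf/updater.properties on the installed host; a non-zero return means at least one finding was printed.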
Import the Certificate into External Data Feeder for NFO truststore
NFO and External Data Feeder for NFO communicate over a secure connection (https). The Tomcat certificate and root chain are imported automatically into $EDFN_HOME/conf/.updater_truststore during the first connection. If the Tomcat certificate is changed, it should be reimported into the .updater_truststore file manually, or .updater_truststore can be removed (it will be recreated after the External Data Feeder for NFO service is restarted).
Procedure
To reimport the certificate, perform the following:
- Enter the following commands to delete the previous certificate(s):
  - Get the list of current trusted certificates:
$EDFN_HOME/java/jre/bin/keytool -list -keystore $EDFN_HOME/conf/.updater_truststore
  - Delete all certificates from the previous step:
$EDFN_HOME/java/jre/bin/keytool -delete -alias <crtAlias> -keystore $EDFN_HOME/conf/.updater_truststore
- Enter the following command to import the chain certificate into the External Data Feeder for NFO truststore:
$EDFN_HOME/java/jre/bin/keytool -import -alias root -keystore $EDFN_HOME/conf/.updater_truststore -trustcacerts -file rootCA.crt
- Enter the following command to import the Tomcat certificate into the External Data Feeder for NFO truststore:
$EDFN_HOME/java/jre/bin/keytool -import -alias tomcat -keystore $EDFN_HOME/conf/.updater_truststore -file srv.crt
- After these actions, the External Data Feeder for NFO service should be restarted.
What to do next
If the certificate is imported automatically (.updater_truststore created automatically), the certificate can be verified using the following command:
$NFO_HOME/java/jre/bin/keytool -list -v -keystore $EDFN_HOME/conf/.updater_truststore
note
You can change the .updater_truststore type, password and path configuration in the $EDFN_HOME/conf/updater.properties file.