External Data Feeder for NFO authenticates to NetFlow Optimizer as the user updater. This user has access only to data set maintenance and the ability to change its password. It can log in using an X509 certificate or the user/password authentication method. The default password for this user is changeme. Please change it after the installation.
By default, External Data Feeder for NFO logs in to NetFlow Optimizer using an X509 certificate. We highly recommend replacing the default self-signed certificate with a new one or switching to the user/password authentication method. In either case, changing the default password is required.
Create a Certificate Signing Request (CSR) with keytool and generate a signed certificate for the CSR:
1. Delete the previous certificate:
$UPD_HOME/java/jre8/bin/keytool -delete -alias updater -storepass password -keystore $UPD_HOME/conf/.updater_keystore
$NFO_HOME/java/jre8/bin/keytool -delete -alias updater -storepass password -keystore $NFO_HOME/tomcat/conf/.trust_keystore
2. Generate the key pair:
$UPD_HOME/java/jre8/bin/keytool -genkey -alias updater -dname "CN=updater, OU=, O=, L=, ST=, C=" -validity 365 -keyalg RSA -keysize 1024 -storepass password -keypass password -keystore $UPD_HOME/conf/.updater_keystore
3. Generate the Certificate Signing Request:
$UPD_HOME/java/jre8/bin/keytool -certreq -alias updater -keyalg rsa -storepass password -keystore $UPD_HOME/conf/.updater_keystore -file updater.csr
4. Generate a signed certificate for the associated Certificate Signing Request.
5. Import the CA certificate into the NetFlow Optimizer keystore:
$NFO_HOME/java/jre8/bin/keytool -import -alias root -file CA.crt -storepass password -keystore $NFO_HOME/tomcat/conf/.trust_keystore
6. Import the signed certificate for the associated updater alias into the keystore:
$NFO_HOME/java/jre8/bin/keytool -import -alias updater -file updater.crt -storepass password -keystore $NFO_HOME/tomcat/conf/.trust_keystore
A self-signed certificate can be exported instead of steps 3-5:
$UPD_HOME/java/jre8/bin/keytool -export -alias updater -storepass password -keystore $UPD_HOME/conf/.updater_keystore -file updater.crt
Notes:
Certificate CN field value must be updater.
If the keystore type, keystore password, key password or key algorithm were changed, these changes have to be added to the $UPD_HOME/conf/updater.properties file:
keystoreFile = ../conf/.updater_keystore
keystoreType = jks
keystorePass = password
keyPass = password
keyAlgorithm = SunX509
Username/password authentication can be enabled by commenting out the certificate-related properties and adding the following lines to updater.properties:
user = updater
password = changeme
# keystoreFile = ../conf/.updater_keystore
# keystoreType = jks
# keystorePass = password
# keyPass = password
# keyAlgorithm = SunX509
The user password can be changed in NetFlow Optimizer: log in as the updater user, go to the “admin” section, and enter the old password (changeme) and a new password.
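As an added example (not part of the vendor documentation or the product), the shell functions below check an updater.properties file for the default values shown on this page that are still active. The function names, the INFO/FAIL output format and the world-readable permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code: flags the default secrets shown on this
# page (changeme / password) if they are still active in updater.properties.

# prop FILE KEY: value of the last uncommented "KEY = value" line.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_default FILE KEY DEFAULT: print FAIL and return 1 if KEY equals DEFAULT.
check_default() {
    [ "$(prop "$1" "$2")" = "$3" ] || return 0
    echo "FAIL $2 is still the default '$3'"
    return 1
}

# audit_updater_props FILE: returns 0 if clean, 1 on findings, 2 if unreadable.
audit_updater_props() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "ERROR cannot read $f"; return 2; }
    if [ -n "$(prop "$f" user)" ]; then
        echo "INFO user/password authentication is configured"
        check_default "$f" password changeme || rc=1
    fi
    if [ -n "$(prop "$f" keystoreFile)" ]; then
        echo "INFO X509 certificate authentication is configured"
        check_default "$f" keystorePass password || rc=1
        check_default "$f" keyPass password || rc=1
    fi
    # Added check (assumption): the file holds plaintext secrets, so it
    # should not be readable by every local user.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "FAIL $f is world-readable"; rc=1
    fi
    return $rc
}

# Constructed sample: the user/password block as this page shows it.
sample=$(mktemp)
printf '%s\n' 'user = updater' 'password = changeme' \
    '# keystoreFile = ../conf/.updater_keystore' '# keystorePass = password' > "$sample"
chmod 600 "$sample"
audit_updater_props "${1:-$sample}" || echo "audit finished with findings"
rm -f "$sample"
```

Pass the path to a real file as the first argument, for example $UPD_HOME/conf/updater.properties, to audit it instead of the constructed sample.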
NFO and External Data Feeder for NFO communicate over a secure connection (https). The Tomcat certificate and root chain are imported automatically into $UPD_HOME/conf/.updater_truststore during the first connection. If the Tomcat certificate is changed, it should be reimported into the .updater_truststore file manually, or .updater_truststore can be removed (it will be recreated after the External Data Feeder for NFO service is restarted).
To reimport the certificate, perform the following:
Enter the following commands to delete the previous certificate(s):
Get the list of current trusted certificates:
$UPD_HOME/java/jre8/jre/bin/keytool -list -keystore $UPD_HOME/conf/.updater_truststore
Delete all certificates listed in the previous step:
$UPD_HOME/java/jre8/jre/bin/keytool -delete -alias <crtAlias> -keystore $UPD_HOME/conf/.updater_truststore
Enter the following command to import the chain certificate into the External Data Feeder for NFO truststore:
$UPD_HOME/java/jre8/jre/bin/keytool -import -alias root -keystore $UPD_HOME/conf/.updater_truststore -trustcacerts -file rootCA.crt
Enter the following command to import the Tomcat certificate into the External Data Feeder for NFO truststore:
$UPD_HOME/java/jre8/jre/bin/keytool -import -alias tomcat -keystore $UPD_HOME/conf/.updater_truststore -file srv.crt
After these actions, the External Data Feeder for NFO service should be restarted.
If the certificate is imported automatically (.updater_truststore created automatically), the certificate fingerprint (md5) can be verified using the following command:
$UPD_HOME/java/jre8/jre/bin/keytool -list -keystore $UPD_HOME/conf/.updater_truststore
The .updater_truststore type, password and path configuration can be changed in the $UPD_HOME/conf/updater.properties file.