NetFlow Logic Documentation
NetFlow Logic Documentation
Home
Downloads
PDF Documents
Free Trial
NetFlow Logic Documetation
NetFlow Optimizer™ and External Data Feeder Overview
Core Products
NetFlow Optimizer™ Installation Guide
NetFlow Optimizer™ Administration Guide
NetFlow Optimizer™ User Guide
External Data Feeder for NFO Installation Guide
External Data Feeder for NFO Administration Guide
Authentication Configuration
Proxy Server Configuration
Copying External Data Feeder for NFO Configuration
Working with External Data Feeder for NFO Service
NetFlow Optimizer™ and External Data Feeder Release Notes
Integrations and Apps
NetFlow Analytics for Splunk
Network Metrics Content Pack for VMware vRealize Log Insight
Solutions
V2P Network Visibility
NetFlow-based DDoS Detection
FAQ
Frequently Asked Questions
Powered by GitBook

Authentication Configuration

External Data Feeder for NFO is authenticated to NetFlow Optimizer as updater user. This user has only access to a data set maintenance and the ability to change password. This user can login using X509 certificate or using user/password authentication method. Default password for this user is changeme. Please change it after the installation.

By default External Data Feeder for NFO logins into NetFlow Optimizer using X509 certificate. We highly recommend changing default self-signed certificate to a new one or switching to a user/password authentication method. In any case default password changing is required.

X509 authentication

Procedure

Create a Certificate Signing Request (CSR) with keytool and generate a Signed Certificate for the CSR:

  1. Delete previous certificate: 

    $UPD_HOME/java/jre8/bin/keytool -delete -alias updater -storepass password ‑keystore 
    $UPD_HOME/conf/.updater_keystore
    $NFO_HOME/java/jre8/bin/keytool -delete -alias updater -storepass password
    $NFO_HOME/tomcat/conf/.trust_keystore

  2. Generate the key pair: 

    $UPD_HOME/java/jre8/bin/keytool keytool -genkey -alias updater -dname "CN=updater, OU=, O=, L=, ST=, C=" -validity 365 -keyalg RSA -keysize 1024 ‑storepass password -keypass password -keystore
    $UPD_HOME/conf/.updater_keystore

  3. Generate the Certificate Signing Request: 

    $UPD_HOME/java/jre8/bin/keytool -certreq -alias updater -keyalg rsa -storepass password -keystore 
    $UPD_HOME/conf/.updater_keystore -file updater.csr

  4. Generate a signed certificate for the associated Certificate Signing Request.

  5. Import the CA certificate into the NetFlow Optimizer keystore: 

    $NFO_HOME/java/jre8/bin/keytool -import -alias root -file CA.crt -keystore ‑storepass password 
    $NFO_HOME/tomcat/conf/.trust_keystore

  6. Import the signed certificate for the associated updater alias in the keystore: 

    $NFO_HOME/java/jre8/bin/keytool -import -alias updater -file updater.crt ‑keystore -storepass password 
    $NFO_HOME/tomcat/conf/.trust_keystore

Self-Signed certificate can be exported instead of steps 3-5:

$UPD_HOME/java/jre8/bin/keytool -export -alias updater -storepass password ‑keystore 
$UPD_HOME/conf/.updater_keystore -file updater.crt

Notes:

  1. Certificate CN field value must be updater.

  2. If keystore type, keystore password, key password or key algorithm were changed, these changes have to be added to the $UPD_HOME/conf/updater.properties file:

keystoreFile = ../conf/.updater_keystore
keystoreType = jks
keystorePass = password
keyPass = password
keyAlgorithm = SunX509

User/password authentication

Procedure

Username/password authentication can be enabled by commenting certificate-related properties and adding following lines into updater.properties:

user = updater

password = changeme

# keystoreFile = ../conf/.updater_keystore
# keystoreType = jks
# keystorePass = password
# keyPass = password
# keyAlgorithm = SunX509

User password can be changed in the NetFlow Optimizer: login as updater user, go to “admin” section, and enter old password (changeme) and a new password.

Import the Certificate into External Data Feeder for NFO truststore

NFO and External Data Feeder for NFO use secure connection (https) for communication. Tomcat certificate and root chain are imported automatically into $UPD_HOME/conf/.updater_truststore during first connection. If tomcat certificate is changed, it should be reimported into .updater_truststore file manually or .updater_truststore can be removed (it will be recreated after External Data Feeder for NFO service restart).

Procedure

To reimport the certificate perform the following:

  1. Enter the following commands to delete previous certificate(s):

    1. Get list of current trusted certificates: $UPD_HOME/java/jre8/jre/bin/keytool –list -keystore $UPD_HOME/conf/.updater_truststore

    2. Delete all certificates from the previous step: $UPD_HOME/java/jre8/jre/bin/keytool –delete –alias <crtAlias> -keystore $UPD_HOME/conf/.updater_truststore

  2. Enter the following command to import the chain certificate into the External Data Feeder for NFO truststore: # $UPD_HOME/java/jre8/jre/bin/keytool -import -alias root -keystore $UPD_HOME/conf/.updater_truststore -trustcacerts -file rootCA.crt

  3. Enter the following command to import tomcat certificate into the External Data Feeder for NFO truststore: # $UPD_HOME/java/jre8/jre/bin/keytool -import -alias tomcat -keystore $UPD_HOME/conf/.updater_truststore -file srv.crt

  4. After these actions External Data Feeder for NFO service should be restarted.

What to do next

If certificate is imported automatically (.updater_trustore created automatically), certificate fingerprint (md5) can be verified using following command:

$UPD_HOME/java/jre8/jre/bin/keytool -list -keystore $UPD_HOME/conf/.updater_truststore

.updater_truststore type, password and path configuration can be changed in the $UPD_HOME/conf/updater.properties file.

Core Products - Previous
External Data Feeder for NFO Administration Guide
Next
Proxy Server Configuration
Last updated 5 months ago
Contents
X509 authentication
Procedure
User/password authentication
Procedure
Import the Certificate into External Data Feeder for NFO truststore
Procedure
What to do next