Authentication Configuration
Default installation directories are:
$NFO_HOME - /opt/flowintegrator
$EDFN_HOME - /opt/nfi-updater
A self-signed certificate is already installed in $EDFN_HOME/conf/.updater_keystore. The keystore password is password, and the private key password is the same.
To change the default password, see the Changing the Keystore Password section below.
External Data Feeder for NFO is authenticated to NetFlow Optimizer as the user updater using an X509 certificate. This user only has access to data sets maintenance. This X509 certificate is generated during the first NFO installation or upgrade to release 2.10.
If you need to change it, follow the instructions below.
X509 Authentication
Procedure
Create a Certificate Signing Request (CSR) with keytool and generate a signed certificate for the CSR:
1. Delete the previous certificate:
$EDFN_HOME/java/jre/bin/keytool -delete -alias updater -storepass password -keystore $EDFN_HOME/conf/.updater_keystore
$NFO_HOME/java/jre/bin/keytool -delete -alias updater -storepass password -keystore $NFO_HOME/tomcat/conf/.truststore
2. Generate the key pair:
$EDFN_HOME/java/jre/bin/keytool -genkey -alias updater -dname "CN=updater, OU=, O=, L=, ST=, C=" -validity 365 -keyalg RSA -keysize 1024 -storepass password -keypass password -keystore $EDFN_HOME/conf/.updater_keystore
3. Generate the Certificate Signing Request:
$EDFN_HOME/java/jre/bin/keytool -certreq -alias updater -keyalg rsa -storepass password -keystore $EDFN_HOME/conf/.updater_keystore -file updater.csr
4. Generate a signed certificate for the associated Certificate Signing Request.
5. Import the CA certificate into the NetFlow Optimizer keystore:
$NFO_HOME/java/jre/bin/keytool -import -alias root -file CA.crt -storepass password -keystore $NFO_HOME/tomcat/conf/.truststore
6. Import the signed certificate for the associated updater alias in the keystore:
$NFO_HOME/java/jre/bin/keytool -import -alias updater -file updater.crt -storepass password -keystore $NFO_HOME/tomcat/conf/.truststore
A self-signed certificate can be exported instead of steps 3-5:
$EDFN_HOME/java/jre/bin/keytool -export -alias updater -storepass password -keystore $EDFN_HOME/conf/.updater_keystore -file updater.crt
Notes:
- Certificate CN field value must be updater.
- If the keystore type, keystore password, key password or key algorithm were changed, these changes have to be added to the $EDFN_HOME/conf/updater.properties file:
keystoreFile = ../conf/.updater_keystore
keystoreType = jks
keystorePass = password
keyPass = password
keyAlgorithm = SunX509
Import the Certificate into External Data Feeder for NFO truststore
NFO and External Data Feeder for NFO use a secure connection (HTTPS) for communication. The Tomcat certificate and root chain are imported automatically into $EDFN_HOME/conf/.updater_truststore during the first connection. If the Tomcat certificate is changed, it should be reimported into the .updater_truststore file manually, or .updater_truststore can be removed (it will be recreated after the External Data Feeder for NFO service restart).
Procedure
To reimport the certificate, perform the following:
- Enter the following commands to delete the previous certificate(s):
  - Get the list of current trusted certificates:
  $EDFN_HOME/java/jre/bin/keytool -list -keystore $EDFN_HOME/conf/.updater_truststore
  - Delete all certificates from the previous step:
  $EDFN_HOME/java/jre/bin/keytool -delete -alias <crtAlias> -keystore $EDFN_HOME/conf/.updater_truststore
- Enter the following command to import the chain certificate into the External Data Feeder for NFO truststore:
$EDFN_HOME/java/jre/bin/keytool -import -alias root -keystore $EDFN_HOME/conf/.updater_truststore -trustcacerts -file rootCA.crt
- Enter the following command to import the Tomcat certificate into the External Data Feeder for NFO truststore:
$EDFN_HOME/java/jre/bin/keytool -import -alias tomcat -keystore $EDFN_HOME/conf/.updater_truststore -file srv.crt
- After these actions, the External Data Feeder for NFO service should be restarted.
Changing the Keystore Password
This section outlines the procedure for updating the keystore passwords used by the External Data Feeder for NFO (EDFN).
Prerequisites
- Administrative access to the server where EDFN is installed.
- Knowledge of the current keystore passwords. The default passwords are password.
- Backup: Before making any changes, it is highly recommended to create a backup of the .updater_keystore, .updater_truststore, .cacerts, and updater.properties files in the /opt/nfi-updater/conf directory.
- Upgrades: When performing an NFO/EDFN upgrade, the updater.properties files may be overwritten. You will need to re-apply these password changes and other custom configurations after the upgrade is complete.
- Consistency: Ensure that the new passwords in the updater.properties file exactly match the passwords you set using keytool.
Instructions
- Navigate to the EDFN configuration directory:
cd /opt/nfi-updater/conf/
- To change the password for the .updater_keystore, use the keytool command. You will be prompted to enter the current password and then the new password.
/opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore .updater_keystore
- Similarly, change the password for the .updater_truststore using keytool. You will be prompted for the current and new passwords.
keytool -storepasswd -keystore .updater_truststore
- Finally, if you have a .cacerts file, change the password for the .cacerts using keytool. You will be prompted for the current and new passwords.
keytool -storepasswd -keystore .cacerts
- Update the updater.properties file to reflect the new passwords. Open the file for editing:
vi updater.properties
- Change the updater.properties parameters keystorePass, keyPass, truststorePass, and cacertsPass to your new password.
- Save the updater.properties file and exit the editor.
- Restart the EDFN service for the changes to take effect.
  - On Linux, use the appropriate command for your system (e.g., systemctl restart nfi_updd.service).
  - On Windows, restart the NFOUSvc service.
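The consistency requirement from the prerequisites can be checked once the passwords are changed. The script below is an added example, not vendor code: it reads the password parameters from updater.properties, reports any still set to the default, and asks keytool whether each configured store password opens its store. The script name and the pairing of truststorePass with .updater_truststore and cacertsPass with .cacerts are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): check updater.properties against the stores.
DEFAULT_PASS=password   # default documented on this page

# prop_get FILE KEY: print the value of a "KEY = value" line (last one wins).
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# default_pass_keys FILE: list password parameters still set to the default.
default_pass_keys() {
    for key in keystorePass keyPass truststorePass cacertsPass; do
        if [ "$(prop_get "$1" "$key")" = "$DEFAULT_PASS" ]; then echo "$key"; fi
    done
}

# store_opens KEYTOOL STORE PASS: succeed only if PASS opens STORE.
# The password travels in the environment (-storepass:env), not on the
# command line, so it does not appear in the process list.
store_opens() {
    [ -f "$2" ] || return 2
    STORE_PW="$3" "$1" -list -keystore "$2" -storepass:env STORE_PW >/dev/null 2>&1
}

# check_edfn_conf CONF_DIR KEYTOOL: one result line per store and parameter;
# returns non-zero if a password mismatches or is still the default.
# The parameter-to-store pairing below is an assumption (names from this page).
check_edfn_conf() {
    props="$1/updater.properties"; rc=0
    for pair in keystorePass:.updater_keystore \
                truststorePass:.updater_truststore cacertsPass:.cacerts; do
        param=${pair%%:*}; store="$1/${pair#*:}"
        if [ ! -f "$store" ]; then echo "SKIP $store (not present)"; continue; fi
        if store_opens "$2" "$store" "$(prop_get "$props" "$param")"; then
            echo "OK   $param opens $store"
        else
            echo "FAIL $param does not open $store"; rc=1
        fi
    done
    for param in $(default_pass_keys "$props"); do
        echo "WARN $param is still the default"; rc=1
    done
    return "$rc"
}

# Usage: sh check_edfn.sh /opt/nfi-updater/conf /opt/flowintegrator/java/jre/bin/keytool
if [ "$#" -ge 2 ]; then check_edfn_conf "$1" "$2"; fi
```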
What to do next
If the certificate is imported automatically (.updater_truststore created automatically), the certificate can be verified using the following command:
$NFO_HOME/java/jre/bin/keytool -list -v -keystore $EDFN_HOME/conf/.updater_truststore
You can change the .updater_truststore type, password and path configuration in the $EDFN_HOME/conf/updater.properties file.