Version: Next

Security & SSL Configuration

NetFlow Optimizer (NFO) uses HTTPS to secure all communications between the Web UI, the NFO engine, and External Data Feeder (EDFN) agents. By default, NFO is installed with a self-signed certificate, which browsers cannot validate against a trusted Certificate Authority (CA) and will warn about. For production environments, replace it with a certificate signed by a CA that your clients trust.


Default Configuration

  • Keystore Location: /opt/flowintegrator/tomcat/conf/.tomcat_keystore
  • Default Password: password (used for both the keystore and the private key).
  • Port: 8443 (Default secure management port).

Option 1: Using an Existing Key and Signed Certificate

If you already have a private key and a signed certificate from your security team, follow these steps to import them.

1. Prepare the Certificate Chain

Merge your server certificate, any intermediate certificates, and the root certificate into a single PEM file. The order must be Server -> Intermediate(s) -> Root, i.e. each certificate is followed by the certificate that issued it. The brackets below mark the optional intermediate files; the output file name is the one the next step reads:

cat tomcat.pem [intermediate.pem [intermediate-2.pem ... ]] root.pem > chain.pem

2. Convert to PKCS12 Format

Convert the chain and your private key into a PKCS12 keystore using OpenSSL. The export password you enter becomes both the keystore password and the private-key password; it must match certificateKeystorePassword and certificateKeyPassword in server.xml (default: password) unless you also update that file as described under Changing Keystore Passwords. Keep the alias tomcat so the entry matches the alias used throughout this guide:

openssl pkcs12 -export -in chain.pem -inkey tomcat_key.pem -out .tomcat_keystore -name tomcat

3. Validate

Verify the keystore content:

# Verify
/opt/flowintegrator/java/jre/bin/keytool -list -v -keystore .tomcat_keystore

The output should look like the following. The certificate chain length must equal the number of certificates you concatenated; a smaller value means one of them was not linked into the chain, so re-check the order and the files:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
******* TOMCAT CERTIFICATE INFO IS HERE *******
Certificate[2]:
******* INTERMEDIATE CERTIFICATE INFO IS HERE *******
Certificate[3]:
******* ROOT CERTIFICATE INFO IS HERE *******

4. Backup and Replace

Back up the existing /opt/flowintegrator/tomcat/conf/.tomcat_keystore, then replace it with the new .tomcat_keystore. Tomcat reads the keystore at startup, so restart NFO afterwards (see Restart Service below):

cp .tomcat_keystore /opt/flowintegrator/tomcat/conf/.tomcat_keystore
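A wrong concatenation order is the most common reason the keystore ends up with an incomplete chain, and it is cheaper to catch before running openssl pkcs12 than after. The script below is an added example, not part of NFO or its documentation: it reads a concatenated PEM file with only the Python standard library, walks the DER of each certificate far enough to extract the issuer and subject Names, and checks that every certificate is followed by its issuer and that the last one is self-signed. It verifies neither signatures nor expiry (use openssl verify for that). The fake_cert_pem helper and the names it uses are constructed stand-ins for the demo; point chain_problems at your real chain.pem instead.

```python
"""Check that a concatenated PEM chain is ordered Server -> Intermediate(s) -> Root.

Added example (not part of NFO). Compares each certificate's issuer Name with the
next certificate's subject Name as raw DER bytes. No signature or expiry checks.
"""
import base64
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name encodings from an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)              # TBSCertificate ::= SEQUENCE { ... }
    tag, _, pos = _tlv(tbs, 0)             # version [0] EXPLICIT (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)             # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)             # subject Name
    return issuer, tbs[start:pos]


def chain_problems(pem_text):
    """Return a list of ordering problems; an empty list means the order is correct."""
    certs = pem_to_der_list(pem_text)
    if not certs:
        return ["no CERTIFICATE blocks found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append("certificate %d is not issued by certificate %d" % (i + 1, i + 2))
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed (root missing or misplaced)")
    return problems


# --- constructed sample data: minimal, unsigned X.509-shaped blobs for the demo only ---
def _der(tag, content):
    """Encode one DER TLV (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed stand-in certificate carrying only the fields the checker reads."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                             # version v3
               + _der(0x02, b"\x01")                                      # serialNumber
               + _der(0x30, bytes.fromhex("06092A864886F70D01010B0500"))  # sha256WithRSA
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))
               + _name(subject_cn)
               + _der(0x30, b""))                                         # SPKI stub
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))        # no real signature
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # python3 check_chain.py chain.pem
        text = open(sys.argv[1]).read()
    else:                                  # demo on constructed data
        text = (fake_cert_pem("nfo.example.com", "Example Issuing CA")
                + fake_cert_pem("Example Issuing CA", "Example Root CA")
                + fake_cert_pem("Example Root CA", "Example Root CA"))
    print(chain_problems(text) or "chain order OK")
```

Comparing the Name encodings byte for byte works on real certificates because a CA copies its own subject verbatim into the issuer field of everything it signs. A non-empty result lists the first position where the linkage breaks, which is usually a swapped intermediate and root.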


Option 2: Creating a New Certificate Signing Request (CSR)

If you do not have a certificate, you must generate a CSR to send to your Certificate Authority.

1. Generate a New Private Key and Keystore

Remove the preinstalled self-signed entry first (keytool -delete -alias tomcat against the same keystore), because -genkey refuses to create an alias that already exists. Then generate a new key pair with a self-signed placeholder certificate:

/opt/flowintegrator/java/jre/bin/keytool -keysize 2048 -genkey -alias tomcat \
-ext "SAN=dns:${domain_name},ip:${host_ip}" \
-keyalg RSA -keystore /opt/flowintegrator/tomcat/conf/.tomcat_keystore

Note: ${domain_name} and ${host_ip} are the DNS name and IP address clients use to reach the server. Modern browsers ignore the CN and match the hostname only against the SAN, so list every name and address that clients will connect to.

2. Create the CSR

/opt/flowintegrator/java/jre/bin/keytool -certreq -keyalg RSA -alias tomcat \
-file certreq.csr -keystore /opt/flowintegrator/tomcat/conf/.tomcat_keystore

Submit the resulting certreq.csr to your CA. keytool -certreq does not copy the SAN from the placeholder certificate into the request, so if your CA takes the names from the CSR, add the same -ext "SAN=dns:${domain_name},ip:${host_ip}" option to the -certreq command.

3. Import the CA Reply

Once you receive the certificate from the CA, import the root (and any intermediate) certificates as trusted entries first, then import the server certificate under the same alias as the key pair (tomcat) so that keytool treats it as a CA reply and replaces the placeholder certificate with the full chain. If the CA delivers the intermediate in a separate file, import it with its own alias before the server certificate:

# Import Chain/Root
/opt/flowintegrator/java/jre/bin/keytool -import -alias root \
-keystore /opt/flowintegrator/tomcat/conf/.tomcat_keystore \
-trustcacerts -file <filename_of_chain_certificate>

# Import Server Certificate
/opt/flowintegrator/java/jre/bin/keytool -import -alias tomcat \
-keystore /opt/flowintegrator/tomcat/conf/.tomcat_keystore \
-file <your_certificate_filename>


Important: Synchronizing with EDFN

When you update the NFO SSL certificate, you must import that certificate into the External Data Feeder for NFO (EDFN) truststore. Failure to do so will break the encrypted communication between NFO and the enrichment feeder.

Refer to the EDFN Administration Guide for specific instructions on importing certificates into the EDFN truststore.


Changing Keystore Passwords

The default password (password) is documented and therefore known to anyone who reads this guide; change it for both the keystore and the truststore.

1. Update the Keystore Files

# Change .tomcat_keystore password
/opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore /opt/flowintegrator/tomcat/conf/.tomcat_keystore

# Change .truststore password
/opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore /opt/flowintegrator/tomcat/conf/.truststore

2. Update server.xml

You must update the Tomcat configuration to match the new passwords.

  1. Open /opt/flowintegrator/tomcat/conf/server.xml.
  2. Locate the Connector for port 8443. The attributes below sit on the SSLHostConfig (truststore) and Certificate (keystore) elements nested inside it.
  3. Update the following attributes with your new password:
  • truststorePassword
  • certificateKeystorePassword
  • certificateKeyPassword
  4. Save and exit.

Unless you deliberately set a separate key password, the store password of a PKCS12 keystore also protects the private key, so set certificateKeyPassword to the same value as certificateKeystorePassword.

3. Restart Service

Restart NFO to apply the changes:

  • Linux: systemctl restart flowintegrator
  • Windows: Restart the NFOSvc service.
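Because the same password appears on several elements, hand-editing server.xml is where a typo typically creeps in and leaves Tomcat unable to open the keystore after the restart. The script below is an added example, not NFO's own tooling: it backs up server.xml, sets the three attributes on the Connector for port 8443 and on everything nested under it, and re-reads the file to report what it now contains. The embedded server.xml fragment is constructed for the demo and follows the Tomcat 9 SSLHostConfig/Certificate layout; NFO's real file may differ in its other attributes, so check the reported values before restarting.

```python
"""Update the TLS password attributes in a Tomcat server.xml.

Added example, not NFO's own tooling. Assumes the secure Connector is the one with
port="8443" and that the password attributes sit on it or on its nested
SSLHostConfig / Certificate elements (Tomcat 8.5+/9 layout).
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

PASSWORD_ATTRS = ("truststorePassword", "certificateKeystorePassword", "certificateKeyPassword")

# Constructed sample; NFO's real server.xml may differ in the surrounding attributes.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- management UI over HTTPS -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig truststoreFile="/opt/flowintegrator/tomcat/conf/.truststore"
                     truststorePassword="password">
        <Certificate certificateKeystoreFile="/opt/flowintegrator/tomcat/conf/.tomcat_keystore"
                     certificateKeystorePassword="password"
                     certificateKeyPassword="password" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def update_passwords(tree, keystore_password, truststore_password, port="8443"):
    """Set the password attributes under the Connector for `port`; return how many changed."""
    changed = 0
    for connector in tree.iter("Connector"):
        if connector.get("port") != port:
            continue
        for elem in connector.iter():       # the Connector itself plus every descendant
            for attr in PASSWORD_ATTRS:
                if attr not in elem.attrib:
                    continue
                new = truststore_password if attr == "truststorePassword" else keystore_password
                if elem.get(attr) != new:
                    elem.set(attr, new)     # ElementTree escapes &, < and " on write
                    changed += 1
    return changed


def password_values(tree, port="8443"):
    """Collect {attribute: value} for the password attributes under the Connector for `port`."""
    found = {}
    for connector in tree.iter("Connector"):
        if connector.get("port") == port:
            for elem in connector.iter():
                for attr in PASSWORD_ATTRS:
                    if attr in elem.attrib:
                        found[attr] = elem.get(attr)
    return found


def rewrite_server_xml(path, keystore_password, truststore_password):
    """Back up `path` to `path.bak`, rewrite it with the new passwords, return the change count."""
    shutil.copy2(path, path + ".bak")
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments (3.8+)
    tree = ET.parse(path, parser=parser)
    changed = update_passwords(tree, keystore_password, truststore_password)
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return changed


def demo_roundtrip(keystore_password="K3yst0re!", truststore_password="Tru5tSt0re!"):
    """Run the update against the sample in a temp dir; return (changed, values, backup_exists)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_SERVER_XML)
        changed = rewrite_server_xml(path, keystore_password, truststore_password)
        values = password_values(ET.parse(path))
        return changed, values, os.path.exists(path + ".bak")


if __name__ == "__main__":
    print(demo_roundtrip())
    # Real use, as root, after keytool -storepasswd on both stores:
    # rewrite_server_xml("/opt/flowintegrator/tomcat/conf/server.xml", "<new keystore pw>", "<new truststore pw>")
```

The keystore password is applied to both certificateKeystorePassword and certificateKeyPassword, matching the single-password PKCS12 case above; pass a different keystore_password only if you deliberately set a separate key password. Passwords containing XML-special characters are escaped on write and unescaped by Tomcat, so they need no manual quoting.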

Warning

Backup Requirement: Always create a backup of .tomcat_keystore, .truststore, and server.xml before modifying passwords or certificates. server.xml holds these passwords in clear text, so restrict read access to it and to the keystore files to the account NFO runs under.