[8.5.0.1 or later]

Enabling security for the IBM WebSphere SNMP Capability

You must enable security for the IBM® WebSphere® Simple Network Management Protocol (SNMP) Capability (also referred to as the IBM WebSphere Snmp Agent) to connect to a security-enabled WebSphere Application Server environment.

Before you begin

Note: For more information about the IBM WebSphere SNMP Capability, read the "SNMP based performance monitoring for WebSphere Application Server" topic.

Before you enable security for the IBM WebSphere SNMP Capability, you must first have installed and configured it. Read the "Installing and configuring the IBM WebSphere SNMP Capability" topic for more information.

You should enable security on the IBM WebSphere Snmp Agent without enabling administrative security. Verify that the connection is established successfully and that you are able to obtain the metrics and traps. The following attributes should be configured to enable security on the IBM WebSphere Snmp Agent: connectorType, Security, UserName, Password, connectorSOAPconfig/connectorRMIconfig, sslRMIConfig, trustStore, tsPassword, keyStore and ksPassword. For more information about these attributes, read the "Installing and configuring the IBM WebSphere SNMP Capability" topic.

About this task

To enable security for the SOAP Connector Type, perform the following steps:

Procedure

  1. In the administrative console, click Security > SSL certificate and key management.
  2. Under Related items, click keystores and certificates.
  3. Click CellDefaultTrustStore. Under Additional properties, click Signer Certificates.
  4. Select the check box next to root and click extract.
  5. Select the data type as Binary DER Data and supply a filename ending with .DER.
  6. Click ok and the certificate is extracted to a location on the dmgr. Note the location to which the .DER certificate was extracted.
  7. Copy the certificate to the machine on which the WebSphere Snmp Agent runs (you do not have to do this if the WebSphere Snmp Agent has been installed on the dmgr node itself).
  8. Go to the <WAS_HOME>/bin directory on the machine where the WebSphere Snmp Agent is installed. Run the ikeyman.sh utility.
  9. Go to Key Database File > open. Supply the details for the truststore you plan to use. For the default truststore, these are key database type = jks, filename = DummyClientTrustFile.jks and location = <was_profile>/etc. After you click ok, you are prompted for the password. Enter the password as WebAS.
  10. In the choices for personal certificates, select signer certificates. Click add, and supply the filename and location of the .DER certificate that you extracted from the administrative console earlier.
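
Before adding the copied file as a signer certificate in step 10, it is worth confirming that it really is Binary DER data (step 5) and that it survived the copy in step 7 unchanged. The following is an added example, not part of the original IBM procedure: it assumes you recorded the certificate's SHA-256 fingerprint on the dmgr side, the function names are hypothetical, and the sample bytes are a constructed DER-shaped blob rather than a real certificate.

```python
import hashlib
import hmac


def der_outer_length(data: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE, or raise ValueError."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("file is Base64 (PEM) text, not Binary DER data")
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the complete DER encoding."""
    total = der_outer_length(data)
    if total != len(data):                # catches truncated or padded copies
        raise ValueError(f"DER length says {total} bytes, file has {len(data)}")
    digest = hashlib.new(algo, data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _norm(fp: str) -> str:
    """Strip separators and case so differently formatted fingerprints compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def matches(data: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare the file against the fingerprint recorded on the dmgr."""
    return hmac.compare_digest(_norm(fingerprint(data, algo)), _norm(expected))


# Constructed sample standing in for the extracted .DER file (not a real certificate).
SAMPLE = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    recorded = fingerprint(SAMPLE)        # stands in for the value noted on the dmgr
    print("SHA-256:", recorded)
    print("copy intact:", matches(SAMPLE, recorded.lower()))
    for bad in (SAMPLE[:-10], b"-----BEGIN CERTIFICATE-----\nMIIB...\n"):
        try:
            fingerprint(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

In practice, read the copied file with `open(path, "rb").read()` and pass the bytes to `matches` together with the fingerprint you noted on the dmgr.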

What to do next

If the connector type is RMI, there is no need to extract any certificates. You must ensure that the values for all attributes under RMImbeanServer are correct.

However, if your IBM WebSphere Snmp Agent is running on a machine different from the dmgr you want to connect to, you are prompted to accept a certificate from the WebSphere Application Server dmgr machine when you connect to it for the first time. Click yes and accept that certificate. In some instances, when you start the IBM WebSphere Snmp Agent, a window is displayed that prompts you for a username and password. Enter the username and password for the WebSphere Application Server dmgr in this window.


Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=tprf_snmp_enabling
File name: tprf_snmp_enabling.html