You must enable security for the IBM® WebSphere® Simple
Network Management Protocol (SNMP) Capability (also referred to as
the IBM WebSphere Snmp Agent) to connect to a security-enabled WebSphere Application Server
environment. You need not follow these steps if
global security is not enabled on WebSphere Application Server.
Before you begin
Note: For more information about the IBM WebSphere SNMP
Capability, read the "SNMP based performance monitoring for WebSphere Application Server" topic.
Before you enable security for the IBM WebSphere SNMP Capability,
you must first have installed and configured it. Read the "Installing
and configuring the IBM WebSphere SNMP Capability" topic
for more information.
You should enable security on the IBM WebSphere Snmp Agent after
first enabling global security. Verify that the connection is
established successfully and you are able to obtain the metrics and
traps.
About this task
To enable security for the SOAP Connector Type, perform
the following steps:
Procedure
- In the administrative console, click Security > SSL
certificate and key management.
- Under Related items, click keystores and certificates.
- Click CellDefaultTrustStore. Under Additional properties,
click Signer Certificates.
- Select the check box next to root and click extract.
- Select the data type as Binary DER Data and supply
a filename ending with .DER.
- Click ok and the certificate is extracted to a location
on the dmgr. Note the location to which the .DER certificate was extracted.
- Copy the certificate to the machine on which the WebSphere Snmp Agent runs
(you do not have to do this if the WebSphere Snmp
Agent has been installed on the dmgr node itself).
- Go to the <WAS_HOME>/bin directory
on the machine where the WebSphere Snmp
Agent is installed. Run the ikeyman.sh utility.
- Go to Key Database File > open. The
truststore you use should be the JKS file. PKCS12 should
not be used. For the default truststore, use key
database type = jks, filename = DummyClientTrustFile.jks,
and location = <was_profile>/etc.
Note: The key database type must be JKS for
both the keystore and truststore used by the SNMPAgent (as configured
in the jmxConfig.xml file).
Once you click ok, you are prompted for the password.
Enter the password as WebAS.
- In the choices for personal certificates, select signer
certificates. Click add, and supply the filename and location
of the .DER certificate that you extracted from the administrative
console earlier.
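The following Python check is an added example, not part of the IBM documentation. It confirms that the extracted certificate is binary DER rather than a Base64 export, that the truststore is JKS rather than PKCS12, and it computes a SHA-256 fingerprint to compare on the dmgr and on the agent machine after the copy. The sample byte strings are constructed headers, and the type detection is a heuristic based on leading bytes.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED      # header of a JKS key database
JCEKS_MAGIC = 0xCECECECE    # header of a JCEKS key database

def der_total_length(data: bytes):
    """Return the encoded size of a top-level DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_cert_file(data: bytes) -> str:
    """Tell a Binary DER export apart from a Base64 (PEM) export."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    return "DER" if der_total_length(data) == len(data) else "unknown"

def classify_keystore(data: bytes) -> str:
    """Identify the key database type from its leading bytes (heuristic)."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    if der_total_length(data) is not None:  # PKCS12 files start with a DER SEQUENCE
        return "PKCS12"
    return "unknown"

def fingerprint(data: bytes) -> str:
    """SHA-256 of the file; for a DER file this is the certificate fingerprint."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample inputs (headers only, not real certificates or keystores).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1)
SAMPLE_P12 = bytes([0x30, 0x82, 0x0A, 0x00, 0x02, 0x01, 0x03])

if __name__ == "__main__":
    print(classify_cert_file(SAMPLE_DER), classify_cert_file(SAMPLE_PEM))
    print(classify_keystore(SAMPLE_JKS), classify_keystore(SAMPLE_P12))
```

To use it on real files, read each file in binary mode and pass the bytes to these functions; a fingerprint mismatch between the two machines means the copied file is not the certificate that was extracted.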
Results
The following attributes should be configured
to enable security on the IBM WebSphere Snmp Agent: connectorType,
Security, UserName, Password, connectorSOAPconfig/connectorRMIconfig,
sslRMIConfig, trustStore, tsPassword, keyStore and ksPassword.
For more information about these attributes, read "Installing and configuring
the IBM WebSphere SNMP Capability", referenced
later in this topic.
What to do next
If the connector type is RMI, there is no need to extract
any certificates. You must ensure that the values for all attributes
under RMImbeanServer are correct.
However, if your IBM WebSphere Snmp
Agent is running on a machine different from the dmgr you want to
connect to, you are prompted to accept a certificate from the WebSphere Application Server
dmgr machine when you connect to it for the first time. Click yes and
accept that certificate.
In some instances, when you start the IBM WebSphere Snmp Agent, a window is displayed
that prompts you for a username and password. Enter the username and
password for the WebSphere Application
Server dmgr in this window.