NNMi - replacing LDAP SSL Certificate
NNMi can use LDAP for authenticating users, with or without SSL. Recently a customer changed the SSL certificate used on their LDAP server, which broke NNMi authentication. NNMi trusts one specific certificate for verifying SSL connectivity to the LDAP server, so changing the certificate broke the chain of trust. To save me time when this comes around again, I’ve documented the steps for fixing this:
- Get a copy of the public part of the certificate used on the LDAP server. This should be in DER format. Copy it to the NNMi server.
- NNMi uses Java keystores for storing certificates. Two files are used: nnm.keystore for storing keys used for SSL for the NNMi web interface, and nnm.truststore for storing trusted certificates. Both are stored in /var/opt/OV/shared/nnm/certificates. For LDAP connection verification, NNMi looks in the nnm.truststore file for a certificate with an alias of nnmi_ldap. You must use this alias. Check currently stored certificates with this command:

/opt/OV/nonOV/jdk/nnm/bin/keytool -list -v -keystore /var/opt/OV/shared/nnm/certificates/nnm.truststore -storepass ovpass

You must use the right version of keytool to examine/update these stores. The default keytool in your path on a Linux server may not work - use the NNMi-provided copy of keytool.
- Make a backup copy of nnm.truststore, then remove the existing key with alias nnmi_ldap:

/opt/OV/nonOV/jdk/nnm/bin/keytool -delete -alias nnmi_ldap -keystore /var/opt/OV/shared/nnm/certificates/nnm.truststore -storepass ovpass

- Import your new certificate:

/opt/OV/nonOV/jdk/nnm/bin/keytool -import -alias nnmi_ldap -file ~/mynewcert.crt -keystore /var/opt/OV/shared/nnm/certificates/nnm.truststore -storepass ovpass

- Restart NNMi with:

ovstop
ovstart

LDAP authentication should now be working again. You can use “nnmldap.ovpl -diagnose”

It’s not enough to update the certificate and run nnmldap.ovpl -reload - you MUST restart NNMi for the new certificate to take effect.
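The steps above as one script, added here as an example and not part of the original post: it backs up the truststore, confirms the new file is a parseable certificate whose SHA-256 fingerprint matches what the LDAP server actually presents on port 636, and only then swaps the nnmi_ldap entry. The LDAP hostname and certificate path on the command line are assumptions; the keytool and truststore paths are the NNMi defaults from the post and can be overridden via environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool steps scripted, with a
# check that the file's SHA-256 fingerprint matches what the LDAPS server really
# presents, so a stale or wrong file is never made the trust anchor.
# KEYTOOL/TRUSTSTORE/STOREPASS default to the NNMi paths given in the post; the
# LDAP host and certificate file passed on the command line are assumptions.
set -eu

KEYTOOL="${KEYTOOL:-/opt/OV/nonOV/jdk/nnm/bin/keytool}"   # NNMi's own keytool
TRUSTSTORE="${TRUSTSTORE:-/var/opt/OV/shared/nnm/certificates/nnm.truststore}"
STOREPASS="${STOREPASS:-ovpass}"
ALIAS="nnmi_ldap"   # the only alias NNMi consults for LDAP verification

# Normalise a fingerprint line ("SHA256 Fingerprint=ab:cd:...") to bare upper-case hex.
norm_fp() { printf '%s' "$1" | sed -e 's/.*=//' -e 's/://g' | tr 'a-f' 'A-F'; }

# True when `keytool -list -v` output on stdin contains exactly this alias.
has_alias() { grep -q "^Alias name: $1\$"; }

# SHA-256 fingerprint of a certificate file (DER as the post says, or PEM).
file_fp() {
  inform=DER; grep -q 'BEGIN CERTIFICATE' "$1" && inform=PEM
  openssl x509 -inform "$inform" -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the leaf certificate the LDAPS server presents.
server_fp() {
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

replace_ldap_cert() {   # replace_ldap_cert <ldap host> <new cert file>
  host=$1; cert=$2
  "$KEYTOOL" -printcert -file "$cert" >/dev/null          # parseable at all?
  [ "$(norm_fp "$(file_fp "$cert")")" = "$(norm_fp "$(server_fp "$host")")" ] ||
    { echo "$cert does not match the certificate served by $host:636" >&2; return 1; }
  cp -p "$TRUSTSTORE" "$TRUSTSTORE.bak.$(date +%Y%m%d%H%M%S)"  # backup first
  if "$KEYTOOL" -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | has_alias "$ALIAS"; then
    "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  fi
  "$KEYTOOL" -importcert -noprompt -alias "$ALIAS" -file "$cert" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  "$KEYTOOL" -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | has_alias "$ALIAS"
  echo "imported $ALIAS; now run ovstop && ovstart (nnmldap.ovpl -reload is not enough)"
}

# Only act when invoked as: sh replace_ldap_cert.sh run ldap.example.com ~/mynewcert.crt
if [ "${1:-}" = run ]; then replace_ldap_cert "$2" "$3"; fi
```

The fingerprint comparison fails closed: if the LDAP server is unreachable or serves a different certificate than the file you were given, nothing in the truststore is changed.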