Enabling security for the IBM WebSphere SNMP Capability

You must enable security for the IBM® WebSphere® Simple Network Management Protocol (SNMP) Capability (also referred to as the IBM WebSphere Snmp Agent) to connect to a security-enabled WebSphere Application Server environment. You need not follow these steps if global security is not enabled on WebSphere Application Server.

Before you begin

Note: For more information about the IBM WebSphere SNMP Capability, read the SNMP based performance monitoring for WebSphere Application Server topic.

Before you enable security for the IBM WebSphere SNMP Capability, you must first have installed and configured it. Read the Installing and configuring the IBM WebSphere SNMP Capability topic for more information.

You should enable security on the IBM WebSphere Snmp Agent after first enabling global security. Verify that the connection is established successfully and you are able to obtain the metrics and traps.

About this task

To enable security for the SOAP Connector Type, perform the following steps:

Procedure

  1. In the administrative console, click Security > SSL certificate and key management.
  2. Under Related items, click Key stores and certificates.
  3. Click CellDefaultTrustStore. Under Additional properties, click Signer Certificates.
  4. Select the check box next to root and click Extract.
  5. Select the data type as Binary DER Data and supply a filename ending with .DER.
  6. Click OK and the certificate is extracted to a location on the dmgr. Note the location to which the .DER certificate was extracted.
  7. Copy the certificate to the machine on which the WebSphere Snmp Agent runs (you do not have to do this if the WebSphere Snmp Agent has been installed on the dmgr node itself).
  8. Go to the <WAS_HOME>/bin directory on the machine where the WebSphere Snmp Agent is installed. Run the ikeyman.sh utility.
  9. Go to Key Database File > Open. The truststore you use should be the JKS file. PKCS12 should not be used. For the default truststore, use key database type = jks, filename = DummyClientTrustFile.jks, and location = <was_profile>/etc.
    Note: The key database type must be JKS for both the keystore and truststore used by the SNMPAgent (as configured in the jmxConfig.xml file).
    Once you click OK, you are prompted for the password. Enter the password as WebAS.
  10. In the choices for Personal Certificates, select Signer Certificates. Click Add, and supply the filename and location of the .DER certificate that you extracted from the administrative console earlier.
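
The following is an added example, not part of the IBM procedure or product code: a check to run on the agent machine between steps 7 and 10, confirming that the copied file is still a complete Binary DER object and matches a SHA-256 fingerprint computed over the same file on the dmgr. The function names, the file name root.DER and the sample bytes are assumptions made for illustration.

```python
import hashlib

def der_outer_length(data: bytes) -> int:
    """Return the total size (header + content) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a Base64/PEM file starts with '-----BEGIN')")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_signer_der(data: bytes, expected_sha256: str) -> str:
    """Check framing and fingerprint; expected_sha256 is hex, colons optional."""
    total = der_outer_length(data)
    if len(data) < total:
        raise ValueError(f"truncated: file has {len(data)} bytes, DER header says {total}")
    if len(data) > total:
        raise ValueError(f"{len(data) - total} trailing bytes after the certificate")
    actual = hashlib.sha256(data).hexdigest()
    wanted = expected_sha256.replace(":", "").strip().lower()
    if actual != wanted:
        raise ValueError(f"fingerprint mismatch: got {actual}")
    return actual

# Constructed stand-in for the extracted file: a well-framed SEQUENCE holding
# 300 filler bytes, not a real certificate. On a real system read the file:
#   data = open("root.DER", "rb").read()   # hypothetical file name
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300
SAMPLE_FP = hashlib.sha256(SAMPLE_DER).hexdigest()   # value "recorded on the dmgr"

if __name__ == "__main__":
    print("ok", check_signer_der(SAMPLE_DER, SAMPLE_FP))
    for label, blob in [("truncated copy", SAMPLE_DER[:-10]),
                        ("text-mode transfer", SAMPLE_DER + b"\r\n"),
                        ("Base64 instead of Binary DER", b"-----BEGIN CERTIFICATE-----\n")]:
        try:
            check_signer_der(blob, SAMPLE_FP)
        except ValueError as exc:
            print(label, "->", exc)
```

A file that fails any of these checks should be extracted and copied again rather than added to the truststore.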

Results

The following attributes should be configured to enable security on the IBM WebSphere Snmp Agent: connectorType, Security, UserName, Password, connectorSOAPconfig/connectorRMIconfig, sslRMIConfig, trustStore, tsPassword, keyStore, and ksPassword.

For more information about these attributes, read Installing and configuring the IBM WebSphere SNMP Capability, referenced later in this topic.

What to do next

If the connector type is RMI, there is no need to extract any certificates. You must ensure that the values for all attributes under RMImbeanServer are correct.

However, if your IBM WebSphere Snmp Agent is running on a machine different from the dmgr you want to connect to, you are prompted to accept a certificate from the WebSphere Application Server dmgr machine when you connect to it for the first time. Click Yes and accept that certificate. In some instances, when you start the IBM WebSphere Snmp Agent, a window is displayed that prompts you for a username and password. Enter the username and password for the WebSphere Application Server dmgr in this window.