Configuring server-to-server SSL in multiple-cell CEI environments

You must configure server-to-server Secure Sockets Layer (SSL) communication if your secure environment has a remote event source or if your dashboard server is not in the same cell as your IBM® Business Monitor server. When server-to-server SSL is not configured, the monitor model deployment fails or the IBM Business Monitor dashboards are unable to retrieve data.

About this task

This procedure applies when the configuration between cells uses Remote Method Invocation (RMI).
Important: CEI is deprecated in IBM Business Monitor V8.5.5 and later. This procedure does not apply to a remote Business Monitor event source (table-based event delivery) in an IBM Business Monitor cell or an IBM Business Process Manager cell. The configuration between the cells in such an environment uses a REST service and not the server-to-server RMI.

Procedure

To configure cross-cell SSL, complete the following steps:

  1. From the administrative console where IBM Business Monitor is installed, click Security > SSL certificate and key management > Related items > Key stores and certificates.
  2. Click the appropriate trust store.
  3. Under Additional properties, click Signer certificates.
  4. Click Retrieve from port. The Configuration panel is displayed.
  5. Complete the following general properties fields:
    1. In the Host field, enter the name of the host for the remote Process Server or CEI server.
    2. In the Port field, enter the SOAP port number for the remote Process Server or CEI server.
    3. In the Alias field, enter an appropriate alias; for example, enter Remote.
    4. Click Retrieve signer information.
    5. Click OK and save your changes to the master configuration.
  6. From the navigation panel, click Security > SSL certificate and key management > Manage endpoint security configurations.
    1. For both inbound and outbound, ensure that the cell SSL settings are configured to use the default SSL settings and the default certificate alias under Specific SSL configuration for this endpoint.
    2. For each node under the cell, ensure that the Override inherited values check box is cleared.
    3. Click OK and save your changes to the master configuration.
  7. From the navigation panel, click Security > Global security. Under RMI/IIOP security, click CSIv2 outbound communications.
    1. Click Trusted authentication realms - outbound.
    2. Select Trust realms as indicated below. Click Add external realm and add the realm of the remote cell. Click Apply. To obtain the realm of the remote cell, from the administrative console, click Security > Global security. The realm name is listed under User account repository.
  8. Verify that the Use identity assertion setting is enabled.
  9. Stop and restart all servers, node agents, and deployment managers.
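
Retrieve from port (steps 4 and 5) adds whatever signer the remote SOAP port presents, so the retrieved signer is worth comparing with a value obtained out of band before you click OK. The following is an added example, not IBM code: given a PEM bundle exported by the remote cell's administrator, it reports which certificate matches the fingerprint copied from the console. It assumes the console shows a SHA-1 or SHA-256 hex digest of the certificate's DER encoding; the function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
DIGEST_BY_HEXLEN = {40: "sha1", 64: "sha256"}  # hex length -> algorithm


def split_pem_bundle(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def normalize(fingerprint_text):
    """Drop colons and whitespace, lowercase, and reject non-digest input."""
    hexed = re.sub(r"[\s:]", "", fingerprint_text).lower()
    if len(hexed) not in DIGEST_BY_HEXLEN or re.search(r"[^0-9a-f]", hexed):
        raise ValueError("expected a SHA-1 or SHA-256 hex fingerprint")
    return hexed


def fingerprint(der, algorithm):
    """Hex digest of the DER encoding, which is what a fingerprint covers."""
    return hashlib.new(algorithm, der).hexdigest()


def find_matching(pem_text, console_fingerprint):
    """Index of the bundle certificate matching the console value, else None."""
    wanted = normalize(console_fingerprint)
    algorithm = DIGEST_BY_HEXLEN[len(wanted)]
    for index, der in enumerate(split_pem_bundle(pem_text)):
        if hmac.compare_digest(fingerprint(der, algorithm), wanted):
            return index
    return None


def to_pem(der):
    """Wrap bytes in PEM armor (used here only to build the sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes stand in for real DER certificates.
SAMPLE_BUNDLE = to_pem(b"constructed leaf bytes") + to_pem(b"constructed signer bytes")

if __name__ == "__main__":
    shown = fingerprint(b"constructed signer bytes", "sha1").upper()
    print(find_matching(SAMPLE_BUNDLE, shown))  # index of the signer entry
```

A result of None means no certificate in the exported bundle matches what the port presented, and the retrieved signer should not be saved to the trust store until the mismatch is explained.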

What to do next

You must repeat these steps on the remote CEI event source, Process Server, WebSphere® Portal server, or dashboard server administrative console using the host and SOAP port of the IBM Business Monitor server.