Enable secure Corba with self-signed certificates.

Article ID: 392849

Updated On: 05-05-2025

Products

Network Observability Spectrum

Issue/Introduction

How to enable secure Corba with self-signed certificates.

Environment

The following procedure assumes OneClick is hosted on server <host-oc1> and the SpectroServer on <host-ss1>.
 
Replace hostname references as needed.
 

Resolution

Generation of certificates
  • OneClick side
export SPECROOT=/opt/CA/Spectrum
 
$SPECROOT/Java/bin/keytool -genkeypair -alias <host-oc1> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=<host-oc1>, o=<org name>, c=<country code>" -validity 730 -keypass <keypass> -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -storetype PKCS12 -storepass <storepass>
 
Resulting in:
 
$SPECROOT/custom/VBNS/identities/<host-oc1>.p12
  • SpectroServer side
export SPECROOT=/opt/CA/Spectrum
 
$SPECROOT/Java/bin/keytool -genkeypair -alias <host-ss1> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=<host-ss1>, o=<org name>, c=<country code>" -validity 730 -keypass <keypass> -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -storetype PKCS12 -storepass <storepass>
 
Export the private key and certificate
 
mkdir $SPECROOT/custom/VBNS/identities/<host-ss1>
 
openssl pkcs12 -in $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -out $SPECROOT/custom/VBNS/identities/<host-ss1>/cert0 -nokeys
openssl pkcs12 -in $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -out $SPECROOT/custom/VBNS/identities/<host-ss1>/key -nocerts
 
Note: Remove the lines before -----BEGIN CERTIFICATE----- in $SPECROOT/custom/VBNS/identities/<host-ss1>/cert0
Note: Remove the lines before -----BEGIN ENCRYPTED PRIVATE KEY----- in $SPECROOT/custom/VBNS/identities/<host-ss1>/key
 
Resulting in:
 
$SPECROOT/custom/VBNS/identities/<host-ss1>/cert0
$SPECROOT/custom/VBNS/identities/<host-ss1>/key
$SPECROOT/custom/VBNS/identities/<host-ss1>.p12
 
Configuring certificates and trust relationship
  • OneClick side
export SPECROOT=/opt/CA/Spectrum
 
Export the certificate
 
openssl pkcs12 -in $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -out $SPECROOT/custom/VBNS/trustpoints/<host-oc1> -nokeys
 
Note: Remove the lines before -----BEGIN CERTIFICATE----- in $SPECROOT/custom/VBNS/trustpoints/<host-oc1>
 
Copy the $SPECROOT/custom/VBNS/identities/<host-ss1>/cert0 from SpectroServer to OneClick as $SPECROOT/custom/VBNS/trustpoints/<host-ss1>
 
Note: The name of the file must match the CN value in the certificate
 
Expected files:
 
$SPECROOT/custom/VBNS/identities/<host-oc1>.p12
$SPECROOT/custom/VBNS/trustpoints/<host-oc1>
$SPECROOT/custom/VBNS/trustpoints/<host-ss1>
 
File $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml
 
useSSL="true"
vbroker.security.requireAuthentication=true 
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST 
vbroker.security.wallet.identity=<host-oc1>
vbroker.security.wallet.password=<keypass> 
vbroker.security.alwaysSecure=true
vbroker.security.trustpointsRepository=Directory:/opt/CA/OneClick/custom/VBNS/trustpoints 
vbroker.security.wallet.type=PKCS12:/opt/CA/OneClick/custom/VBNS/identities
 
Restart the OneClick Tomcat
 
  • SpectroServer side
cp $SPECROOT/custom/VBNS/identities/<host-ss1>/cert0 $SPECROOT/custom/VBNS/trustpoints/<host-ss1>
 
Copy the $SPECROOT/custom/VBNS/trustpoints/<host-oc1> from OneClick to SpectroServer as $SPECROOT/custom/VBNS/trustpoints/<host-oc1>
 
Note: The name of the file must match the CN value in the certificate
 
Expected files:
 
$SPECROOT/custom/VBNS/identities/<host-ss1>.p12
$SPECROOT/custom/VBNS/identities/<host-ss1>/cert0
$SPECROOT/custom/VBNS/identities/<host-ss1>/key
$SPECROOT/custom/VBNS/trustpoints/<host-oc1>
$SPECROOT/custom/VBNS/trustpoints/<host-ss1>
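
The two manual notes above (remove the lines before the -----BEGIN line, and the trustpoint file name must match the certificate CN) can be scripted and checked on each host before the restart. The following is an added example, not part of the original article or vendor code; the function names are hypothetical, and it assumes each file holds a single PEM object and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not vendor code); function names are hypothetical.
# Assumes each file holds a single PEM object and openssl is on PATH.

# Drop every line before the first "-----BEGIN " line, i.e. the
# "Bag Attributes" header that `openssl pkcs12` writes ahead of the PEM block.
# Refuses to touch a file that contains no PEM block at all.
strip_pem_preamble() {
    grep -q '^-----BEGIN ' "$1" || { echo "no PEM block in $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # cat back into the original so the file keeps its owner and mode.
    if sed -n '/^-----BEGIN /,$p' "$1" > "$tmp" && cat "$tmp" > "$1"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Print the subject CN of a PEM certificate (empty output if unreadable).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Check every file in a trustpoints directory: the file name must equal the
# certificate CN. Returns non-zero if any file fails.
check_trustpoints() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cn=$(cert_cn "$f")
        if [ -n "$cn" ] && [ "$cn" = "$name" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  file=$name CN=${cn:-<unreadable>}"
            rc=1
        fi
    done
    return $rc
}

# Usage on either host, before the restart:
#   strip_pem_preamble "$SPECROOT/custom/VBNS/trustpoints/<host-oc1>"
#   check_trustpoints  "$SPECROOT/custom/VBNS/trustpoints"
```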
 
File $SPECROOT/.jcorbarc
 
vbroker.security.disable=false
vbroker.naming.security.disable=false
vbroker.security.secureTransport=true
vbroker.security.trustpointsRepository=Directory:/opt/CA/Spectrum/custom/VBNS/trustpoints
vbroker.security.wallet.type=PKCS12:/opt/CA/Spectrum/custom/VBNS/identities
vbroker.security.wallet.identity=<host-ss1>
vbroker.security.wallet.password=<keypass>
vbroker.security.alwaysSecure=true
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST
vbroker.security.requireAuthentication=true
 
File $SPECROOT/.corbarc
 
vbroker.security.disable=false
vbroker.security.secureTransport=true
vbroker.security.trustpointsRepository=Directory:/opt/CA/Spectrum/custom/VBNS/trustpoints
vbroker.security.wallet.type=Directory:/opt/CA/Spectrum/custom/VBNS/identities
vbroker.security.wallet.identity=<host-ss1>
vbroker.security.wallet.password=<keypass>
vbroker.security.alwaysSecure=true
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST
vbroker.security.requireAuthentication=true
 
Restart the SpectroServer and processd