Custom trust store in DPA

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Jul 01, 2016

Updated July 5, 2016

Overview

You can use a dedicated DPA trust store for storing trusted certificates. DPA will consider a certificate as trusted if the certificate is trusted by any of the following trust stores:

  • Java trust store. You can change the path to the Java trust store by editing the javax.net.ssl.trustStore property in the system.properties file.
  • DPA trust store, if enabled.

Environment

  • DPA 10.2 and later

Detail

Set up the DPA trust store

If this is a new installation of DPA 10.2 or later, the DPA trust store is enabled by default. If you upgraded from an older version, the DPA trust store is configured as follows, depending on the javax.net.ssl.trustStore setting in the previous installation:

  • If the javax.net.ssl.trustStore property in system.properties was not specified in the installation you are upgrading from, the DPA trust store will be enabled with default values.
  • If the javax.net.ssl.trustStore property in system.properties was set to NONE in the installation you are upgrading from, the DPA trust store will be disabled after upgrading.
  • If the javax.net.ssl.trustStore property in system.properties contained a path in the installation you are upgrading from, the DPA trust store will be enabled and all of the javax.net.ssl.trustStore properties will be migrated to the com.confio.security.trustStore properties. DPA will continue to trust certificates imported in the previous installation. The properties will be migrated as follows:
    com.confio.security.trustStoreEnabled=true
    com.confio.security.trustStore=<value of javax.net.ssl.trustStore property>
    com.confio.security.trustStorePassword=<value of javax.net.ssl.trustStorePassword property>
    com.confio.security.trustStoreType=<value of javax.net.ssl.trustStoreType property>
    com.confio.security.trustStoreProvider=<value of javax.net.ssl.trustStoreProvider property>
    

Notes:

  • All javax.net.ssl.trustStore properties will be removed after migration.
  • If the DPA trust store is enabled but the file does not exist, DPA will create an empty one.
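
The three upgrade cases above can be written as a function that predicts the post-upgrade properties. This is an added example, not DPA code: `migrate_trust_store`, the sample input, and the way the disabled state is recorded are assumptions.

```python
# Added example: models the upgrade rules listed above. Not DPA source code.
OLD = "javax.net.ssl.trustStore"
NEW = "com.confio.security.trustStore"

# Path and password defaults are the ones stated in the system.properties
# comments on this page; type and provider mirror the sample file (assumption).
DEFAULTS = {
    NEW + "Enabled": "true",
    NEW: "ignite_config/security/dpa-truststore.jks",
    NEW + "Password": "changeit",
    NEW + "Type": "JKS",
    NEW + "Provider": "",
}

def migrate_trust_store(old_props):
    """Predict the trust store properties after upgrading to DPA 10.2 or later.

    old_props is a dict of the pre-upgrade system.properties (hypothetical input).
    """
    # Every javax.net.ssl.trustStore* property is removed after migration.
    result = {k: v for k, v in old_props.items() if not k.startswith(OLD)}
    old_path = old_props.get(OLD)

    if old_path is None:
        # Not specified: DPA trust store enabled with default values.
        result.update(DEFAULTS)
    elif old_path.strip() == "NONE":
        # Set to NONE: DPA trust store disabled (written here as Enabled=false,
        # which is an assumption about how DPA records it).
        result[NEW + "Enabled"] = "false"
    else:
        # A path: enabled, and each old property is carried over under the new
        # name, so certificates imported before the upgrade stay trusted.
        result[NEW + "Enabled"] = "true"
        for key, value in old_props.items():
            if key.startswith(OLD):
                result[NEW + key[len(OLD):]] = value
    return result

# Constructed pre-upgrade configuration (path and password are made up).
SAMPLE_OLD = {
    "javax.net.ssl.trustStore": "/opt/certs/corp-trust.jks",
    "javax.net.ssl.trustStorePassword": "example-only",
    "javax.net.ssl.trustStoreType": "JKS",
}

if __name__ == "__main__":
    for key, value in sorted(migrate_trust_store(SAMPLE_OLD).items()):
        print(f"{key}={value}")
```

An upgrade that lands in the first case leaves the store protected by the default password until com.confio.security.trustStorePassword is changed.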

Use the trust store

If the DPA trust store is enabled, DPA will use the trust store specified by the com.confio.security.trustStore property for storing all trusted certificates.

If you want to configure DPA to use Active Directory/LDAP user authentication, and you want to use an SSL connection to the AD/LDAP server, you must enable the DPA trust store. Otherwise, DPA cannot import the certificate from the AD/LDAP server as trusted.

Import a certificate as trusted

To make a certificate trusted by DPA, import it into the DPA trust store.

  1. Use the keytool utility in the following directory:
    • Windows: dpafolder\iwc\jre\bin\
    • Linux: dpafolder/iwc/jre_linux/bin/
    • Solaris: dpafolder/iwc/jre_unix/bin/
  2. Run the following command:
    <path to keytool>/keytool -import -keystore <path to DPA trust store> -alias <specify alias for the certificate> -file <filepath to the certificate> -storepass <password to the DPA trust store>
  3. Restart DPA for the changes to take effect.

Manually configure the trust store

The DPA trust store can be configured manually.

  1. Edit system.properties in the following directory:
    • Windows: {installation directory}\iwc\tomcat\ignite_config\idc\
    • Linux or UNIX: {installation directory}/iwc/tomcat/ignite_config/idc/
  2. Edit the properties as instructed by the comments:
    # Set to "false" (without quotes) to disable the additional trust store.
    com.confio.security.trustStoreEnabled=true
    
    # File path of the additional trust store file.
    # The path should be relative to the "<DPA>/iwc/tomcat" directory if the trust
    # store file is contained inside the tomcat directory. Otherwise, use an absolute path.
    # The default path is "ignite_config/security/dpa-truststore.jks".
    com.confio.security.trustStore=ignite_config/security/dpa-truststore.jks
    
    # Password of the additional trust store. Enter as plain text, and DPA will encrypt
    # the password the next time it starts.
    # The default value is "changeit" (without quotes).
    com.confio.security.trustStorePassword=changeit
    
    # Type of the additional trust store.
    com.confio.security.trustStoreType=JKS
    
    # Trust store provider used for the additional trust store.
    # If empty, DPA uses the default Java provider.
    com.confio.security.trustStoreProvider=
    
  3. Restart DPA for the changes to take effect.
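
A quick check of an edited system.properties before restarting DPA, as an added example that is not part of DPA or this article's original content. The function names, the `/opt/dpa` install path and the sample text are assumptions; the parser handles plain key=value lines only.

```python
import os

PREFIX = "com.confio.security.trustStore"
DEFAULT_PATH = "ignite_config/security/dpa-truststore.jks"

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_trust_store(text, tomcat_dir, exists=os.path.exists):
    """Return (resolved trust store path, list of findings)."""
    props = parse_properties(text)
    findings = []
    # Assumption: a missing Enabled key is treated like the default (enabled).
    if props.get(PREFIX + "Enabled", "true").lower() != "true":
        findings.append("DPA trust store disabled: AD/LDAP server "
                        "certificates cannot be imported as trusted")
        return None, findings
    # Relative paths are relative to <DPA>/iwc/tomcat; otherwise absolute.
    # Run this on the DPA host so os.path matches its path style.
    raw = props.get(PREFIX) or DEFAULT_PATH
    path = raw if os.path.isabs(raw) else os.path.join(tomcat_dir, raw)
    if not exists(path):
        findings.append("trust store file missing: DPA will create an empty one")
    # Only visible while the value is still plain text; DPA encrypts it
    # the next time it starts.
    if props.get(PREFIX + "Password") == "changeit":
        findings.append("trust store password is the default 'changeit'")
    if "javax.net.ssl.trustStore" in props:
        findings.append("Java trust store path is overridden by "
                        "javax.net.ssl.trustStore")
    return path, findings

# Constructed sample that mirrors the defaults shown in step 2.
SAMPLE = """\
# Set to "false" (without quotes) to disable the additional trust store.
com.confio.security.trustStoreEnabled=true
com.confio.security.trustStore=ignite_config/security/dpa-truststore.jks
com.confio.security.trustStorePassword=changeit
"""

if __name__ == "__main__":
    print(audit_trust_store(SAMPLE, "/opt/dpa/iwc/tomcat"))
```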

 

 

 

Last modified
13:50, 1 Jul 2016
