5.1 Configuring Communications Security

Standard communication settings for Operations Center, as well as the dashboard and CMS, are configured using the Configuration Manager for each component. In some cases, configuration changes on one server might require changes in another. In all cases, enabling SSL requires Keystore and Trust Store configuration.

For more information about configuring Keystore and Trust Stores, see Section 5.2, Keystore and Trust Store Configuration.

The following sections describe the standard configuration options available and their interdependencies.

5.1.1 Understanding Options in the Operations Center Configuration Manager

In the Operations Center server’s Configuration Manager, use the settings on the Security pane to establish the type of communications security for the Operations Center server and between the dashboard, CMS, and Web services.

For information on accessing the Operations Center Configuration Manager, see the Operations Center 5.6 Server Configuration Guide.

Figure 5-1 Operations Center Configuration Manager Security Pane

Table 5-1 describes the Security pane settings.

Table 5-1 Operations Center Configuration Manager Security Pane Settings

Setting: Client/Server Communication Mode

Default: Unsecured Communication

Description: Specifies the level of security for communications used between the Operations Center clients and server:

  • Unsecured Communication: The server only accepts access via Hypertext Transfer Protocol (HTTP) and bidirectional Internet Inter-ORB Protocol (IIOP) communications protocols, and does not use SSL to encrypt these data streams.

  • Secured Communication using SSL: The server only accepts access via HTTPS and bidirectional-IIOP-over-SSL communications protocols, using the Secure Sockets Layer to encrypt these data streams.

  • Support Both Unsecured and Secured Communication: Operations Center supports both secured and unsecured access.

When you make selections for this option, there are various dependencies you need to be aware of. For details on each of these selections and dependent settings, see Section 5.1.4, Understanding Dependency Requirements for Operations Center Client/Server Communications.

IMPORTANT: When SSL communications are used, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.

Setting: Remote Services Security (RMI)

Default: Unsecured communication

Description: Specifies the level of security used for the RMI (Remote Services Port) communications between Operations Center and the dashboard, and between Operations Center and CMS.

Select from:

  • Unsecured communication

  • Secured communication using SSL

  • Secured communication using SSL and Client Certificates

IMPORTANT: When SSL communications are used, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.

Setting: Web Services Communication Security

Default: Unsecured communication

Description: Specifies the level of security used for communications between third-party applications and the Operations Center Web Services Application Programmer Interface (WSAPI):

  • Unsecured communication

  • Secured communication using SSL

  • Secured communication using SSL and Client Certificates

This setting governs the level of security for communications through the port as defined with the Web Services Port setting on the NOC Server page.

IMPORTANT: When SSL communications are used, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.

See the Operations Center 5.6 Web Services Guide for more information on Web Services.

5.1.2 Understanding Options in the Dashboard’s Configuration Manager

The dashboard has its own Configuration Manager to configure communication options with Operations Center and the Web browsers through which users access the dashboard:

  • In the dashboard’s Configuration Manager, use the settings on the NetIQ Operations Center pane to establish the type of communications security between the Operations Center server and the dashboard. The settings on the NetIQ Operations Center pane must match the settings in the Operations Center Configuration Manager.

    For more information about these dependencies, see Section 5.1.4, Understanding Dependency Requirements for Operations Center Client/Server Communications.

  • Use the settings on the Dashboard pane to establish the type of communications security between Web clients and the dashboard.

    Table 5-2 describes the settings that govern communications with Web browsers.

Figure 5-2 Dashboard Configuration Manager, Dashboard Pane

Table 5-2 Dashboard Configuration Manager Dashboard Pane Settings

Setting: Dashboard Communication Mode

Default: Unsecured Communication

Description: Specifies the level of security for communications used when Web clients access the dashboard:

  • Unsecured Communication: The server only accepts access via Hypertext Transfer Protocol (HTTP) communications protocol, and does not use SSL to encrypt these data streams.

  • Secured Communication using SSL: The server only accepts access via HTTPS communications protocol, using the Secure Sockets Layer to encrypt these data streams.

  • Secured Communication using SSL and Client Certificates: The server only accepts access via HTTPS communications protocol, using the Secure Sockets Layer to encrypt these data streams.

  • Support Both Unsecured and Secured Communication: Operations Center supports both secured and unsecured access.

IMPORTANT: When SSL communications are used, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.

Setting: Dashboard Web Server Port (HTTP)

Default: 8080

Description: Port used when Web browser access to the dashboard is unsecured. Enabled when the Dashboard Communication Mode is set to Unsecured Communication or Support Both Unsecured and Secured Communication.

Setting: Dashboard Web Server Port (HTTPS)

Default: 8443

Description: Port used when Web browser access to the dashboard is secured. Enabled when the Dashboard Communication Mode is set to Secured Communication using SSL or Secured Communication using SSL and Client Certificates.

5.1.3 Understanding Options in the CMS’ Configuration Manager

The CMS has its own Configuration Manager to configure communication options with Operations Center and the Web browsers through which users access CMS:

  • Use the settings on the Configuration Manager NetIQ Operations Center pane to establish the type of communications security between the Operations Center server and the CMS. The settings on the NetIQ Operations Center pane must match the settings in the Operations Center Configuration Manager.

    For more information about these dependencies, see Section 5.1.4, Understanding Dependency Requirements for Operations Center Client/Server Communications.

  • Use the settings on the Configuration Management System pane to establish the type of communications security between Web clients and the CMS.

    Table 5-3 describes the settings that govern communications with Web clients.

Figure 5-3 Configuration Management System Configuration Manager, Configuration Management System Pane

Table 5-3 Configuration Management System Configuration Manager, Configuration Management System Pane Settings

Setting: Configuration Management System Communication Mode

Default: Unsecured Communication

Description: Specifies the level of security for communications used when Web clients access the CMS:

  • Unsecured Communication: The server only accepts access via Hypertext Transfer Protocol (HTTP) communications protocol, and does not use SSL to encrypt these data streams.

  • Secured Communication using SSL: The server only accepts access via HTTPS communications protocol, using the Secure Sockets Layer to encrypt these data streams.

  • Support Both Unsecured and Secured Communication: Operations Center supports both secured and unsecured access.

IMPORTANT: When SSL communications are used, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.

Setting: Configuration Management System Web Server Port (HTTP)

Default: 8080

Description: Port used when client access to the CMS is unsecured. Enabled when Configuration Management System Communication Mode is set to Unsecured Communication or Support Both Unsecured and Secured Communication.

Setting: Configuration Management System Web Server Port (HTTPS)

Default: 8443

Description: Port used when client access to the CMS is secured. Enabled when the Configuration Management System Communication Mode is set to Secured Communication using SSL or Secured Communication using SSL and Client Certificates.

5.1.4 Understanding Dependency Requirements for Operations Center Client/Server Communications

The level of security for communications used between the Operations Center clients and server is set in the Configuration Manager for the Operations Center server by using the Client/Server Communication Mode option.

Figure 5-4 Client/Server Communications Mode Option in the Operations Center Configuration Manager

Each selection for this option requires other settings to be configured in order to properly set up the level of security for communications. Sometimes these corresponding settings are made in the Configuration Managers for other Operations Center components.

Both the dashboard’s and CMS’ Configuration Managers contain settings for the Operations Center server that must match the same settings in the Operations Center Configuration Manager. These settings govern communications between Operations Center and these components.

Figure 5-5 shows the NetIQ Operations Center page that contains these settings and is present in both the dashboard’s and CMS’ Configuration Managers.

Figure 5-5 Dashboard Configuration Manager, NetIQ Operations Center page

The following sections describe the various dependencies for each security level selection:

Unsecured Communications

When the Client/Server Communication Mode is set to Unsecured communication on the Security page in the Operations Center Configuration Manager:

  • The HTTP Web Server port is open. Note the value set for the Web Server Port (HTTP) on the Web Server page in the Configuration Manager.

  • In both the dashboard’s and CMS’ Configuration Managers, set the following in the NetIQ Operations Center pane:

    • Set NetIQ Operations Center Communication Mode to Unsecured communication.

    • Verify the setting for NetIQ Operations Center Web Server Port matches the value set in the Operations Center Configuration Manager for Web Server Port (HTTP).

Secured Communications Using SSL

When the Client/Server Communication Mode is set to Secured communication using SSL on the Security page in the Operations Center Configuration Manager:

  • The HTTPS Web Server port is open. Note the value set for the Web Server Port (HTTPS) on the Web Server page in the Configuration Manager.

  • In both the dashboard’s and CMS’ Configuration Managers, set the following in the NetIQ Operations Center pane:

    • Set NetIQ Operations Center Communication Mode to Secured communication using SSL.

    • Verify the setting for NetIQ Operations Center Web Server Port matches the value set in the Operations Center Configuration Manager for Web Server Port (HTTPS).

IMPORTANT: When SSL communications are used for the Operations Center server, dashboard or CMS, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.

Unsecured and Secured Communications

When the Client/Server Communication Mode is set to Support both unsecured and secured communications on the Security page in the Operations Center Configuration Manager:

  • Both the HTTP and HTTPS Web Server ports are open. Note the value set for the Web Server Port (HTTP) and Web Server Port (HTTPS) on the Web Server page in the Configuration Manager.

  • In the dashboard’s and/or CMS’ Configuration Manager, set the following:

    • To use secured communications, do the following:

      • Set NetIQ Operations Center Communication Mode to Secured communication using SSL.

      • Verify the setting for NetIQ Operations Center Web Server Port matches the value set in the Operations Center Configuration Manager for Web Server Port (HTTPS).

    • To use unsecured communications, do the following:

      • Set NetIQ Operations Center Communication Mode to Unsecured communication.

      • Verify the setting for NetIQ Operations Center Web Server Port matches the value set in the Operations Center Configuration Manager for Web Server Port (HTTP).

IMPORTANT: When SSL communications are used for the Operations Center server, dashboard or CMS, you must set up a Keystore and Trust Store. See Section 5.2, Keystore and Trust Store Configuration.
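
The dependency rules in this section can be checked mechanically. The following is an added example, not part of the product or its documentation: it compares a dashboard or CMS NetIQ Operations Center pane against the server's settings, and probes the server's Web Server ports to confirm they behave as the selected mode implies. The dictionary keys, the mode shorthand (unsecured, ssl, both) and the expectation that the unused port refuses connections are assumptions of the example.

```python
import socket
import ssl

# Listener state each Client/Server Communication Mode implies (Section 5.1.4).
# The mode keys and dictionary layout are assumptions made for this example.
EXPECTED = {
    "unsecured": {"http": "plaintext", "https": "closed"},
    "ssl": {"http": "closed", "https": "tls"},
    "both": {"http": "plaintext", "https": "tls"},
}

def probe(host, port, timeout=3.0):
    """Return 'closed', 'tls' or 'plaintext' (open, no TLS) for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Validation is off on purpose: this only asks whether the port speaks TLS.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except ssl.SSLError as err:
        # A TLS alert means the peer speaks TLS but refused our parameters.
        return "tls" if "ALERT" in (err.reason or "") else "plaintext"
    except OSError:
        return "plaintext"

def check_component(server, component):
    """Check a dashboard/CMS NetIQ Operations Center pane against the server."""
    findings = []
    scheme = "https" if component["mode"] == "ssl" else "http"
    if server["mode"] not in ("both", component["mode"]):
        findings.append(f"mode {component['mode']} not offered by server mode {server['mode']}")
    if component["port"] != server[scheme + "_port"]:
        findings.append(f"port {component['port']} differs from server Web Server Port ({scheme.upper()})")
    return findings

def check_listeners(server, host, timeout=3.0):
    """Probe both Web Server ports and report any that contradict the mode."""
    findings = []
    for scheme, want in EXPECTED[server["mode"]].items():
        got = probe(host, server[scheme + "_port"], timeout)
        if got != want:
            findings.append(f"{scheme} port: expected {want}, found {got}")
    return findings
```

An empty list from either check means the settings agree. A TLS result only shows that the port negotiates TLS; certificate trust is still governed by the Keystore and Trust Store configuration in Section 5.2.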

5.1.5 Understanding Security Requirements for the Image Server

An Image Server allows Web clients (including the Operations Center console and dashboard) to render dynamic and 3‑D charts. It is important to secure the Image Server port.

For more information about the Image Server and the Image Server port, see Image Server in the Operations Center 5.6 Server Configuration Guide.