Configuring server-to-server SSL in multiple-cell environments

You must configure server-to-server Secure Sockets Layer (SSL) if your secure environment has a remote common event infrastructure (CEI) server for either queue-based or table-based event delivery, or if your dashboard server is not in the same cell as your IBM® Business Monitor server. When server-to-server SSL is not configured, the monitor model deployment fails at the CEI subscription step, or the IBM Business Monitor dashboards are unable to retrieve data.

About this task

To configure cross-cell SSL, complete the following steps:

Procedure

  1. From the administrative console where IBM Business Monitor is installed, click Security > SSL certificate and key management > Related items > Key Stores and certificates.
  2. Click the appropriate trust store.
  3. Under Additional properties, click Signer certificates.
  4. Click Retrieve from port. The Configuration panel is displayed.
  5. Complete the following general properties fields:
    1. In the Host field, enter the name of the host for the remote Process Server or CEI server.
    2. In the Port field, enter the SOAP port number for the remote Process Server or CEI server.
    3. In the Alias field, enter an appropriate alias; for example, enter CEI.
    4. Click Retrieve signer information.
    5. Click OK and save your changes to the master configuration.
  6. From the navigation panel, click Security > SSL certificate and key management > Manage endpoint security configurations.
    1. For both Inbound and Outbound, ensure that the cell SSL settings are configured to use the default cell SSL settings and the default certificate alias under Specific SSL configuration for this endpoint.
    2. For each node under the cell, ensure that the Override inherited values check box is unchecked.
    3. Click OK and save your changes to the master configuration.
  7. From the navigation panel, click Security > Global Security. Under RMI/IIOP security, click CSIv2 outbound communications.
    1. Click Trusted authentication realms - outbound.
    2. Select Trust realms as indicated below. Click Add External Realm and add the realm of the remote cell. Click Apply. To obtain the realm of the remote cell, from the administrative console of the remote cell, click Security > Global Security. The realm name is listed under User Account repository.
  8. Verify that the Use identity assertion setting is enabled. See "Enabling identity assertion" in the related tasks for more information about enabling this setting.
  9. Stop and restart all servers, node agents, and deployment managers.

What to do next

You must repeat these steps on the remote CEI, Process Server, WebSphere® Portal server, or dashboard server administrative console using the host and SOAP port of the IBM Business Monitor server.
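
Retrieve from port (step 4) adds whatever signer the remote host and SOAP port return to the trust store, so it is worth confirming the endpoint's identity first. The following Python script is an added example, not part of the IBM documentation: it fetches the certificate the port presents and compares its fingerprint with a value obtained out of band. It assumes the remote cell's administrator has supplied the SHA-1 or SHA-256 fingerprint of that server certificate; the function names and `SAMPLE_DER` are hypothetical.

```python
import hashlib
import hmac
import ssl
import sys

# Digest algorithm chosen from the length of the expected fingerprint (hex characters).
_DIGESTS = {40: "sha1", 64: "sha256"}

# Constructed stand-in bytes for offline checks; not a real certificate.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"


def normalize_fingerprint(text):
    """Strip separators and case so 'AB:CD:...' and 'abcd...' compare equal."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) not in _DIGESTS or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint in hex")
    return cleaned


def fingerprint_matches(der_bytes, expected):
    """Return True if the DER-encoded certificate hashes to the expected fingerprint."""
    want = normalize_fingerprint(expected)
    got = hashlib.new(_DIGESTS[len(want)], der_bytes).hexdigest()
    return hmac.compare_digest(got, want)


def fetch_presented_certificate(host, port):
    """Fetch the certificate the port presents, as DER bytes.

    No chain validation happens here: the signer is not trusted yet, so the
    out-of-band fingerprint comparison is the only check being applied.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_fp.py HOST SOAP_PORT EXPECTED_FINGERPRINT")
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = fingerprint_matches(fetch_presented_certificate(host, port), expected)
    print("MATCH" if ok else "MISMATCH: do not add this signer")
    sys.exit(0 if ok else 1)
```

Run the same check from the remote cell against the IBM Business Monitor server's host and SOAP port before repeating the procedure there.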