Cisco Prime Central User Guide, 1.1
Chapter 1: Working with the Cisco Prime Central Portal

Table of Contents

Working with the Prime Central Portal

Overview of the Prime Central Portal

Key Features

Security

Logging Into the Prime Central Portal

Customizing Login Advisory Messages

Maximum Number of User Accounts Supported

Customizing the Prime Central Portal

Adding a Portlet

Maximizing or Minimizing a Portlet

Removing a Portlet

Adding or Removing Columns in a Portlet

Changing the Layout of the Home Page

Changing the Time Zone

Changing the Prime Central Session Timeout

Changing the Fault Management Session Timeout

Menu Structure

Home Menu

Design Menu

Fulfill Menu

Assure Menu

Analyze Menu

Inventory Menu

Administration Menu

Filtering and Searching

Filtering Using the Quick Filter

Filtering Using the Advanced Filter

Configuring an Advanced Filter Criterion

Sorting

Finding the Prime Central Version

Logging Out of the Prime Central Portal

Closing the Prime Central Browser Without Logging Out

Managing the Self-Signed Certificates

Replacing the Certificates in the Fault Management Component

Creating a Certificate Signing Request with WebSphere

Receiving a Certificate Issued By a WebSphere Certificate Authority

Importing an Existing Certificate into WebSphere

Placing Certificates in the Internet Explorer Trusted Store

Overview of the Prime Central Portal

The Cisco Prime Carrier Management suite for service providers supports integrated lifecycle management of next-generation networks and services based on a business-centric framework. This comprehensive suite supports major Cisco architectures, including IP NGN, next-generation mobile internet, and cloud intelligent networks.

The Prime Central portal is the main console for operator workflows across multiple domain managers. The suite components listed in the following table are accessible through the Prime Central portal.

 

Table 1-1 Components of Cisco Prime Carrier Management

Component | Description
Prime Network | Provides management of packet networks, including access, aggregation, edge, MPLS core, and Evolved Packet Core (EPC). Formerly Cisco Active Network Abstraction.
Prime Optical | Provides efficient and productive optical infrastructure management for fault, configuration, performance, and security. Formerly Cisco Transport Manager.
Prime Performance Manager | Provides performance statistics and reports for service provider and large enterprise networks, including access, edge, distribution, core, mobile backhaul, Carrier Ethernet, MPLS core, and EPC networks.
Prime Provisioning | Provides automated resource management and rapid profile-based provisioning capabilities for Carrier Ethernet, Multiprotocol Label Switching (MPLS), and Packet Transport technologies. Formerly Cisco IP Solution Center and Cisco Prime Fulfillment. Provides automated resource management and rapid profile-based provisioning capabilities for Carrier Ethernet, Radio Access Network (RAN) backhaul, Multiprotocol Label Switching (MPLS), and Packet Transport technologies. Formerly Cisco IP Solution Center and Cisco Prime Fulfillment Provisioning.


Note See the Cisco Prime Central 1.1 Release Notes for the latest component versions that are compatible with Prime Central 1.1.


Key Features

The Prime Central portal plays the role of the presentation tier for the entire suite. The portal provides:

  • A single point of access (single sign-on) to the Prime Central domain managers.
  • Support for LDAP, TACACS+, and RADIUS authentication plugins.
  • Common user management with role-based access control (RBAC).
  • Global security settings you can configure for the users in your network, such as:
    • Maximum login attempts
    • Maximum active user sessions
    • User inactivity period before deactivation

  • Customizable login advisory messages.
  • Bulk import of users specified in an Excel spreadsheet.
  • Bulk reporting of user logins.
  • Database and application monitoring.
  • Common physical inventory management:
    • Detailed physical inventory views.
    • Filter and search capabilities.
    • Seamless drill-down to individual domain managers.

  • Common cross-domain alarm management:
    • Aggregation, correlation, and deduplication of alarms.
    • Portlets with customized views and filters.
    • Seamless cross-launch of the source domain manager.
    • Seamless access from alarms to common inventory.
    • Pregenerated reports for active and historical alarms.
    • SNMPv1, v2c, and v3 forwarding (OSS integration).

  • Security audit information, which can be viewed in the Audit Log portlet.
  • Virtualization on VMware configurations.

Security

Prime Central uses the following security features:

  • HTTPS support for transporting user credentials.
  • SSL encryption of all single sign-on (SSO) traffic.
  • URL-based SSL traffic encryption available upon configuration.
  • Configurable session timeout with a default value.
  • Cleanup of session states and expiration of cookies upon session timeout.
  • Cross-site scripting and SQL injection guard.
  • Mutual authentication between SSO and all SSO participating components: Prime Network, Prime Optical, Prime Performance Manager, and Prime Provisioning.

Note For HTTPS communication, only Secure Sockets Layer version 3 (SSLv3) and Transport Layer Security version 1 (TLSv1) are allowed. The highest exportable SSL ciphers for encryption communication are used.


Logging Into the Prime Central Portal

Prime Central features single sign-on (SSO), meaning that when you log into the Prime Central portal, you do not have to log in separately to each domain manager within your domain.

Using an open-source product called Central Authentication Service (CAS), the SSO solution offers a central authoritative source that is shared by the Prime Central portal and domain managers.

With an SSO CAS solution, different applications can authenticate to one authoritative source of trust. You then log into that single source; you do not have to log into each application separately. Any authentication provider (such as RADIUS, TACACS+, or LDAP) can use the eXtensible Management Platform (XMP) login mechanism within the CAS authentication handler. CAS SSO applies to all web applications that are running under the same browser session.

To log into the Prime Central portal:


Step 1 Open a Prime Central-supported web browser (Firefox 8 or 9 or Internet Explorer 8 or 9) and enter https://server-hostname:https-port-number, where:

  • server-hostname is the hostname of the Prime Central portal.
  • https-port-number is the SSL port number that was configured during installation. The default SSL port is 8443.

Note Use a Prime Central-supported browser as your default web browser with caching and cookies enabled. If you log into Prime Central with a web browser that is not your default browser:

  • You might need to log in again when you cross-launch from one domain manager to another domain manager.
  • A cross-launched domain manager might remain open even after you log out of Prime Central.


 

The login window (Figure 1-1) opens.

Step 2 Enter your username and password.

If you are an administrator logging in for the first time, enter the username centraladmin and the password that you configured during installation.

Step 3 Click Log In.

Step 4 Click Agree.

Step 5 Accept the self-signed, untrusted security certificates.

  • In Firefox, if you accept the security certificates, they do not reappear upon subsequent logins.
  • In Internet Explorer, if you accept the security certificates without placing them in the trusted certificate store, they reappear upon subsequent logins. If you place the certificates in the trusted store, they do not reappear upon subsequent logins. See Placing Certificates in the Internet Explorer Trusted Store.


 

Figure 1-1 Prime Central Login Window

 

Customizing Login Advisory Messages

Advisory messages are shown both before and after a user logs into Prime Central. By default, these messages read as follows:

  • Pre-login message—Warning: This system is restricted to authorized users only. Unauthorized access is a violation of the law.
  • Post-login message—Warning: You are accessing a private network. Unauthorized access is a violation of the law.

To customize login advisory messages and configure when users see them:


Step 1 Log into the Prime Central portal as the primeusr user.

Step 2 In a text editor, open the following files:

    • Pre-login message—$XMP_HOME/apache-tomcat-6.0.32/webapps/ROOT/html/xmp/xwt/nls/en-us/sso_login.js
    • Post-login message—$XMP_HOME/apache-tomcat-6.0.32/webapps/prime-main-hook/WEB-INF/classes/content/Language_en.properties

Step 3 Update the following variables with the desired text changes:

  • Pre-login message: login_disclosure
  • Post-login message: warning-message

Step 4 Save the changes.

Step 5 To specify that these messages appear only the first time a user logs into Prime Central:

a. Open the $XMP_HOME/apache-tomcat-6.0.32/webapps/ROOT/WEB-INF/classes/portal-ext.properties file.

b. Find the property prime.terms.of.use.show.always=true and change true to false.

c. Save the change.

Step 6 Restart the Prime Central portal.

Step 7 Log out of the Prime Central portal, clear your browser cache, and log back in.


 

Maximum Number of User Accounts Supported

Prime Central supports up to 150 simultaneous users, all of whom can see their own customized view of the Prime Central portal.

Note the following:

  • In Prime Central, 30 users can perform all portal operations concurrently. The remaining 120 users can monitor data, but it is not recommended that they perform memory-intensive operations such as domain manager cross-launch or user management.
  • A single user can have up to ten cross-launched domain manager windows open simultaneously. If a user tries to open an eleventh window, the user cannot proceed without first closing one of the open windows.
  • Prime Central supports up to 30 simultaneous domain manager cross-launches across multiple users.
  • The number of domain manager cross-launches Prime Central supports depends on:
    • CPU and memory available on a user’s machine.
    • CPU, memory, and connections available on the machines on which the domain managers run.

Customizing the Prime Central Portal

When you log into Prime Central, the portlets that you see on the home page depend on your user privileges and which domain managers are installed and available. Figure 1-2 shows the Prime Central home page with the Alarm Browser portlet partially visible.

Figure 1-2 Prime Central Home Page

 

 

Callout | Description
1 | Content area, with content that depends on your portlet selections
2 | Menu bar, with main menu choices
3 | Home menu and icon
4 | Logged-in user link
5 | Log Out link
6 | Help link
7 | About link
8 | Add Applications icon
9 | Change Layout icon
10 | Refresh Current Page icon
11 | Remove icon
12 | Maximize icon
13 | Minimize icon

Adding a Portlet

Note the following about portlet management:

  • By default, administrators can see all available portlets.
  • Administrators can assign different portlets and layouts for each user role. The portlets are added automatically to a user’s Prime Central home page.
  • At first login, the user sees a set of portlets in a particular layout based on the logged-in user's role. The user can then customize the portlet selection and layout.

To add a portlet:


Step 1 On the Prime Central home page, click the Add Applications icon.

Step 2 In the Add Application dialog box, click Cisco Prime.

Step 3 Select the desired portlet and click Add. Alternatively, drag and drop the portlet to the desired location on the home page.

You cannot add multiple instances of the same portlet to the home page.

Step 4 Click the Close (X) icon to close the Add Application dialog box.

Step 5 On the Prime Central home page, click the Refresh Current Page icon to see the portlet you added.


 

Maximizing or Minimizing a Portlet

To maximize or minimize a portlet:


Step 1 Click the Maximize or Minimize icon in the top-right corner of the portlet.

Step 2 To exit the view, do one of the following:

    • In a maximized view, click the Return to Home icon in the top-right corner.
    • In a minimized view, click the Restore icon in the top-right corner. (The Minimize and Restore icons are toggle buttons.)


 

Removing a Portlet

To remove a portlet:


Step 1 In the top-right corner of the portlet, click the Remove icon.

Step 2 At the confirmation prompt, click OK.


 

Adding or Removing Columns in a Portlet

To add or remove columns in a portlet:


Step 1 In the top-right corner of the portlet, click the Settings icon.


Note Although the Alarm Browser and Alarm Report portlets do not have a Settings icon, you can customize their display. See Changing the Alarm Information Displayed and Specifying the Report Order.


Step 2 Click Columns. A list of all available columns in that portlet is displayed. Columns with a check mark are shown in the portlet; columns without a check mark are not shown in the portlet.

Step 3 Uncheck the columns that you do not want displayed in the portlet. Check the columns that you want displayed.

Step 4 Click Close.


 

Changing the Layout of the Home Page

Note the following layout constraints:

  • Large portlets—such as User Management and Common Inventory—cannot be positioned together in a single row.
  • Portlets are not rearranged automatically, unless you choose one of the following options:
    • Free (free-form)
    • 1 col (1 column)

  • When a window is minimized or maximized, you cannot drag and drop portlets to rearrange them.
  • If you choose the Free layout option, portlets are not aligned automatically; instead, you must rearrange them manually. In contrast with other layouts, the Free layout takes up the entire browser window instead of only the content area.

To change the layout of the home page:


Step 1 On the Prime Central home page, click the Change Layout icon.

Step 2 Click the radio button that corresponds to the desired layout (one column, 50/50, and so on).

Step 3 Click Save.


 

Changing the Time Zone

Prime Central stores events in the database in Coordinated Universal Time (UTC). The Prime Central portal converts events to the time zone that is configured on the client’s workstation.

You can use the User Preferences portlet to change the default time zone used for time stamp displays.

To change the time zone:


Step 1 From the Prime Central menu, choose Administration > System > User Preferences.

Step 2 In the User Preferences portlet, select a time zone from the Time Zone drop-down list.

Time zone options are shown as offsets from UTC. The offset range is –11 to +14 hours from UTC.


Note The Language drop-down list is display only. U.S. English is the only language supported in Prime Central 1.1.


Step 3 Click Save.

Step 4 On the Prime Central home page, click the Refresh Current Page icon to see the time zone change.


 

Changing the Prime Central Session Timeout

By default, the Prime Central session times out after 60 minutes of inactivity. You are prompted to extend the session 10 minutes before it times out. If you do not extend the session before the timeout, you are logged out automatically from Prime Central and from any domain managers.

When a session times out, the login window appears. When you log back in, you return to the Prime Central home page. It is recommended that you clear your browser cache and delete cookies before logging in again.

To change the default user session timeout, see Configuring Global Security Settings.

Changing the Fault Management Session Timeout

By default, the fault management session times out after 24 hours of inactivity. If you set the portal timeout to longer than 24 hours, you must change the fault management timeout to align with the portal timeout.

To change the fault management session timeout:


Step 1 Log out of the Prime Central portal.

Step 2 As the primeusr user, log into the fault management server.

Step 3 Enter the following command to stop the fault management server:

$NCHOME/FaultMgmtStop.sh
 

Step 4 Open the $NCHOME/tipv2/profiles/TIPProfile/config/cells/TIPCell/security.xml file and locate the following section:

<authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" OID="oid:1.3.18.0.2.30.2" authContextImplClass="com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextLTPAImpl" authConfig="system.LTPA" simpleAuthConfig="system.LTPA" authValidationConfig="system.LTPA" timeout="1440" keySetGroup="KeySetGroup_TIPNode_1">
 

Step 5 Change the value of the timeout attribute as necessary. The default is 1440 minutes (24 hours).

Step 6 Save and close the security.xml file.

Step 7 Enter the following command to start the fault management server:

$NCHOME/FaultMgmtStart.sh
 

Step 8 Log into the Prime Central portal.
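
The following script is an added example, not part of the Cisco guide. It covers Steps 4 through 6 by reading the LTPA timeout from security.xml, comparing it with a portal timeout, and rewriting it with a backup copy. It assumes the authMechanisms element sits on one line as shown above and reads "align" as a fault management timeout at least as long as the portal timeout; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: inspect and update the LTPA timeout in security.xml.
# Function names are hypothetical; the sample file below is constructed.

# Print the LTPA timeout in minutes; non-zero status if none is found.
# Assumes the authMechanisms element is on a single line, as in the guide.
ltpa_timeout() {
    # $1 = path to security.xml
    sed -n '/<authMechanisms[^>]*xmi:type="security:LTPA"/{
        s/.*[[:space:]]timeout="\([0-9][0-9]*\)".*/\1/p
        q
    }' "$1" | grep -E '^[0-9]+$'
}

# Succeed when the fault management timeout is at least the portal timeout.
# Assumption: "align" means fault management timeout >= portal timeout.
timeout_covers_portal() {
    # $1 = path to security.xml, $2 = portal session timeout in minutes
    fm=$(ltpa_timeout "$1") || return 2
    [ "$fm" -ge "$2" ]
}

# Rewrite only the LTPA timeout, keeping the original as security.xml.bak.
# Run it with the fault management server stopped (Step 3).
set_ltpa_timeout() {
    # $1 = path to security.xml, $2 = new timeout in minutes
    file=$1
    new=$2
    case $new in
        ''|*[!0-9]*) echo "timeout must be whole minutes: $new" >&2; return 2 ;;
    esac
    ltpa_timeout "$file" >/dev/null || {
        echo "no LTPA timeout attribute in $file" >&2
        return 1
    }
    cp -p "$file" "$file.bak" || return 1
    # Writing through the existing file keeps its owner and permissions.
    sed '/<authMechanisms[^>]*xmi:type="security:LTPA"/s/\([[:space:]]timeout="\)[0-9][0-9]*"/\1'"$new"'"/' \
        "$file.bak" > "$file" || return 1
    # Confirm the edit took effect before the server is restarted.
    [ "$(ltpa_timeout "$file")" = "$new" ]
}

# Write a constructed sample: the LTPA element from the guide (shortened)
# plus a decoy element of a made-up type that must stay untouched.
write_sample() {
    cat > "$1" <<'EOF'
<!-- constructed sample, not a complete security.xml -->
<authMechanisms xmi:type="security:OTHER" xmi:id="OTHER_1" timeout="30"/>
<authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" OID="oid:1.3.18.0.2.30.2" authConfig="system.LTPA" simpleAuthConfig="system.LTPA" authValidationConfig="system.LTPA" timeout="1440" keySetGroup="KeySetGroup_TIPNode_1">
</authMechanisms>
EOF
}

# Demo: a portal timeout of 2880 minutes (48 hours) exceeds the 1440 default.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/security.xml"
    echo "current LTPA timeout: $(ltpa_timeout "$dir/security.xml") minutes"
    timeout_covers_portal "$dir/security.xml" 2880 ||
        echo "fault management timeout is shorter than the portal timeout"
    set_ltpa_timeout "$dir/security.xml" 2880 &&
        echo "new LTPA timeout: $(ltpa_timeout "$dir/security.xml") minutes"
    rm -rf "$dir"
}
demo
```

On a real server the path argument would be the security.xml file named in Step 4, and the .bak copy gives a rollback point if the fault management server fails to start.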


 

Menu Structure

When you log into Prime Central, the menu structure that you can access depends on your user privileges and which components are installed and available. The following menus are visible to users with administrator-level privileges:


Note Although some browsers allow you to open multiple tabs within a single browser instance, you should not try to access the Prime Central portlets across multiple tabs within the same browser instance. You can, however, cross-launch to a domain manager in a new browser tab.


Home Menu

The Home menu (Figure 1-3) takes you to the Prime Central home page. When a portlet is maximized, the Return to Home icon returns you to the home page.

Figure 1-3 Home Menu

 

Design Menu

From the Design menu (Figure 1-4), network designers can define the resources needed to build service profiles. Operators can then use these service profiles to fulfill service requests, provision, and activate the service.

The Design menu cross-launches Prime Provisioning, where you can perform the following functions:

  • Customers—Create and manage customers. A customer is typically an enterprise or large corporation that receives network services from a service provider.
  • Providers—Create and manage provider accounts. A provider is typically a “service provider” or large corporation that provides network services to a customer.
  • Resource Pools—Create and manage pools for IP address, multicast address, route distinguisher, site of origin, virtual circuit ID (VC ID), and VLAN.
  • Route Targets—Create and manage route targets. A VPN can be organized into subsets called route targets, which describe how the customer edge (CE) routers in a virtual private network (VPN) communicate with each other.
  • Template Manager—Create and manage templates and associated data. Templates provide a means to deploy commands and configurations not normally supported by Prime Provisioning to a device. Templates are written in the Velocity Template Language (VTL) and are generally comprised of IOS and IOS XR device CLI configurations.
  • Policy Manager—Create and manage policies for licensed services. Policies are used to define common tunnel attributes such as bandwidth pools, hold and setup priority, and affinity bits.
  • Create New Policy—Create a new service policy, which can be applied to multiple provider edge (PE)-CE links in a single service request. A network operator defines service policies. A service operator uses a service policy to create service requests.

For details about using Prime Provisioning to provision your network, see the Cisco Prime Provisioning 6.3 User Guide.

Figure 1-4 Design Menu

 

Fulfill Menu

The Fulfill menu (Figure 1-5) cross-launches Prime Provisioning, where you can perform the following functions:

  • Service Request Manager—Manage Prime Provisioning service requests.
  • Create Service Request—Create a new Prime Provisioning service request.
  • Task Manager—View pertinent information about current and expired tasks of all types, create and schedule new tasks, delete specified tasks, and delete the active and expired tasks.
  • Task Logs—View task logs, which can be used to understand the status of a task, know whether it completed successfully, and troubleshoot why a task failed.

For details about Prime Provisioning service requests and tasks, see the Cisco Prime Provisioning 6.3 User Guide.

Figure 1-5 Fulfill Menu

 

Assure Menu

The Assure menu (Figure 1-6) contains the following menu options:

  • Prime Fault Management—Cross-launches the following portlets that let you locate, diagnose, and report network problems:
    • Alarm Browser—See Monitoring Affected Services and Customers.
    • Alarm Report—See Analyzing Fault Data.
  • Prime Optical—Cross-launches the Prime Optical domain manager. For details about using Prime Optical to manage your optical network, see the Cisco Prime Optical 9.6 User Guide.
  • Prime Network—Cross-launches the selected Prime Network component (Vision or Events). For details about using Prime Network to discover and manage your packet network, see the Cisco Prime Network 3.9 User Guide.
  • Prime Performance Manager—Cross-launches the Prime Performance Manager component. For details about using Prime Performance Manager to view the performance statistics and reports for a network, see the Cisco Prime Performance Manager 1.2 User Guide.

Figure 1-6 Assure Menu

 

Analyze Menu

The Analyze menu (Figure 1-7) cross-launches Prime Provisioning, where you can perform the following VPN or MPLS diagnostics:

  • L3VPN—CE to CE
  • L3VPN—PE to attached CE
  • L3VPN—CE to PE across Core
  • L3VPN—PE to PE in VRF
  • MPLS—PE to PE

For details about using Prime Provisioning to troubleshoot and diagnose problems, see the Cisco Prime Provisioning 6.3 User Guide, section “Performing Diagnostics.”

You can also cross-launch Cisco InTracer from the Analyze menu. Cisco InTracer is a high-performance, subscriber troubleshooting and monitoring solution. It performs call tracing, control data acquisition, processing, and analysis of both active and historical subscriber sessions. Cisco InTracer provides a framework for operators to analyze and investigate call flows and call events for subscriber sessions in near-real time. For more information about InTracer, see the Cisco InTracer Installation and Administration Guide, Version 12.2.

Figure 1-7 Analyze Menu

 

Inventory Menu

The Inventory menu (Figure 1-8) lets you view detailed inventory information for all devices in your network.

Figure 1-8 Inventory Menu

 

Administration Menu

The Administration menu (Figure 1-9) contains the following menu options:

  • Discovery/Adding Devices—Cross-launches the Prime Network, Prime Optical, or Prime Provisioning domain manager.
  • User and Group Management—Lets you perform user management operations, including defining users and passwords and configuring RBAC.
  • Scope Management—Lets you assign device scopes (in Prime Network) or network elements (in Prime Optical) to Prime Central users.
  • System:
    • Audit Log—Lets you view user activity in Prime Central and in the individual domain managers.
    • Suite Monitoring—Lets you monitor Prime Central and the individual domain managers.
    • User Preferences—Lets you change the default time zone used for time stamp displays.

Figure 1-9 Administration Menu

 

Filtering and Searching

In some tables, the amount of detail can be overwhelming. In such cases, filtering helps eliminate unnecessary details, while searching helps you quickly locate data that you want to examine further.

By filtering a table’s contents, you can view only those items that are of interest to you. This feature can be extremely helpful when working with tables that contain many entries.

Filtering Using the Quick Filter

The User Management, Common Inventory, and Audit Log portlets have a Show drop-down list with a Quick Filter option, as shown in Figure 1-10.

Figure 1-10 Quick Filter

 

To use the Quick Filter to narrow the data in a table:


Step 1 From the Show drop-down list, choose Quick Filter (Figure 1-10).

Step 2 In the text field for each column, enter the search criteria.


Note In the Common Inventory portlet, the Quick Filter supports a percentage character (%) as a wildcard in the Management IP Address field. Other fields in the Common Inventory portlet do not use this character as a wildcard.

To search on complete octets in the Management IP Address field, the % character is not required. Instead, enter a period; the search returns the complete octet after the period.


 


 

Filtering Using the Advanced Filter

The User Management, Common Inventory, and Audit Log portlets have a Show drop-down list and an Advanced Filter option, as shown in Figure 1-11.

Figure 1-11 Advanced Filter

 

To use the Advanced Filter to narrow the data in a table:


Step 1 From the Show drop-down list, choose Advanced Filter (Figure 1-11).

Step 2 Specify the required information for each criterion. For more information, see Configuring an Advanced Filter Criterion.

Step 3 Click the + icon to add another criterion for this filter.

Step 4 Add additional criteria as required. To remove a criterion, click the - icon.

Step 5 When you have specified all criteria for the filter, click Go.

The table data is displayed using the defined filter.

Step 6 To clear a filter, click Clear Filter.

The table is refreshed and all entries are displayed.


 

Configuring an Advanced Filter Criterion

The following table describes the actions you need to take when you configure an Advanced Filter criterion.

 

Field | Action/Description

First drop-down list | Choose the primary match category. The drop-down list contains all columns in the current table.

Second drop-down list | Choose the rule to use for this criterion. The options are:

  • Contains—The attribute value is returned if it contains the string you entered. The string can be located at the start, end, or middle of the attribute for the match to succeed. For example, if the string is cle, the following values match it in the contains mode: clean, nucleus, circle.
  • Does not contain—In this mode, only those attributes that do not contain the given string match. The results are opposite to that of the contains mode. For example, if you enter cle in this mode, clean, nucleus, and circle are rejected, but foot is deemed to match, because it does not contain cle.
  • Starts with—The value of the attribute must start with the string you entered. For example, if the string is foot, footwork matches, but afoot does not.
  • Ends with—This is the reverse of the starts with case, when a given attribute matches only if the specified string is at the end of the attribute value. In this mode, for example, the string foot matches afoot but not footwork.
  • Is empty—Lists the result where there is no value in the field.
  • Is not empty—Lists the result where the value is not missing from the field.
  • Is exactly (or equals)—This is the most generic mode, in which you can enter a full or partial expression that defines which nodes you are interested in.
  • Does not equal—Lists the result that does not equal the specified value.
  • Is greater than—Lists the result that is greater than the specified value.
  • Is less than—Lists the result that is less than the specified value.
  • Is greater than or equal to—Lists the result that is greater than or equal to the specified value.
  • Is less than or equal to—Lists the result that is less than or equal to the specified value.

Third field (either drop-down list or entry field) | The third field either lists the available values or allows you to enter text:

  • If a drop-down list is displayed, choose the required entry.
  • If an entry field is displayed, enter a string or regular expression for the criterion.
  • Any entry that is not a regular expression is treated as a string.

Sorting

To sort data in a table, simply click a column heading. By clicking the column heading, you can toggle between ascending and descending sort order. The column tooltip indicates whether the column is sortable, not sortable, or currently sorted.


Note You can sort only one column at a time.


A triangle next to the column heading indicates the sort order:

  • indicates the column is sorted in ascending order.
  • indicates the column is sorted in descending order.

Finding the Prime Central Version

To find the Prime Central version you are running, click the About link on the portal home page.

The About window (Figure 1-12) displays the Prime Central version. Use the vertical scroll bar to view the Prime Central build and patch numbers, as well as version information for any installed domain managers.

Figure 1-12 About Window

 

Logging Out of the Prime Central Portal

Prime Central features single sign-off. When you log out of the Prime Central portal home page, you are automatically logged out of any domain managers.

Closing the Prime Central Browser Without Logging Out

If your user account has a maximum number of active sessions (for example, one active session), and if you close your browser without logging out of Prime Central, your session is still in use, and you cannot log back in. When you try to log back in, the following error appears:

You are running the maximum number of allowed sessions for this user account. Log out from one or more sessions and try again.
 

To restore your login, do either of the following:

  • Ask your system administrator to disable and then enable your user account in the User Management portlet. See Enabling or Disabling a User Account.
  • Wait for the user session timeout (by default, 60 minutes), at which point your session expires. 10 minutes after expiration, all expired sessions are cleared automatically.

Managing the Self-Signed Certificates

The first time you log into Prime Central, you must accept the self-signed, untrusted security certificates.

You can replace the Prime Central certificates in the following directories with your company’s signed, trusted certificates.

 

Self-Signed Certificate | Certificate Locations

Portal |

  • installation-directory/SHARED/certificate/prime.cer
  • installation-directory/install/utils/sslgen/prime.cer

When the prime.cer certificate is replaced with your company’s signed certificate in the preceding locations, delete the old prime.cer certificate and add the new certificate in the following keystores:

  • installation-directory/install/utils/sslgen/prime.keystore
  • installation-directory/XMP_Platform/jre/lib/security/cacerts

Integration layer |

  • installation-directory/apache-servicemix-version/etc/certs/prime-client.jks
  • installation-directory/apache-servicemix-version/etc/certs/prime-ks.jks
  • installation-directory/apache-servicemix-version/etc/certs/prime-ts.jks

Fault management | See Replacing the Certificates in the Fault Management Component.

Replacing the Certificates in the Fault Management Component

Complete the following procedures to obtain new Secure Sockets Layer (SSL) certificates for the Prime Central fault management component.

Creating a Certificate Signing Request with WebSphere

To create a certificate signing request with WebSphere:


Step 1 Verify that the keystore used to store the certificate signing request exists.

Step 2 On a supported browser, go to https://fault-management-server-IP-address:fault-management-web-service-listener-port/primefm/console.


Note The fault management web service listener port is 16311.


Step 3 Log in with the username and password that you configured for the Prime Central fault management application user during installation.

Step 4 Choose Settings > WebSphere Administrative Console > Launch WebSphere administrative console.

Step 5 From the left-pane menu bar in the Integrated Solutions Console tab, choose Security > SSL certificate and key management.

Step 6 From the Related Items list in the center pane, choose Key stores and certificates.

Step 7 From the table of keystores and certificates, choose the appropriate keystore. The default is NodeDefaultKeystore.

Step 8 At the right of the Properties menu, choose Personal certificate requests from the Additional Properties list.

Step 9 From the table of existing certificate signing requests, click the New button at the top of the menu.

Step 10 From the General Properties menu, enter the following values:

  • For the certificate request file, enter the desired path for the certificate signing request. By default, the path is ${CONFIG_ROOT}/cells/TIPCell/nodes/TIPNode/desired-filename-for-certificate-signing-request.
  • For the key label, enter an alias name that identifies the certificate request in the keystore.

Step 11 Enter values in the remaining fields as you would for a normal certificate signing request.

Step 12 Click Apply.

The certificate signing request is created in the specified location and the associated entry is recorded in the keystore. The certificate signing request functions as a temporary placeholder for the signed certificate until you manually receive the certificate in the keystore.


Note Keystore tools such as keytool cannot receive signed certificates that are generated by certificate requests from the WebSphere Application Server (WAS). Similarly, the WAS cannot accept certificates that are generated by certificate requests from other keystore utilities.


Step 13 Manually send the certificate signing request to a certificate authority (CA).

Step 14 Receive the CA-signed certificate into the keystore.


 

Receiving a Certificate Issued By a WebSphere Certificate Authority

To receive a certificate issued by a WebSphere certificate authority:


Step 1 Verify that the keystore contains the certificate request that was created and sent to the CA.

Step 2 Verify that the keystore can access the certificate that the CA returned.

Step 3 On a supported browser, go to https://fault-management-server-IP-address:fault-management-web-service-listener-port/primefm/console.


Note The fault management web service listener port is 16311.


Step 4 Log in with the username and password that you configured for the Prime Central fault management application user during installation.

Step 5 Choose Settings > WebSphere Administrative Console > Launch WebSphere administrative console.

Step 6 From the left-pane menu bar in the Integrated Solutions Console tab, choose Security > SSL certificate and key management.

Step 7 From the Related Items list in the center pane, choose Key stores and certificates.

Step 8 From the table of keystores and certificates, choose the appropriate keystore. The default is NodeDefaultKeystore.

Step 9 At the right of the Properties menu, choose Personal certificates from the Additional Properties list.

Step 10 From the table of certificates, click the Receive from a certificate authority button at the top.

Step 11 From the General Properties menu, enter the following values:

  • For the certificate filename, enter the path for the certificate received from the CA. By default, the path is ${CONFIG_ROOT}/cells/TIPCell/nodes/TIPNode/filename-of-certificate.
  • For the data type, choose the certificate data type.

Step 12 Click Apply and Save.

The keystore contains a new personal certificate that is issued by a CA.


 

Importing an Existing Certificate into WebSphere

To import an existing certificate into WebSphere:


Step 1 On a supported browser, go to https://fault-management-server-IP-address:fault-management-web-service-listener-port/primefm/console.


Note The fault management web service listener port is 16311.


Step 2 Log in with the username and password that you configured for the Prime Central fault management application user during installation.

Step 3 Choose Settings > WebSphere Administrative Console > Launch WebSphere administrative console.

Step 4 From the left-pane menu bar in the Integrated Solutions Console tab, choose Security > SSL certificate and key management.

Step 5 From the Related Items list in the center pane, choose Key stores and certificates.

Step 6 From the table of keystores and certificates, choose the appropriate keystore. The default is NodeDefaultKeystore.

Step 7 At the right of the Properties menu, choose Personal certificates from the Additional Properties list.

Step 8 At the top of the certificates table, click the Import button.

Step 9 From the General Properties menu, choose either Managed key store or Key store file, and fill out the required information for the option you chose. See Table 1-2 for field descriptions.

Step 10 Click Apply and Save.


 

WebSphere General Properties Menu

The following table describes the WebSphere General Properties menu and the actions you need to take here.

 

Table 1-2 WebSphere General Properties Menu

Field: Managed key store option
Action: Imports the certificate from another keystore that is already being managed by the WebSphere Application Server. If you choose this option, do not:

  • Enter a filename in the Key file name field
  • Select a format type from the Type drop-down list
  • Enter a password in the Key file password field

Field: Key store file option
Action: Imports the certificate from a keystore contained in a file. If you choose this option, do not:

  • Select a keystore from the Key store drop-down list
  • Enter a password in the Key store password field

Field: Key store drop-down list
Action: Choose a keystore to import.

Field: Key store password field
Action: Enter the keystore password. The default password is WebAS.

Field: Key file name field
Action: Enter the full filename of the keystore from which you want to import the certificate.

Field: Type drop-down list
Action: Choose the format type of the certificate.

Field: Key file password field
Action: Enter the key file password.

Field: Certificate alias to import drop-down list
Action: Choose the alias for the certificate you want to import.

Field: Imported certificate alias field
Action: Enter an alias for the certificate in the keystore.

Placing Certificates in the Internet Explorer Trusted Store

When you use Internet Explorer to log into Prime Central, if you accept the security certificates without placing them in the trusted certificate store, they reappear upon subsequent logins.

To place certificates in the trusted store so they do not reappear upon subsequent logins:


Step 1 At the prompt to save a security certificate in the trusted store, click Install Certificate. A sample prompt reads as follows:

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.
 

Step 2 In the Certificate Import wizard, click Browse to locate the certificate store.

Step 3 In the Select Certificate Store dialog box, choose Trusted Root Certification Authorities and click OK.

Step 4 In the Certificate Import wizard, click Finish. The next time you use Internet Explorer to log into Prime Central, the security certificates do not reappear.