NetFlow Analyzer Enterprise edition uses SSL for communication between collectors and central server and also for web server connectivity to central server. The product provides options for using 3rd party security certificates for SSL connectivity as many organizations prefers their own certificates approved by any certificate authority.

Steps to be followed for installing certificate from Certificate Authority (CA) for NetFlow Analyzer Enterprise is given below:

NOTE: The steps are for NetFlow Analyzer Enterprise edition. If you are trying to enable SSL for NetFlow Analyzer Professional edition, please email the technical team at  netflowanalyzer-support@manageengine.com

1. Generate a keystore
   
   
   
• Open a command prompt and navigate to ManageEngine/NetFlowCentral/jre/bin directory
• Type the following command:
  keytool -keyalg RSA  -keystore server.keystore -genkey -alias ServerKey
  
  where server.keystore is the user defined name for the keystore and ServerKey is the alias name. The name of the keystore is user defined and this exact name needs to be specified in server.xml present under ManageEngine/NetFlowCentral/conf directory. In this example, we are generating a keystore named as server.keystore for the Central server.
  
  
  
• Once prompted, enter the information required to generate a CSR. A sample key generation section follows.
        Enter keystore password:passwd            [password is user defined and needs to be specified in server.xml]
        What is your first and last name?
  
        [Unknown]:symphony                               [Replace this with the name of your host name where NetFlow Central server will be installed]
        What is the name of your organizational unit?
  
        [Unknown]:NETFLOWENTERPRISE  
           [Rest of the fields are user defined]
        what is the name of your organization?
        [Unknown]:ZOHO       
  
        What is the name of your City or Locality?
        [Unknown]:Chennai       
  
        What is the name of your State or Province?
        [Unknown]:TamilNadu    
        What is the two-letter country code for this unit?
        [Unknown]:IN           
        Is CN=symphony, OU=NETFLOWENTERPRISE, O=ZOHO, L=Chennai, ST=TamilNadu, C=IN correct?
        [no]: yes
        Enter key password for
            (RETURN if same as keystore password):passwd
        Re-enter new password:passwd
  
  
  This operation creates a KeyStore file named server.keystore in the current working directory. ie. ManageEngine/NetFlowCentral/jre/bin directory.
  
  You must specify a Fully Qualified Domain Name (FQDN) for the “first and last name” question. The reason for this is that some CA such as VeriSign expect this property to be a FQDN. There are CAs that do not require a FQDN, but it is recommended to use a FQDN for the sake of portability. All the other information given must be valid. If the information cannot be validated, a CA will not sign a generated CSR for this entry.
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
2. Create a local CSR file
   
   
   This KeyStore has an alias name ServerKey which was defined by the user when generating the keystore. To generate a CSR, follow the steps as below:
   
   
   
• From the same directory (ManageEngine/NetFlowCentral/jre/bin), execute the following command:
  
  keytool -keystore server.keystore -certreq -alias ServerKey -keyalg RSA -file self.csr  
  
  Once the command is executed, you will be prompted for password.
  Enter keystore password:passwd  
       [The same password entered for the generation of keystore, here "passwd"]
  
  This command generates a certificate signing request (CSR), in our case self.csr, which can be provided to a CA for a certificate request. The self.csr file will be created in the same directory. ie. ManageEngine/NetFlowCentral/jre/bin
  
  
  
  
  
  
  
  
  
3. Import CA certificate to keystore
   
   Once the CSR is provided to the CA authority, we will be provided certificates depending on the CA and they are usually the root certificate, chained certificate and CA certificate. These certificates needs to be imported into the already generated keystore (in our case, server.keystore). The files needs to be imported to the keystore in the exact sequence as provided by the CA, the steps for which are below. The import should be done from ManageEngine/NetFlowCentral/jre/bin directory.
   
   
   
   
   
• Import the Root File: The following command imports the root certificate to the keystore. Here, assume that the CA’s root certificate is in the file CARoot.cer . Copy it to the ManageEngine/NetFlowCentral/jre/bin directory and execute the following command from the command prompt:
  
   keytool -import -trustcacerts -keystore server.keystore -file CARoot.cer -alias Root
  
  Once the command is executed, you will be prompted for password.
  
  Enter keystore password:passwd        [The same password entered for the generation of keystore,here "passwd"]
  
  ........
  ........
  Trust this certificate? [no]:YES
  
  
  
  
  
  
  
  
  
  
  
  
  
• Import the Chained trusted file: This command imports the chained certificate to the keystore. Here, assume that the CA’s chained certificate is in the file chain.cer and copy it to the ManageEngine/NetFlowCentral/jre/bin directory and execute the following command from the prompt:
  
   keytool -import  -trustcacerts -keystore server.keystore -file chain.cer -alias Chain
  
  Once the command is executed, you will be prompted for password.
  
  Enter keystore password:passwd        [The same password entered for the generation of keystore,here "passwd"]
  
  If you receive more than one chained certificate from CA repeat the same procedure by replacing 'Chain' as 'Chain1' , 'Chain2 '  and etc.
  
  
  
  
  
  
  
  
  
  
  
  
• Import the Third Party Certificate: This command imports the CA certificate to the keystore. Here, assume that the CA’s certificate is in the file CAcert.cer and copy it to the ManageEngine/NetFlowCentral/jre/bin directory and execute the following command from the prompt:
  
    keytool -import -keystore server.keystore -file CAcert.cer -alias ServerKey    [The same name and alias used when generating the keystore is to be used here]
  
  Once the command is executed, you will be prompted for password.
  
  Enter keystore password:passwd        [The same password entered for the generation of keystore,here "passwd"]
  
  
  
  
  
  
  
  
  
  
4. Generate trust certificate from server.keystore
   
   
   
• Execute the following command.
  
   keytool  -export -alias ServerKey -file server.cer  -keystore server.keystore
  
  
  Once the command is executed we will be prompted for password.
  
  Enter keystore password:passwd     [The same password entered for the generation of server.keystore,here "passwd"]
  
  This command will export the ServerKey trust store into the server.cer
  
  
  
  
  
  
  
  
  
  
  
  
5. Import the trust certificate to the client.keystore
   
   
   
• Execute the following command.
  
  keytool -import -alias CentralKey -file server.cer -keystore client.keystore -noprompt
  
  Once the command is executed we will be prompted for password.
  
  Enter keystore password:passwd  [password is user defined and needs to be specified as detailed below]
  Re-enter new password:passwd
  
  where client.keystore is the user defined name for the keystore and CentralKey is the alias name. The name of the keystore is user defined and this exact name needs to be specified as detailed below.