To enable PKI authentication, you must import the Trusted CA certificate into the NetWitness Platform. You can import the server certificate and the trusted CA certificate in the ADMIN > Security view > PKI Settings tab.
Certificate Revocation List
A Certificate Revocation List (CRL) is a file that lists revoked certificates with details such as the serial number and revocation date of each certificate. When a certificate's validity has ended, it must be revoked to prevent unauthorized users from using it. For example, if a NetWitness Platform user resigns from an organization, the user's certificate must be revoked by the issuing CA.
You can import the CRL or specify the HTTP URL published by your trusted CA, so that NetWitness Platform can validate user certificates against the CRL and block unauthorized users from accessing NetWitness Platform.
To import the CRL or specify an HTTP URL in NetWitness Platform, choose one of the following methods:
- HTTP server - This is the most common CRL location where the CA publishes the CRL to external applications using an HTTP server. The NetWitness Platform reads the CRL using the HTTP URL.
- Local CRL - This allows the users to manually download the CRL from the CA and upload it to the NetWitness Platform.
- OCSP (Online Certificate Status Protocol) Responder - This allows NetWitness Platform to verify the revocation status of a particular certificate instead of validating the complete CRL. To specify an OCSP Responder, you need to provide the HTTP URL and, optionally, the OCSP Responder's signing certificate. Make sure the OCSP Responder is online while adding the entry. When the OCSP Responder's signing certificate is updated, you need to manually update the certificate in NetWitness Platform.
User Principal Settings
User Principal Settings allow NetWitness Platform to uniquely identify the user from the user certificate for PKI authentication. To identify the user, you must specify an attribute in the user certificate from which the user name or user id is extracted. NetWitness Platform must be configured to read the value of this attribute. NetWitness Platform uses the extracted value of this attribute as the username or user id for authorization and retrieves the user groups from an Active Directory (AD) server. By default, NetWitness Platform extracts the entire value of the selected attribute, without filtering any characters. You can apply a regular expression (RegEx) to refine the extracted value.
User Principal settings can be configured when you import the Trusted CA certificate.
A Lookup Query sends a specific query to Active Directory to retrieve the user object. The following is a sample query for retrieving a user object from Active Directory.
nw-pki-user is replaced with the value extracted from the user certificate.
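The following added example (not NetWitness code) shows the two steps described above: extracting the user id from a selected certificate attribute, either whole or refined by a RegEx, and then substituting it for the nw-pki-user placeholder in a lookup query. The attribute values and the query template are constructed assumptions; the escaping step is included because a value taken from a certificate should never be allowed to change the meaning of the LDAP filter.

```python
import re

# Constructed sample values, as they might appear in a user certificate's
# subjectDN and subjectAltName (not taken from the page).
SAMPLE_ATTRIBUTES = {
    "subjectDN.CN": "Jane Doe (jdoe)",
    "subjectAltName.otherName.UPN": "jdoe@corp.example",
}

# Hypothetical lookup query template; nw-pki-user is the placeholder the
# page describes as being replaced with the value extracted from the cert.
LOOKUP_QUERY = "(&(objectClass=user)(sAMAccountName=nw-pki-user))"


def extract_principal(attributes, attribute, regex=None):
    """Return the user id from the selected attribute.

    With no RegEx the whole attribute value is used (the default behaviour
    described above). With a RegEx, the first capture group is used, or the
    whole match when the pattern has no group.
    """
    value = attributes[attribute]
    if regex is None:
        return value
    match = re.search(regex, value)
    if not match:
        raise ValueError(f"RegEx {regex!r} did not match {value!r}")
    return match.group(1) if match.groups() else match.group(0)


def ldap_escape(value):
    """RFC 4515 filter escaping: the certificate value must not be able to
    inject additional filter terms into the lookup query."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_lookup_query(principal, template=LOOKUP_QUERY,
                       placeholder="nw-pki-user"):
    """Substitute the escaped user id for the placeholder in the template."""
    return template.replace(placeholder, ldap_escape(principal))


if __name__ == "__main__":
    # UPN refined to the part before '@', then used in the lookup query.
    uid = extract_principal(SAMPLE_ATTRIBUTES,
                            "subjectAltName.otherName.UPN", r"^([^@]+)@")
    print(uid, "->", build_lookup_query(uid))
```

Test the configured attribute and RegEx with the Test User Certificate dialog described below before saving, since a RegEx that does not match will leave the user unidentifiable.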
Import NW Server Certificate with its Private Key
For instructions on how to import the NetWitness Server Certificate with its private key, see (Optional) Use a Custom Server Certificate.
Import Trusted CAs, Configuring CRL and User Principal Settings
To import a trusted CA:
- Go to ADMIN > Security.
The Security view is displayed with the Users tab open.
- Click the PKI Settings tab.
- In the Trusted CAs section, click .
The Import Certificate Authority dialog is displayed.
- In the CA Store File field, click Browse and select a certificate.
- In the Password field, enter the password of the certificate.
- Click Save.
A Configure Trusted CA dialog is displayed with Certificate Details.
- Click Next.
- In the Revocation Configuration section, do one of the following to configure the CRL revocation check.
- Select Disable Revocation Checks to disable the CRL revocation check.
- Select Configure Revocation Checks Manually to manually configure the CRL revocation check.
For more information, see (Optional) Configure the CRL Manually.
- Click Next.
- To configure user principal settings, in the User Principal Settings section, click Configure Path and RegEx.
- In the Certificate field, paste the PEM (Base64) encoded user certificate.
- Click Next.
The subjectDN, subjectAltnames, and extensions attributes are displayed.
- Select a unique attribute value to extract the username or user id.
- To apply RegEx, click .
- Click Save.
- In the Lookup Query field, enter the query used to retrieve the user object from the external authentication system.
- Click Test User Certificate.
The Test User Certificate dialog is displayed.
- Paste the PEM of the user certificate and click Test.
- After the certificate is validated, click Save.
The following message is displayed.
- Click OK.
The Trusted CA certificate is added to the NetWitness Platform.