Sec/User Mgmt: Import Server Certificate and Trusted CA Certificate

Document created by RSA Information Design and Development on Apr 11, 2019Last modified by RSA Information Design and Development on Apr 26, 2019
Version 2Show Document
  • View in full screen mode
 

To enable PKI authentication, you must import the Trusted CA certificate into the NetWitness Platform. You can import the server certificate and the trusted CA certificate in the ADMIN > Security view > PKI Settings tab.

Certificate Revocation List

A Certificate Revocation List (CRL) is a file that contains a list of revoked certificates with details such as the serial number and revocation date of each certificate. When a certificate validity is expired, it must be revoked to avoid any compromise of the certificate by unauthorized users. For example, if a NetWitness Platform user resigns from an organization, then the user's certificate must be revoked by the issuing CA. 

You can import the CRL or specify the HTTP URL issued by your trusted CA, so that NetWitness Platform can validate with the CRL to block unauthorized users from accessing NetWitness Platform.

To import the CRL or specify a HTTP URL into NetWitness Platform, choose one of the following methods:

  • HTTP server - This is the most common CRL location where the CA publishes the CRL to external applications using an HTTP server. The NetWitness Platform reads the CRL using the HTTP URL.
  • Local CRL - This allows the users to manually download the CRL from the CA and upload it to the NetWitness Platform.
  • OCSP (Online Certificate Status Protocol) Responder - This allows NetWitness Platform to verify the revocation status of a particular certificate instead of validating the complete CRL. To specify a OCSP Responder, you need to provide the HTTP URL and optionally the OCSP Responder's Signing certificate. Make sure the OCSP Responder is online while adding the entry. When the OCSP Responder Signing Certificate is updated, you need to manually update the certificate in NetWitness Platform.

Note: You can configure the CRL when you import the CA certificate or after importing the CA certificate.

User Principal Settings

User Principal Settings allow NetWitness Platform to uniquely identify the user from the user certificate for PKI authentication. To identify the user, you must specify an attribute in the user certificate to extract the user name or user id. NetWitness Platform must be configured to read the value of this attribute. NetWitness Platform uses the extracted value of this attribute as username or user id for authorization and retrieves the user groups from an Active Directory (AD) server. By default, NetWitness Platform extracts the entire value of the selected attribute, without filtering any characters. You can apply regular expression (RegEx) to refine the value extracted.

Note: The conversion of Distinguished Names (attribute in Subject Name or Subject Alternative Name) to a human readable format is done based on RFC2253 (LDAPv3). Therefore, any Relative Distinguished Name apart from the one defined in RFC2253 (LDAPv3) may display in hex format. For example, email attribute value may display #1160bcghryy637bchs774. You can apply RegEX to extract the value. NetWitness Platform tries its best to extract values for such attributes.

User Principal settings can be configured when you import the Trusted CA certificate.

Lookup Query

A Lookup Query sends a specific query to Active Directory to retrieve the user object. Here is an example of a sample query for retrieving a user object from the Active Directory.

Sample Query:(&(objectCategory=Person)(objectClass=User)(CN=${nw-pki-user}))
nw-pki-user is replaced with the value extracted from the user certificate.

Caution: Make sure that the AD user account is active. AD does not return the user account expiry (accountExpires) information to NetWitness Platform along with user details. Therefore, the NetWitness Platform cannot validate the AD user account is expired or not.

Note: NetWitness Platform does not validate the syntax of the lookup query. You must ensure proper query syntax is used to retrieve the user object from Active Directory.

Import NW Server Certificate with its Private Key

For instructions on how to import the NetWitness Server Certificate with its private key, see (Optional) Use a Custom Server Certificate.

Import Trusted CAs, Configuring CRL and User Principal Settings

To import a trusted CA:

  1. Go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the Trusted CAs section, click The add icon.
    The Import Certificate Authority dialog is displayed.
    Import Certifcate Authority dialog

Note: The supported formats are .p12, .jks, .pfx, .pem, .crt, .der, and .cer

  1. In the CA Store File field, click Browse and select a certificate.
  2. In the Password field, enter the password of the certificate.

Note: The password is applicable only for .p12, .pfx and .jks certificate formats.

  1. Click Save.
    A Configure Trusted CA dialog is displayed with Certificate Details.
    Trusted CA certificate details dialog
  2. Click Next.
    CRL configuration window
  3.  In the Revocation Configuration section, do one of the following to configure the CRL revocation check.
    • Select Disable Revocation Checks to disable the CRL revocation check.

    Warning: Disabling the revocation check may increase the risk of unauthorized users logging in to NetWitness Platform.

  4. Click Next.
  5. To configure user principal settings, in the User Principal Settings section, click Configure Path and RegEx.
    User Prinicapl settings window
  6. In the Certificate field, paste the PEM (Base64) encoded user certificate.
    BASE64 encoded user certificate
  7. Click Next.
    The subjectDN, subjectAltnames, and extenstions attributes are displayed.
    Attribute contains value for user principal
  8. Select a unique attribute value to extract the username or user id.
  9. To apply RegEx, click The add icon.

Note: You can apply multiple RegEx to extract a username or user id. All of the extracted values are concatenated to generate the final username or user id.

  1. Click Test.
    The final user name or user id after applying RegEx is extracted and displayed.
    Apply RegEx window
  1. Click Save.
    Lookup Quey window
  2. Enter the query in the Lookup Query field to query the external authentication system for retrieving the user objects.
  3. Click Test User Certificate.
    The Test User Certificate dialog is displayed.
    Test user Certificate dialog
  4. Paste the PEM of the user certificate and click Test.

Note: The user Certificate is used by NetWitness Platform for a dry-run of the trusted CA configuration. If the user certificate validation and the user id extraction from the certificate is successful, a confirmation message is displayed.

  1. After the certificate is validated, click Save.
    The following message is displayed.
    Trusted CA save message
  2. Click OK.
    The Trusted CA certificate is added to the NetWitness Platform.

Note: You can add multiple Trusted CA certificates.

You are here
Table of Contents > (Optional) Set Up Public Key Infrastructure (PKI) Authentication > Configure PKI Authentication > Import Server Certificate and Trusted CA Certificate

Attachments

    Outcomes