000037432 - Replace the existing self-signed certificates of the RSA NetWitness Server with Customer Provided Certificates

Document created by RSA Customer Support Employee on May 9, 2019
Last modified by RSA Customer Support Employee on Jun 3, 2019
Version 2

Article Content

Article Number: 000037432
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Version/Condition: 11.1.x, 11.2.x, 11.3
Issue: Below are the instructions to replace the existing self-signed certificates of the NW Server with customer-provided certificates (CA certificates).
Tasks: First generate a CSR according to the requirements of your organization.

To generate a CSR: 
  1. Log in to your Admin server's terminal (SSH). 
    At the prompt, type the following command: 

    # openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr


    Note: Replace yourdomain with the domain name you are securing. For example, if your domain name is abcnetwitness.com, you would type abcnetwitness.key and abcnetwitness.csr. 
     
  2. Enter the requested information: 

    Common Name: The fully-qualified domain name, or URL, you're securing. 

    If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example, *.coolexample.com. 

    Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name. 

    Organization Unit: If applicable, enter the DBA (doing business as) name. 

    City or Locality: Name of the city where your organization is registered/located. Do not abbreviate. 

    State or Province: Name of the state or province where your organization is located. Do not abbreviate. 

    Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered. 


    Note: If you do not want to set a password for this certificate request, you can leave the Passphrase field blank. 
     
  3. Open the CSR in a text editor and copy all of the text. 
  4. Submit this CSR (which carries the public key) to your Certificate Authority for signing. 

Note: For this configuration you need the CA certificate (.pem) file, the private key (.pem) file, the certificate chain (.chain) file and the PKCS#7 (.p7b) file. The signed certificate, chain and PKCS#7 files should have been provided by the CA; the private key is the yourdomain.key file generated in step 1.

If your CA provided the certificate file in PFX (Base64 Encoding) format, you can open it in a text editor and copy the entries from BEGIN CERTIFICATE through END CERTIFICATE (including both marker lines):

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Create a new file, paste the entries you copied and save it as a .pem file.

You can also use the following command to convert a PFX file to PEM: 

# openssl pkcs12 -in certificatename.pfx -out certificatename.pem


Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

Once the certificate has been signed, install it into the Admin server's nginx configuration. 

SSH to the Node Zero (NW Server) 
  1. Stop nginx service.

    # systemctl stop nginx

  2. Take a backup of the nginx config file:

    # mkdir -p /root/nwcertbkp 

    # cp /etc/nginx/conf.d/nginx.conf /root/nwcertbkp

  3. Take a Backup of the existing nginx certificates.

    # cp /etc/pki/nw/web/* /root/nwcertbkp

  4. Rename the certificate files obtained from the CA as follows:  
        - Rename the customer provided cert.pem certificate pem file to web-server-cert.pem. 
        - Rename the customer provided key.pem key pem file to web-server-key.pem. 
        - Rename the customer provided cert.chain certificate chain file to web-server-cert.chain. 
        - Rename the cert.p7b certificate p7b file to web-server-cert.p7b. 
     
  5. Move the existing files out of /etc/pki/nw/web/ (they were backed up in step 3):

    # cd /etc/pki/nw/web/ 
    # mv * /tmp

  6. Replace the existing NetWitness Suite certificates, located in the files below, with the files you renamed in step 4: 
        - /etc/pki/nw/web/web-server-cert.pem, 
        - /etc/pki/nw/web/web-server-key.pem, 
        - /etc/pki/nw/web/web-server-cert.chain 
        - /etc/pki/nw/web/web-server-cert.p7b  
     
  7. Copy the renamed files into place, assuming your CA certificate files are in the /home/nwcerts directory of the NW server:

    # cd /home/nwcerts 

    # cp web-server-cert.pem /etc/pki/nw/web/ 
    # cp web-server-key.pem /etc/pki/nw/web/ 
    # cp web-server-cert.chain /etc/pki/nw/web/ 
    # cp web-server-cert.p7b /etc/pki/nw/web/

  8. Start nginx and restart the jetty service: 

    # systemctl start nginx 
    # systemctl restart jetty.service

Notes: Brief instructions are provided in Page 63 (Appendix A: Customer Provided Certificates) of the Security Configuration Guide for 11.1: https://community.rsa.com/docs/DOC-90913 
Brief instructions are provided in Page 64 (Appendix A: Customer Provided Certificates) of the Security Configuration Guide for 11.2: https://community.rsa.com/docs/DOC-96728
Brief instructions are provided in Page 57 (Appendix A: Customer Provided Certificates) of the Security Configuration Guide for 11.3: https://community.rsa.com/docs/DOC-101324
