000026576 - How to enable SSL with a CA-signed certificate on RSA Security Analytics 10.3.0 and below or RSA NetWitness Spectrum

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000026576
Applies To: RSA Security Analytics
RSA Security Analytics 10.3.0 and below
RSA NetWitness Spectrum
RSA NetWitness Spectrum 1.1
Jetty 7
Issue: How to enable SSL with a CA-signed certificate on RSA Security Analytics 10.3.0 and below or RSA NetWitness Spectrum.
Resolution

For steps on enabling SSL with a self-signed certificate (as opposed to CA-signed), refer to the knowledgebase article How to enable SSL with a self-signed certificate on RSA NetWitness Spectrum.

For steps on enabling SSL with a CA-signed certificate on RSA Security Analytics 10.3.1 and above, which uses Jetty 9, refer to the knowledgebase article How to Install a Public CA Certificate on RSA Security Analytics 10.3.x Running Jetty 9.

Note: The procedure is almost identical between Security Analytics and Spectrum, as they use the same web server technology.



Step 1: Generate and import certificates

mkdir ~/cert
export KEYTOOL=/usr/java/latest/bin/keytool    # Spectrum
export KEYTOOL=/usr/bin/keytool                # SA 10.x
mv $JETTY_HOME/etc/keystore $JETTY_HOME/etc/keystore_orig

Use whichever of the two export lines matches your product. By default, $JETTY_HOME points to /var/lib/jetty7 (Spectrum and SA 10.3 and below) or to /opt/rsa/jetty9 (SA 10.3 SP1 and above).

a) Generate a public/private key pair. Choose an alias to identify this certificate in the keystore, e.g. substitute 'sa' or 'spectrum' for '<keyid>' in the examples. In this step you must also choose a password for the new keystore and a password for the private key (they can be the same or different). The examples below use 'netwitness' for both. Take note of them, as they will be needed later.

$KEYTOOL -genkey -alias <keyid> -keyalg RSA -keysize 4096 -sigalg SHA1withRSA -keystore $JETTY_HOME/etc/keystore

When prompted "What is your first and last name?", enter the server's FQDN (e.g. mysaserver.example.com).



[root@sabox etc]# $KEYTOOL -genkey -alias sa -keyalg RSA -keysize 4096 -sigalg SHA1withRSA -keystore $JETTY_HOME/etc/keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  mysaserver.example.com
What is the name of your organizational unit?
  [Unknown]:  myou
What is the name of your organization?
  [Unknown]:  myorg
What is the name of your City or Locality?
  [Unknown]:  Someplace
What is the name of your State or Province?
  [Unknown]:  Virginia
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=mysaserver.example.com, OU=myou, O=myorg, L=Someplace, ST=Virginia, C=US correct?
  [no]:  yes

Enter key password for <sa>
 (RETURN if same as keystore password):
[root@sabox etc]#

b) Create a Certificate Signing Request (CSR), entering the password you created in step a) when prompted:

$KEYTOOL -certreq -alias <keyid> -keystore $JETTY_HOME/etc/keystore -file ~/cert/<keyid>.csr

c) Upload ~/cert/<keyid>.csr (e.g. spectrum.csr) to your CA for signing. Once it has been signed, download the signed certificate as ~/cert/<keyid>.cer (e.g. spectrum.cer) and the CA certificate as ~/cert/root.cer, then run the following. Import the CA certificate first, so that keytool can build the chain when the signed certificate is imported under the same alias as the private key:

$KEYTOOL -import -trustcacerts -keystore $JETTY_HOME/etc/keystore -alias root -file ~/cert/root.cer

$KEYTOOL -import -trustcacerts -keystore $JETTY_HOME/etc/keystore -alias <keyid> -file ~/cert/<keyid>.cer


Step 2: Edit jetty.xml to use the new keystore and the private key password(s) you created in Step 1a

a) It is good practice not to keep plain-text passwords in an XML file. Use the command below to obtain the obfuscated OBF-format string of the password(s) you created in step 1a. Run it once for the keystore password and again for the private key password if that differs from the keystore password.

Use this command if using SA:

java -cp `find $JETTY_HOME/lib/ -name "jetty-http*"`:`find $JETTY_HOME/lib/ -name "jetty-util*"` org.eclipse.jetty.util.security.Password <Your Keystore password from Step 1a>

Or this command if using Spectrum:

java -cp `find $JETTY_HOME/lib/ -name "jetty-http*"`:`find $JETTY_HOME/lib/ -name "jetty-util*"` org.eclipse.jetty.http.security.Password <Your Keystore password from Step 1a>

For example:

# java -cp `find $JETTY_HOME/lib/ -name "jetty-http*"`:`find $JETTY_HOME/lib/ -name "jetty-util*"` org.eclipse.jetty.util.security.Password netwitness
netwitness
OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms
MD5:724cfe133a94be51321a9ac2bff65f06
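What the OBF: string actually is, shown with an added Python example (not code from this article, from Security Analytics or from Jetty): a re-implementation of the obfuscate/deobfuscate algorithm used by Jetty's org.eclipse.jetty.util.security.Password class. Each byte of the password is paired with its mirror byte from the other end of the string, and the pair is written as a 4-character base-36 group. Running it on the article's password 'netwitness' reproduces the OBF: string shown above, and deobfuscate() turns it back. That is the point for an administrator: OBF: hides the password from a casual glance at jetty.xml, but it is reversible encoding, not encryption, so anyone who can read the file can recover the keystore password. Keep the file readable only by the account Jetty runs as.

```python
"""Re-implementation of Jetty's Password.obfuscate()/deobfuscate() (OBF: format).

Added example, not code from the RSA article or from Jetty. It follows the
algorithm in org.eclipse.jetty.util.security.Password.
"""

OBF_PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 form of n, like Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Return the OBF: form of password, as the Jetty Password tool prints it."""
    data = password.encode("utf-8")
    groups = [OBF_PREFIX]
    for i, b1 in enumerate(data):
        b2 = data[len(data) - (i + 1)]          # mirror byte from the other end
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes: 'U' marker plus the raw byte pair, padded to 4 digits
            x = _to_base36(b1 * 256 + b2)
            groups.append("U" + x.rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2                  # sum of the pair, offset by 127
            i2 = 127 + b1 - b2                  # difference of the pair, same offset
            x = _to_base36(i1 * 256 + i2)
            groups.append(x.rjust(4, "0"))      # always 4 characters
    return "".join(groups)


def deobfuscate(obf: str) -> str:
    """Recover the plain text from an OBF: string (exact inverse of obfuscate)."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1:i + 5], 36)
            out.append(i0 >> 8)                 # high byte is the original byte
            i += 5
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            out.append((i1 + i2 - 254) // 2)    # (sum + diff - 2*127) / 2 == b1
            i += 4
    return out.decode("utf-8")


if __name__ == "__main__":
    # The article's example password; the printed OBF: string matches the article.
    print(obfuscate("netwitness"))
    print(deobfuscate("OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms"))
```

The 'U' branch only appears for bytes outside ASCII; the article's password is plain ASCII, so its output consists of 4-character groups only.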


 
For Spectrum and SA 10.3.0 and below (Jetty 7)

# cp $JETTY_HOME/etc/jetty.xml $JETTY_HOME/etc/jetty.xml_orig
# vi $JETTY_HOME/etc/jetty.xml

b) Modify the connector lines to look like the following, replacing the OBF: password values with the passwords you generated in step 1a and obfuscated in step 2a. 'Password' and 'trustPassword' are the OBF string of the keystore password and should be the same; 'KeyPassword' is the OBF string of your private key password.

    <Call name="addConnector">
      <Arg>
         <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Set name="Port">443</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="Acceptors">2</Set>
            <Set name="AcceptQueueSize">100</Set>
            <Set name="Keystore"><Property name="jetty.home" default="."/>/etc/keystore</Set>
            <Set name="Password">OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms</Set>
            <Set name="KeyPassword">OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms</Set>
            <Set name="truststore"><Property name="jetty.home" default="."/>/etc/keystore</Set>
            <Set name="trustPassword">OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms</Set>
         </New>
      </Arg>
    </Call>


 

Note that /etc/keystore in the above file refers to $JETTY_HOME/etc/keystore.

Optional step, but strongly recommended: enforce the use of strong encryption by excluding weak cipher suites:

# vi $JETTY_HOME/etc/jetty.xml

Paste the following before the </New> tag from step 2b:

            <Set name="ExcludeCipherSuites">
              <Array type="java.lang.String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
                <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
                <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
                <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
              </Array>
            </Set>


 


Your connector should therefore look like the following:

    <Call name="addConnector">
      <Arg>
         <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Set name="Port">443</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="Acceptors">2</Set>
            <Set name="AcceptQueueSize">100</Set>
            <Set name="Keystore"><Property name="jetty.home" default="."/>/etc/keystore</Set>
            <Set name="Password">OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms</Set>
            <Set name="KeyPassword">OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms</Set>
            <Set name="truststore"><Property name="jetty.home" default="."/>/etc/keystore</Set>
            <Set name="trustPassword">OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms</Set>
            <Set name="ExcludeCipherSuites">
              <Array type="java.lang.String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
                <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
                <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
                <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
              </Array>
            </Set>
         </New>
      </Arg>
    </Call>

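An added check (example code written for this article, not part of Security Analytics, Spectrum or Jetty) that reads the ExcludeCipherSuites list out of a jetty.xml and applies it to the suites a JVM would enable. The jetty.xml text and the enabled-suite list embedded in it are constructed samples; on a real host the enabled list would come from the JVM that runs Jetty. The exclusion list above removes single-DES, export-grade and Kerberos-DES suites; the audit reports any suite that survives the exclusion and whose name still marks it as weak (RC4, NULL, anonymous key exchange, MD5 MAC), so its result is the set of names to consider adding as further <Item> entries. Jetty 7 removes excluded names literally, so the spelling must match the JVM's suite names; that literal match is what the example models.

```python
"""Audit a Jetty ExcludeCipherSuites list against the suites a JVM enables.

Added example, not code from the article or from Jetty. The XML and the enabled
suite list are constructed samples for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Name patterns that mark a suite as weak. "_DES_CBC_" matches single DES only:
# "_3DES_EDE_CBC_" does not contain that substring, so 3DES is not flagged here.
WEAK_PATTERNS = [
    (re.compile(r"_DES_CBC_"), "single DES"),
    (re.compile(r"_EXPORT_"), "export-grade key length"),
    (re.compile(r"_RC4_"), "RC4"),
    (re.compile(r"_NULL_"), "NULL cipher or NULL authentication"),
    (re.compile(r"_anon_"), "anonymous key exchange"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
]

# Constructed stand-in for a jetty.xml: the article's connector, wrapped in the
# Configure root element so the fragment parses as a document.
JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">443</Set>
        <Set name="Keystore"><Property name="jetty.home" default="."/>/etc/keystore</Set>
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# Constructed sample of suite names a JVM might enable; not taken from a real host.
ENABLED_SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_KRB5_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]


def excluded_suites(jetty_xml: str) -> List[str]:
    """Read the <Item> names under <Set name="ExcludeCipherSuites">."""
    root = ET.fromstring(jetty_xml)
    for node in root.iter("Set"):
        if node.get("name") == "ExcludeCipherSuites":
            return [item.text.strip() for item in node.iter("Item") if item.text]
    return []


def weak_reason(suite: str) -> Optional[str]:
    """First matching weakness for a suite name, or None if none of the patterns match."""
    for pattern, reason in WEAK_PATTERNS:
        if pattern.search(suite):
            return reason
    return None


def audit(jetty_xml: str, enabled: List[str]) -> Dict[str, str]:
    """Suites still enabled after the literal exclusion, mapped to why they look weak."""
    excluded = set(excluded_suites(jetty_xml))
    remaining = [s for s in enabled if s not in excluded]
    return {s: weak_reason(s) for s in remaining if weak_reason(s) is not None}


if __name__ == "__main__":
    for suite, reason in audit(JETTY_XML, ENABLED_SAMPLE).items():
        print(f"still enabled: {suite} ({reason})")
```

Every name the audit prints is a candidate for an additional <Item> line in the ExcludeCipherSuites array; since Jetty 7 matches the names literally, copy them exactly as the JVM reports them.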

For SA 10.3.1 and above (Jetty 9). Refer to the knowledgebase article How to Install a Public CA Certificate on RSA Security Analytics 10.3.x Running Jetty 9 for additional details.

# cp $JETTY_HOME/etc/jetty-ssl.xml $JETTY_HOME/etc/jetty-ssl.xml_orig
# vi $JETTY_HOME/etc/jetty-ssl.xml

b) Modify the SslContextFactory lines to look like the following, replacing the OBF: password values with the passwords you generated in step 1a and obfuscated in step 2a. 'KeyStorePassword' and 'TrustStorePassword' are the OBF string of the keystore password and should be the same; 'KeyManagerPassword' is the OBF string of your private key password.
Optionally, you can

 

  <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
    <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms"/></Set>
    <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms"/></Set>
    <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
    <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1xmi1vu91w261yfc1wtw1wui1yeu1w1c1vv11xms"/></Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
        <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
        <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
        <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
      </Array>
    </Set>

Note that /etc/keystore in the above file refers to $JETTY_HOME/etc/keystore.

Optional step, but strongly recommended: enforce the use of strong encryption by excluding weak cipher suites. Add the following four lines to the ExcludeCipherSuites array in $JETTY_HOME/etc/jetty-ssl.xml, as shown above:

  <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
  <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
  <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
  <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>

Step 3: Restart Security Analytics / Spectrum

a) Restart jettysrv.

CentOS 6:
stop jettysrv
start jettysrv

CentOS 5:
monit stop jettysrv
monit start jettysrv

Step 4: Debugging

If you are unable to connect to SA / Spectrum with your browser, you may find more details in the logs stored in $JETTY_HOME/logs/. The log filename has the format YYYY_MM_DD.stderrout.log (e.g. 2011_08_10.stderrout.log).

Common problems:
- Using the wrong password for the keystore in jetty.xml
- Using the wrong password for the private key in jetty.xml
- Wrong path to the keystore in jetty.xml

Verify that your keystore contains 2 entries. The alias of your root certificate should be of type 'trustedCertEntry', and the alias of your SA/Spectrum certificate should be of type 'PrivateKeyEntry':

$KEYTOOL -list -keystore $JETTY_HOME/etc/keystore
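A check for the Step 4 expectation, as added example code (not from the article, Security Analytics or keytool): it parses the output of the $KEYTOOL -list command above and reports when the CA entry or the PrivateKeyEntry is missing, or when an extra trustedCertEntry suggests the signed certificate was imported under an alias other than the one used with -genkey, which leaves the keystore serving the original self-signed certificate. keytool itself is not run here; the two listings embedded below are constructed samples in the format keytool prints, and the fingerprints are placeholders.

```python
"""Check `keytool -list` output for the two entries Step 4 expects.

Added example, not code from the article. The listings are constructed samples
in the format `keytool -list -keystore ...` prints (alias, date, entry type,
then a fingerprint line); the fingerprints are placeholders.
"""
import re
from typing import Dict, List

# One "alias, date, entryType," line per entry. The date is matched loosely
# because its format depends on the JDK's locale.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<type>trustedCertEntry|PrivateKeyEntry|keyEntry|SecretKeyEntry),?\s*$"
)
COUNT_RE = re.compile(r"^Your keystore contains (\d+) entr(?:y|ies)$")

# Constructed sample: the keystore Step 1 produces when everything went right.
SAMPLE_GOOD = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
sa, Jun 14, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
"""

# Constructed sample: the signed certificate was imported with -alias sacert
# instead of -alias sa, so keytool stored it as a separate trusted entry and
# the 'sa' key still carries its self-signed certificate.
SAMPLE_WRONG_ALIAS = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
sa, Jun 14, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
sacert, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
"""


def parse_listing(listing: str) -> Dict[str, str]:
    """Map alias -> entry type; header and fingerprint lines do not match ENTRY_RE."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def check_keystore(listing: str, key_alias: str, ca_alias: str = "root") -> List[str]:
    """Return the problems found; an empty list means the keystore looks as Step 4 expects."""
    entries = parse_listing(listing)
    problems = []
    declared = next((int(m.group(1)) for m in
                     (COUNT_RE.match(l.strip()) for l in listing.splitlines()) if m), None)
    if declared is not None and declared != len(entries):
        problems.append(f"listing declares {declared} entries but {len(entries)} were parsed")
    if key_alias not in entries:
        problems.append(f"no entry with alias '{key_alias}': check the alias used with -genkey")
    elif entries[key_alias] != "PrivateKeyEntry":
        problems.append(f"alias '{key_alias}' is a {entries[key_alias]}, not a PrivateKeyEntry")
    trusted = [a for a, t in entries.items() if t == "trustedCertEntry"]
    if ca_alias not in trusted:
        problems.append(f"no trustedCertEntry '{ca_alias}': the CA certificate was not imported")
    for alias in trusted:
        if alias != ca_alias:
            problems.append(
                f"unexpected trustedCertEntry '{alias}': if this is the signed server "
                f"certificate it was imported under a different alias than the private "
                f"key and did not replace the self-signed one; re-import it with -alias {key_alias}"
            )
    return problems


if __name__ == "__main__":
    print(check_keystore(SAMPLE_GOOD, "sa"))          # []
    print(check_keystore(SAMPLE_WRONG_ALIAS, "sa"))   # one problem, about 'sacert'
```

To use it against a real appliance, pipe the output of the $KEYTOOL -list command into check_keystore() with the <keyid> alias chosen in Step 1a; if your CA issues from an intermediate CA that you also imported, its alias will be reported as an extra trustedCertEntry, which is expected in that case.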


Legacy Article ID: a58829
