000033735 - Configure Bluecoat SGOS with FTPS including Passive FTP for Netwitness Suite10.x

Document created by RSA Customer Support Employee on Aug 10, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033735
Applies ToRSA Product Set: RSA Netwitness Suite
RSA Product/Service Type: Netwitness Log Collector
RSA Version/Condition: 10.x
Issue
  • After configuring Bluecoat SGOS for Log Collection as per sadocs. no logs are being transferred.
  • Certificate used by vsftpd is self signed by the log collector and not the CA "Certificate Authority" puppetmaster.local, which is not trusted by Bluecoat.
  • Bluecoat "the client" sometimes initiates PASV FTP connections to the Log Collector on random ports, not defined in the vsftpd.conf. hence either the IPtables, or any other firewall in between will most likely block the connection.
Cause
  • Newer versions of Bluecoat SGOS do not trust self signed certificates, signed and generated by Log Collector.
  • A request of PASV FTP from client, while being opened in the vsftpd.conf, it is not limited to a certain port range. hence, a random port number is being chosen, which in most of the cases will be blocked by either the IPtables or a firewall in between.
ResolutionTo resolve the two issues, you need first to sign the CSR "Certificate Sign Request" by no machine other than the Local CA "certificate authority", which is the puppetmaster.local , ie. the SA server.
Secondly, you need to either open all ports between bluecoat and log collector, or define the port ranges allowed for PASV FTP in the vsftpd.conf file.
Afterwards, with the above two changes, you can continue normally with the sadocs guide for Bluecoat SGOS.

First: Sign the CSR using the SA puppetmaster.local
  • SSH to the SA server, and create the CSR for the vsftpd, then sign it using the local CA, then copy the vsftpd and the CA certificates to the log collector.

  • [root@sa ~]# cd /root
    [root@sa ~]# openssl req -nodes -new -sha256 -keyout vsftpd.key.pem -out vsftpd.csr.pem -days 1825
    [root@sa ~]# openssl x509 -req -out vsftpd.crt.pem -in vsftpd.csr.pem -CA /var/lib/puppet/ssl/ca/ca_crt.pem -CAkey /var/lib/puppet/ssl/ca/ca_key.pem -CAcreateserial -days 1825
    [root@sa ~]# scp vsftpd.*.pem <logcollector-IP-address>:/etc/netwitness/ng/
    [root@sa ~]# scp /var/lib/puppet/ssl/certs/ca.pem <logcollector-IP-address>:/etc/netwitness/ng/truststore/puppet-ca.pem

  • Make sure to download the ca.pem locally to your machine, to add it to the Bluecoat trusted root certificate store later on.
Second: Configure PASV FTP on the Log Collector vsftpd.conf file
  • On the Log Collector, the /etc/vsftpd/vsftpd.conf file, the default option "pasv_enable=Yes".
  • If you change it to "No", Bluecoat connections will fail.
  • Solution is to limit the ports used by PASV, edit the /etc/vsftpd/vsftpd.conf and append the below 2 lines.

  • pasv_max_port=14001
    pasv_min_port=14004

  • Now, we need to add these 4 ports on the IPtables INPUT chain on the Log Collector.

  • [root@logcollector ~]# service iptables stop
    [root@logcollector ~]# vi /etc/sysconfig/iptables
    Add the Following Line above the -j REJECT line within the file
    -A INPUT -p tcp -m multiport --dports 14001:14004 -m comment --comment "Ports allowed for PASV FTP" -j ACCEPT
    [root@logcollector ~]# service iptables restart
    [root@logcollector ~]# iptables -L
    Look for the Line below
    ACCEPT     tcp  --  anywhere             anywhere            multiport ports 4001:4004 /* Ports allowed for PASV FTP */

  • Finally, you need to allow these 4 ports on the firewall in between, if present. like Checkpoint for instance.
NotesIf you are unsure of the steps above, please contact RSA support and reference this article.

Attachments

    Outcomes