Configure ECAT Alerts via Message Bus

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Feb 6, 2017. Version 4.

This procedure is required to integrate ECAT with Security Analytics so that the ECAT alerts are picked up by the Incident Management component of Security Analytics and displayed in the Incident > Alerts view.

The diagram below shows the flow of ECAT alerts into the Incident Management queue of Security Analytics and the display of those alerts in the Incident > Alerts view.

Prerequisites

Ensure that you have the following:

  • The Incident Management service is installed and running on Security Analytics 10.4 or later.
  • ECAT 4.0 or later is installed and running.

Configure the Incident Management Broker as an External ECAT Component

For ECAT version 4.0

To configure ECAT to send alerts over the message bus to the Security Analytics user interface:

  1. Open the ECAT user interface and log in using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.
    The Monitoring and External Components dialog is displayed.
  3. Right click anywhere on the dialog and select Add Component.
    The Add Component dialog box is displayed.
  4. Provide the following information:
    • Select IM broker as the Component Type from the drop-down list.
    • Type a user name to identify the IM broker.
    • Type the host DNS name or IP address of the IM broker.
    • Type the port number.
  5. Click Save and Close to close all the dialog boxes.

For ECAT version 4.1

To configure ECAT to send alerts over the message bus to the Security Analytics user interface:

  1. Open the ECAT user interface and log in using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.
    The External Components Configuration dialog is displayed.
  3. In Incident Message Broker, click + to add an Incident Message (IM) Broker.
    The Incident Message Broker dialog is displayed.
    (Figure: the Incident Message Broker dialog, ext-comp-im.png)
  4. Under Incident Message Broker, in On, type a name for the message broker.
  5. Under Security Analytics Connection, do the following.
    1. In Server Hostname/IP, type the hostname or IP address of the Security Analytics server.
    2. In Port, the default is 5671, the TLS port of the Incident Management message broker. Change it only if the broker listens on a different port.
  6. Click Save.

Configure the ECAT CA Certificate on the Security Analytics Broker

To set up SSL for Incident Management alerts (ECAT presents a client certificate issued by the ECAT CA, and trusts the broker's server certificate issued by the Security Analytics Puppet CA):

  1. On the ECAT primary console server, export the ECAT CA certificate in .cer format (Base-64 encoded X.509) from the local computer's Personal certificate store. Do not export the private key.
  2. On the ECAT primary console server, from the directory that contains the ECAT makecert executable, generate a client certificate for ECAT signed by the ECAT CA. The CN must be ecat:
    makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "EcatCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer
    The command as documented signs the certificate with SHA-1 (-a sha1); newer makecert versions also accept -a sha256.
  3. On the ECAT primary console server, note the thumbprint of the client certificate generated in step 2 and enter it as the value of the IMBrokerClientCertificateThumbprint key in the ConsoleServer.Exe configuration file, as shown:
    <add key="IMBrokerClientCertificateThumbprint" value="?896df0efacf0c976d955d5300ba0073383c83abc"/>

Note: When you enter the thumbprint, remove the question mark (?), enter only the 40 hexadecimal digits, and then save the file. A thumbprint copied from the Windows certificate dialog may carry an invisible leading character that some editors show as ?; the value must contain nothing but the hex digits, with no spaces.

  4. On the Security Analytics server, append the content of the ECAT CA certificate file in .cer format (from step 1) to
    /etc/puppet/modules/rabbitmq/files/truststore.pem
  5. On the Security Analytics server, do one of the following so that Puppet deploys the updated truststore to the message broker:
  • Run the Puppet agent manually: puppet agent -t
  • Wait up to 30 minutes for the scheduled Puppet agent run.
  6. On the ECAT primary console server, import the /var/lib/puppet/ssl/certs/ca.pem file from the Security Analytics server into the local computer's Trusted Root Certification Authorities store.
    This ensures that ECAT, as a client, trusts the Incident Management server certificate, which is issued by that Puppet CA.
  7. Restart the ECAT server to enable ECAT to send alerts to Security Analytics.
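The certificate steps above (a Base-64 export, the client thumbprint without its stray leading character, a CA appended to truststore.pem exactly once) and the broker connection configured in the Incident Message Broker dialog are easy to get subtly wrong. The following is an added example, not RSA's code or part of this procedure: bash helpers built on openssl that you run on the Security Analytics server, or on any Linux host that has the exported .cer file. The truststore and Puppet CA paths are the ones the procedure names; the broker hostname and the client.pem/client.key file names passed to verify_amqps are placeholders for the client certificate and key you export from the Windows certificate store.

```shell
#!/usr/bin/env bash
# Added example, not part of the RSA procedure: openssl-based helpers for the
# ECAT <-> Security Analytics IM broker TLS setup. Assumes openssl is on PATH.
set -euo pipefail

# Path named in the procedure; override with TRUSTSTORE=... for a dry run.
TRUSTSTORE="${TRUSTSTORE:-/etc/puppet/modules/rabbitmq/files/truststore.pem}"

# 0 if the file is a Base-64 (PEM) X.509 certificate, 1 for DER or anything else.
# The procedure requires Base-64: a DER export appended to truststore.pem
# silently corrupts the bundle.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# SHA-1 thumbprint as 40 lower-case hex digits, no colons or spaces: the same
# value the Windows certificate dialog shows for the certificate.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g' | tr '[:upper:]' '[:lower:]'
}

# Normalize a thumbprint pasted from the Windows dialog: drop spaces, colons and
# any non-hex character (the leading "?" of the documented sample is one such
# stray character), then insist on exactly 40 hex digits.
clean_thumbprint() {
  local t
  t=$(printf '%s' "$1" | tr -cd '0-9a-fA-F' | tr '[:upper:]' '[:lower:]')
  if [ "${#t}" -ne 40 ]; then
    echo "thumbprint has ${#t} hex digits, expected 40: $1" >&2
    return 1
  fi
  printf '%s\n' "$t"
}

# The entry to place in the ConsoleServer.Exe configuration file.
im_broker_config_line() {
  printf '<add key="IMBrokerClientCertificateThumbprint" value="%s"/>\n' "$(clean_thumbprint "$1")"
}

# 0 if a certificate with the given thumbprint is already in a PEM bundle.
truststore_has() {
  local store="$1" want="$2" tmp found=1 c
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; f=d "/" n ".pem"}
                   f {print > f}
                   /-----END CERTIFICATE-----/ {close(f); f=""}' "$store"
  for c in "$tmp"/*.pem; do
    [ -e "$c" ] || break
    if [ "$(cert_thumbprint "$c")" = "$want" ]; then found=0; break; fi
  done
  rm -rf "$tmp"
  return "$found"
}

# Append the ECAT CA certificate to the RabbitMQ truststore exactly once.
# Returns 0 when appended, 2 when it was already there, 1 on a bad input file.
append_ca_to_truststore() {
  local cer="$1" store="${2:-$TRUSTSTORE}" fp
  is_pem_cert "$cer" || { echo "$cer is not a Base-64 X.509 certificate" >&2; return 1; }
  fp=$(cert_thumbprint "$cer")
  touch "$store"
  if truststore_has "$store" "$fp"; then
    return 2
  fi
  # Make sure the bundle ends with a newline so two certificates' markers never merge.
  [ ! -s "$store" ] || [ -z "$(tail -c1 "$store")" ] || printf '\n' >> "$store"
  cat "$cer" >> "$store"
}

# Live check (needs the network, so not exercised offline): the broker must
# answer on 5671 with a chain that validates against the Puppet CA copied from
# /var/lib/puppet/ssl/certs/ca.pem and must accept the ecat client certificate.
# client.pem/client.key are placeholders for the client certificate and key
# exported from the Windows store (makecert -pe makes that key exportable).
verify_amqps() {
  local host="$1" ca="$2" client_cert="$3" client_key="$4"
  openssl s_client -connect "$host:5671" -CAfile "$ca" \
    -cert "$client_cert" -key "$client_key" </dev/null 2>/dev/null \
    | grep -E 'Verify return code|subject='
}
```

Typical use after step 4: `append_ca_to_truststore EcatCA.cer` (a second run returns 2 and leaves the bundle untouched), then `im_broker_config_line "<pasted thumbprint>"` to produce the exact config entry for step 3, and after the Puppet run `verify_amqps sa-server.example.com ca.pem client.pem client.key`, which should report `Verify return code: 0 (ok)` once the broker's certificate chains to the Puppet CA.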