Sec/User Mgmt: Step 5. Import Certificate Revocation List

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Aug 28, 2017.
Version 3

This topic describes the procedure to import a Certificate Revocation List (CRL) into the Security Analytics server.

A CRL is a file that contains a list of revoked certificates, with details such as the serial number and revocation date of each certificate. A certificate is typically revoked so that it can no longer be used by unauthorized users. For example, if a Security Analytics user resigns from the organization, the issuing CA must revoke that user's certificate so that it cannot be used to gain access.

You can import the CRL issued by your trusted CA so that Security Analytics can use it to block unauthorized users from accessing Security Analytics. You can specify or import a CRL using one of the following options:

  • HTTP server - This is the most common CRL location: the CA publishes the CRL to external applications using an HTTP server, and the Security Analytics server reads the CRL from the HTTP URL.
  • Local CRL - This allows you to manually download the CRL for a CA and upload it to the Security Analytics server. For automation, you can write a cron job that copies the CRL into the /var/lib/netwitness/uax/pki/crl directory on the Security Analytics server. The Security Analytics server picks up the updated CRL from disk when the CRL is refreshed (every 5 minutes).
  • LDAP Resource - This is mostly used by Windows systems. You must specify an LDAP URL together with the username and password used to access the LDAP object. The Security Analytics server reads the CRL from the LDAP URL.
  • OCSP Responder - To specify an OCSP Responder, provide its HTTP URL and the OCSP Responder's signing certificate. Make sure the OCSP Responder is online while adding the entry. If the OCSP Responder signing certificate is updated, you must manually update the certificate on the Security Analytics server.

Procedure

Specify CRL file on HTTP server

Note: Make sure that the CRL is available and that the HTTP server is accessible from the Security Analytics server.

To specify CRL file on HTTP server:

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.

  2. Click the PKI Settings tab.

  3. In the CRLs section, click .

  4. In the CRL Type, select CRL is located on a HTTP Server from the drop-down list.

  5. In the URL field, specify the HTTP URL to access the CRL.

  6. Click Test.
    The Security Analytics UI displays the extracted information from the CRL.

    Note: If the CRL is hosted at an HTTPS URL, the Security Analytics server does not validate the web server certificate of the server on which the CRL is located. Trust in the downloaded CRL therefore rests on the CRL's own issuer signature, which is checked as described under Configure CRL Settings.

  7. Click Save.

    The CRL file is successfully added to the Security Analytics server.

Import Local CRL file using Security Analytics UI

Note: Make sure that the CRL is downloaded from the CA's CRL Distribution Point (CDP) location.

To import Local CRL file using Security Analytics UI:

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.

  3. In the CRLs section, click .

    The CRL Settings dialog is displayed.

  4. In the CRL Type, select CRL is available as a File from the drop-down list.

  5. In the CRL file, click Browse to upload the CRL file.

    Note: The CRL file extension should be .crl.

  6. Click Test.

    The Security Analytics UI displays the extracted information from the CRL.

  7. Click Save.
    The CRL file is successfully added to the Security Analytics server.

Specify CRL as LDAP Resource using Security Analytics UI

Note: Make sure that the CRL is available and that the LDAP server is accessible from the Security Analytics server.

  1. In the Security Analytics menu, select Administration > Security.

    The Security view is displayed with the Users tab open.

  2. Click the PKI Settings tab.
  3. In the CRLs section, click .

    The CRL Settings dialog is displayed.

  4. In the CRL Type, select CRL is published as LDAP Resource from the drop-down list.

  5. In the URL field, specify the LDAP URL to access the CRL.

    Note: If the LDAP URL contains white space, it must be percent-encoded; for example, CN=EMC Root CA is written as CN=EMC%20Root%20CA.

  6. In the Username field, enter the username in the format of Domain/Username.

  7. In the Password field, enter the password to access the CRL.
  8. Click Test.

    The Security Analytics UI displays the information extracted from the CRL.

  9. Click Save.

    The CRL is successfully added to the Security Analytics server.

Specify OCSP Responder using Security Analytics UI

Note: Make sure that the OCSP Responder is reachable from the Security Analytics server.

To specify OCSP Responder using Security Analytics UI:

  1. In the Security Analytics menu, select Administration > Security.

    The Security view is displayed with the Users tab open.

  2. Click the PKI Settings tab.

  3. In the CRLs section, click .
    The CRL Settings dialog is displayed.
  4. In the CRL Type, select HTTP URL for OCSP Responder from the drop-down list.

  5. In the URL field, specify the HTTP URL.

  6. In the Certificate field, click Browse to upload the OCSP Responder Signing certificate.
  7. Click Test.

    The Security Analytics UI displays the information extracted from the OCSP responder signing certificate.

  8. Click Save.
    The OCSP responder is successfully added to the Security Analytics server.

Configure CRL Settings

You must configure the CRL settings to define how certificate revocation is validated against the CRL.

To configure CRL settings:

  1. In the Security Analytics menu, select Administration > Security.

    The Security view is displayed with the Users tab open.

  2. Click the PKI Settings tab.

  3. In the CRL Settings section, select one of the following Failure Mode options:
    • Allow Users to login if Revocation check fails - This allows a user to access the Security Analytics server even if:
      • No CRL is found for the issuer of the user certificate.
      • The user certificate is not revoked but the CRL has expired.
      • The OCSP server is not reachable.
    • Block Users to login if Revocation Check fails - This allows a user to log in only if:
      • A CRL is available for the issuer of the user certificate.
      • The user certificate is not revoked and the CRL is valid.
      • The OCSP server is reachable and the user certificate is valid.

  4. In the Revocation Check Mode field, select how the user certificate is validated.

    • If you select CRL only mode, the CRL is considered valid only if all of the following criteria are met:
      • A CRL exists that is issued by the same issuer as the user certificate.
      • The CRL has not expired.
      • The CRL is properly signed by the issuer.

    • If you select OCSP only mode, the OCSP Responder is considered valid only if all of the following criteria are met:
      • An OCSP Responder exists whose certificate is issued by the same issuer as the user certificate.
      • The OCSP Responder certificate has not expired.
      • The OCSP Responder certificate is properly signed by the issuer.

    • If you select CRL then OCSP, the checks are performed in order:
      • The user certificate is first checked against the CRL.
      • If the user certificate passes the CRL check, it is then validated using the OCSP Responder.
      • The user certificate is considered valid only if it is not revoked in the CRL and is reported valid by the OCSP Responder.

  5. In the Multi CRL Mode field, select how revocation is checked when more than one CRL from the same issuer is present.

    • Check Revocation in Most Recently Issued CRL - The CRL with the latest issue date is treated as the most recently issued CRL and is used for the check.

    • Check Revocation in Last Expiring CRL - The CRL with the latest expiry date is treated as the last expiring CRL and is used for the check.

    • Combine All CRLs for Revocation Check - A certificate listed as revoked in any of the CRLs is considered revoked.

      Note: When more than one CRL is present, CRLs are distinguished by:
      - The date when the CRL was published.
      - The date when the CRL expires.
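The Failure Mode, Revocation Check Mode and Multi CRL Mode settings above combine into a single allow-or-block decision at login. The following Python is an added illustration of that decision logic, not RSA's own code; each CRL is represented by constructed metadata (issuer, publish and expiry dates, revoked serials, and a signature-check result assumed to come from elsewhere) rather than a parsed CRL file, and the mode names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Crl:
    issuer: str            # issuer DN of the CRL
    this_update: datetime  # date the CRL was published
    next_update: datetime  # date the CRL expires
    revoked: frozenset     # serial numbers listed as revoked
    signature_ok: bool     # CRL signature verified against the issuer (assumed checked elsewhere)

def select_crls(crls, issuer, multi_crl_mode):
    """Multi CRL Mode: choose which of an issuer's properly signed CRLs are consulted."""
    mine = [c for c in crls if c.issuer == issuer and c.signature_ok]
    if not mine or multi_crl_mode == "combine_all":
        return mine
    if multi_crl_mode == "most_recently_issued":
        return [max(mine, key=lambda c: c.this_update)]
    if multi_crl_mode == "last_expiring":
        return [max(mine, key=lambda c: c.next_update)]
    raise ValueError(f"unknown Multi CRL Mode: {multi_crl_mode}")

def crl_status(issuer, serial, crls, multi_crl_mode, now):
    """'revoked', 'good', or None when no valid (signed, unexpired) CRL exists for the issuer."""
    valid = [c for c in select_crls(crls, issuer, multi_crl_mode) if c.next_update > now]
    if not valid:
        return None
    return "revoked" if any(serial in c.revoked for c in valid) else "good"

def revocation_status(check_mode, crl_result, ocsp_result):
    """Revocation Check Mode. ocsp_result is 'good', 'revoked' or None (responder unreachable)."""
    if check_mode == "crl_only":
        return crl_result
    if check_mode == "ocsp_only":
        return ocsp_result
    if check_mode == "crl_then_ocsp":  # OCSP is consulted only after the CRL step passes
        if crl_result == "revoked":
            return "revoked"
        return ocsp_result if crl_result == "good" else None
    raise ValueError(f"unknown Revocation Check Mode: {check_mode}")

def allow_login(status, failure_mode):
    """Failure Mode: None means the check could not be completed; only 'allow' lets such users in."""
    return status == "good" if status else failure_mode == "allow"

# Constructed sample: two CRLs from one issuer; the newer one has already expired at NOW.
NOW = datetime(2017, 8, 28)
CRLS = [Crl("CN=Example Root CA", datetime(2017, 8, 1), datetime(2017, 9, 1), frozenset({0x1001}), True),
        Crl("CN=Example Root CA", datetime(2017, 8, 20), datetime(2017, 8, 27), frozenset({0x1001, 0x1002}), True)]
```

With the sample data, "most recently issued" mode selects the expired CRL, so the check is inconclusive and the revoked serial 0x1001 is admitted under the Allow failure mode but refused under Block; "last expiring" or "combine all" mode still finds the revocation.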

Next Step:

Step 6. Enable PKI
