Sec/User Mgmt: Step 5. (Optional) Use Custom Server Certificate

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Product Team on Jul 30, 2019.
Version 7

By default, the Security Analytics server uses a web server certificate generated by Security Analytics for HTTPS connections. Security Analytics also allows you to configure a custom web server certificate to be used as the Security Analytics server certificate. You can configure a custom web server certificate even if PKI is not enabled.

Supported Certificate Formats

The following certificate formats are supported. You must select the format that meets your requirement:

  • For server certificate with its private key:
    • pkcs12 or .p12 
    • jks
    • pfx   
  • For trusted CA certificate:
    • pkcs12 or .p12 
    • jks 
    • pfx
    • pem
    • crt
    • der
    • cer

Note: The .pfx, .p12 and .jks formats are containers that can hold one or more private keys together with their certificate chains or certificates. PEM is a Base64-encoded format that can contain multiple certificates.

Note: The alias name for a Security Analytics server certificate cannot contain the following bracket characters: [ ] { } ( ) < > or the characters & (ampersand), ! (exclamation point) or | (pipe).

Procedures

(Optional) Create a Certificate Signing Request (CSR) and Certificate Store for Jetty Certificate

The CSR is submitted to the Certificate Authority (CA) server to obtain a server certificate based on it. Once the certificate has been issued, these steps package the private key and the signed certificate into a store that can be uploaded to the Security Analytics server for use as the server certificate. If a server certificate (along with its private key) has already been created, you can skip these steps and upload the certificate to the Security Analytics server.

Perform the following steps to create a CSR for Jetty Certificate:

  1. Change the directory to /root:

    cd /root

  2. Create a new directory:

    mkdir sa_pki_server_cert

  3. Change the directory to the newly created directory:

    cd sa_pki_server_cert

  4. Create a CSR:

    openssl req -new -nodes -sha256 -out server_cert_request.csr -newkey rsa:4096 -keyout sa_server_pki_private_key.key -config /opt/rsa/netwitness/openssl.cnf

    The openssl.cnf file is the OpenSSL configuration file. For details about adding the necessary information to that file, see Open SSL Configuration below.

  5. Check that the private key, server certificate, and CSR share the same public key by comparing their sha256sum digests (the file names shown are generic; substitute the names of your own files):

    openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
    openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
    openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

    An example output is:

    [root@ABCD open_ssl_test]# openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
    d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f (stdin)

    [root@ABCD open_ssl_test]# openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
    d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f (stdin)

    [root@ABCD open_ssl_test]# openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
    d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f (stdin)

    Note: Make a note of the hash value that each command prints, and ensure that they all match.

  6. Submit the CSR to a CA and get a signed certificate.
  7. Copy the Certificate in PEM format to the newly created directory:

    /root/sa_pki_server_cert/signed_certificate.pem

  8. Check that the certificate you receive from the CA carries the correct public key, that is, that its digest matches the two outputs above. If they do not match, you might have omitted one of the previous steps.

    openssl x509 -noout -modulus -in certificate.crt | sha256sum

    Note: You can use the xca tool to complete these steps.

    For example:

    [root@ABCD open_ssl_test]# mv test.crt certificate.crt
    [root@ABCD open_ssl_test]# openssl x509 -noout -modulus -in certificate.crt | sha256sum
    d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f (stdin)

    [root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in sa_server_pki_private_key.key | sha256sum
    d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f (stdin)

    [root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | sha256sum
    d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f (stdin)

  9. Package the private key and certificate into a key store:

    openssl pkcs12 -export -descert -name <myservercert> -in signed_certificate.pem -inkey sa_server_pki_private_key.key -out keystore.p12

  10. When prompted, provide a password for the key store, for example sa.
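The public-key comparison that steps 5 and 8 do by eye, wrapped in a shell function that returns a non-zero status on mismatch so it can gate the packaging in step 9. This is an added example, not part of the RSA page; it assumes openssl and sha256sum are installed and generates throwaway keys on the fly.

```shell
#!/bin/sh
# Added example (not from the RSA page): the public-key comparison that steps 5
# and 8 do by eye, as a function that returns non-zero on mismatch so it can gate
# the PKCS#12 packaging in step 9. Assumes `openssl` and `sha256sum` on PATH.

# Print the SHA-256 digest of the PEM public key carried by a key, CSR or
# certificate. Comparing the public key (rather than -modulus) also covers EC keys.
pubkey_digest() {   # $1 = key|csr|cert   $2 = file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout -outform pem) ;;
        csr)  pem=$(openssl req  -in "$2" -pubkey -noout) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# Return 0 only if key, CSR and certificate all carry the same public key.
check_keypair_match() {   # $1 = private key   $2 = CSR   $3 = certificate
    k=$(pubkey_digest key  "$1") || return 2
    r=$(pubkey_digest csr  "$2") || return 2
    c=$(pubkey_digest cert "$3") || return 2
    [ "$k" = "$r" ] || { echo "CSR does not match private key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match private key" >&2; return 1; }
    echo "key, CSR and certificate match: $k"
}

# Constructed throwaway key + CSR; a minimal inline config avoids depending on the
# system openssl.cnf.  $1 = key file to write, $2 = CSR file to write
mkcsr() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=sa.example.test\n' > "$1.cnf"
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1" -out "$2" -config "$1.cnf" 2>/dev/null
}

# Demo of the good case: key, CSR and a self-signed certificate that agree.
demo_matching() (
    d=$(mktemp -d) && cd "$d" || exit 2
    mkcsr k.key r.csr && openssl x509 -req -in r.csr -signkey k.key -days 1 -out c.crt 2>/dev/null
    check_keypair_match k.key r.csr c.crt
)

# Demo of the failure case: the certificate was issued for a different key.
demo_mismatch() (
    d=$(mktemp -d) && cd "$d" || exit 2
    mkcsr k.key r.csr && mkcsr o.key o.csr
    openssl x509 -req -in o.csr -signkey o.key -days 1 -out c.crt 2>/dev/null
    check_keypair_match k.key r.csr c.crt
)
```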

Open SSL Configuration

In step 4 of the procedure above, openssl.cnf is the OpenSSL configuration file that adds extensions and defaults to your certificate request. For more information about OpenSSL CONF library configuration files, see the openssl.cnf reference at https://www.openssl.org/docs/manmaster/man5/config.html.

In /opt/rsa/netwitness/openssl.cnf, modify and add the following configuration:

    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    default_md = sha256
    x509_extensions = v3_ca # The extensions to add to the self signed certificate

    [req_ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = <FQDN>
    DNS.2 = <hostname>
    IP.1 = <IP>

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = <country e.g. US>
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = <state or province e.g. Florida>
    localityName = Locality Name (eg, city)
    localityName_default = <city e.g. Miami>
    organizationName = Organization Name (eg, company)
    organizationName_default = <company e.g. RSA>
    commonName = Common Name (e.g. hostname)
    commonName_default = <hostname e.g. mynetwitness.rsa.com>
    commonName_max = 64

    [ v3_ca ]
    basicConstraints = CA:FALSE
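An added example (not part of the RSA page) that writes a minimal request config shaped like the [ req ], [req_ext] and [alt_names] sections above, generates a CSR from it, and checks that the subjectAltName entries actually reached the request before it is submitted to the CA. It assumes openssl is on PATH; the FQDN, hostname and IP values are constructed.

```shell
#!/bin/sh
# Added example (not part of the RSA page): write a request config shaped like the
# [req]/[req_ext]/[alt_names] sections above, build a CSR from it, and confirm the
# subjectAltName entries really are in the request before it goes to the CA.
# Assumes `openssl` on PATH; FQDN, hostname and IP values below are constructed.

# $1 = config file to write, $2 = FQDN, $3 = short hostname, $4 = IP address
write_req_config() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
default_md         = sha256
prompt             = no
[ req_ext ]
subjectAltName     = @alt_names
[ alt_names ]
DNS.1 = $2
DNS.2 = $3
IP.1  = $4
[ req_distinguished_name ]
CN = $2
EOF
}

# Print the SAN line of a CSR, e.g. "DNS:sa.example.test, DNS:sa, IP Address:10.0.0.5".
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Return 0 only if the CSR lists every name the server will be reached by;
# a certificate missing one of them is rejected by browsers for that name.
csr_has_sans() {   # $1 = CSR file, remaining args = expected entries (DNS:... / IP Address:...)
    csr="$1"; shift
    sans=$(csr_sans "$csr")
    for want in "$@"; do
        case ", $sans," in *", $want,"*) ;; *) echo "missing SAN: $want" >&2; return 1 ;; esac
    done
}

# Constructed demo: generate a throwaway key and CSR, then verify the SANs.
demo_csr_sans() (
    d=$(mktemp -d) && cd "$d" || exit 2
    write_req_config req.cnf sa.example.test sa 10.0.0.5
    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout k.key -out r.csr -config req.cnf 2>/dev/null
    csr_has_sans r.csr DNS:sa.example.test DNS:sa "IP Address:10.0.0.5"
)
```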

Import Trusted CAs

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the Trusted CAs section, click .
    The Import Certificate Authority dialog is displayed.
  4. In the CA Store File field, click Browse and select the certificate or certificate store.
  5. In the Password field, enter the password of the certificate or certificate store.

    Note: The password applies only to the .pkcs12 (.p12), .pfx, and .jks certificate store formats.

  6. If a CA file with the same name as the one you are importing already exists and you want to overwrite it with the new CA file, select the Overwrite Existing Entries checkbox.
  7. Click Save.
    The CA certificate is added to the Security Analytics Trusted CAs store.

Import SA Server Certificate with its Private Key

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the Server Certificates section, click .
    The Import Server Certificates dialog is displayed.
  4. In the Keystore/Certificate File field, click Browse and select the certificate store.
  5. In the Password field, enter the password of the certificate store.
  6. (Optional) If the user certificate and the Security Analytics server certificate are issued by the same CA, select the Import CAs checkbox.
  7. Click Save.
    The Security Analytics server certificate with its private key is added to Security Analytics.

Note: You can import multiple server certificates, each with its private key.

Note: The Import Server Certificates dialog may not close on some browsers; the import is nevertheless successful. To view the imported certificate, refresh the page.

  1. To specify a default server certificate, select a certificate and click Use as Server Certificate.
    The selected server certificate is highlighted in red.
  2. SSH to the Security Analytics server and run the following command:

    puppet agent -t

    This automatically updates the jetty-ssl.xml file with the selected server certificate.

  3. Restart the Jetty service for the changes to take effect.
