Sec/User Mgmt: Step 5. Import Certificate Revocation List

Document created by RSA Information Design and Development on Sep 19, 2017. Last modified by RSA Information Design and Development on Oct 2, 2017. Version 3.
 

This topic describes the procedure to import a Certificate Revocation List (CRL) to NetWitness Server.

A CRL is a file that contains a list of revoked certificates, with details such as the serial number and revocation date of each certificate. A certificate is typically revoked to prevent its misuse by unauthorized users. For example, if a NetWitness Suite user resigns from an organization, the user's certificate must be revoked by the issuing CA so that it cannot be misused.

You can import the CRL issued by your trusted CA so that NetWitness Suite can use it to block unauthorized users from accessing NetWitness Suite. You can specify or import a CRL in NetWitness Suite using the following options:

  • HTTP server - This is the most common CRL location, where the CA publishes the CRL to external applications using an HTTP server. The NetWitness Server reads the CRL from the HTTP URL.
  • Local CRL - This allows you to manually download the CRL for a CA and upload it to the NetWitness Server. For automation, you can write a cron job to copy the CRL to the /var/lib/netwitness/uax/pki/crl directory on the NetWitness Server. The NetWitness Server uses the updated CRL from the disk when the CRL is refreshed (every 5 minutes).
  • LDAP Resource - This is mostly used by Windows systems. You must specify an LDAP URL with the username and password to access the LDAP object. The NetWitness Server reads the CRL from the LDAP URL.
  • OCSP Responder - To specify an OCSP Responder, you need to provide the HTTP URL and the OCSP Responder's signing certificate. Make sure the OCSP Responder is online while adding the entry. If the OCSP Responder's signing certificate is updated, you must manually update the certificate in the NetWitness Server.

Procedure

Specify CRL file on HTTP server

Note: Make sure that the CRL is available and the HTTP server is accessible from the NetWitness Server.

To specify a CRL file on an HTTP server:

  1. In NetWitness Suite, go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the CRLs section, click the Add button.
  4. In the CRL Type field, select CRL is located on a HTTP Server from the drop-down list.
  5. In the URL field, specify the HTTP URL to access the CRL.
  6. Click Test.
    The NetWitness Suite UI displays the information extracted from the CRL.

    Note: If the CRL URL uses HTTPS, the NetWitness Server does not validate the web server certificate of the server on which the CRL is located.

  7. Click Save.
    The CRL file is successfully added to the NetWitness Server.

Import Local CRL file using NetWitness Suite UI

Note: Make sure that the CRL is downloaded from the CDP (CRL Distribution Point) location.

To import a local CRL file using the NetWitness Suite UI:

  1. In NetWitness Suite, go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the CRLs section, click the Add button.
    The CRL Settings dialog is displayed.
  4. In the CRL Type field, select CRL is available as a File from the drop-down list.
  5. In the CRL file field, click Browse to upload the CRL file.

    Note: The CRL file extension should be .crl.

  6. Click Test.
    The NetWitness Suite UI displays the information extracted from the CRL.
  7. Click Save.
    The CRL file is successfully added to the NetWitness Server.

Specify CRL as LDAP Resource using NetWitness Suite UI

Note: Make sure that the CRL is available and the LDAP server is accessible from the NetWitness Server.

  1. In NetWitness Suite, go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the CRLs section, click the Add button.
    The CRL Settings dialog is displayed.
  4. In the CRL Type field, select CRL is published as LDAP Resource from the drop-down list.
  5. In the URL field, specify the LDAP URL to access the CRL.

    Note: If the LDAP URL contains white spaces, they must be escaped; for example, CN=EMC Root CA is escaped as CN=EMC%20Root%20CA.

  6. In the Username field, enter the username in the format of Domain/Username.
  7. In the Password field, enter the password to access the CRL.
  8. Click Test.
    The NetWitness Suite UI displays the information extracted from the CRL.
  9. Click Save.
    The CRL is successfully added to the NetWitness Server.

Specify OCSP Responder using NetWitness Suite UI

Note: Make sure that the OCSP Responder is reachable from the NetWitness Server.

To specify an OCSP Responder using the NetWitness Suite UI:

  1. In NetWitness Suite, go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the CRLs section, click the Add button.
    The CRL Settings dialog is displayed.
  4. In the CRL Type field, select HTTP URL for OCSP Responder from the drop-down list.
  5. In the URL field, specify the HTTP URL of the OCSP Responder.
  6. In the Certificate field, click Browse to upload the OCSP Responder's signing certificate.
  7. Click Test.
    The NetWitness Suite UI displays the information extracted from the OCSP Responder's signing certificate.
  8. Click Save.
    The OCSP responder is successfully added to the NetWitness Server.

Configure CRL Settings

You must configure CRL settings to validate the CRL for certificate revocation.

To configure CRL settings:

  1. In NetWitness Suite, go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the CRL Settings section, select one of the following Failure Mode options.
    • Allow Users to login if Revocation check fails - This allows users to access the NetWitness Server if:
      • The CRL is not found for the user certificate's issuer.
      • The user certificate is not revoked but the CRL is expired.
      • The OCSP server is not reachable.
    • Block Users to login if Revocation Check fails - This allows users to log in if:
      • A CRL is available for the user certificate's issuer.
      • The user certificate is revoked and the CRL is valid.
      • The OCSP server is reachable and the user certificate is valid.

  4. In the Revocation Check Mode field, select how the user certificate is to be validated.
    • If you select CRL only mode, the CRL is considered valid if the following criteria are met:
      • A CRL exists that was issued by the same issuer as the user certificate.
      • The CRL is not expired.
      • The CRL is properly signed by the issuer.
    • If you select OCSP only mode, the OCSP response is considered valid if the following criteria are met:
      • An OCSP Responder exists that was issued by the same issuer as the user certificate.
      • The OCSP Responder is not expired.
      • The OCSP Responder is properly signed by the issuer.
    • If you select CRL then OCSP, the following criteria must be met:
      • The user certificate must be valid according to the CRL.
      • If the user certificate is valid in the above step, it is then validated using the OCSP Responder.
      • The user certificate is considered valid only if it is not revoked in the CRL and is valid according to the OCSP Responder.
  5. In the Multi CRL Mode field, select how CRLs are to be processed when there are multiple CRLs from the same issuer.
    • Check Revocation in Most Recently Issued CRL - The CRL with the latest issue date is considered the most recently issued CRL.
    • Check Revocation in Last Expiring CRL - The CRL with the latest expiry date is considered the last expiring CRL.
    • Combine All CRLs for Revocation Check - A certificate listed as revoked in any of the CRLs is considered revoked.

      Note:
      If there is more than one CRL, a CRL is considered unique on the basis of:
      - The date when the CRL is published.
      - The date when the CRL expires.
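The interaction of the three settings above (Failure Mode, Revocation Check Mode and Multi CRL Mode) is easier to see in code. The following is an added example, not NetWitness code: a simplified Python model in which CRLs and OCSP answers are constructed records rather than parsed X.509 objects, and the mode strings are assumed labels, not NetWitness configuration values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2017, 10, 2, 12, 0)  # constructed "current time" for the sample data
@dataclass(frozen=True)
class Crl:
    issuer: str                 # DN of the CA that signed the CRL
    issued: datetime            # thisUpdate: when the CRL was published
    expires: datetime           # nextUpdate: when the CRL expires
    revoked: frozenset          # serial numbers listed as revoked
    signature_ok: bool = True   # whether the issuer's signature verified

def usable_crls(crls, issuer):
    """'CRL only' validity criteria: same issuer, not expired, properly signed."""
    return [c for c in crls if c.issuer == issuer and c.expires > NOW and c.signature_ok]

def select_crls(crls, multi_mode):
    """Multi CRL Mode: which of several usable CRLs from one issuer to consult."""
    pick = {"most_recently_issued": lambda cs: [max(cs, key=lambda c: c.issued)],
            "last_expiring": lambda cs: [max(cs, key=lambda c: c.expires)],
            "combine_all": list}
    return pick[multi_mode](crls) if crls else []

def crl_allows(serial, issuer, crls, multi_mode, fail_open):
    """fail_open=True models 'Allow Users to login if Revocation check fails'."""
    chosen = select_crls(usable_crls(crls, issuer), multi_mode)
    if not chosen:              # no valid CRL for this issuer: the check itself failed
        return fail_open
    return not any(serial in c.revoked for c in chosen)

def ocsp_allows(ocsp_status, fail_open):
    """ocsp_status is 'good', 'revoked', or None when the responder is unreachable."""
    return fail_open if ocsp_status is None else ocsp_status == "good"

def allow_login(serial, issuer, crls, ocsp_status, check_mode, multi_mode, fail_open):
    """Apply the Revocation Check Mode to decide whether the login is allowed."""
    if check_mode == "crl_only":
        return crl_allows(serial, issuer, crls, multi_mode, fail_open)
    if check_mode == "ocsp_only":
        return ocsp_allows(ocsp_status, fail_open)
    if check_mode == "crl_then_ocsp":   # must pass the CRL check first, then OCSP
        return (crl_allows(serial, issuer, crls, multi_mode, fail_open)
                and ocsp_allows(ocsp_status, fail_open))
    raise ValueError(f"unknown Revocation Check Mode: {check_mode}")

# Constructed sample: two CRLs from one CA; only the newer, sooner-expiring one lists 0x1A.
SAMPLE_CRLS = [
    Crl("CN=Example Root CA", NOW - timedelta(days=7), NOW + timedelta(days=30), frozenset()),
    Crl("CN=Example Root CA", NOW - timedelta(days=1), NOW + timedelta(days=7), frozenset({0x1A})),
]
```

With the sample data, serial 0x1A is blocked under Most Recently Issued CRL and Combine All CRLs but allowed under Last Expiring CRL, and when no usable CRL exists for an issuer the outcome is decided solely by the Failure Mode.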

 

Next Step:

Step 6. Enable PKI
