BlancaRodriguez Super Contributor.

Change container certificate from self-signed to CA signed on connector appliance.


Hello,

for security policy reasons my client doesn't want to use self-signed certificates for the communication between the log sources and the ArcSight components.

We've generated a CA-signed certificate for the Connector Appliance, but the certificates that the containers present are self-signed and intended for the IP 192.168.35.35. Is it possible to install the CA-signed certificate for the container instead of the self-signed one?

Regards

Blanca Rodriguez
SIEM Engineer

Accepted Solutions
BlancaRodriguez Super Contributor.

Re: Change container certificate from self-signed to CA signed on connector appliance.


Hi Replay.

I managed to install the certificate, but I'm afraid there isn't an official procedure for doing it.

The complete procedure (requesting a CSR and everything) is:

1. Backup remote_management.cer and remote_management.p12

2. Create JKS Keystore and Keypair (Enter Cert subject information - hit enter for same password)

c:\arcsight\testing\current\jre\bin\keytool -keystore c:\arcsight\testing\current\user\agent\remote_management.jks -storepass changeit -genkeypair -alias tomcat -keysize 2048 -keyalg RSA

(This instruction is for Windows. On a Linux ConnApp you only have to change the path to /opt/arcsight/....)

3. Generate CSR

c:\arcsight\testing\current\jre\bin\keytool -keystore c:\arcsight\testing\current\user\agent\remote_management.jks -storepass changeit -certreq -alias tomcat -file c:\arcsight\testing\current\user\agent\remote_management.csr

4. Submit CSR to CA and get response certificate

5. Import Trusted CA Cert (answer yes to trust the CA cert - this must be imported before importing the new signed cert)

c:\arcsight\testing\current\jre\bin\keytool -keystore c:\arcsight\testing\current\user\agent\remote_management.jks -storepass changeit -importcert -alias whateverca -file c:\arcsight\testing\current\user\agent\ca.crt

6. Import signed Certificate

c:\arcsight\testing\current\jre\bin\keytool -keystore c:\arcsight\testing\current\user\agent\remote_management.jks -storepass changeit -importcert -alias tomcat -file c:\arcsight\testing\current\user\agent\remote_management.cer

7. Convert Keystore to P12 (answer no to quit processing - the new keystore will still work properly)

c:\arcsight\testing\current\jre\bin\keytool -importkeystore -srckeystore c:\arcsight\testing\current\user\agent\remote_management.jks -srcstorepass changeit -deststorepass changeit -srcstoretype JKS -deststoretype PKCS12 -destkeystore c:\arcsight\testing\current\user\agent\remote_management.p12

8. Restart the smartconnector

I had to import the certificate also for HTTPS on the ConnApp, and I couldn't get more than one CSR signed, so I generated the CSR using the ConnApp web manager and imported the certificate using the same web manager. Once the certificate was installed and running for HTTPS, I used the following procedure to import it into the container:

1. HTTPS certificates on the ConnApp are located under:

   /opt/arcsight/userdata/platform/ssl.crt/server.crt -> Public cert
   /opt/arcsight/userdata/platform/ssl.crt/server.pem -> Private key

2. Generate the corresponding p12 to use on the container with the command:

   #> openssl pkcs12 -export -in server.crt -inkey server.pem -out server.p12

3. Add the CA certificate to the p12 using keytoolgui.

4. Replace the container certificates with the ones generated:

   /opt/arcsight/container_X/current/user/agent/remote_management.cer -> replace with server.crt
   /opt/arcsight/container_X/current/user/agent/remote_management.p12 -> replace with server.p12

5. Restart the container.

Hope that helps.

Blanca Rodriguez
SIEM Engineer


Replay1 Valued Contributor.

Re: Change container certificate from self-signed to CA signed on connector appliance.


Hi,

Did you manage to find the way to install the CA-signed certificate?

I'm unsure about this step: when requesting the CA cert, do we need to provide any information, like when we generate the CSR for HTTPS/FTPS, or can we just request the admin to provide us with a CA-signed certificate?

What formats does it accept? PEM? cer?

The ConApp guide only provides the steps but not the information stated above.

Regards

harishreddybapp1 Frequent Contributor.

Re: Change container certificate from self-signed to CA signed on connector appliance.

We are using a software connector (not a connector appliance). Will this still work?

The two commands below are giving an error.
c:\arcsight\testing\current\jre\bin\keytool -keystore c:\arcsight\testing\current\user\agent\remote_management.jks -storepass changeit -certreq -alias tomcat -file c:\arcsight\testing\current\user\agent\remote_management.csr