Logger GUI Certificate with SHA256withRSA as Signing Algorithm

If you are familiar with this, you know that SHA-1 will be deprecated as a hash algorithm by 2016 by most recent web browsers. Unfortunately, the Logger GUI certificate that comes by default has SHAwithRSA as its signing algorithm, as does any other certificate you generate in the System Admin tab of this device. It would be nice if you could choose the signing algorithm, but unfortunately, you can't.

So I decided to dig a little bit into this (btw, as I did for ArcSight Express: ). Here is the procedure you need to follow if you want to generate a certificate with a decent signing algorithm (SHA256withRSA).

First of all, I must say that although I was able to do this without problems and nothing wrong happened to the Logger or to event receiving, you should follow this at your own risk! Anyway, if you follow this strictly, some steps will back up the original key and certificate, so if anything goes wrong it should be easy to restore the original files.

This was tested in a L7500s with version

1. Login via SSH to your Logger as "root" user (You can do this without requesting a challenge to the support team since version 6 or so)

2. Jump to user "arcsight":

[root@*******]# su - arcsight

3. Execute the following command. It will create two files: A Certificate Signing Request (request.csr) and a private key (server.pem).

[arcsight@******* ~]$ openssl req -out request.csr -newkey rsa:2048 -nodes -keyout server.pem -sha256

4. Send the .csr to your internal CA to sign your public key certificate. They will return your certificate signed by them. Rename the file they return to "server.crt". Now you have your private key in a file called "server.pem" and your public key certificate, signed by your internal CA, in a file called "server.crt". Now you have everything to import into Logger's Apache web server!

(If you don't want your certificate to be signed by a CA, you can generate a self-signed one by executing the following command: openssl x509 -req -days 365 -in request.csr -signkey server.pem -out server.crt -sha256)

5. cd to the folder where you need to replace the current private key and certificate:

[arcsight@******* ~]$ cd /opt/arcsight/userdata/platform/ssl.crt

6. Backup the current files (so if anything goes wrong you can replace them and return back to normal operation):

[arcsight@******** ssl.crt]$ cp server.crt server.crt.bak

[arcsight@******** ssl.crt]$ cp server.pem server.pem.bak

7. Copy the private key you've created in step 3 to the location where apache is expecting it:

[arcsight@******** ssl.crt]$ cp /path/to/created/server.pem server.pem

8. Do the same for the certificate signed by your internal CA (or self-signed certificate) received/created in step 4:

[arcsight@******** ssl.crt]$ cp /path/to/received/server.crt server.crt

9. Jump back again to "root" user:

[arcsight@******** ssl.crt]$ exit

10. Restart apache

[root@******* ~]# /opt/local/apache/bin/httpd -k restart

11. Just to make sure everything went fine, check the apache "error_log". The final lines should be similar to the following:

[Thu Feb 05 16:31:56 2015] [notice] SIGHUP received.  Attempting to restart

httpd: Could not reliably determine the server's fully qualified domain name, using for ServerName

[Thu Feb 05 16:31:57 2015] [notice] SSL FIPS mode disabled

[Thu Feb 05 16:31:57 2015] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8zc-fips configured -- resuming normal operations

12. Double check in your browser by accessing the Logger GUI and see if the certificate presented to you is the same one you've created in this procedure.

Now you have your certificate with a decent signing algorithm!


João Cruz

Re: Logger GUI Certificate with SHA256withRSA as Signing Algorithm

Thanks for the pointers.  We've been trying to get a supported answer from HP for six months.  I managed to achieve the same thing with a software logger using a slightly modified procedure:

1. cd <installdir>/userdata/platform/ssl.crt/

I used the existing key rather than creating a new one:

2. openssl req -new -sha256 -key server.pem -out server.csr

3. Send the CSR off to the CA to be signed.

Make a backup of the existing certificate, just in case:

4. cp server.crt server.crt.PRESHA2

5. Save the returned CRT file into server.crt in the same directory.  The GUI seems to be unable to validate the certificate via import, so you have to do this via the filesystem.

6. Restart apache (I did so via GUI).

7. Wait for the restart (takes a few minutes)

8. Validate the key now shows up as validated with SHA-2 via a browser.

Recipe is provided as-is, no warranty expressed or implied.  It probably invalidates support, but that wasn't getting me anywhere anyway.

Re: Logger GUI Certificate with SHA256withRSA as Signing Algorithm

After I uploaded my signed CA to the Logger (v6) I get an invalid certificate error when attempting to log in. The apache error log says the CommonName does not match the server name. Reading the Logger admin guide it indicates that the CN should match the hostname set in the NIC setting, which it does.

One note, we do access the site via IP address. The signed cert has the CN as the hostname with an alternate name including the IP address. We had it set up with just an IP originally, but that didn't work either.

Does anyone have any ideas as to what the problem could be?
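The two checks people end up doing by hand in this thread, confirming that the certificate really carries sha256WithRSAEncryption (step 12 of the original procedure) and confirming that the name or IP the browser connects with is actually in the certificate (the CN/alternate-name question just above), can both be done with the openssl CLI before anything is copied into Logger's ssl.crt directory. The shell functions below are an added example and are not code from the original post or from HP/ArcSight. They build a key and a SHA-256-signed CSR as in step 3, self-sign it with a subjectAltName covering both a hostname and an IP, and then report the signature algorithm and SAN coverage. WORKDIR, the hostname logger.example.internal and the IP 192.0.2.10 used in the comments are constructed placeholders; on an appliance you would point sigalg and san_covers at /opt/arcsight/userdata/platform/ssl.crt/server.crt.

```shell
#!/bin/sh
# Added example, not from the original post: build and check a SHA-256-signed
# certificate with a SAN using only the openssl CLI.
# WORKDIR and the names passed in are constructed placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a 2048-bit RSA key (server.pem) and a CSR (request.csr) signed with SHA-256.
# $1 = common name, i.e. the Logger hostname (e.g. logger.example.internal)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORKDIR/server.pem" -out "$WORKDIR/request.csr" 2>/dev/null
}

# Self-sign the CSR with SHA-256 and add a subjectAltName listing both the
# hostname and the IP address, so the certificate matches whichever one the
# browser uses to reach the GUI.
# $1 = hostname, $2 = IP address (e.g. 192.0.2.10)
self_sign() {
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$1" "$2" > "$WORKDIR/san.cnf"
  openssl x509 -req -days 365 -sha256 -in "$WORKDIR/request.csr" \
    -signkey "$WORKDIR/server.pem" -extfile "$WORKDIR/san.cnf" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Print the signature algorithm of a CSR ($1 = req) or a certificate ($1 = x509).
# $2 = file. The first "Signature Algorithm:" line of the text dump is the one
# recorded in the signed body, e.g. sha256WithRSAEncryption.
sigalg() {
  openssl "$1" -in "$2" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 if the certificate's SAN contains the given hostname or IP address.
# $1 = certificate file, $2 = the name or IP the browser will connect with
san_covers() {
  openssl x509 -in "$1" -noout -text | grep -qE "(DNS|IP Address):$2(,|\$)"
}
```

Run `sigalg x509` on the file the CA sends back before copying it into place: the -sha256 on the CSR only governs the request's own signature, and the signer chooses the certificate's algorithm, so a CA that still signs with SHA-1 will return sha1WithRSAEncryption however the request was made. `san_covers server.crt 192.0.2.10` answers the browser side of the question above, since a browser that connects by IP matches against an IP entry in the SAN rather than the CN; Apache's own CN-versus-ServerName warning in error_log is a separate comparison against the ServerName directive in the vhost configuration.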

Re: Logger GUI Certificate with SHA256withRSA as Signing Algorithm


Do we need to do same procedure for Logger and Connector appliance?

Connector appliance and Loggers support SHA-2?

Re: Logger GUI Certificate with SHA256withRSA as Signing Algorithm

I just followed this procedure and with a few tweaks in the directory structure it worked.

I'm on Logger 6.2.

Re: Logger GUI Certificate with SHA256withRSA as Signing Algorithm

After executing the command /opt/local/apache/bin/httpd -k restart, I get the error "httpd not running, trying to restart".

Any suggestion?

