pchristopher1 Absent Member.

estreamer woes

I am attempting to implement an estreamer connector and I am getting the following error when arcsight starts:

unable to find valid certification path to requested target.

and it disconnects from the sourcefire console

Anyone? I'm lost here, tried everything.

Thanks

14 Replies
vdor Absent Member.

Re: estreamer woes

Did you download the certificate from the Sourcefire Defense Center and put it in the proper location on the connector? When you set up the connection on the DC, you need to go and then click the URL that it creates and it'll download the cert. That cert has to be named with the IP or hostname of the Defense Center that matches the certificate. Then that certificate is put in a specific location on the connector installer (you'll have to double check the documentation for that one).

pchristopher1 Absent Member.

Re: estreamer woes

I put it as the documentation stated in user/agent/sourcefire and called it <DC IP>.pkcs12

It is still giving me this error


vdor Absent Member.

Re: estreamer woes

When you created it on the SF DC, did you name it as that IP address, or did you rename it afterwards? Also, can the connector machine reach the DC (any firewalls or anything else in between?)

pchristopher1 Absent Member.

Re: estreamer woes

It was entered as the IP address.  And it was not renamed. Firewalls checked and traffic is passing. The error seems to be in the connector not using the cert in the db.

vdor Absent Member.

Re: estreamer woes

Can you post a snippet of the logs where you see the error message? I likely won't see it again until tomorrow though..

Another thing.. if this is Linux, make sure that the cert file has permissions to be read by the same user that the connector runs as. If you scp'd it over, you may need to ease up the permissions a little bit on it.

pchristopher1 Absent Member.

Re: estreamer woes

It actually seems like it is ignoring the pkcs12 in the directory. Perms are good set to 755 and owned by the user arcsight runs as. I checked the 'fundamentals' as far as UNIX goes. It simply seems like it is not even looking or processing the pkcs12 bundle. The document actually says to put it in $ARCSIGHT_HOME/user/agent/sourcefire then run the runagentsetup.sh script.

Thanks,

Keith

vdor Absent Member.

Re: estreamer woes

If you open the agent.properties file, is there an entry that shows where the pkcs is supposed to be? Does it match the correct directory? Also, if you added the cert after the fact, you may want to run through the agentsetup again and see if there's an opportunity to define the specific file or directory.

pchristopher1 Absent Member.

Re: estreamer woes


Yeah there is an entry in the agent.properties file and it is showing the correct information. I added the cert before the runagentsetup.sh.

I am at a complete loss here.

vdor Absent Member.

Re: estreamer woes

The only thing else I can think of is to ensure that 8305 is open between the two (I think you already did this). The next step I would do is just to rebuild the connector step by step, including generating a new cert from the DC. Can't hurt anything at this point.

pchristopher1 Absent Member.

Re: estreamer woes


Question: if the cert has a password, how is that handled by the connector? I think the problem is no password in a pkcs12 file generates a / by 0 error when attempting to add it to a keystore.

I don't see an entry in agent.properties for a password.

vdor Absent Member.

Re: estreamer woes

This is where you would define the password and pkcs file information in the connector config (see the last field). If you never saw a screen similar to this in the agent configuration, you did it incorrectly.

estreamer.jpg

vdor Absent Member.

Re: estreamer woes


Also, even though the estreamer has the ability to not use a password, I think defining one is required to work with the connector.

pchristopher1 Absent Member.

Re: estreamer woes

Therein lies the rub. I cannot use the GUI and the console install does not prompt for these items. I had to hand-edit them. But according to the documentation, the default or undefined password is always changeit, so that is what I made it.

I wish I had a functioning solaris or UNIX agent.properties to review against mine.


pchristopher1 Absent Member.

Re: estreamer woes

OK, so there were several steps to this process to get it working.

1) I took the pkcs12 output from the sourcefire and, using pk12util, I added them manually to the cert8 for arcsight. After doing this, I noticed the error changed to handshake failed. This led me back to the sourcefire config.

2) On the sourcefire, added to a trusted host in the menu (well, my network guy did this).

Now it seems to be working.

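A pre-flight check for the bundle problems raised in this thread (readability, file name, password), as an added example that is not part of any post above and not vendor code. The function name, return codes and sample address are assumptions, and the commented pk12util lines use a placeholder NSS database directory because the thread does not give the cert8 location.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an eStreamer PKCS#12 bundle before the connector uses it.
# Return codes (chosen for this example): 0 ok, 1 unreadable, 2 wrong file name,
# 3 cannot open with the given password, 4 no certificate or certificate expired.

check_estreamer_bundle() {
    local file="$1" dc_host="$2" pass="$3" pem

    # 1. The account the connector runs as must be able to read the file.
    [ -r "$file" ] || { echo "cannot read $file as $(id -un)" >&2; return 1; }

    # 2. Per the thread, the bundle is named after the Defense Center IP/hostname.
    [ "$(basename "$file")" = "${dc_host}.pkcs12" ] ||
        { echo "expected file name ${dc_host}.pkcs12" >&2; return 2; }

    # 3. The bundle must open with the password the connector is configured with
    #    (an empty password is tested by passing "").
    pem=$(openssl pkcs12 -in "$file" -nokeys -passin "pass:$pass" 2>/dev/null) ||
        { echo "bundle does not open with this password" >&2; return 3; }

    # 4. It must contain a certificate that has not expired.
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "no certificate found, or certificate expired" >&2; return 4; }

    # Show which certificate the bundle carries.
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
}

# Manual import into an NSS database as in the final post (placeholder directory;
# the thread does not give the cert8 location):
#   pk12util -i "<DC IP>.pkcs12" -d "<NSS_DB_DIR>" -W "<bundle password>"
#   certutil -L -d "<NSS_DB_DIR>"    # confirm the entries were added

# Example call with constructed values (192.0.2.10 is a documentation address):
#   check_estreamer_bundle "$ARCSIGHT_HOME/user/agent/sourcefire/192.0.2.10.pkcs12" 192.0.2.10 changeit
```

On OpenSSL 3.x, a bundle encrypted with older algorithms may need `-legacy` added to the `openssl pkcs12` call before step 3 succeeds.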