Configuring Transformation Hub Access - FIPS Mode (Server Authentication Only)
This section describes how to configure ESM to access Transformation Hub when FIPS mode is enabled. FIPS 140-2 is the only supported FIPS mode.
To configure ESM access to Transformation Hub in FIPS Mode:
-
As user arcsight, stop the ArcSight Manager:
/etc/init.d/arcsight_services stop manager
-
From the Transformation Hub server, copy the certificate from /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt to a location on the ESM server.
-
Use the keytool command to import the root CA certificate into the ESM client truststore:
/opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>
-
As user arcsight, run the following command from the /opt/arcsight/manager/bin directory to start the managersetup wizard:
./arcsight managersetup -i console
-
Provide the following information:
Note: You do not need to provide the path to the Transformation Hub root certificate, as it has already been imported.
-
Specify the host name or IP address and port information for the nodes in Transformation Hub. Include the host and port information for all nodes and not just the master node. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).
Note: You must specify the host name and not the IP address.
Transformation Hub can only accept IPv4 connections from ESM.
If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.
-
Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.
For more information, see the Administrator's Guide for the ArcSight Platform.
Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2).
-
If the Kafka cluster is not configured to use SASL/PLAIN authentication, leave the authentication type as None. If the Kafka cluster is configured to use SASL/PLAIN authentication, select SASL/PLAIN as the authentication type.
-
If you selected SASL/PLAIN as the client authentication type, specify the user name and password for authenticating to Kafka.
The wizard validates the connection to Transformation Hub. If there are any issues, you will receive an error or warning message. If the wizard does not generate error or warning messages and you are able to advance to the next screen, the connection is valid.
-
Advance through the wizard and complete the configuration.
For more information about managersetup, see the ESM Administrator's Guide.
-
As user arcsight, restart the ArcSight Manager:
/etc/init.d/arcsight_services start all
-
To verify that the connection to Transformation Hub is working, look for the line "Transformation Hub service is initialized" in server.std.log.
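The following pre-flight script is an added example, not part of the ESM documentation or tooling. It checks the values this procedure asks for (host names rather than IP addresses in the <host>:<port> list, at most 25 topics) and looks for the initialization line in the log. The function names are hypothetical, and the path to server.std.log is passed as an argument because this page does not give it.

```shell
#!/bin/sh
# Pre-flight checks for the values entered in managersetup (added example).
# Function names are hypothetical; they are not ArcSight commands.

# Succeeds only for a comma-separated list of <host>:<port> entries in which
# every host is a name (no IP literal) and every port is in 1-65535.
validate_brokers() {
    rest=$1
    case $rest in ''|*,) return 1 ;; esac            # empty list or trailing comma
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case $entry in *:*) ;; *) return 1 ;; esac    # the port is mandatory
        host=${entry%:*}
        port=${entry##*:}
        case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac  # also rejects IPv6 literals
        case $host in *[!0-9.]*) ;; *) return 1 ;; esac      # digits and dots only: IPv4
        case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
}

# Succeeds for a comma-separated list of 1 to 25 non-empty topic names.
validate_topics() {
    rest=$1
    count=0
    case $rest in ''|*,) return 1 ;; esac
    while [ -n "$rest" ]; do
        topic=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        [ -n "$topic" ] || return 1
        count=$((count + 1))
    done
    [ "$count" -le 25 ]
}

# Succeeds if the log file given as $1 contains the initialization line.
th_initialized() {
    grep -qF 'Transformation Hub service is initialized' "$1"
}

# Usage: preflight.sh <host:port,...> <topic,...> [path to server.std.log]
if [ "$#" -ge 2 ]; then
    validate_brokers "$1" || { echo "bad host list: $1" >&2; exit 1; }
    validate_topics "$2" || { echo "bad topic list: $2" >&2; exit 1; }
    [ -z "${3:-}" ] || th_initialized "$3" || { echo "not initialized" >&2; exit 1; }
fi
```

Run the first two checks before starting managersetup, and pass the log path only after the Manager has been restarted.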