Configuring Certificate Management

Certificate Management is an optional feature that provides tools for managing both self-signed and CA-signed certificates. With Certificate Management configured, all component certificates are signed by a single root certificate. That root certificate is placed in the truststore of every component that requires a secure connection. Once the root certificate is in the truststore, any certificate signed by that root certificate is trusted. This also means that every component trusts a renewed component certificate automatically, because the renewed certificate is signed by the same root. Certificate Management therefore saves time: you do not have to update each certificate manually. See the ESM Administrator's Guide for more information about Certificate Management.

Compact Mode

  1. Shut down ESM by issuing the following:

    /etc/init.d/arcsight_services stop all
  2. Enable certificate management by issuing:

    /opt/arcsight/manager/bin/arcsight keyadmin setup

    Note: If you have not changed the managerkeys and clientkeys passwords before enabling keyadmin, you might be prompted to change your ESM password.

  3. Change the password of the managerkeys by issuing:

    /opt/arcsight/manager/bin/arcsight keyadmin changePassword --store managerkeys
  4. Change the password of the clientkeys by issuing:

    /opt/arcsight/manager/bin/arcsight keyadmin changePassword --store clientkeys
  5. On the persistor, initialize certificate management by issuing:

    /opt/arcsight/manager/bin/arcsight keyadmin initializeManagement
  6. Choose Compact.

  7. Choose self-signed or CA-signed.

  8. (Conditional) If self-signed is chosen, the process runs to completion.

  9. (Conditional) If CA-signed is chosen, the process creates a certificate request and places it in the /opt/arcsight/manager/security/tmp directory.

  10. (Conditional) Have your CA sign the certificate request, place the signed certificate in the file specified, and place the CA certificate in the file specified. All files should be in the /opt/arcsight/manager/security/tmp directory.

  11. Press Enter; the node will be processed.

  12. Restart ESM by issuing the following on the persistor node:

    /etc/init.d/arcsight_services start all

Distributed Mode

  1. Shut down ESM by issuing the following on the persistor node:

    /etc/init.d/arcsight_services stop all
  2. Enable certificate management by issuing the following on the persistor node:

    /opt/arcsight/manager/bin/arcsight keyadmin setup

    Note: If you have not changed the managerkeys and clientkeys passwords before enabling keyadmin, you might be prompted to change your ESM password.

  3. Change the password of the managerkeys by issuing the following on the persistor node:

    /opt/arcsight/manager/bin/arcsight keyadmin changePassword --store managerkeys
  4. Change the password of the clientkeys by issuing the following on the persistor node:

    /opt/arcsight/manager/bin/arcsight keyadmin changePassword --store clientkeys
  5. Repeat steps 2-4 on all nodes in the cluster.

  6. On the persistor, initialize certificate management by issuing:

    /opt/arcsight/manager/bin/arcsight keyadmin initializeManagement
  7. Choose Distributed.

  8. Choose self-signed or CA-signed.

  9. Enter the list of nodes (excluding the persistor node), separated by commas.

  10. (Conditional) If self-signed is chosen, the process runs to completion.

  11. (Conditional) If CA-signed is chosen, the process creates a certificate request and places it in the /opt/arcsight/manager/security/tmp directory.

  12. (Conditional) Have your CA sign the certificate request, place the signed certificate in the file specified, and place the CA certificate in the file specified. All files should be in the /opt/arcsight/manager/security/tmp directory.

  13. Press Enter; the node will be processed.

  14. Steps 11 to 13 repeat for each node.

  15. Restart ESM by issuing the following on the persistor node:

    /etc/init.d/arcsight_services start all
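Before pressing Enter at the CA-signed step (step 10 in Compact mode, step 12 in Distributed mode), it is worth confirming that the files placed in /opt/arcsight/manager/security/tmp are the ones keyadmin expects. The following shell function is an added example, not part of the ESM documentation or the keyadmin tool; it assumes PEM-encoded files and that `openssl` is on the PATH, and the file names in the usage comment are illustrative placeholders.

```shell
# Added example (not from the ESM documentation): pre-flight checks on the
# request, signed certificate and CA certificate before keyadmin imports them.
# Checks that the signed certificate chains to the CA certificate that will be
# distributed to the truststores, that it has not expired, and that it carries
# the public key of the request keyadmin generated (a CA returning the wrong
# certificate is a common reason the wizard later fails).
check_signed_cert() {
  csr="$1"; cert="$2"; ca="$3"
  for f in "$csr" "$cert" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # 1. The signed certificate must validate against the CA certificate;
  #    any component holding that CA in its truststore will otherwise reject it.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $ca" >&2; return 1; }
  # 2. The certificate must currently be within its validity period.
  openssl x509 -in "$cert" -checkend 0 -noout >/dev/null 2>&1 \
    || { echo "$cert has expired" >&2; return 1; }
  # 3. The public key in the certificate must equal the one in the request,
  #    otherwise it does not belong to the key pair in the keystore.
  csr_key=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)
  cert_key=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ] \
    || { echo "$cert does not match the public key in $csr" >&2; return 1; }
  echo "OK: $cert is signed by $ca and matches $csr"
}

# Illustrative invocation; the file names are placeholders, use the names
# printed by keyadmin:
# check_signed_cert /opt/arcsight/manager/security/tmp/node.csr \
#                   /opt/arcsight/manager/security/tmp/node-signed.pem \
#                   /opt/arcsight/manager/security/tmp/ca.pem
```

Run it on each node's files before answering the prompt; a non-zero exit and the message on stderr tell you which of the three files to replace.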