Setting Up SSL Client-Side Authentication Between Transformation Hub and ESM - Non-FIPS Mode

Before setting up client-side authentication with Transformation Hub, you must import the Transformation Hub root certificate into the ESM truststore.

Transformation Hub maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster. ESM needs that CA certificate in its truststore so that it will trust connections to Transformation Hub. For information about obtaining the certificate, see the information about viewing and changing the certificate authority in the Administrator's Guide for the ArcSight Platform. You might need to contact the Transformation Hub administrator to obtain the CA certificate if you do not have sufficient privileges to access the Transformation Hub cluster.

To import the Transformation Hub root certificate into the ESM truststore:

Note: Before completing the steps below, verify whether the Transformation Hub root certificate has previously been imported into ESM. If it has, you do not need to re-import it.
  1. On the Transformation Hub server, export the root CA certificate by running /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt, then copy /tmp/ca.crt to a location on the ESM server.

  2. Use the keytool command to import the root CA certificate into the ESM truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias alias1 -importcert -file /tmp/ca.crt

To enable client-side authentication between Transformation Hub and ESM:

  1. Obtain your company's root CA certificate and the intermediate CA certificate and its private key, and place them in /tmp with the following names:

    • /tmp/intermediate.cert.pem
    • /tmp/intermediate.key.pem
    • /tmp/ca.cert.pem
  2. Verify that Transformation Hub is functional and that client authentication is configured.
  3. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  4. If /opt/arcsight/manager/config/client.properties does not exist, create it using an editor of your choice.

  5. Change the store password for the client keystore, keystore.client, which has an empty password by default. (The empty password interferes with the certificate import.) Run the following command and enter the new store password when prompted:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -storepasswd -storepass ""

  6. Update the password of the generated key services-cn in the keystore so that it matches the new store password. Run the following command and, when prompted, enter the same password that you entered for the store password:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -keypasswd -keypass "" -alias services-cn
  7. Run the following command to update the password in config/client.properties:

    /opt/arcsight/manager/bin/arcsight changepassword -f config/client.properties -p ssl.keystore.password
  8. Generate the keypair and certificate signing request (.csr) file. When generating the keypair, enter the fully-qualified domain name of the ArcSight Manager host as the common name (CN) for the certificate.

    Run the following commands:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -genkeypair -dname "cn=<your host's fully-qualified domain name>, ou=<your organization>, o=<your company>, c=<your country>" -keyalg rsa -keysize 2048 -alias ebkey -startdate -1d -validity 366
    /opt/arcsight/manager/bin/arcsight keytool -certreq -store clientkeys -alias ebkey -file ebkey.csr

    where ebkey.csr is the file in which the CSR is written.

  9. Sign the .csr with the Transformation Hub intermediate CA certificate and key. On the Transformation Hub server, the intermediate certificate is located at /opt/arcsight/kubernetes/ssl/intermediate.cert.pem and the key is called ca.key.

    Run the following command on either the Transformation Hub server or a different server with a functional openssl (as long as you have the intermediate.cert.pem and intermediate.key.pem available):

    openssl x509 -req -CA ${INTERMEDIATE_CA_CRT} -CAkey ${INTERMEDIATE_CA_KEY} -in <full path to the esm csr> -out <full path and file name for storing the generated cert> -days 3650 -CAcreateserial -sha256

    For example:

    openssl x509 -req -CA /tmp/intermediate.cert.pem -CAkey /tmp/intermediate.key.pem -in /tmp/ebkey.csr -out /tmp/signedIntermediateEBkey.crt -days 3650 -CAcreateserial -sha256

    You must specify all file locations with the full path.

  10. Import the intermediate certificate from Transformation Hub into the ESM client truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias <alias for the certificate> -importcert -file <absolute path to certificate file>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias ebcaroot -importcert -file /tmp/intermediate.cert.pem
  11. On the ESM server, run the following command to import the signed certificate (the file named by the -out parameter of the openssl command above):

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file <path to signed cert> -trustcacerts

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file /tmp/signedIntermediateEBkey.crt -trustcacerts
  12. To verify that the configuration is complete and that the connection to Transformation Hub is valid, run managersetup and ensure that there are no errors.
  13. Start the ArcSight Manager (the following command starts all ArcSight services):

    /etc/init.d/arcsight_services start all
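The signing step in step 9 (openssl x509 -req against the intermediate CA) together with the chain and CN checks worth running before the result is imported in step 11, as an added shell example that is not part of this guide or the ArcSight product. It builds a throwaway intermediate CA and an openssl-generated key and CSR in a temporary directory in place of the real /tmp/intermediate.*.pem files and the keytool-managed clientkeys store; the host name esm.example.com, the subject fields and the config file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ArcSight guide): run the CSR-signing step
# against a throwaway intermediate CA and check the result before it is
# imported into the ESM clientkeys store. All inputs are constructed here;
# in a real deployment the intermediate cert/key come from Transformation
# Hub and the key pair/CSR come from keytool -genkeypair / -certreq.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Assumed Manager host name; use the real fully-qualified domain name.
ESM_FQDN="esm.example.com"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. v3_ca marks the throwaway CA as a CA so openssl verify
# accepts it as a trust anchor.
cat >"$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Intermediate CA
O = Example
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway CA standing in for /tmp/intermediate.cert.pem and intermediate.key.pem.
make_demo_ca() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/intermediate.key.pem" -out "$WORK/intermediate.cert.pem" \
    2>/dev/null
}

# Key pair and CSR with the Manager FQDN as the CN, mirroring the dname
# the procedure passes to keytool -genkeypair.
make_csr() {
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example/OU=SOC/CN=$ESM_FQDN" \
    -keyout "$WORK/ebkey.key" -out "$WORK/ebkey.csr" 2>/dev/null
}

# Sign the CSR with exactly the options the procedure uses in step 9.
sign_csr() {
  openssl x509 -req -CA "$WORK/intermediate.cert.pem" \
    -CAkey "$WORK/intermediate.key.pem" -in "$WORK/ebkey.csr" \
    -out "$WORK/signedIntermediateEBkey.crt" \
    -days 3650 -CAcreateserial -sha256 2>/dev/null
}

# CN of the signed certificate, taken from its RFC 2253 subject string.
signed_cert_cn() {
  openssl x509 -in "$WORK/signedIntermediateEBkey.crt" -noout -subject \
    -nameopt RFC2253 | sed -n 's/.*[=,]CN=\([^,]*\).*/\1/p'
}

# Checks to run before keytool -importcert in step 11: the signed certificate
# chains to the intermediate CA, and its CN is the Manager FQDN.
verify_signed_cert() {
  openssl verify -CAfile "$WORK/intermediate.cert.pem" \
    "$WORK/signedIntermediateEBkey.crt" >/dev/null 2>&1 || return 1
  [ "$(signed_cert_cn)" = "$ESM_FQDN" ]
}

# Full flow: CA, CSR, signing, verification. Returns non-zero on any failure.
run_demo() {
  make_demo_ca && make_csr && sign_csr && verify_signed_cert
}
```

Run it with `run_demo && signed_cert_cn` after sourcing the file. Two points carry over to the real procedure: openssl x509 -req does not copy extensions from the CSR into the signed certificate unless you tell it to, so the resulting client certificate carries only what the signing command adds; and `openssl verify -CAfile intermediate.cert.pem <signed cert>` against the real intermediate is a cheap way to catch a wrong key or cert file before the keytool import in step 11 fails with a less helpful error.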