Completing the Database Setup

This section details the process for completing the database setup.


Gathering Keys and Certificates from Deployed Capabilities

The database and deployed capabilities need to establish a trusted connection. To do so, gather the keys and certificates from the deployed capabilities.

  1. Log in to an ArcSight master node as root.
  2. On the master node, run the following command:

     kubectl cp $( kubectl get namespaces | grep arcsight | cut -d ' ' -f1)/$( kubectl get pods -A | grep fusion-db-search-engine | cut -d ' ' -f4 ):/vault-crt/RE /tmp -c hercules-search-engine

  3. Copy the following files to the database node1 as root:

     /tmp/issue_ca.crt
     /tmp/vertica.crt
     /tmp/vertica.key

Enabling the Database to Receive SSL Connections

For data privacy, the following procedures are recommended but optional.

Creating the Database Server Key and Certificate

  1. Log in to the database node1 as root.
  2. Create a working directory for generating keys and certificates, such as:

     mkdir -p /opt/cert

  3. Change into that directory:

     cd /opt/cert

  4. Copy the following files (gathered from the deployed capabilities) into this directory as root:

     issue_ca.crt
     vertica.crt
     vertica.key

  5. Create a certificate authority for the database by running the following command:

     openssl req -newkey rsa:4096 -sha256 -keyform PEM -keyout generated-db-ca.key -x509 -days 3650 -outform PEM -out \
       generated-db-ca.crt \
       -subj "/C=US/ST=California/L=Santa Clara/O=Micro Focus/OU=Arcsight/CN=RootCA/emailAddress=admin@microfocus.com" -nodes

  6. Create the database server key by running the following command:

     openssl genrsa -out generated-db-server.key 4096 -nodes -sha256
     Generating RSA private key, 4096 bit long modulus
     ............................................................................................................................................................................................................................++
     ...............................................................................................................................................................++
     e is 65537 (0x10001)

  7. Create the database server certificate signing request by running the following command:

     openssl req -new -key generated-db-server.key -out generated-db-server.csr \
       -subj "/C=US/ST=California/L=Santa Clara/O=Micro Focus/OU=Arcsight/CN=Database/emailAddress=admin@microfocus.com" -nodes -sha256

  8. Sign the certificate signing request with the self-signed CA by running the following command:

     openssl x509 -req -in generated-db-server.csr -CA generated-db-ca.crt -CAkey generated-db-ca.key -CAcreateserial -extensions server -days 3650 -outform PEM -out generated-db-server.crt -sha256
     Signature ok
     subject=/C=US/ST=California/L=Santa Clara/O=Micro Focus/OU=Arcsight/CN=Database/emailAddress=admin@microfocus.com
     Getting CA Private Key

  9. Change to the database tools directory by running the following command:

     cd /opt/arcsight-db-tools

  10. Enable database SSL by running the following command, passing the server certificate and key you just generated and the CA certificate gathered from the deployed capabilities as the client CA:

     ./db_ssl_setup --enable-ssl --vertica-cert-path /opt/cert/generated-db-server.crt --vertica-key-path /opt/cert/generated-db-server.key --client-ca-path /opt/cert/issue_ca.crt
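Before handing the generated files to db_ssl_setup, it is worth confirming that the server certificate actually chains to generated-db-ca.crt, that the private key belongs to that certificate, and that the key file is not readable by other users. The script below is an added example and not part of the ArcSight documentation or tooling: it reproduces the CA / key / CSR / signing flow from the steps above into a scratch directory (with constructed subject names and 2048-bit keys so it runs quickly) and then runs those checks, so the same verify_db_chain function can be pointed at /opt/cert on a real node.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation): build a throwaway CA and
# server certificate with the same openssl flow as the procedure above, then run
# the checks a practitioner should do before calling db_ssl_setup.
# Directory names and certificate subjects below are constructed for this example.

# generate_test_pki DIR
# Reproduces the flow (CA, server key, CSR, CSR signed by the CA) into DIR.
# 2048-bit keys are used only to keep the example fast; the procedure uses 4096.
generate_test_pki() {
  dir="$1"
  mkdir -p "$dir" || return 1
  openssl req -newkey rsa:2048 -sha256 -keyout "$dir/generated-db-ca.key" \
    -x509 -days 3650 -out "$dir/generated-db-ca.crt" \
    -subj "/C=US/O=Example/OU=Example/CN=RootCA" -nodes >/dev/null 2>&1 || return 1
  openssl genrsa -out "$dir/generated-db-server.key" 2048 >/dev/null 2>&1 || return 1
  openssl req -new -key "$dir/generated-db-server.key" \
    -out "$dir/generated-db-server.csr" \
    -subj "/C=US/O=Example/OU=Example/CN=Database" -sha256 >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/generated-db-server.csr" -CA "$dir/generated-db-ca.crt" \
    -CAkey "$dir/generated-db-ca.key" -CAcreateserial -days 3650 \
    -out "$dir/generated-db-server.crt" -sha256 >/dev/null 2>&1 || return 1
  # Private keys should be owner-only; older openssl builds honour the umask instead.
  chmod 600 "$dir/generated-db-ca.key" "$dir/generated-db-server.key"
}

# verify_db_chain DIR
# Returns 0 only if: the server cert chains to the CA in DIR, the private key
# matches the cert, the cert does not expire within 30 days, and the key file
# mode is 600 or 400. Every failed check prints one line to stderr.
verify_db_chain() {
  dir="$1"
  ca="$dir/generated-db-ca.crt"
  crt="$dir/generated-db-server.crt"
  key="$dir/generated-db-server.key"
  rc=0
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "server cert does not chain to $ca" >&2; rc=1; }
  crt_mod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  { [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; } \
    || { echo "private key does not match certificate" >&2; rc=1; }
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "certificate expires within 30 days" >&2; rc=1; }
  perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
  case "$perms" in
    600|400) ;;
    *) echo "key file mode is '$perms'; expected 600 or 400" >&2; rc=1 ;;
  esac
  return $rc
}

# Stand-alone usage: generate into a scratch directory and verify it.
if [ "${1:-}" = "--demo" ]; then
  scratch=$(mktemp -d)
  generate_test_pki "$scratch" && verify_db_chain "$scratch" && echo "chain OK in $scratch"
fi
```

On a real node you would skip generate_test_pki and run verify_db_chain /opt/cert after step 8; a failing chain check there usually means the CSR was signed with a different CA file than the one later pasted into the CDF Management Portal.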

Configuring Deployed Capabilities to Use SSL for Database Connection

  1. Log in to the CDF Management Portal.
  2. Navigate to Fusion > Database Configuration > Database Certificate(s).
  3. Enable the Use SSL for Database Connection option.
  4. Copy the complete contents of the file generated-db-ca.crt, created from the steps earlier, into the Database Certificate(s) text area.
  5. Click Save to activate the configuration changes.


Enabling the Database to Ingest Events from Transformation Hub

The database uses a component named "Kafka scheduler" to ingest events from Transformation Hub's Kafka component.

  1. Log in to the database node1 as root and change to the database tools directory:

     cd /opt/arcsight-db-tools

  2. Configure the Kafka scheduler SSL setting.
     • Plain Text: This option requires you to enable Allow plain text (non-TLS) connections to Kafka. To enable this option, see Configuring the Deployed Capabilities.
       To configure the Kafka scheduler to use plain text, run the following command:
       ./sched_ssl_setup --disable-ssl
     • SSL: This option requires that the Enabling the Database to Receive SSL Connections section was completed. The command uses the crt and key files gathered or generated in earlier steps.
       To configure the Kafka scheduler to use SSL, run the following command:
       ./sched_ssl_setup --enable-ssl --sched-cert-path /opt/cert/vertica.crt --sched-key-path /opt/cert/vertica.key --vertica-ca-path /opt/cert/generated-db-ca.crt --kafka-ca-path /opt/cert/issue_ca.crt
  3. Configure the schema registry server setting, which the database's Kafka scheduler uses to obtain the event schema from Transformation Hub's Schema Registry component:

     ./schema_registry_setup <FQDN of ArcSight Platform Virtual IP for HA or single master node> /opt/cert/issue_ca.crt

  4. Create the Kafka scheduler. Specify one or more Transformation Hub nodes that have the kafka:yes label, as a comma-separated list. For high availability, we recommend specifying at least three nodes.
     • If the Kafka scheduler was configured to use plain text in the previous step, use port 9092:
       ./kafka_scheduler create <Transformation_Hub_Node_1_IP>:9092,<Transformation_Hub_Node_2_IP>:9092,<Transformation_Hub_Node_3_IP>:9092
     • If Kafka scheduler SSL was enabled in the previous step, use port 9093:
       ./kafka_scheduler create <Transformation_Hub_Node_1_IP>:9093,<Transformation_Hub_Node_2_IP>:9093,<Transformation_Hub_Node_3_IP>:9093
     For a list of options you can specify when installing the scheduler, click here.
  5. Check the database status:

     ./db_installer status

  6. Check the scheduler status, event-copy progress, and messages:

     ./kafka_scheduler status
     ./kafka_scheduler events
     ./kafka_scheduler messages

  7. Continue to the post-deployment section.
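A common mistake in the scheduler steps above is mixing the SSL mode chosen with sched_ssl_setup and the broker ports passed to kafka_scheduler create (9092 for plain text, 9093 for SSL), or listing fewer than the recommended three nodes. The following is an added example, not part of the ArcSight tooling: check_scheduler_brokers validates the broker list against the chosen mode before you run the create command, and probe_broker_tls confirms that an SSL listener presents a certificate that chains to the issue_ca.crt used for --kafka-ca-path. Function names and the sample IP lists are constructed; host names and IPv4 addresses are expected, not bracketed IPv6 literals.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation): sanity-check the argument
# that will be passed to "./kafka_scheduler create". The port-to-mode mapping
# (9092 plain text, 9093 SSL) and the three-node recommendation come from the
# procedure above; the function names and sample lists are constructed here.

# check_scheduler_brokers MODE LIST
#   MODE is "plain" or "ssl"; LIST is the comma-separated host:port list.
# Returns 0 if every entry is host:port with a numeric port, every port matches
# MODE, no entry is repeated, and at least three brokers are listed.
# Each problem is reported on stderr.
check_scheduler_brokers() {
  mode="$1"; list="$2"; rc=0; count=0; seen=","
  case "$mode" in
    plain) want=9092 ;;
    ssl)   want=9093 ;;
    *) echo "unknown mode '$mode' (use plain or ssl)" >&2; return 1 ;;
  esac
  # Split the list on commas without bash arrays (POSIX sh).
  old_ifs="$IFS"; IFS=","
  set -- $list
  IFS="$old_ifs"
  for entry in "$@"; do
    count=$((count + 1))
    host="${entry%:*}"; port="${entry##*:}"
    if [ -z "$host" ] || [ "$host" = "$entry" ]; then
      echo "entry '$entry' is not in host:port form" >&2; rc=1; continue
    fi
    case "$port" in
      ''|*[!0-9]*) echo "entry '$entry' has a non-numeric port" >&2; rc=1; continue ;;
    esac
    if [ "$port" != "$want" ]; then
      echo "entry '$entry': port $port does not match $mode mode (expected $want)" >&2
      rc=1
    fi
    case "$seen" in
      *",$entry,"*) echo "duplicate entry '$entry'" >&2; rc=1 ;;
    esac
    seen="$seen$entry,"
  done
  if [ "$count" -lt 3 ]; then
    echo "only $count broker(s) listed; at least three are recommended for HA" >&2
    rc=1
  fi
  return $rc
}

# probe_broker_tls HOST:PORT CA_FILE
# Opens a TLS connection to one SSL broker and returns 0 only if the certificate
# it presents verifies against CA_FILE (the issue_ca.crt given to --kafka-ca-path).
# This makes a network connection, so it is not part of the offline checks.
probe_broker_tls() {
  out=$(openssl s_client -connect "$1" -CAfile "$2" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | grep -q "Verify return code: 0 (ok)"
}

# Stand-alone usage: validate a list, then (for SSL mode) probe each broker.
if [ "${1:-}" = "--check" ]; then
  mode="$2"; list="$3"; ca="${4:-/opt/cert/issue_ca.crt}"
  check_scheduler_brokers "$mode" "$list" || exit 1
  if [ "$mode" = "ssl" ]; then
    old_ifs="$IFS"; IFS=","; set -- $list; IFS="$old_ifs"
    for b in "$@"; do
      probe_broker_tls "$b" "$ca" && echo "$b: certificate chains to $ca" \
        || echo "$b: TLS verification failed against $ca" >&2
    done
  fi
fi
```

Run it as ./check_brokers.sh --check ssl "node1:9093,node2:9093,node3:9093" /opt/cert/issue_ca.crt before the create step; a "Verify return code" other than 0 from the probe means the scheduler will not be able to trust that broker with the CA file you are about to hand it.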


Configuring the Schema Registry Port

For cloud deployments, add a load balancing rule on the AKS cluster that connects the database to the schema registry on port 32081.