Installing and Configuring the FlexConnectors
You need to install two REST FlexConnectors: one to collect and parse the Alerts data, and another to collect and parse the Entities data.
Prerequisites
Complete the following steps before you begin with the REST FlexConnector installation and configuration:
-
Create the
OAuth2.propertiesfile for using the OAuth2 authentication with Intelligence as follows and save it in the desired location (For example,C:\Users\Administrator\Desktop\):client_id= <The client_id value. Click here to identify the client_id value.>
client_secret=<The client_secret value. Click here to identify the client_secret value.>
redirect_uri=http://localhost:8081/oauth2callback
auth_url=https://<FQDN of ArcSight Platform Virtual IP for HA or single master node>/osp/a/default/auth/oauth2/grant
token_url=https://<FQDN of ArcSight Platform Virtual IP for HA or single master node>/osp/a/default/auth/oauth2/grant
scope=
timestamp_format_of_api_vendor=To identify the client_id and client_secret values, do the following:
-
Login to the Management portal as the administrator.
https://<virtual_FQDN>:5443
- Click CLUSTER > Dashboard. You will be redirected to the Kubernetes Dashboard.
- Under Namespace, search and select the
arcsight-installer-xxxxnamespace. - Under Config and Storage, click Config Maps.
- Click the filter icon, and search for
investigator-default-yaml. - Open the
investigator-default-yamlfile and look for the client_id and client_secret values in the OAuth2 Authentication with OSP section.
-
-
Do the following to register the callback URL in OSP. The callback URL is the URL where the OSP directs the user after a successful authentication.
-
Launch a terminal session and log in to the node where NFS is present.
-
Change to the following directory:
cd <NFS_root_DIRECTORY>/arcsight-volume/sso/default/WEB-INF/conf/current/default/services/ -
Execute the following command to open the authcfg.xml:
vi authcfg.xml -
Add
<Url>http://localhost:8081/oauth2callback</Url>within:<RedirectUrlList>
<Url>${EXTERNAL_URI:http://localhost:9191}/mgmt/callback</Url>
<Url>${OSP_CLIENT_REDIRECT_URI_1:http://localhost:9191/mgmt/callback}</Url>
<Url>${OSP_CLIENT_REDIRECT_URI_2:http://localhost:9191/mgmt/callback}</Url>
<!-- For InetSoft Reporting Engine -->
<!-- <Url>${EXTERNAL_URI:http://localhost:8181}/report/openid/login</Url> -->
<Url>${EXTERNAL_URI}/report/openid/login</Url>
<Url>${EXTERNAL_URI}:443/report/openid/login</Url>
<!-- Endpoint to receive authcode -->
<Url>${EXTERNAL_URI:http://localhost:9090}/interset/api/actions/login/oauth2/callback</Url>
<!-- Endpoint required while logout, this will set in target -->
<Url>${EXTERNAL_URI:http://localhost:3002}/interset/</Url>
<!-- For ArcSight SOAR -->
<Url>${EXTERNAL_URI}/soar/oauth-callback</Url>
</RedirectUrlList>
-
Execute the following commands to restart OSP by deleting the fusion-single-sign-on container:
kubectl get pods --all-namespaces|grep fusion-single-sign-on
kubectl delete pod <fusion-single-sign-on-xxxxxxxxxx-xxxxx> -n <arcsight-installer-xxxxx>
-
Install and Configure the REST FlexConnector
To install and configure a REST FlexConnector, see ArcSight FlexConnector REST Developer Guide.
Ensure the following when you install and configure the REST FlexConnector:
-
Select ArcSight FlexConnector REST as the Connector Type.
-
When adding the parameters information, specify the following:
-
For the Configuration File field, specify only alerts if the FlexConnector is for collecting and parsing alerts data, else specify only entities if the FlexConnector is for collecting and parsing entities data.
-
For the Events URL field, specify https: //<FQDN of ArcSight Platform Virtual IP for HA or single master node>/interset/api/search/0/alerts?sort=timestamp&sortOrder=desc&riskSort=maximum if the FlexConnector is for collecting and parsing alerts data, else specify https: //<FQDN of ArcSight Platform Virtual IP for HA or single master node>/interset/api/search/0/topRisky?count=100 if the FlexConnector is for collecting and parsing entities data.
-
For the Authentication Type field, select OAuth2.
-
For the OAuth2 Client Properties File field, browse to the location where you have created and saved the OAuth2.properties file, then select the file.
-
- When configuring the destination, select either ArcSight Manager (encrypted) or Transformation Hub as the destination. For more information, see SmartConnector Installation and User Guide. When adding the parameters information, specify the following if you have selected Transformation Hub as the destination:
For the Content type field, select ESM.
For the Topic (hover for recommendations) field, specify either th-binary_esm or avro topics.
For the For ESM topic, the ESM version field, select 7.2.x or above versions.
To install the FlexConnector as a standalone application (recommended), select install as a standalone application, else to install the FlexConnector as a service, select install as a service.
Importing the OSP Certificate in the REST FlexConnector
To import the OSP certificate in the REST FlexConnector:
-
Launch a terminal session and log in to any of the Kubernetes nodes.
-
Execute the following command:
kubectl exec -it th-kafka-0 -n <namespace> bash
-
Navigate to the following directory where the
issue_ca.crtcertificate file is present. This certificate is the OSP Issuer Certificate (CA).cd /vault-crt/RE
-
Copy the contents of the
issue_ca.crtfile in a new file, name the file asissue_ca.cer, and save it in the desired location (for example, C:\Users\<user_name>\Desktop\). -
Do the following to import the OSP CA certificate to the FlexConnector truststore cacerts:
-
Open a command window and navigate to the following location:
cd $ARCSIGHT_HOME/current/jre/bin/
-
Execute the following command:
./keytool -importcert -file /opt/issue_ca.cer -keystore "/root/ArcSightSmartConnectors_Alerts/current/jre/lib/security/cacerts" -storepass changeit
-
When you run this command, you are prompted to provide your input for the following message: “Trust this certificate [no]:” Specify Yes.
-