Configuring Logger with a Transformation Hub Destination – Client Authentication in FIPS Mode

Follow these steps to configure a Logger TH destination with client authentication in FIPS mode.

Enabling FIPS and Preparing the Logger OBC

Follow these steps to enable FIPS mode on Logger and to prepare the Logger OBC:

  1. Sign in to the Logger Console and enable FIPS mode.

    For more information, see "Enabling and Disabling FIPS Mode on Logger" in the ArcSight Logger Administrator’s Guide.

  2. Navigate to the Logger OBC's current directory:

    cd <install dir>/connector/current
  3. Set the environment variables for the static values used by keytool. STORE_PASSWD is shown with the placeholder value changeit; replace it with a strong password of your own, because it protects the OBC private key:

    export CURRENT=<full path to this "current" folder>
    export BC_OPTS="-storetype BCFKS -providername BCFIPS -J-Djava.security.egd=file:/dev/urandom -providerpath ${CURRENT}/lib/agent/fips/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
    export TH=<Transformation Hub hostname>_<Transformation Hub port>
    export STORES=${CURRENT}/user/agent/stores
    export STORE_PASSWD=changeit
    export CA_CERT=re_ca.cert.pem
    export COMMON_NAME=<LoggerFQDN>
  4. Create the ${CURRENT}/user/agent/stores directory if it does not already exist.

    mkdir -p ${STORES}
  5. Apply the following workaround for a Java keytool issue:

    1. Create a new file named agent.security in the following directory:

      ${CURRENT}/user/agent
    2. Add the following content to the newly created file, and then save it:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
      security.provider.3=sun.security.provider.Sun
    3. Move the ${CURRENT}/lib/agent/fips/bcprov-jdk15on-168.jar file out of the fips folder into the current directory (${CURRENT}).

Creating a Keystore on the Logger Onboard Connector

Follow these steps to create the OBC keystore:

  1. Create the keystore for the OBC. The certificate subject CN must be the Logger FQDN, that is, the value of COMMON_NAME:

    cd ${STORES}
    $CURRENT/jre/bin/keytool -keystore ${TH}.keystore.bcfips -genkeypair -dname "cn=${COMMON_NAME}, ou=ArcSight, o=Micro Focus, c=US" -keyalg rsa -keysize 2048 -alias ${TH} -startdate -1d -validity 365 -storepass ${STORE_PASSWD} -keypass ${STORE_PASSWD} ${BC_OPTS}
  2. Create the certificate signing request (CSR) for the Logger OBC:

    $CURRENT/jre/bin/keytool -certreq -alias ${TH} -keystore ${TH}.keystore.bcfips -file ${COMMON_NAME}.csr -storepass ${STORE_PASSWD} ${BC_OPTS}
  3. Copy the CSR file ${COMMON_NAME}.csr from ${STORES} to the /tmp folder on the Transformation Hub host, for example with scp (replace <user> with an account on the Transformation Hub host):

    scp ${COMMON_NAME}.csr <user>@<Transformation Hub hostname>:/tmp/

Signing the Logger OBC Certificate Signing Request on Transformation Hub

  1. Set the environment on the Transformation Hub host:

    export CA_CERT=re_ca.cert.pem
    export COMMON_NAME=<LoggerFQDN>
    export TH=<Transformation Hub hostname>_<Transformation Hub port>
    Note: Use the same values that you specified for the Logger OBC.
  2. Run these commands on the Transformation Hub host to sign the Logger certificate signing request. Kubernetes returns secret values base64-encoded, and the Vault root token is additionally encrypted with the passphrase, so both are decoded before use. VAULT_TOKEN holds the Vault root token; unset these variables when you are done:

    mkdir /tmp/logger
    mv /tmp/${COMMON_NAME}.csr /tmp/logger/
    cd /tmp/logger
    export CDF_APISERVER=$(kubectl get pods -n core -o custom-columns=":metadata.name"| grep cdf-apiserver)
    export PASSPHRASE=$(kubectl get secret vault-passphrase -n core -o json 2>/dev/null | jq -r '.data.passphrase' | base64 -d)
    export ENCRYPTED_ROOT_TOKEN=$(kubectl get secret vault-credential -n core -o json 2>/dev/null | jq -r '.data."root.token"' | base64 -d)
    export VAULT_TOKEN=$(echo ${ENCRYPTED_ROOT_TOKEN} | openssl aes-256-cbc -md sha256 -a -d -pass pass:"${PASSPHRASE}")
    export CSR=$(cat ${COMMON_NAME}.csr)
    WRITE_RESPONSE=$(kubectl exec -it -n core ${CDF_APISERVER} -c cdf-apiserver -- bash -c "VAULT_TOKEN=$VAULT_TOKEN vault write -tls-skip-verify -format=json RE/sign/coretech csr=\"${CSR}\"") && \
    echo "${WRITE_RESPONSE}" | jq -r ".data | .certificate" > ${COMMON_NAME}.signed.crt && \
    echo "${WRITE_RESPONSE}" | jq -r ".data | .issuing_ca" > ${COMMON_NAME}.issue_ca.crt && \
    echo "${WRITE_RESPONSE}" | jq -r ".data | .certificate, if .ca_chain then .ca_chain[] else .issuing_ca end" > ${COMMON_NAME}.signed.cert.with.ca.crt

    The signed certificate is in file ${COMMON_NAME}.signed.crt.

    The issuing CA is in file ${COMMON_NAME}.issue_ca.crt.

    The signed certificate with CA chain is in file ${COMMON_NAME}.signed.cert.with.ca.crt.

  3. Retrieve the RE certificate.

    /<TH Home Path>/scripts/cdf-updateRE.sh > /tmp/logger/${CA_CERT}

    Example: /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh >/tmp/logger/${CA_CERT}

    Note: For a cloud installation (Azure or AWS), log in to the bastion or jump host and run the script cdf-updateRE.sh:

    arcsight-platform-cloud-installer/cdf-deployer/scripts/cdf-updateRE.sh

  4. Move the following files from the Transformation Hub to the ${STORES} directory on the Logger OBC:

    • /tmp/logger/${COMMON_NAME}.signed.crt

    • /tmp/logger/${COMMON_NAME}.issue_ca.crt

    • /tmp/logger/${COMMON_NAME}.signed.cert.with.ca.crt

    • /tmp/logger/${CA_CERT}

Updating the Keystore and Creating a Truststore on the Logger OBC

Follow these steps to update the keystore and to create a truststore on the Logger OBC:

  1. Update the Logger OBC keystore with a signed certificate.

    cd ${STORES}/
    $CURRENT/jre/bin/keytool -importcert -alias ${TH} -keystore ${TH}.keystore.bcfips -trustcacerts -file ${COMMON_NAME}.signed.cert.with.ca.crt -storepass ${STORE_PASSWD} ${BC_OPTS}

    Verification: List the keystore and confirm that it contains exactly one entry, the ${TH} alias, which now holds the signed certificate:

    $CURRENT/jre/bin/keytool -v -list -keystore ${TH}.keystore.bcfips -storepass ${STORE_PASSWD} ${BC_OPTS} |grep -i alias
    
  2. Create the Logger OBC truststore.

    cd ${STORES}/
    $CURRENT/jre/bin/keytool -importcert -alias reca -trustcacerts -file ${CA_CERT} -keystore ${TH}.truststore.bcfips -storepass ${STORE_PASSWD} ${BC_OPTS}

    Check that the fingerprint shown matches the RE CA certificate you retrieved, and then specify yes when prompted to trust the certificate.

Creating a Logger TH Destination in the Console

Follow these steps to create a Logger TH destination in the Console:

  1. Run the following commands, and note the keystore and truststore paths:

    echo ${STORES}/${TH}.keystore.bcfips
    echo ${STORES}/${TH}.truststore.bcfips
  2. Sign in to the Logger Console to create a TH destination.

    For more information, see "Transformation Hub Destinations" in the ArcSight Logger Administrator’s Guide.

  3. Create the TH destination with the following values (STORE_PASSWD is the keystore password you exported on the Logger OBC):

    • Kafka Broker on SSL/TLS = TRUE

    • SSL/TLS Truststore File Path = <truststorePath>

    • SSL/TLS Truststore Password = the value of STORE_PASSWD

    • Use SSL/TLS Client Authentication = TRUE

    • SSL/TLS Keystore File Path = <keystoreFilePath>

    • SSL/TLS Keystore Password = the value of STORE_PASSWD

    • SSL/TLS Key Password = the value of STORE_PASSWD

  4. Fill in other fields with applicable values, and save the changes.