Configuring a SmartConnector with Transformation Hub Destination with Client Authentication in Non-FIPS Mode

Follow these steps to configure a SmartConnector with a Transformation Hub (TH) destination with client authentication, in non-FIPS mode.

You will need to supply an intermediate certificate and key.

Preparing the SmartConnector Server

  1. Prepare the SmartConnector:

    • If the connector is not yet installed:
      1. Run the installer.
      2. After the core software is installed, do the following in the window that opens: select Set Global Parameters > Set FIPS Mode, and set the FIPS Mode to Disabled.
    • If the connector is already installed:

      1. Run the installer.

      2. Select Set Global Parameters > Set FIPS Mode, and set the FIPS Mode to Disabled.

  2. Navigate to the Connector's current directory:

    Linux command:

    cd <install dir>/current

    Windows command:

    cd <install dir>\current
  3. Set the environment variables for the static values used by keytool:

    Linux commands:

    export CURRENT=<full path to this "current" folder>

    Example: export CURRENT=/opt/CONNECTORS/TA003/current

    export TH=<Transformation Hub hostname>_<Transformation Hub port>

    Example: export TH=15.214.***.**

    export CA_CERT=re_ca.cert.pem

    Example: export CA_CERT=re_ca.cert.pem

    export STORE_PASSWD=changeit
    export STORES=${CURRENT}/user/agent/stores
    export COMMON_NAME=<your.connector.fqdn>
    

    Windows commands:

    set CURRENT=<full path to this "current" folder>
    set TH=<Transformation Hub hostname>_<Transformation Hub port>
    set STORES=%CURRENT%\user\agent\stores
    set STORE_PASSWD=changeit
    set CA_CERT=re_ca.cert.pem
    set COMMON_NAME=<your.connector.fqdn>
  4. Create the ${CURRENT}/user/agent/stores directory if it does not already exist.

    Linux command:

    mkdir -p ${STORES}

    Windows command:

    mkdir "%STORES%"
    If the command above returns a space error, replace the environment variable with its actual value, enclosed in quotes, and execute again. (The Windows mkdir command creates missing parent directories by itself and does not accept the Linux -p option.)

Creating the Keystore for SmartConnector on the SmartConnector Server

Follow the applicable steps according to your platform type, Windows or Linux.

  1. Create the keystore for SmartConnector:

    Linux commands:

    cd ${STORES}
    $CURRENT/jre/bin/keytool -keystore ${TH}.keystore.jks -genkeypair -dname "cn=your.connector.fqdn, ou=ArcSight, o=Micro Focus, c=US" -keyalg rsa -keysize 2048 -alias ${TH} -startdate -1d -validity 366 -storepass ${STORE_PASSWD} -keypass ${STORE_PASSWD}

    Windows commands:

    cd %STORES%
    "%CURRENT%\jre\bin\keytool" -keystore "%TH%.keystore.jks" -genkeypair -dname "cn=your.connector.fqdn, ou=ArcSight, o=Micro Focus, c=US" -keyalg rsa -keysize 2048 -alias "%TH%" -startdate -1d -validity 366 -storepass "%STORE_PASSWD%" -keypass "%STORE_PASSWD%"
    If the command above returns a space error, replace the environment variables with their actual values, enclosed in quotes, and execute again.
  2. Create the certificate signing request (CSR) for SmartConnector:

    Linux command:

    $CURRENT/jre/bin/keytool -certreq -alias ${TH} -keystore ${TH}.keystore.jks -file ${COMMON_NAME}.csr -storepass ${STORE_PASSWD}

    Windows command:

    %CURRENT%\jre\bin\keytool -certreq -alias %TH% -keystore %TH%.keystore.jks -file %COMMON_NAME%.csr -storepass %STORE_PASSWD%
  3. Copy the CSR file ${COMMON_NAME}.csr to the Transformation Hub /tmp folder:

    cp ${COMMON_NAME}.csr /tmp/

Signing the SmartConnector Certificate Signing Request on Transformation Hub

  1. Set the environment:

    export CA_CERT=re_ca.cert.pem
    export COMMON_NAME=<your.connector.fqdn>
    export TH=<Transformation Hub hostname>_<Transformation Hub port>
    Note: Use the same values that you specified on the SmartConnector server.
  2. Sign the SmartConnector certificate signing request:

    mkdir /tmp/smartconnector
    mv ${COMMON_NAME}.csr /tmp/smartconnector/
    cd /tmp/smartconnector
    export VAULT_POD=$(kubectl get pods -n core -o custom-columns=":metadata.name"| grep itom-vault)
    export PASSPHRASE=$(kubectl get secret vault-passphrase -n core -o json 2>/dev/null | jq -r '.data.passphrase')
    export ENCRYPTED_ROOT_TOKEN=$(kubectl get secret vault-credential -n core -o json 2>/dev/null | jq -r '.data."root.token"')
    export VAULT_TOKEN=$(echo ${ENCRYPTED_ROOT_TOKEN} | openssl aes-256-cbc -md sha256 -a -d -pass pass:"${PASSPHRASE}")
    export CSR=$(cat ${COMMON_NAME}.csr)
    WRITE_RESPONSE=$(kubectl exec -it -n core ${VAULT_POD} -c vault -- bash -c "VAULT_TOKEN=$VAULT_TOKEN vault write -tls-skip-verify -format=json RE/sign/coretech csr=\"${CSR}\"") && \
    echo "${WRITE_RESPONSE}" | jq -r ".data | .certificate" > ${COMMON_NAME}.signed.crt && \
    echo "${WRITE_RESPONSE}" | jq -r ".data | .issuing_ca" > ${COMMON_NAME}.issue_ca.crt && \
    echo "${WRITE_RESPONSE}" | jq -r ".data | .certificate, if .ca_chain then .ca_chain[] else .issuing_ca end" > ${COMMON_NAME}.signed.cert.with.ca.crt

    The signed certificate is in file ${COMMON_NAME}.signed.crt.

    The issuing CA is in file ${COMMON_NAME}.issue_ca.crt.

    The signed certificate with CA chain is in file ${COMMON_NAME}.signed.cert.with.ca.crt.
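    The three files above are produced by the jq filters in the previous command, and the third one depends on whether Vault returned a ca_chain array. The following Python, added here as an example and not part of the ArcSight documentation or the Vault tooling, reproduces that split on a constructed sign response so you can see exactly what lands in each file, including the fallback to issuing_ca when no ca_chain is present. The PEM bodies (LEAF, ISSUING, ROOT) and the ${COMMON_NAME} value are placeholders, not real certificates.

```python
"""Split a Vault PKI sign response into the three PEM files the procedure
expects. Added example; the sample responses below are constructed."""
import json
from pathlib import Path

# Constructed placeholder PEM bodies; a real response carries full certificates.
SAMPLE_WITH_CHAIN = json.dumps({
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nISSUING\n-----END CERTIFICATE-----",
        "ca_chain": [
            "-----BEGIN CERTIFICATE-----\nISSUING\n-----END CERTIFICATE-----",
            "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----",
        ],
    }
})
# Same response without ca_chain: the jq filter falls back to issuing_ca.
SAMPLE_NO_CHAIN = json.dumps({
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nISSUING\n-----END CERTIFICATE-----",
    }
})


def split_sign_response(response_json: str) -> dict:
    """Return the contents of the signed, issue_ca and with_ca files.

    'with_ca' is the leaf certificate followed by every CA in ca_chain; when
    Vault returns no ca_chain it is the leaf followed by issuing_ca, which is
    what `.certificate, if .ca_chain then .ca_chain[] else .issuing_ca end`
    prints under `jq -r` (one PEM block per line group, newline-terminated).
    """
    data = json.loads(response_json)["data"]
    leaf = data["certificate"]
    issuing = data["issuing_ca"]
    chain = data.get("ca_chain") or [issuing]
    return {
        "signed": leaf + "\n",
        "issue_ca": issuing + "\n",
        "with_ca": "\n".join([leaf, *chain]) + "\n",
    }


def write_cert_files(response_json: str, common_name: str, out_dir: str = ".") -> dict:
    """Write the three files using the procedure's naming scheme; return their paths."""
    contents = split_sign_response(response_json)
    names = {
        "signed": f"{common_name}.signed.crt",
        "issue_ca": f"{common_name}.issue_ca.crt",
        "with_ca": f"{common_name}.signed.cert.with.ca.crt",
    }
    written = {}
    for key, name in names.items():
        path = Path(out_dir) / name
        path.write_text(contents[key])
        written[key] = str(path)
    return written


def count_pem_blocks(pem_text: str) -> int:
    """Number of certificates in a PEM bundle (one BEGIN marker per certificate)."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # "your.connector.fqdn" stands in for ${COMMON_NAME}.
        for key, path in write_cert_files(SAMPLE_WITH_CHAIN, "your.connector.fqdn", tmp).items():
            print(key, path, count_pem_blocks(Path(path).read_text()), "certificate(s)")
```

    Counting PEM blocks in the with.ca file before importing it into the keystore is a quick sanity check: with a root and an intermediate in the chain you should see three blocks, and with no ca_chain you should see two (leaf plus issuing CA).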

  3. Retrieve the RE certificate.

    /<TH Home Path>/scripts/cdf-updateRE.sh > /tmp/smartconnector/${CA_CERT}

    Example: /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/smartconnector/${CA_CERT}

    Move the following files from the Transformation Hub to the connector STORES directory:

    • /tmp/smartconnector/${COMMON_NAME}.signed.crt

    • /tmp/smartconnector/${COMMON_NAME}.issue_ca.crt

    • /tmp/smartconnector/${COMMON_NAME}.signed.cert.with.ca.crt

    • /tmp/smartconnector/${CA_CERT}

Updating the Keystore and Creating a Truststore on the SmartConnector Server

  1. Update the SmartConnector keystore with a signed certificate.

    Linux commands:

    cd ${STORES}/
    $CURRENT/jre/bin/keytool -importcert -alias ${TH} -keystore ${TH}.keystore.jks -trustcacerts -file ${COMMON_NAME}.signed.cert.with.ca.crt -storepass ${STORE_PASSWD}

    When prompted, specify yes to trust the certificate.

    Verification: Run the following command to list the keystore aliases, and ensure that the keystore contains only one entry.

    $CURRENT/jre/bin/keytool -v -list -keystore ${TH}.keystore.jks -storepass ${STORE_PASSWD} |grep -i alias

    Windows commands:

    cd %STORES%\
    %CURRENT%\jre\bin\keytool -importcert -alias %TH% -keystore %TH%.keystore.jks -trustcacerts -file %COMMON_NAME%.signed.cert.with.ca.crt -storepass %STORE_PASSWD%

    Verification: Run the following command to list the keystore aliases, and ensure that the keystore contains only one entry.

    %CURRENT%\jre\bin\keytool -v -list -keystore %TH%.keystore.jks -storepass %STORE_PASSWD% | findstr /i alias
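    The one-entry check above catches the most common mistake in this step: importing the signed certificate under an alias that differs from the key pair's alias, which makes keytool add a separate trusted-certificate entry instead of replacing the self-signed chain on the private key. The Python below, added as an example and not part of the ArcSight documentation, parses the full `keytool -v -list` output rather than only the alias lines and checks that the keystore holds exactly one PrivateKeyEntry under the expected alias whose chain is no longer self-signed. Both listings are constructed samples; the alias th.example.com_9093 and the CA names are placeholders for ${TH} and your RE certificate authority.

```python
"""Check a SmartConnector keystore listing after importing the signed chain.
Added example; the keytool listings below are constructed, not captured."""

EXPECTED_ALIAS = "th.example.com_9093"  # placeholder for the ${TH} value

# Constructed listing of a correctly updated keystore: one private key entry
# whose chain now holds the signed leaf, the intermediate and the root.
GOOD_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: th.example.com_9093
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=your.connector.fqdn, OU=ArcSight, O=Micro Focus, C=US
Issuer: CN=RE Intermediate CA, O=Micro Focus
Certificate[2]:
Owner: CN=RE Intermediate CA, O=Micro Focus
Issuer: CN=RE Root CA, O=Micro Focus
Certificate[3]:
Owner: CN=RE Root CA, O=Micro Focus
Issuer: CN=RE Root CA, O=Micro Focus
"""

# Constructed failure case: the signed certificate was imported under a
# different alias, so the key still carries its self-signed certificate and a
# second, useless trustedCertEntry was added.
BAD_LISTING = """\
Your keystore contains 2 entries

Alias name: th.example.com_9093
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=your.connector.fqdn, OU=ArcSight, O=Micro Focus, C=US
Issuer: CN=your.connector.fqdn, OU=ArcSight, O=Micro Focus, C=US

Alias name: signed
Entry type: trustedCertEntry
Owner: CN=your.connector.fqdn, OU=ArcSight, O=Micro Focus, C=US
Issuer: CN=RE Intermediate CA, O=Micro Focus
"""


def parse_keytool_listing(text: str) -> list:
    """Return one dict per entry: alias, type, chain_length, subject, issuer.

    subject/issuer are taken from the first certificate of the entry, which is
    the entity certificate for a PrivateKeyEntry.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(), "type": None,
                       "chain_length": 1, "subject": None, "issuer": None}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:") and current["subject"] is None:
            current["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and current["issuer"] is None:
            current["issuer"] = line.split(":", 1)[1].strip()
    return entries


def check_connector_keystore(text: str, expected_alias: str) -> tuple:
    """Return (ok, reason) for the keystore state the procedure expects."""
    entries = parse_keytool_listing(text)
    if len(entries) != 1:
        aliases = [e["alias"] for e in entries]
        return False, f"expected 1 entry, found {len(entries)}: {aliases}"
    entry = entries[0]
    if entry["alias"] != expected_alias:
        return False, f"alias {entry['alias']!r} does not match {expected_alias!r}"
    if entry["type"] != "PrivateKeyEntry":
        return False, f"entry is {entry['type']}, not PrivateKeyEntry"
    if entry["chain_length"] < 2 or entry["subject"] == entry["issuer"]:
        return False, "key still holds its self-signed certificate; signed chain not imported"
    return True, f"ok: {entry['alias']} with chain length {entry['chain_length']}"


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, check_connector_keystore(listing, EXPECTED_ALIAS))
```

    To run it against a real connector, pipe the output of the keytool -v -list command above (without the grep or findstr filter) into parse_keytool_listing and pass your ${TH} value as expected_alias. If the check reports the two-entry case, delete the stray alias with keytool -delete and repeat the import with -alias ${TH}.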
  2. Create the SmartConnector truststore.

    Linux commands:

    cd ${STORES}/
    $CURRENT/jre/bin/keytool -importcert -alias CARoot -trustcacerts -file ${CA_CERT} -keystore ${TH}.truststore.jks -storepass ${STORE_PASSWD}

    When prompted, specify yes to trust the certificate.

    Windows command:

    %CURRENT%\jre\bin\keytool -importcert -alias CARoot -trustcacerts -file %CA_CERT% -keystore %TH%.truststore.jks -storepass %STORE_PASSWD%

    When prompted, specify yes to trust the certificate.

Run the SmartConnector Setup

  1. Run the following commands and note the key store and trust store paths:

    Linux commands:

    echo ${STORES}/${TH}.keystore.jks
    echo ${STORES}/${TH}.truststore.jks

    Windows commands:

    echo %STORES%\%TH%.keystore.jks
    echo %STORES%\%TH%.truststore.jks
  2. Navigate to the bin directory, and run the agent setup script to install a connector with Transformation Hub as the destination.

    Linux commands:

    cd <installation dir>/current/bin
    ./runagentsetup.sh

    Windows commands:

    cd <installation dir>\current\bin
    runagentsetup.bat
  3. Set Use SSL/TLS to true.

  4. Set Use SSL/TLS Authentication to true.

  5. When completing the Transformation Hub destination fields, use the value noted from Step 1 for the key store and trust store paths and the password used above for the store password.