Open topic with navigation

Setting a TH Destination using TLS + CA

For more information on Transformation Hub destination, see Transformation Hub Destinations.

To set a TH Destination from Logger using TLS + CA, go to System Admin > Security > FIPS 140-2 and confirm the FIPS mode is turned off. Otherwise, make sure to select the Disable option, click Save, and then restart the system.

Step 1: Generate a certificate in the Transformation Hub Master

1. To replace the self-signed certificates, obtain your company's root CA certificate, intermediate certificate, and key pair. Copy to /tmp as shown below:

   /tmp/intermediate.cert.pem

   /tmp/intermediate.key.pem

   /tmp/ca.cert.pem

2. Add the certificate to Transformation Hub:

   /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh write --re-key=/tmp/intermediate.key.pem --re-crt=/tmp/intermediate.cert.pem --re-ca=/tmp/ca.cert.pem

   Note: After importing the certificate, uninstall and re-install the Transformation Hub with Client Authentication enabled. For further details, see Transformation Hub Deployment Guide.
3. Set the variables and create the directory:

   export CA_CERT=/tmp/ca.cert.pem

   export CERT_CA_TMP=/opt/cert_ca_tmp

   export INTERMEDIATE_CA_CRT=/tmp/intermediate.cert.pem

   export INTERMEDIATE_CA_KEY=/tmp/intermediate.key.pem

   export TH=<Transformation Hub hostname>_<Transformation Hub port>

   mkdir $CERT_CA_TMP

Step 2: Set the Logger Server

1. Set the variables for the static values (used by key tool), and create the stores directory.

   Action	Command
   Locate the OBC.	Software: export CURRENT=<Logger install dir>/current/arcsight/connector/current Appliance: export CURRENT=/opt/arcsight/connector/current
   Set an alias for the Transformation Hub. Add a unique name to identify your TH.	export TH=<Transformation Hub hostname>_<Transformation Hub port>
   Set the directory to place the certificates.	export STORES=${CURRENT}/user/agent/stores
   Set a password for the certificates.	export STORE_PASSWD=changeit
   Define the hostname or IP of the TH master.	export TH_HOST=<TH master host name>
   Define the hostname of the Logger server.	export LOGGER_HOST=<Logger server host name>
   Establish the CA certificate.	export CA_CERT=ca.cert.pem
   Establish the intermediate certificate.	export INTERMEDIATE_CA_CRT=intermediate.cert.pem
   Establish the temporal certificate.	export CERT_CA_TMP=/opt/cert_ca_tmp
   Create the stores directory.	mkdir -p ${STORES}

2. Create Logger OBC Key Pair and Certificate Signing Request.

   Action	Command
   Create the key pair. Add a password when required. Tip: To use the same password for the key, press enter.	${CURRENT}/jre/bin/keytool -genkeypair -alias ${TH} -keystore ${STORES}/${TH}.keystore.jks -dname "cn=${LOGGER_HOST},OU=Arcsight,O=MF,L=Sunnyvale,ST=CA,C=US" -validity 365
   List the key store entries.	${CURRENT}/jre/bin/keytool -list -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}
   Create the CSR.	${CURRENT}/jre/bin/keytool -certreq -alias ${TH} -keystore ${STORES}/${TH}.keystore.jks -file ${STORES}/${TH}-cert-req -storepass ${STORE_PASSWD}

3. Copy the ${STORES}/${TH}-cert-req file to the temporary directory created in TH:

   scp ${STORES}/${TH}-cert-req root@<TH IP>:${CERT_CA_TMP}

Step 3: Sign in and import the certificates

On the Transformation Hub Master

1. Create the signed certificate:

/bin/openssl x509 -req -CA ${INTERMEDIATE_CA_CRT} -CAkey ${INTERMEDIATE_CA_KEY} -in ${CERT_CA_TMP}/${TH}-cert-req -out ${CERT_CA_TMP}/${TH}-cert-signed -days 365 -CAcreateserial -sha256

2. Copy the ${TH}-cert-signed certificate to the ${STORES} directory in Logger:

   scp ${CERT_CA_TMP}/${TH}-cert-signed root@<LOGGER IP>:<STORES DIRECTORY>

3. Copy the ca.cert.pem certificate to the ${STORES} directory in Logger:

   scp ${CA_CERT} root@<LOGGER IP>:<STORES DIRECTORY>

4. Copy the intermediate.cert.pem certificate to the ${STORES} directory in Logger:

   scp ${INTERMEDIATE_CA_CRT} root@<LOGGER IP>:<STORES DIRECTORY>

On the Logger Server

1. Import certificates to the trust store.

   Action	Command
   Import the CA certificate to the trust store.	${CURRENT}/jre/bin/keytool -importcert -file ${STORES}/${CA_CERT} -alias CA_${TH} -keystore ${STORES}/${TH}.truststore.jks -storepass ${STORE_PASSWD}
   Import the intermediate certificate to the trust store. Tip: Enter yes to trust the certificate.	${CURRENT}/jre/bin/keytool -importcert -file ${STORES}/${INTERMEDIATE_CA_CRT} -alias INTCA_${TH} -keystore ${STORES}/${TH}.truststore.jks -storepass ${STORE_PASSWD}

2. Import certificates to the key store

   Action	Command
   Import the CA certificate to the key store.	${CURRENT}/jre/bin/keytool -importcert -file ${STORES}/${CA_CERT} -alias CA_${TH} -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}
   Import the intermediate certificate to the key store. Tip: Enter yes to trust the certificate. A message will be displayed confirming the certificate reply installation.	${CURRENT}/jre/bin/keytool -importcert -file ${STORES}/${INTERMEDIATE_CA_CRT} -alias INTCA_${TH} -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}
   Import the signed certificate to the key store.	${CURRENT}/jre/bin/keytool -importcert -file ${STORES}/${TH}-cert-signed -alias ${TH} -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}

3. Note the key store and trust store paths:

   • Truststore: echo ${STORES}/${TH}.truststore.jks
   • Keystore: echo ${STORES}/${TH}.keystore.jks

Step 4: Set Logger UI

Follow the steps described in To create a TH Destination. Make sure to fill out the following fields as described below:

Step 5: Delete temporary folders and sensitive files

On the Logger Server

• Remove the files:

rm ${STORES}/${INTERMEDIATE_CA_CRT}

rm ${STORES}/intermediate.key.pem

rm ${STORES}/${TH}-cert-signed

rm ${STORES}/${TH}-cert-req

On the Transformation Hub Master

• Delete the temporary folder where the certificate was signed.