Setting a TH Destination using TLS + CA and FIPS

For more information on Transformation Hub destination, see Transformation Hub Destinations.

To set a TH Destination from Logger using TLS + CA and FIPS, go to System Admin > Security > FIPS 140-2 and confirm the FIPS mode is turned on. Otherwise, make sure to select the Enable option, click Save, and then restart the system.

Caution: Before any change in Logger UI, it is required to access both the Transformation Hub Master and Logger machines. Make sure to keep the sessions open (for TH and Logger) while adding the destination.

Step 1: Generate a certificate in the Transformation Hub Master

Tip: To add a self-signed certificate, make sure to follow all steps below. This is a one-time only process.

To replace the self-signed certificates, obtain your company's root CA certificate, intermediate certificate, and key pair. Copy to /tmp as shown below:

/tmp/intermediate.cert.pem

/tmp/intermediate.key.pem

/tmp/ca.cert.pem
Add the certificate to Transformation Hub:

/opt/arcsight/kubernetes/scripts/cdf-updateRE.sh write --re-key=/tmp/intermediate.key.pem --re-crt=/tmp/intermediate.cert.pem --reca=/tmp/ca.cert.pem

Note: After importing the certificate, make sure to uninstall and re-install the Transformation Hub with FIPS and Client Authentication enabled. For further details, see Transformation Hub Deployment Guide.
Set the variables and create the directory:
export CA_CERT=/tmp/ca.cert.pem
export INTERMEDIATE_CA_CRT=/tmp/intermediate.cert.pem
export INTERMEDIATE_CA_KEY=/tmp/intermediate.key.pem
export FIPS_CA_TMP=/opt/fips_ca_tmp
export TH=<Transformation Hub hostname>_<Transformation Hub port>
mkdir $FIPS_CA_TMP

Step 2: Set the Logger Server

Set the variables for the static values (used by key tool), and create the stores directory.

Action	Command
Locate the OBC.	Software: `export CURRENT=<Logger install dir>/current/arcsight/connector/current` Appliance: `export CURRENT=/opt/arcsight/connector/current`
Move to the OBC location.	`cd ${CURRENT}`
Move the files to the current directory.	`mv lib/agent/fips/bcprov-jdk15on-168.jar ${CURRENT}` `mv lib/agent/fips/bcprov-ext-jdk15on-168.jar ${CURRENT}`
(For FIPS configuration)	`export BC_OPTS="-storetype BCFKS -providername BCFIPS -J-Djava.security.egd=file:/dev/urandom -providerpath ${CURRENT}/lib/agent/fips/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"`
Set an alias for the Transformation Hub. Add an unique name to identify your TH.	`export TH=<Transformation Hub hostname>_<Transformation Hub port>`
Set the directory to place the certificates.	`export STORES=${CURRENT}/user/agent/stores`
Set a password for the certificates.	`export STORE_PASSWD=changeit`
Define the hostname or IP of the TH master.	`export TH_HOST=<TH master host name>`
Define the hostname of the Logger server.	`export LOGGER_HOST=<Logger server host name>`
Establish the CA certificate.	`export CA_CERT=ca.cert.pem`
Establish the intermediate certificate.	`export INTERMEDIATE_CA_CRT=intermediate.cert.pem`
Establish the temporal certificate.	`export FIPS_CA_TMP=/opt/fips_ca_tmp`
Create the stores directory.	`mkdir -p ${STORES}`

Create Logger OBC Key Pair and Certificate Signing Request.

Action	Command
Create the key pair. Add a password when required. Tip: To use the same password for the key, press enter. Otherwise, use the `changeit` option.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -genkeypair -alias ${TH} -keystore ${STORES}/${TH}.keystore.bcfips -dname "cn=${LOGGER_HOST},OU=Arcsight,O=MF,L=Sunnyvale,ST=CA,C=US" -validity 365`
Create the provider 1 file.	`echo security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > $CURRENT/user/agent/agent.security`
Create the provider 2 file.	`echo security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS >> $CURRENT/user/agent/agent.security`
Create the provider 3 file.	`echo security.provider.3=sun.security.provider.Sun >> $CURRENT/user/agent/agent.security`
List the keystore entries.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -list -keystore ${STORES}/${TH}.keystore.bcfips -storepass ${STORE_PASSWD}`
Create the CSR.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -certreq -alias ${TH} -keystore ${STORES}/${TH}.keystore.bcfips -file ${STORES}/${TH}-cert-req -storepass ${STORE_PASSWD}`

Copy the ${STORES}/${TH}-cert-req file to the temporary directory created in TH, /opt/fips_ca_tmp:

scp ${STORES}/${TH}-cert-req root@<TH IP>:${FIPS_CA_TMP}

Step 3: Sign in and import the certificates

On the Transformation Hub Master

Create the signed certificate:

/bin/openssl x509 -req -CA ${INTERMEDIATE_CA_CRT} -CAkey ${INTERMEDIATE_CA_KEY} -in ${FIPS_CA_TMP}/${TH}-cert-req -out ${FIPS_CA_TMP}/${TH}-cert-signed -days 365 -CAcreateserial -sha256

Copy the ${TH}-cert-signed certificate to the ${STORES} directory in Logger:

scp ${FIPS_CA_TMP}/${TH}-cert-signed root@<Logger IP>:<Stores directory>
Copy the ca.cert.pem certificate to the ${STORES} directory in Logger:

scp ${CA_CERT} root@<Logger IP>:<Stores directory>
Copy the intermediate.cert.pem certificate to the ${STORES}directory in Logger:

scp ${INTERMEDIATE_CA_CRT} root@<Logger IP>:<Stores directory>

On the Logger Server

Import certificates to the trust store.

Action	Command
Change the value of the BC_OPTS to import certs.	`export BC_OPTS="-storetype BCFKS -providername BCFIPS -J-Djava.security.egd=file:/dev/urandom -J-Djava.ext.dirs=${CURRENT}/lib/agent/fips -J-Djava.security.properties=${CURRENT}/user/agent/agent.security"`
Import the CA certificate to the trust store.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -importcert -file ${STORES}/${CA_CERT} -alias CA_${TH} -keystore ${STORES}/${TH}.truststore.bcfips -storepass ${STORE_PASSWD}`
Import the intermediate certificate to the trust store. Tip: Enter yes to trust the certificate.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -importcert -file ${STORES}/${INTERMEDIATE_CA_CRT} -alias INTCA_${TH} -keystore ${STORES}/${TH}.truststore.bcfips -storepass ${STORE_PASSWD}`

Import certificates to the key store.

Action	Command
Import the CA certificate to the key store.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -importcert -file ${STORES}/${CA_CERT} -alias CA_${TH} -keystore ${STORES}/${TH}.keystore.bcfips -storepass ${STORE_PASSWD}`
Import the intermediate certificate to the key store. Tip: Enter yes to trust the certificate. A message will be displayed confirming the certificate reply installation.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -importcert -file ${STORES}/${INTERMEDIATE_CA_CRT} -alias INTCA_${TH} -keystore ${STORES}/${TH}.keystore.bcfips -storepass ${STORE_PASSWD}`
Import the signed certificate to the key store. Tip: A message will be displayed confirming the certificate reply installation.	`${CURRENT}/jre/bin/keytool ${BC_OPTS} -importcert -file ${STORES}/${TH}-cert-signed -alias ${TH} -keystore ${STORES}/${TH}.keystore.bcfips -storepass ${STORE_PASSWD}`

Note the key store and trust store paths:
- Truststore: echo ${STORES}/${TH}.truststore.bcfips
- Keystore: echo ${STORES}/${TH}.keystore.bcfips

Step 4: Set Logger UI

Follow the steps described in To create a TH Destination. Make sure to fill out the following fields as described below:

Parameter field	Action
Use SSL/TLS	Set to true.
SSL/TLS Trust Store file	Add the `${TH}.truststore.bcfips` file path.
SSL/TLS Trust Store password	Enter the password you set for the trust store.
Use SSL/TLS Authentication	Set to true.
SSL/TLS Keystore file	Add the `${TH}.keystore.bcfips` file path.
SSL/TLS Key Store password	Enter the password you set for the key store.
SSL/TLS Key password	Enter the password you set for the key.

Step 5: Delete temporary folders and sensitive files

On the Logger Server

Remove the files:

rm ${STORES}/${INTERMEDIATE_CA_CRT}

rm ${STORES}/intermediate.key.pem

rm ${STORES}/${TH}-cert-signed

rm ${STORES}/${TH}-cert-req

mv ${CURRENT}/bcprov-jdk15on-168.jar lib/agent/fips/

mv ${CURRENT}/bcprov-ext-jdk15on-168.jar lib/agent/fips/

On the Transformation Hub Master

Delete the temporary folder where the certificate was signed.