Configure SSL
Note: When configuring Logstash, you may need to specify sensitive settings such as passwords. Instead of relying on file system permissions, you can store secret values in the Logstash keystore and reference them from configuration settings. For more information, see the Logstash keystore documentation.
To support trusted connections, the Decoder or Log Decoder has two ports: an unencrypted non-SSL port and an encrypted SSL port. Trusted connections require the encrypted SSL port.
To establish a trusted connection between the Decoder or Log Decoder and Logstash, add the following parameters to the Logstash configuration file (netwitness-<decoder-ip>-input.conf) to enable SSL mode.
Parameter | Setting | Parameter Type | Default Value
---|---|---|---
ssl_enable | Set the value to true to enable SSL | Boolean | false
ssl_certificate_path | Enter the path of the Logstash keystore file. The keystore file must be in .p12 format | String | N/A
ssl_certificate_password | Enter the password of the keystore | String | N/A
Certificate and Keystore
The NetWitness Export Connector must have a valid CA (Certificate Authority) certificate and a server certificate to establish a trusted connection with Decoders or Log Decoders.
Create a CA certificate
To create a CA certificate, do the following steps.
1. SSH to the NW Logstash host.
2. Change the directory to /root by running the following command.
   cd /root
3. Create a 2048-bit private key by running the following command.
   openssl genrsa -out CA-key.pem 2048
4. Create a CA certificate by running the following command.
   openssl req -new -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
Create Certificate Signing Request (CSR) and Keystore
Follow the steps in this procedure to create a CSR for the server and a keystore for the NetWitness Export Connector. You must submit the CSR to the Certificate Authority (CA) server to obtain a server certificate. Once the server certificate is created, continue with the steps that package the private key and the signed certificate into the keystore that must be uploaded to Logstash.
To create a CSR, do the following steps.
Note: You can skip to step 6 if you already have the PEM files available.
1. SSH to the NW Logstash host.
2. Change the directory to /root by running the following command.
   cd /root
3. Create a 2048-bit private key by running the following command.
   openssl genrsa -out server-key.pem 2048
4. Create a CSR by running the following command.
   openssl req -new -key server-key.pem -out signingReq.csr
5. Submit the CSR to the CA and get a signed server certificate by running the following command.
   openssl x509 -req -days 1000 -in signingReq.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
6. Create a keystore for the NetWitness Export Connector by running the following command.
   openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile CA-cert.pem -out logstash-input-netwitness.p12
7. Copy /etc/pki/nw/trust/truststore.pem from the Decoder or Log Decoder to the Logstash host by running the following command.
   scp /etc/pki/nw/trust/truststore.pem <logstash ssh username>@<logstash destination directory path>
8. Import truststore.pem from the Decoder or Log Decoder into the Logstash keystore (logstash-input-netwitness.p12) by running the following command.
   keytool -importcert -keystore logstash-input-netwitness.p12 -trustcacerts -alias nw-inter -file truststore.pem -storetype PKCS12
   Note: truststore.pem is the same for all Decoders if Logstash is aggregating from the same NetWitness setup. If Logstash is aggregating from two different NetWitness setups, you must copy the truststore.pem of each Decoder.
9. Copy the logstash-input-netwitness.p12 file to the /etc/logstash directory by running the following command.
   cp logstash-input-netwitness.p12 /etc/logstash
10. Change the owner of logstash-input-netwitness.p12 to the logstash user by running the following command.
   chown logstash:logstash /etc/logstash/logstash-input-netwitness.p12
   Note: You must use the same keystore "logstash-input-netwitness.p12" for all NetWitness hosts that are integrated with Logstash.
11. Connect to the Decoders and add server-cert.pem through the trustpeer and caupload APIs by running the following commands. You can also connect through the REST API port.
   curl -X POST -d server-cert.pem http://<logdecoder or decoder IP>:<logdecoder or decoder REST port>/sys/trustpeer
   curl -X POST -d server-cert.pem http://<logdecoder or decoder IP>:<logdecoder or decoder REST port>/sys/caupload
   Note: If you are not able to use the REST API, follow the steps below to copy the certificates to the /sys peerCert and /sys caCert APIs using the NetWitness CLI.
   1. SSH to the Admin Server.
   2. Type "help" for a list of commands or "man" for a list of manual pages.
   3. Run the following command.
      login localhost:50002 <username> <password>
   4. Run the following commands.
      send /sys peerCert op=add --file-data=/root/server-cert.pem
      send /sys caCert op=add --file-data=/root/server-cert.pem
12. Restart the Logstash service by running the following command.
   systemctl restart logstash
Note: If you are using an untrusted certificate, copy the truststore.pem file from the Decoder or Log Decoder and import it into <JAVA_HOME>/lib/security/cacerts so that the Logstash service trusts the CA certificate of the Decoder or Log Decoder. For example:
keytool -importcert -file </path/to/file/>truststore.pem -keystore /usr/java/jdk-X.Y.Z/lib/security/cacerts -alias nw-core-cert -storepass <password>
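As an added example that is not part of the NetWitness documentation, the script below runs the CA creation and steps 1 to 6 of the CSR procedure non-interactively, then performs the checks worth running before the keystore is copied to /etc/logstash: the server certificate chains to the CA, the private key matches the certificate, and the keystore opens with its password. It assumes openssl is on the PATH; the working directory, certificate subjects and password are placeholders chosen for this demonstration.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation): builds the CA,
# server key, CSR, signed certificate and PKCS12 keystore from the steps
# above non-interactively, then checks the result before deployment.
# Assumptions: openssl on PATH; directory, subjects and password are placeholders.
set -eu

build_keystore() {
  (
    dir=${1:-/tmp/nw-ssl-demo}; pass=${2:-placeholder-pass}
    mkdir -p "$dir" && cd "$dir"
    # CA key and self-signed CA certificate (1000 days, as in the procedure)
    openssl genrsa -out CA-key.pem 2048 2>/dev/null
    openssl req -new -key CA-key.pem -x509 -days 1000 -out CA-cert.pem \
      -subj "/CN=Demo Logstash CA" 2>/dev/null
    # Server key and CSR (subject is a placeholder)
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -new -key server-key.pem -out signingReq.csr \
      -subj "/CN=logstash.example.internal" 2>/dev/null
    # Sign the CSR with the CA
    openssl x509 -req -days 1000 -in signingReq.csr -CA CA-cert.pem \
      -CAkey CA-key.pem -CAcreateserial -out server-cert.pem 2>/dev/null
    # Package key + certificate + CA chain as the Logstash keystore
    openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem \
      -certfile CA-cert.pem -out logstash-input-netwitness.p12 -passout "pass:$pass"
  )
}

# Checks before copying the keystore to /etc/logstash: the server certificate
# chains to the CA, the private key matches it, and the keystore opens with
# the given password. Returns 0 only if all three hold.
verify_keystore() {
  (
    dir=${1:-/tmp/nw-ssl-demo}; pass=${2:-placeholder-pass}
    cd "$dir"
    openssl verify -CAfile CA-cert.pem server-cert.pem >/dev/null 2>&1 || exit 1
    key_mod=$(openssl rsa -noout -modulus -in server-key.pem 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in server-cert.pem 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || exit 1
    openssl pkcs12 -in logstash-input-netwitness.p12 -noout \
      -passin "pass:$pass" >/dev/null 2>&1 || exit 1
  )
}
```

Store the real keystore password in the Logstash keystore rather than in the configuration file, as the note at the top of this page recommends, and keep the .p12 owned by the logstash user.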