Configure SSL

Note: When configuring Logstash, you may need to specify sensitive settings such as passwords. Rather than relying on file system permissions to protect these values, you can store them securely in the Logstash keystore and reference them in configuration settings. For more information, see the Logstash keystore documentation.

To support trusted connections, the Decoder or Log Decoder has two ports, an unencrypted non-SSL port and an encrypted SSL port. Trusted connections require the encrypted SSL port.

To establish a trusted connection between the Decoder or Log Decoder and Logstash, add the following parameters to the Logstash configuration file (netwitness-<decoder-ip>-input.conf) to enable SSL mode.

| Parameters | Settings | Parameter Type | Default Value |
|---|---|---|---|
| ssl_enable | Set the value to ‘true’ to enable SSL | Boolean | false |
| ssl_certificate_path | Enter the path of the Logstash keystore file. The keystore file must be in .p12 format | String | N/A |
| ssl_certificate_password | Enter the password of the keystore | String | N/A |

Certificate and Keystore

The NetWitness Export Connector must have a valid CA (Certificate Authority) certificate and a server certificate to establish a trusted connection with Decoders or Log Decoders.

Create a CA certificate

To create a CA certificate, do the following steps.

  1. SSH to the NW Logstash host.
  2. Change the directory to /root by running the following command.
    cd /root

  3. Create a private key of 2048 bits by running the following command.
    openssl genrsa -out CA-key.pem 2048

  4. Create a CA certificate by running the following command.
    openssl req -new -key CA-key.pem -x509 -days 1000 -out CA-cert.pem

Create Certificate Signing Request (CSR) and Keystore

Follow the steps in this procedure to create a CSR for the server and a keystore for the NetWitness Export Connector. You must submit the CSR to the Certificate Authority (CA) server to obtain a server certificate. Once the server certificate is created, continue with the steps to package the private key and the signed certificate, which must be uploaded to the Logstash keystore.

To create a CSR, do the following steps.

Note: You can skip to step 6 if you already have the PEM files available.

  1. SSH to the NW Logstash host.
  2. Change the directory to /root by running the following command.
    cd /root

  3. Create a private key of 2048 bits by running the following command.
    openssl genrsa -out server-key.pem 2048
  4. Create a CSR by running the following command.
    openssl req -new -key server-key.pem -out signingReq.csr
  5. Submit the CSR to the CA and get a signed server certificate by running the following command.
    openssl x509 -req -days 1000 -in signingReq.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
  6. Create a Keystore for the NetWitness Export Connector by running the following command.
    openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile CA-cert.pem -out logstash-input-netwitness.p12
  7. Copy the /etc/pki/nw/trust/truststore.pem from the Decoder or Log Decoder to the Logstash host by running the following command.
    scp /etc/pki/nw/trust/truststore.pem <logstash ssh username>@<logstash host>:<logstash destination directory path>
  8. Import truststore.pem from the Decoder or Log Decoder to the Logstash keystore (logstash-input-netwitness.p12) by running the following command.
    keytool -importcert -keystore logstash-input-netwitness.p12 -trustcacerts -alias nw-inter -file truststore.pem -storetype PKCS12

Note: The truststore.pem file is the same for all Decoders if Logstash is aggregating from the same NetWitness setup. If Logstash is aggregating from two different NetWitness setups, you must copy the truststore.pem for each Decoder.

  9. Copy the logstash-input-netwitness.p12 file to the /etc/logstash directory by running the following command.
    cp logstash-input-netwitness.p12 /etc/logstash
  10. Change the owner of logstash-input-netwitness.p12 to logstash by running the following command.
    chown logstash:logstash /etc/logstash/logstash-input-netwitness.p12

Note: You must use the same keystore "logstash-input-netwitness.p12" for all NetWitness hosts that are integrated with Logstash.

  11. Connect to the Decoders to add the server-cert.pem to the trustpeer and caupload APIs by running the following commands. You can also use the REST API port to connect.
    curl -X POST -d server-cert.pem http://<logdecoder or decoder IP>:<logdecoder or decoder REST port>/sys/trustpeer
    curl -X POST -d server-cert.pem http://<logdecoder or decoder IP>:<logdecoder or decoder REST port>/sys/caupload

Note: If you are not able to use the REST API, follow the steps below to copy the certificates to the /sys peerCert and /sys caCert APIs using the NetWitness CLI.
1. SSH to Admin Server.
2. Type "help" for a list of commands or "man" for a list of manual pages.
3. Run the following command.
    login localhost:50002 <username> <password>
4. Run the following commands.
    send /sys peerCert op=add --file-data=/root/server-cert.pem
    send /sys caCert op=add --file-data=/root/server-cert.pem

  12. Restart the Logstash service by running the following command.
    systemctl restart logstash
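
A pre-flight check for the files this procedure produces, worth running before the restart; it is an added example, not part of the NetWitness procedure. File names come from the steps above, while the function names and the NW_P12_PASS variable are hypothetical, and it assumes the openssl CLI and GNU stat.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the files the procedure above produces.
# File names come from the page; function names and NW_P12_PASS are hypothetical.
# Assumes the openssl CLI and GNU stat (Linux).

# True only if the private key and the certificate hold the same public key.
key_matches_cert() {            # <key.pem> <cert.pem>
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if the certificate chains to the given CA certificate.
cert_signed_by_ca() {           # <CA-cert.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True only if the certificate is still valid <days> from now.
cert_valid_for_days() {         # <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True only if the keystore opens with the password held in the exported
# NW_P12_PASS variable (kept off the command line, so it never shows in ps).
keystore_opens() {              # <file.p12>
    openssl pkcs12 -in "$1" -passin env:NW_P12_PASS -noout >/dev/null 2>&1
}

# True only if group and other have no access to the keystore file.
keystore_is_private() {         # <file.p12>
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

preflight() {                   # <dir with PEM files> <keystore.p12>
    local d="$1" p12="$2" rc=0
    key_matches_cert "$d/server-key.pem" "$d/server-cert.pem" || { echo "FAIL: server-key.pem does not match server-cert.pem"; rc=1; }
    cert_signed_by_ca "$d/CA-cert.pem" "$d/server-cert.pem" || { echo "FAIL: server-cert.pem not signed by CA-cert.pem"; rc=1; }
    cert_valid_for_days "$d/server-cert.pem" 30 || { echo "FAIL: server-cert.pem expires within 30 days"; rc=1; }
    keystore_opens "$p12" || { echo "FAIL: keystore password rejected"; rc=1; }
    keystore_is_private "$p12" || { echo "FAIL: keystore readable by group/other"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

With NW_P12_PASS exported, run it against /root and /etc/logstash/logstash-input-netwitness.p12. A keystore reported as readable by group or other can be tightened with chmod 600 once its owner is logstash.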

Note: If you are using an untrusted certificate, copy the truststore.pem file from the Decoder or Log Decoder and import it to <JAVA_HOME>/lib/security/cacerts for the Logstash service to trust the CA certificate of the Decoder or Log Decoder. For example:
    keytool -importcert -file </path/to/file/>truststore.pem -keystore /usr/java/jdk-X.Y.Z/lib/security/cacerts -alias nw-core-cert -storepass <password>