You can establish the HTTPS connection between the ThreatConnect instance and NetWitness Platform with or without SSL certificate verification, depending on whether the verify-s-s-l field is set to true or false.
Establish HTTPS connection with SSL certificate verification
For SSL certificate verification, you must export the SSL certificate from the ThreatConnect instance and add it to the Response Actions service trust-store.
To perform SSL certificate verification using ThreatConnect Instance
1. Obtain the SSL certificate from the ThreatConnect instance.
   Note: Depending on how the ThreatConnect Playbook is implemented, you can obtain the certificate in different ways.
   For example: If the ThreatConnect Playbook is implemented as a Webhook Trigger, you can use the browser's certificate viewer to export the certificate. The certificate exported is as shown in the following figure.
2. Ensure that the certificate obtained is in .pem format. If the certificate obtained is not in .pem format, you must convert it to .pem.
   Note: If multiple intermediate Certificate Authorities (CAs) are present in the connection between NetWitness Platform and ThreatConnect, all the certificates of the certificate chain must be uploaded to the service trust-store in .pem format. If the certificates are transferred between operating systems such as Windows and Linux, the format of the certificates must be adjusted.
3. Place the certificate on Admin-Server and run the following command.
   security-cli-client --add-trusts -s response-actions-server -x /root/threatconnect-chain.pem -u deploy_admin -k <deploy_admin_password>
4. Capture the CommonName (CN) from the certificate and add it as the host mapping in the /etc/hosts file.
   For example: If threatconnect is the CommonName captured from the certificate, you must append the following entry to the /etc/hosts file.
   #threatconnect-instance-ip CommonName-present-in-certificate
   1.1.1.x threatconnect
5. Go to (Admin) > Services > select the Response Actions Server service > > View > Explore > nw/response/connector/threatconnect.
6. Enter the CommonName (CN) captured (in Step-4) in the host field.
7. Enter true in the use-ssl field.
8. Enter true in the verify-s-s-l field.
9. In the port field, enter the appropriate port on which the ThreatConnect instance is connected. By default, the SSL port is 443.
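The checks behind the .pem, certificate chain and CommonName steps of this procedure can be scripted before the certificate is added to the trust-store. The following is an added example, not part of the original documentation or of NetWitness tooling; the function names are hypothetical, and it assumes openssl is installed and that the first certificate in the file is the ThreatConnect server certificate.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate chain file before it is
# added to the trust-store. Function names are hypothetical, not product tooling.

# True when the file holds at least one certificate with balanced PEM markers.
pem_is_well_formed() {
    b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "${b:-0}" -gt 0 ] && [ "$b" -eq "${e:-0}" ]
}

# Number of certificates in the file (leaf plus any intermediate CAs).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when lines end in CRLF, as happens after a Windows-to-Linux copy.
pem_has_crlf() {
    grep -q "$(printf '\r')\$" "$1"
}

# Rewrite the file in place with LF line endings.
pem_strip_crlf() {
    tr -d '\r' < "$1" > "$1.lf" && mv "$1.lf" "$1"
}

# CommonName of the first certificate in the file (assumed to be the
# ThreatConnect server certificate, with intermediates after it).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# True when hosts file $2 (default /etc/hosts) maps an address to name $1.
hosts_maps_name() {
    awk -v n="$1" '{ sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
        END { exit !f }' "${2:-/etc/hosts}"
}

# Run every check in order; stops at the first failure.
preflight() {
    pem=$1; hosts=${2:-/etc/hosts}
    pem_is_well_formed "$pem" || { echo "$pem is not PEM; convert it first"; return 1; }
    if pem_has_crlf "$pem"; then echo "CRLF found, converting"; pem_strip_crlf "$pem"; fi
    echo "certificates in file: $(pem_cert_count "$pem")"
    cn=$(cert_cn "$pem"); [ -n "$cn" ] || { echo "no CN in first certificate"; return 1; }
    echo "CN for the host field: $cn"
    hosts_maps_name "$cn" "$hosts" || { echo "add '$cn' to $hosts"; return 1; }
}

[ "$#" -eq 0 ] || preflight "$@"
```

Run it with the chain file as the first argument, for example /root/threatconnect-chain.pem; the printed CN is the value that the /etc/hosts entry and the host field must both carry.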
Establish HTTPS connection without SSL certificate verification
You can establish the SSL connection between ThreatConnect and NetWitness Platform without SSL certificate verification.
To skip SSL certificate verification
1. Go to (Admin) > Services > select the Response Actions Server service > > View > Explore > nw/response/connector/threatconnect.
2. Enter true in the use-ssl field.
3. Enter false in the verify-s-s-l field.
   Note: When the verify-s-s-l field is set to false, you can enter the IP address or DNS mapping of the ThreatConnect instance in the host field in (Admin) > Services > select the Response Actions Server service > > View > Explore > nw/response/connector/threatconnect.
4. In the port field, enter the appropriate port on which the ThreatConnect instance is connected. By default, the SSL port is 443.
Troubleshooting
This section lists the troubleshooting information for the various issues encountered while integrating and executing Response Actions.
Error | |
Problem | The Response Action execution fails if you do not upload the SSL certificate to the Response Actions Server service trust-store after setting the verify-s-s-l configuration to true in the Response Actions Server Explore view. Consequently, the above error is displayed in the Response Actions History Overview panel. |
Workaround | You must upload the SSL certificate to the Response Actions Server service trust-store after setting the verify-s-s-l configuration to true in the Response Actions Server Explore view. |
Error | |
Problem | The Response Action execution fails if you do not perform the following actions after adding the SSL certificate to the Response Actions Server service trust-store. - Adding the CommonName (CN) of the certificate as the host mapping in /etc/hosts file. - Entering the CommonName (CN) of the certificate in the host field in (Admin) > Services > select the Response Actions Server service > > View > Explore > nw/response/connector/threatconnect. |
Workaround | You must perform the following actions after adding the SSL certificate to the Response Actions Server service trust-store. - Adding the CommonName (CN) of the certificate as the host mapping in /etc/hosts file. - Entering the CommonName (CN) of the certificate in the host field in (Admin) > Services > select the Response Actions Server service > > View > Explore > nw/response/connector/threatconnect. |