8.3 Configuring SSL for Database

You must configure mutual SSL in the database to secure communication with the database.

To configure SSL in the database manually, complete the procedures in the following sections:

For more information about configuring SSL in the database, see the SSL Authentication section in the Vertica documentation.

8.3.1 Obtaining Database Client Certificates

You must obtain the certificates from the search engine (the database client) and use them to enable SSL between the database and the scheduler, and between the database and the search engine.

  1. To obtain the search engine pod name, run the following command on the master node:

    kubectl get pods --all-namespaces | grep hercules-search-engine

    Example output:

    arcsight-installer-9tmsc hercules-search-engine-c97657f9999xpx 2/2 Running 0 17m

    NOTE: The search engine pod is shown as hercules-search-engine-c97657f9999xpx in the example above.

  2. To obtain the search engine certificates, run the following command on the master node:

    kubectl cp <namespace>/<pod>:/vault-crt/RE <path to copy> -c <container>

    Example:

    kubectl cp arcsight-installer-9tmsc/hercules-search-engine-c97657f99-99xpx:/vault-crt/RE /root -c hercules-search-engine

    NOTE: This copies three files: issue_ca.crt, vertica.crt, and vertica.key.

  3. Copy issue_ca.crt, vertica.crt, and vertica.key to <database-cluster-node-1>/root.

8.3.2 Generating Database Server Certificate

  1. Log in to database cluster node 1 as root.

  2. Get the CA certificate for the database:

    • If you have a well-known root CA, your organization's root CA, or a newly generated CDF root CA, you can use that CA.

    • If you do not have a CA, generate a new one by following the instructions in the Generating a New CA section.

  3. Copy the CA certificate and CA key to the /root directory:

    For example:

    cp /root/ca/certs/ca.cert.pem /root

    cp /root/ca/private/ca.key.pem /root

  4. To generate a database server certificate, run the following command and supply the information requested for the certificate request:

    openssl req -newkey rsa:2048 -new -nodes -keyout <server_key_file> -out <server_csr_file>

    Example:

    openssl req -newkey rsa:2048 -new -nodes -keyout server.key -out server.csr

  5. After entering the requested information, run the following command:

    openssl x509 -req -in <server_csr_file> -days 3650 -sha1 -CAcreateserial -CA <CA_certificate_file> -CAkey <CA_key_file> -out <server_certificate_file>

    Example:

    openssl x509 -req -in server.csr -days 3650 -sha1 -CAcreateserial -CA ca.cert.pem -CAkey ca.key.pem -out server.crt

  6. Verify the generated certificate:

    • openssl x509 -noout -purpose -in <server_certificate_file> | grep "SSL server"

      Example command:

      openssl x509 -noout -purpose -in server.crt | grep "SSL server"

      Example output:

      SSL server : Yes

      SSL server CA : No

      Netscape SSL server : Yes

      Netscape SSL server CA : No

    • openssl x509 -noout -purpose -in <CA_certificate_file> | grep "SSL server CA : Yes"

      Example command:

      openssl x509 -noout -purpose -in ca.cert.pem | grep "SSL server CA : Yes"

      Example output:

      SSL server CA : Yes (WARNING code=3)

      Netscape SSL server CA : Yes (WARNING code=3)

    • openssl verify -CAfile <CA_certificate_file> <server_certificate_file>

      Example command:

      openssl verify -CAfile ca.cert.pem server.crt

      Example output:

      server.crt: OK

  7. Copy server.key and server.crt to <database-installer-directory>/arcsight-database:

    cp server.key server.crt /opt/arcsight-database
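The following shell functions are an added example for steps 4 to 6 and are not taken from the Identity Intelligence or Vertica documentation. They issue the server certificate non-interactively (the subject is passed on the command line instead of being typed at the prompts), add server-authentication extensions and a Subject Alternative Name, and run the three checks of step 6 as one pass/fail call. The function names, the subject and SAN values, and the lab CA created by new_test_ca are all assumptions for illustration; an OpenSSL 1.1.1 or later with its usual default configuration file is assumed. The signing step uses -sha256 rather than the -sha1 shown above, because OpenSSL 3 no longer accepts SHA-1 certificate signatures at its default security level.

```shell
#!/bin/sh
# Added example, not from the Identity Intelligence or Vertica documentation.
# Non-interactive version of steps 4 to 6 of "Generating Database Server
# Certificate". Subject/SAN values and new_test_ca() are constructed for a lab.

# issue_server_cert CA_CERT CA_KEY OUT_KEY OUT_CRT SUBJECT SAN_LIST
#   SUBJECT  like "/CN=db-node1.lab.example"  (replaces the openssl req prompts)
#   SAN_LIST like "DNS:db-node1.lab.example,IP:10.0.0.11"
issue_server_cert() {
    ca_crt=$1; ca_key=$2; out_key=$3; out_crt=$4; subj=$5; san=$6
    csr=$(mktemp) || return 1
    ext=$(mktemp) || return 1
    # Step 4: new 2048-bit RSA key and CSR, subject given on the command line.
    openssl req -newkey rsa:2048 -new -nodes -subj "$subj" \
        -keyout "$out_key" -out "$csr" 2>/dev/null || return 1
    # Mark the certificate as an end-entity server certificate and carry the
    # host names/IPs in a SAN, which clients that ignore the CN require.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=$san" > "$ext"
    # Step 5, signed with SHA-256 (SHA-1 signatures are refused by OpenSSL 3
    # at its default security level).
    openssl x509 -req -in "$csr" -days 3650 -sha256 -CAcreateserial \
        -CA "$ca_crt" -CAkey "$ca_key" -extfile "$ext" -out "$out_crt" 2>/dev/null || return 1
    rm -f "$csr" "$ext"
    chmod 600 "$out_key"          # only the owner may read the private key
}

# verify_server_cert CA_CERT SERVER_CRT
# Runs the three checks of step 6; prints "ok" and returns 0 only if all pass.
verify_server_cert() {
    ca_crt=$1; srv_crt=$2
    openssl x509 -noout -purpose -in "$srv_crt" | grep -q '^SSL server : Yes' \
        || { echo "FAIL: $srv_crt is not usable as an SSL server certificate"; return 1; }
    openssl x509 -noout -purpose -in "$ca_crt" | grep -q '^SSL server CA : Yes' \
        || { echo "FAIL: $ca_crt cannot act as an SSL server CA"; return 1; }
    openssl verify -CAfile "$ca_crt" "$srv_crt" >/dev/null 2>&1 \
        || { echo "FAIL: $srv_crt does not chain to $ca_crt"; return 1; }
    echo ok
}

# new_test_ca CA_CERT CA_KEY -- self-signed lab CA (constructed stand-in for the
# "Generating a New CA" section) so the functions above can be tried offline.
new_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj '/CN=Lab Root CA' -keyout "$2" -out "$1" 2>/dev/null && chmod 600 "$2"
}

# Usage (as root on database cluster node 1, paths as in this section):
#   new_test_ca /root/ca.cert.pem /root/ca.key.pem        # lab only
#   issue_server_cert /root/ca.cert.pem /root/ca.key.pem /root/server.key /root/server.crt \
#       '/CN=db-node1.lab.example' 'DNS:db-node1.lab.example,IP:10.0.0.11'
#   verify_server_cert /root/ca.cert.pem /root/server.crt \
#       && cp /root/server.key /root/server.crt /opt/arcsight-database
```

verify_server_cert stops at the first failing check and names it, so a certificate issued by a CA whose key usage does not permit signing server certificates, or one signed by a different CA, is caught before db_ssl_setup is run.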

8.3.3 Enabling SSL in Database

  1. Log in to database cluster node 1 as root.

  2. Change to the root directory.

    cd /root

  3. Copy the files obtained from the search engine, together with the CA certificate and key, to the /tmp folder:

    cp vertica.crt vertica.key ca.cert.pem ca.key.pem issue_ca.crt /tmp

  4. Change to the directory where database is installed:

    Example:

    cd /opt/arcsight-database

  5. Enable SSL using the command:

    ./db_ssl_setup --enable-ssl --vertica-cert-path <server_certificate_path> --vertica-key-path <server_key_path> --client-ca-path <client_CA_path>

    Example:

    ./db_ssl_setup --enable-ssl --vertica-cert-path /opt/arcsight-database/server.crt --vertica-key-path /opt/arcsight-database/server.key --client-ca-path /tmp/issue_ca.crt

  6. Switch to the dbadmin user.

  7. (Conditional) If the ~/.vsql folder already exists, delete its contents:

    rm -rf ~/.vsql/*

  8. (Conditional) If the ~/.vsql folder does not exist, create the folder:

    mkdir ~/.vsql

  9. Copy the following certificates to the ~/.vsql folder and restrict access to the client key:

    cp /tmp/vertica.crt ~/.vsql/client.crt

    cp /tmp/vertica.key ~/.vsql/client.key

    cp /tmp/ca.cert.pem ~/.vsql/ca_root.crt

    chmod 600 ~/.vsql/client.key

  10. Verify the SSL configuration:

    • Verify whether the SSL cipher is displayed:

      vsql -m require

      Example output:

      SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2)

    • Verify that ssl_state is Mutual:

      select user, authentication_method, ssl_state from sessions where session_id = current_session();

      Example output:

       current_user | authentication_method | ssl_state
      --------------+-----------------------+-----------
       dbadmin      | Password              | Mutual
      (1 row)
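The following pre-flight check is an added example and is not part of the Identity Intelligence or Vertica tooling. It takes the six files this section works with (the server certificate and key, the database CA, the search-engine client certificate and key, and the search-engine issuing CA) and confirms before db_ssl_setup in step 5, and again against the ~/.vsql copies after step 9, that each key belongs to its certificate, each certificate chains to the expected CA and is valid for the intended role, nothing expires within 30 days, and the client key has the 600 mode from step 9. It complements the vsql checks of step 10, which only run once SSL is already enabled. The function names and the 30-day window are assumptions; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the Identity Intelligence or Vertica documentation.
# Pre-flight check of the mutual-SSL file set used in "Enabling SSL in Database".

# cert_matches_key CERT KEY : the private key must belong to the certificate
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" = \
      "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# key_mode_ok KEY : readable by the owner only (the chmod 600 of step 9)
key_mode_ok() { [ -n "$(find "$1" -perm 600 2>/dev/null)" ]; }

# cert_not_expiring DAYS CERT : certificate still valid DAYS days from now
cert_not_expiring() { openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null 2>&1; }

# cert_has_purpose "SSL client"|"SSL server" CERT : key usage / EKU allow that role
cert_has_purpose() { openssl x509 -noout -purpose -in "$2" 2>/dev/null | grep -q "^$1 : Yes"; }

fails=0
run_check() {                         # run_check LABEL COMMAND ARGS...
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"; fails=$((fails + 1))
    fi
}

# preflight_mutual_tls SERVER_CRT SERVER_KEY DB_CA CLIENT_CRT CLIENT_KEY CLIENT_CA
# Prints one line per check; the return value is the number of failed checks.
#   DB_CA     = ca.cert.pem  (signed server.crt; becomes ~/.vsql/ca_root.crt)
#   CLIENT_CA = issue_ca.crt (search-engine CA that signed vertica.crt; --client-ca-path)
preflight_mutual_tls() {
    srv_crt=$1; srv_key=$2; db_ca=$3; cli_crt=$4; cli_key=$5; cli_ca=$6
    fails=0
    run_check "server cert chains to the database CA"      openssl verify -CAfile "$db_ca" "$srv_crt"
    run_check "server key belongs to server cert"          cert_matches_key "$srv_crt" "$srv_key"
    run_check "server cert usable as SSL server"           cert_has_purpose "SSL server" "$srv_crt"
    run_check "server cert valid for 30 more days"         cert_not_expiring 30 "$srv_crt"
    run_check "client cert chains to the search-engine CA" openssl verify -CAfile "$cli_ca" "$cli_crt"
    run_check "client key belongs to client cert"          cert_matches_key "$cli_crt" "$cli_key"
    run_check "client cert usable as SSL client"           cert_has_purpose "SSL client" "$cli_crt"
    run_check "client cert valid for 30 more days"         cert_not_expiring 30 "$cli_crt"
    run_check "client key mode is 600"                     key_mode_ok "$cli_key"
    return "$fails"
}

# Usage on database cluster node 1 as root, after step 3 and before step 5:
#   preflight_mutual_tls /opt/arcsight-database/server.crt /opt/arcsight-database/server.key \
#       /tmp/ca.cert.pem /tmp/vertica.crt /tmp/vertica.key /tmp/issue_ca.crt
# As dbadmin after step 9, against the copied client files:
#   preflight_mutual_tls /opt/arcsight-database/server.crt /opt/arcsight-database/server.key \
#       ~/.vsql/ca_root.crt ~/.vsql/client.crt ~/.vsql/client.key /tmp/issue_ca.crt
```

A non-zero return value is the count of failed lines, so the function can gate the rest of a provisioning script; the two most common mismatches in practice, a key that does not belong to the certificate next to it and a client certificate checked against the database CA instead of the search-engine CA, show up as distinct FAIL lines.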

8.3.4 Establishing an SSL Communication with Identity Intelligence

For SSL communication between the database and Identity Intelligence, you must upload the database CA certificate in the Fusion component. Identity Intelligence uses the database CA certificate uploaded there.

To add the database certificate:

  1. Log in to the CDF management portal as an administrator.

  2. Click Deployment > Deployments.

  3. Click of arcsight-installer, then click Reconfigure.

  4. Click Fusion.

  5. Perform the following in the Database Configuration section:

    1. Enable Use SSL for Database connections.

    2. Copy the content of the database root CA certificate (ca.cert.pem) and paste it into Database certificate(s).

      Ensure that there are no extra characters, such as spaces or line breaks, at the end of the certificate content.

  6. Click Save.

  7. Continue with Creating a Kafka Scheduler.
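The following shell functions are an added example, not part of the Identity Intelligence documentation, for preparing the certificate text that step 5 asks for. pem_for_paste checks that the file holds exactly one certificate that OpenSSL can parse, then prints it without carriage returns, trailing blanks, or a trailing line break, so the output can be pasted into Database certificate(s) as-is; pem_is_clean reports whether a saved copy already meets that condition. The function names are assumptions; a POSIX shell and OpenSSL are assumed.

```shell
#!/bin/sh
# Added example, not from the Identity Intelligence documentation: prepare the
# database root CA certificate (ca.cert.pem) for the Fusion "Database
# certificate(s)" field, which must not end in spaces or line breaks.

# pem_cert_count FILE : number of PEM certificate blocks in FILE
pem_cert_count() { grep -c -- '^-----BEGIN CERTIFICATE-----' "$1"; }

# pem_is_clean FILE : true only if FILE ends exactly at the END marker
# (a trailing newline or space makes the 25-byte tail differ)
pem_is_clean() { [ "$(tail -c 25 "$1")" = '-----END CERTIFICATE-----' ]; }

# pem_for_paste FILE : print the cleaned certificate; non-zero unless FILE is
# exactly one valid certificate.
pem_for_paste() {
    [ "$(pem_cert_count "$1")" = 1 ] \
        || { echo "expected exactly one certificate in $1" >&2; return 1; }
    openssl x509 -noout -in "$1" 2>/dev/null \
        || { echo "$1 does not parse as a certificate" >&2; return 1; }
    # tr: drop CRs from Windows line endings; first sed: strip trailing blanks
    # and blank lines; second sed: keep only the BEGIN..END block (drops any
    # text dump in front of it); $(...) removes trailing newlines and
    # printf '%s' adds none back.
    cleaned=$(tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d' \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p')
    printf '%s' "$cleaned"
}

# Usage on database cluster node 1:
#   pem_for_paste /root/ca.cert.pem > /root/ca_for_fusion.txt && pem_is_clean /root/ca_for_fusion.txt
```

The single-certificate check matters because ca.cert.pem is the root CA from 8.3.2; a bundle with intermediates would need the whole chain pasted, and a file that concatenates two roots by mistake is rejected instead of silently trimmed to one of them.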

8.3.5 Creating a Kafka Scheduler

Applies only if you installed Identity Intelligence either in a new cluster or in an existing cluster that has Transformation Hub without Recon. Does not apply if you used the ./install-single-node-post.sh installation script, which performs this configuration automatically.

You must create a Kafka scheduler for the database to receive data from Transformation Hub.

To create a Kafka scheduler, perform the following:

  1. Log in to the database cluster node 1 as root.

  2. Change to the directory where database is installed:

    cd /opt/arcsight-database

  3. Set up Kafka scheduler:

    ./sched_ssl_setup --enable-ssl --sched-cert-path /tmp/vertica.crt --sched-key-path /tmp/vertica.key --vertica-ca-path /tmp/ca.cert.pem --kafka-ca-path /tmp/issue_ca.crt

  4. (Conditional) If a Kafka scheduler already exists, delete it:

    ./kafka_scheduler delete

  5. Create the SSL Kafka scheduler:

    ./kafka_scheduler create <Transformation_Hub_Node_1_IP>:9093,<Transformation_Hub_Node_2_IP>:9093,<Transformation_Hub_Node_3_IP>:9093

  6. Verify that the Kafka scheduler was created and that the port number is the Kafka SSL port (default 9093):

    ./kafka_scheduler status

    Example output:

    SSL/TLS mode is enabled
    Scheduler Kafka Configuration:
              kafka cluster          |      topic       | partitions | enabled
    -------------------------------+------------------+------------+---------
     vlab052002.dom052000.lab:9093 | th-arcsight-avro |          1 | t
    (1 row)
    Active Scheduler Process:
                       scheduler name
    ----------------------------------------------------
     investigation_scheduler_1_vlab052002.dom052000.lab
    (1 row)

  7. Check the event-copy progress and messages:

    ./kafka_scheduler events

    ./kafka_scheduler messages

  8. Remove the certificates and keys copied to the temporary location, including the CA key copied to /tmp in Enabling SSL in Database, and the server key and certificate left in /root:

    rm -f /tmp/vertica.crt /tmp/vertica.key /tmp/issue_ca.crt /tmp/ca.cert.pem /tmp/ca.key.pem

    rm -f /root/server.key /root/server.crt