13.5 Creating TrustStore and KeyStore for Mutual SSL with Transformation Hub

If you have enabled client authentication in Transformation Hub, you must configure mutual SSL authentication between SmartConnector and Transformation Hub.

To configure mutual SSL between Transformation Hub and SmartConnector, perform the following:

  1. On the SmartConnector server:

    1. Change to the current directory,

      Linux:

      cd <install dir>/current

      Windows:

      cd <install dir>\current

    2. Set the environment variables for the static values used by keytool:

      Linux:

      export CURRENT=<full path to this "current" folder>

      export TH=<th hostname>_<th port>

      export STORES=${CURRENT}/user/agent/stores

      export STORE_PASSWD=<password>

      export TH_HOST=<TH master host name>

      export CA_CERT=ca.cert.pem

      export CERT_CA_TMP=/opt/cert_ca_tmp

      Windows:

      set CURRENT=<full path to this "current" folder>

      set TH=<th hostname>_<th port>

      set STORES=%CURRENT%\user\agent\stores

      set STORE_PASSWD=<password>

      set TH_HOST=<TH master host name>

      set CA_CERT=ca.cert.pem

      set CERT_CA_TMP=\opt\cert_ca_tmp

    3. (Conditional) Create the stores directory if it does not exist:

      Linux:

      mkdir ${STORES}

      Windows:

      mkdir %STORES%

    4. From a command prompt, change to the installation directory of the keytool utility. The default installation directory is:

      Linux:

      /usr/lib/jvm/jre/bin

      Windows:

      c:\usr\lib\jvm\jre\bin

    5. Create the key pair:

      1. Execute the command:

        Linux:

        ./keytool -genkeypair -alias ${TH} -keystore ${STORES}/${TH}.keystore.jks -dname "cn=<Connector FQDN>,OU=Arcsight,O=MF,L=Sunnyvale,ST=CA,C=US" -validity 375

        Windows:

        .\keytool -genkeypair -alias %TH% -keystore %STORES%\%TH%.keystore.jks -dname "cn=<Connector FQDN>,OU=Arcsight,O=MF,L=Sunnyvale,ST=CA,C=US" -validity 375

        NOTE: For dname, the FQDN, OU, O, L, ST and C values must be appropriate for your company and location. For example: -dname "CN=ig.mf.com,OU=IG,O=MF,L=Sunnyvale,ST=CA,C=US"

      2. When prompted, enter the password. Note the password as you will need it in a later step.

        NOTE: Ensure that the password is the same as the store password you specified in Step 1.b.

      3. When prompted for the key password, press Enter if you want the key password to be the same as the keystore password. Save the password. You will need it again in a later step.

    6. List the keystore entries and verify that the keystore contains at least one private key:

      Linux:

      ./keytool -list -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}

      Windows:

      .\keytool -list -keystore %STORES%\%TH%.keystore.jks -storepass %STORE_PASSWD%

    7. Create a Certificate Signing Request (CSR):

      Linux:

      ./keytool -certreq -alias ${TH} -keystore ${STORES}/${TH}.keystore.jks -file ${STORES}/${TH}-cert-req -storepass ${STORE_PASSWD}

      Windows:

      .\keytool -certreq -alias %TH% -keystore %STORES%\%TH%.keystore.jks -file %STORES%\%TH%-cert-req -storepass %STORE_PASSWD%

  2. On the Transformation Hub Server:

    1. Ensure that the CDF root CA certificate and root CA key used by Transformation Hub are available in /tmp directory with the following names:

      /tmp/ca.key.pem

      /tmp/ca.cert.pem

    2. Set the environment variables for the static values used by keytool:

      export CA_CERT_TH=/tmp/ca.cert.pem

      export CA_KEY_TH=/tmp/ca.key.pem

      export CERT_CA_TMP_TH=/opt/cert_ca_tmp

      export TH=<Transformation Hub hostname>_<Transformation Hub port>

    3. Create a temporary directory on the Transformation Hub master server:

      mkdir $CERT_CA_TMP_TH

  3. Copy the ${STORES}/${TH}-cert-req file from a Linux based SmartConnector server or %STORES%\%TH%-cert-req file from a Windows based SmartConnector Server to the CERT_CA_TMP_TH directory in the Transformation Hub master server created in Step 2.c.

  4. On the Transformation Hub server, create the signed certificate using the openssl utility:

    /bin/openssl x509 -req -CA ${CA_CERT_TH} -CAkey ${CA_KEY_TH} -in ${CERT_CA_TMP_TH}/${TH}-cert-req -out ${CERT_CA_TMP_TH}/${TH}-cert-signed -days 366 -CAcreateserial -sha256

  5. On the SmartConnector server:

    1. Copy the ${CERT_CA_TMP_TH}/${TH}-cert-signed and /tmp/ca.cert.pem certificates from the Transformation Hub server to the ${STORES} directory on the Linux based SmartConnector server or %STORES% directory on the Windows based SmartConnector server.

    2. Import the CDF root CA certificate to the truststore:

      1. Execute the command:

        Linux:

        ./keytool -importcert -file ${STORES}/${CA_CERT} -alias CARoot -keystore ${STORES}/${TH}.truststore.jks -storepass ${STORE_PASSWD}

        Windows:

        .\keytool -importcert -file %STORES%\%CA_CERT% -alias CARoot -keystore %STORES%\%TH%.truststore.jks -storepass %STORE_PASSWD%

      2. When prompted, specify a password for the truststore. Note the password as you will need it again in a later step.

      3. When you are asked to trust the certificate, enter Yes.

    3. Import the CDF root CA certificate to the keystore:

      1. Execute the command:

        Linux:

        ./keytool -importcert -file ${STORES}/${CA_CERT} -alias CARoot -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}

        Windows:

        .\keytool -importcert -file %STORES%\%CA_CERT% -alias CARoot -keystore %STORES%\%TH%.keystore.jks -storepass %STORE_PASSWD%

      2. When you are asked to trust the certificate, enter Yes.

    4. Import the signed certificate to the keystore:

      Linux:

      ./keytool -importcert -file ${STORES}/${TH}-cert-signed -alias ${TH} -keystore ${STORES}/${TH}.keystore.jks -storepass ${STORE_PASSWD}

      Windows:

      .\keytool -importcert -file %STORES%\%TH%-cert-signed -alias %TH% -keystore %STORES%\%TH%.keystore.jks -storepass %STORE_PASSWD%

    5. Note the keystore and truststore paths:

      Linux:

      echo ${STORES}/${TH}.truststore.jks

      echo ${STORES}/${TH}.keystore.jks

      Windows:

      echo %STORES%\%TH%.truststore.jks

      echo %STORES%\%TH%.keystore.jks

    6. Delete the following files:

      CAUTION: The following files should be deleted to prevent the distribution of security certificates that could be used to authenticate against the Transformation Hub. These files are very sensitive and should not be distributed to other machines.

      Linux:

      rm ${STORES}/${CA_CERT}

      rm ${STORES}/ca.key.pem

      rm ${STORES}/${TH}-cert-signed

      rm ${STORES}/${TH}-cert-req

      Windows:

      del %STORES%\ca.cert.pem

      del %STORES%\ca.key.pem

      del %STORES%\%TH%-cert-signed

      del %STORES%\%TH%-cert-req

  6. On the Transformation Hub server, delete the /tmp folder where the CDF root CA certificate and root CA key of Transformation Hub are available.

    CAUTION: The temporary certificate folder should be deleted to prevent the distribution of security certificates that could be used to authenticate against the Transformation Hub. These files are very sensitive and should not be distributed to other machines.

  7. Continue with Configuring the SmartConnector.
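The following script is an added example and is not part of the ArcSight documentation or the product. It runs both halves of the procedure above non-interactively on one Linux host, using a constructed throwaway root CA generated with openssl as a stand-in for the CDF root CA, and then performs the check the procedure itself does not describe: that the keystore's private-key entry now carries a two-certificate chain, and that the CA in the truststore is the one that actually signed the connector's client certificate. The function names, the hostnames demo-th.example.com and connector.example.com, and the password changeit are placeholders; keytool and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the product docs): end-to-end run of the mutual-SSL
# store creation with a constructed test CA, followed by a verification step.
# Assumes keytool (JDK) and openssl on PATH. All names/passwords are placeholders.

# Build keystore and truststore in "$1/stores" the way the procedure does.
# $2 = "<th hostname>_<th port>" alias, $3 = store password, $4 = connector FQDN.
build_mutual_ssl_stores() {
  work=$1; th=$2; pw=$3; fqdn=$4
  stores="$work/stores"; ca_tmp="$work/cert_ca_tmp"; th_tmp="$work/th_tmp"
  mkdir -p "$stores" "$ca_tmp" "$th_tmp" || return 1

  # Transformation Hub side: constructed stand-in for the CDF root CA (key + cert).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Test Root CA" \
    -keyout "$th_tmp/ca.key.pem" -out "$th_tmp/ca.cert.pem" >/dev/null 2>&1 || return 1

  # SmartConnector steps 1.5 to 1.7: key pair, sanity list, CSR.
  keytool -genkeypair -alias "$th" -keyalg RSA -keysize 2048 -storetype JKS \
    -keystore "$stores/$th.keystore.jks" -storepass "$pw" -keypass "$pw" \
    -dname "CN=$fqdn,OU=Arcsight,O=MF,L=Sunnyvale,ST=CA,C=US" -validity 375 >/dev/null 2>&1 || return 1
  keytool -list -keystore "$stores/$th.keystore.jks" -storepass "$pw" 2>/dev/null \
    | grep -q PrivateKeyEntry || return 1
  keytool -certreq -alias "$th" -keystore "$stores/$th.keystore.jks" \
    -file "$stores/$th-cert-req" -storepass "$pw" >/dev/null 2>&1 || return 1

  # Steps 3 and 4: the CSR travels to the hub, which signs it with the root CA.
  cp "$stores/$th-cert-req" "$ca_tmp/" || return 1
  openssl x509 -req -CA "$th_tmp/ca.cert.pem" -CAkey "$th_tmp/ca.key.pem" \
    -in "$ca_tmp/$th-cert-req" -out "$ca_tmp/$th-cert-signed" \
    -days 366 -CAcreateserial -sha256 >/dev/null 2>&1 || return 1

  # Step 5: signed cert and CA cert travel back; import in the documented order.
  cp "$ca_tmp/$th-cert-signed" "$th_tmp/ca.cert.pem" "$stores/" || return 1
  keytool -importcert -noprompt -file "$stores/ca.cert.pem" -alias CARoot -storetype JKS \
    -keystore "$stores/$th.truststore.jks" -storepass "$pw" >/dev/null 2>&1 || return 1
  keytool -importcert -noprompt -file "$stores/ca.cert.pem" -alias CARoot \
    -keystore "$stores/$th.keystore.jks" -storepass "$pw" >/dev/null 2>&1 || return 1
  # The CA must already be in the keystore, otherwise keytool cannot chain the
  # certificate reply to a trusted root and refuses to install it.
  keytool -importcert -noprompt -file "$stores/$th-cert-signed" -alias "$th" \
    -keystore "$stores/$th.keystore.jks" -storepass "$pw" >/dev/null 2>&1 || return 1

  # Steps 5.6 and 6: remove the sensitive intermediates on both sides.
  rm -f "$stores/ca.cert.pem" "$stores/$th-cert-signed" "$stores/$th-cert-req"
  rm -rf "$ca_tmp" "$th_tmp"
}

# Post-procedure check. Prints OK when: the keystore entry has a 2-cert chain
# (leaf + root), the truststore holds a trusted CARoot entry, and the CA exported
# from the truststore verifies the leaf exported from the keystore. Else FAIL.
verify_mutual_ssl_stores() {
  stores=$1; th=$2; pw=$3
  keytool -list -v -keystore "$stores/$th.keystore.jks" -storepass "$pw" 2>/dev/null \
    | grep -q "Certificate chain length: 2" || { echo FAIL; return 1; }
  keytool -list -keystore "$stores/$th.truststore.jks" -storepass "$pw" 2>/dev/null \
    | grep -qi "caroot.*trustedCertEntry" || { echo FAIL; return 1; }
  keytool -exportcert -rfc -alias "$th" -keystore "$stores/$th.keystore.jks" \
    -storepass "$pw" > "$stores/leaf.pem" 2>/dev/null || { echo FAIL; return 1; }
  keytool -exportcert -rfc -alias CARoot -keystore "$stores/$th.truststore.jks" \
    -storepass "$pw" > "$stores/trusted-ca.pem" 2>/dev/null || { echo FAIL; return 1; }
  openssl verify -CAfile "$stores/trusted-ca.pem" "$stores/leaf.pem" >/dev/null 2>&1 \
    || { echo FAIL; return 1; }
  rm -f "$stores/leaf.pem" "$stores/trusted-ca.pem"
  echo OK
}

# Runs the whole flow in a scratch directory and prints OK or FAIL.
mutual_ssl_demo() {
  work=$(mktemp -d) || return 1
  th=demo-th.example.com_9093      # placeholder <th hostname>_<th port>
  if build_mutual_ssl_stores "$work" "$th" changeit connector.example.com; then
    result=$(verify_mutual_ssl_stores "$work/stores" "$th" changeit)
  else
    result=FAIL
  fi
  rm -rf "$work"
  echo "$result"
  [ "$result" = OK ]
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  mutual_ssl_demo
else
  echo "keytool and openssl are required for this demo" >&2
fi
```

Against real stores, run verify_mutual_ssl_stores with the ${STORES} path, ${TH} and ${STORE_PASSWD} from Step 1.b after finishing Step 5; a FAIL on the chain-length check usually means the signed certificate was imported before the CA certificate, and a FAIL on the openssl verify means the truststore holds a different CA than the one that signed the CSR.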