Certificate Configuration for LogRhythm Component Connections

LogRhythm and SQL Server support any certificates that the Windows operating system can support, including certificates using SHA1 through SHA512 for the signature algorithm.

This topic provides information about configuring certificate information for LogRhythm components. Please note the following:

• For LogRhythm client and server certificates, the Subject name can be the FQDN, short name, or IP address of the host machine.
• Server certificates must contain the Server Authentication enhanced key usage value (–eku 1.3.6.1.5.5.7.3.1) as well as the key exchange attribute (-sky exchange).
• Be sure to use a ‘CN=’ before the FQDN or IP address of the Subject for all certificates (SQL Server and LogRhythm client/server). For example: CN=LRDPX1.logrhythm.com

• Ensure there are no spaces surrounding — or in between — the ‘CN’ and ‘=’ and the Subject (FQDN/Name/IP).

• Ensure that the client and server certificates have their signing certificate — the Root CA of the certificate — in the Trusted Root Certification Authorities store.

• Password-protected certificates are not supported at this time.

LogRhythm Mediator Server

Mediator Server Certificate Specification Settings. Use the specified server certificate instead of the certificate the Mediator service self-generates and self-signs when the service starts.

This certificate must have the server attributes ‘-eku 1.3.6.1.5.5.7.3.1’ and ‘–sky exchange’ and it must have an exportable key.

System Monitor Agent Client Certificate Enforcement Settings. Specify whether to require Agents to have certificates when they connect. This is applied to all Agents that connect to the Mediator.

AI Engine Data Provider

AI Engine Data Provider Client Certificate Specification Settings. This is the client certificate used by the AIE Data Provider (in the Mediator) to authenticate with the AIE Communication Manager (running on AI Engine machine).

AI Engine Communication Manager Server Certificate Enforcement Settings. 

LogRhythm AI Engine Communication Manager

AIE Communication Manager Server Certificate Specification Settings. Use the specified server certificate instead of the certificate the AIE Communication Manager self-generates and self-signs when the service starts.

This certificate must have the server attributes ‘-eku 1.3.6.1.5.5.7.3.1’ and ‘–sky exchange’ and it must have an exportable key.

AI Engine Data Provider Client Certificate Enforcement Settings. 

System Monitor

Mediator Server Certificate Enforcement Settings. 

System Monitor Client Certificate Specification Settings. This is the client certificate used by the Agent to authenticate with the Mediator Server.

LogRhythm Web UI

To specify a server certificate for the Web UI Server to use for incoming browser connections on a single Web Console

1. To open the LogRhythm Configuration Manager, go to C:\Program Files\LogRhythm\LogRhythm Configuration Manager.
2. Go to the Web Console UI section.
3. Click Choose file.
4. Select the certificate you want to use.
5. Click Save.
   For more information on creating certificates for the Web Console, see Complete Additional LogRhythm Installation Tasks in the LogRhythm Installation Guide.

To specify a server certificate for the Web UI Server to use for incoming browser connections on multiple Web Consoles, specify separate keys for each.

1. Go to C:\Program Files\LogRhythm\LogRhythm Web Services.
2. Open the nginx.conf and nginx.conf.ejs files.

3. Specify both the ssl_certificate and ssl_certificate_key file values:

   	server {
   		listen	443 ssl;
   		server_name	www.logrhythm.com;
   		ssl_certificate	www.logrhythm.com.crt;
   		ssl_certificate_key	www.logrhythm.com.key;
   		ssl_protocols	TLSv1.2;
   		ssl_ciphers	AES128-SHA;
   		...
   	}

4. Restart the LogRhythm Services Host Service for the changes to take effect.

The server certificate file is sent to every client that connects to the server. The private key file is a secure object and should be stored with restricted access.

Common Components

To specify a server certificate for the Common Components, complete the following steps on each node in a cluster.

1. Create the certificates.

   

   The certificates need to use the same name as the default certificates.

2. On the Platform Manager, go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
3. Complete the following steps on server.crt and server.key.
   
   1. Double-click server.crt.
   2. Click Install Certificate.
   3. Click Local Machine.
   4. Click Next.
   5. Click Place all certificates in the following store: Trusted Root Certification Authorities.
   6. Click OK.
   7. Click Finish.

Common Access Card (CAC) Use

Work with your Administrator to get details about your organization's certificate authority and client certificates.

The setup of certificates and common access card use must be done by an authorized administrator who understands your organization's network system infrastructure and has the proficiency to set it up correctly.

Key Considerations:

• When creating a server certificate for the Mediator, AIE ComMgr, and SQL Server using your ‘root’ certificate, you must run the command with the ‘-sky exchange –eku 1.3.6.1.5.5.7.3.1’ parameter. This enables the certificate to perform Server Authentication which is required for all server certificates including those for the Mediator, AIE ComMgr, and SQL Server. If you don’t create the server certificate with the key exchange attribute specified (-sky exchange –eku 1.3.6.1.5.5.7.3.1) it does not work for the Mediator and the certificate does not show up in the SQL Server configuration Certificates menu. The SQL Server Configuration Manager looks in both LocalMachine and CurrentUser MY stores for certificates to use.
• When creating a server certificate for SQL Server using your ‘root’ certificate, you MUST use the machine FQDN for the Subject. The short hostname or IP address WILL NOT WORK.
• The user the Agent service is running under MUST have the LogRhythm Root CA certificate in the LocalMachine’s trusted store (v). This allows the Agent to verify the server certificate presented by the Mediator, AIE ComMgr, and SQL Server.
• The user the LogRhythm service (e.g. Agent) is running on MUST have read permissions to the certificate store and certificate(s).

LogRhythm TrueIdentity Sync Client Remote Server

Create Custom Certificates

Create new custom or self-signed certificates. For more information, see Create Client and Server Certificates . If you are using the self-signed certificates, complete the following using the existing certificates located C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.

Trust Certificates

On the Platform Manager, trust the newly generated certificates.

Linux

1. Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/:

   CODE

   sudo cp foo.crt /etc/pki/ca-trust/source/anchors/

2. Run

   CODE

   sudo update-ca-trust

3. To restart the Sync Client, run

   CODE

   sudo systemctl restart LogRhythmTrueIdentitySyncClient

Windows

1. Go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
2. Ensure the certificates use the same name as the default certificates: server.crt and server.key.
3. Double-click server.crt.

4. Click Install Certificate..., and then click Local Machine.

   

   This is not the default.

5. Click Next, and then click Place all certificates in the following store.
6. Select Trusted Root Certification Authorities, and then click OK.
7. Click Finish.

For both Windows and Linux, if you have different certificates for your Active Directory, you must add those certificates to the same directory as above and trust the certificates.

The following error messages appear if the certificates are not properly trusted:

level=warning msg="LDAP TLS connection failed, make sure your machine trusts the LDAP Domain Controller's root CA certificate."

level=warning msg="TrueIdentity request failed with TLS verification on, make sure your machine trusts the APIG's root CA.