
Create Custom Certificates

Prerequisites

  • The TrueIdentity Sync Client needs to be installed on a server that has access to both the Active Directory and the Platform Manager (PM). If you do not have signed and verified certificates from a trusted authority, install the TrueIdentity Sync Client directly on the PM.
  • The Sync Client host needs to have the Active Directory server's certificate in its Trusted Root Certification Authorities and the certificate needs to have Server Authentication as one of the intended purposes.
  • To ensure the certificate is supported for import, it is recommended you use a .p12 or .pfx file extension. However, any certificate file supported by the underlying OS may be used.
  • If the LogRhythm TrueIdentity Sync Client is on a remote host, you must generate and trust custom or self-signed certificates on the PM before continuing with configuration. You will also need to trust the PM certificates on the TrueIdentity Sync Client host.

  • If you are using the self-signed certificates located in C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls, follow the instructions below to trust the certificates. Note that it is recommended you create custom certificates signed by a Third Party Certificate Authority.

  • If leveraging an existing Public Key Infrastructure in your environment, verify that any Third Party Certificate Authorities are already trusted by your LogRhythm PM and TrueIdentity Sync Client hosts.

These instructions are examples that use OpenSSL to create custom certificates on a Windows PM through a command prompt.

  1. Log into your LogRhythm Platform Manager.
  2. Go to C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\ssl, and copy the openssl.cfg to this directory.

    The openssl.cfg file is available from the openssl.cfg link.

  3. Open a command prompt from this location and complete the following:
    1. To create the certificate signing request (CSR) and its private key, run:

      openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 -keyout privateKey.key -config openssl.cfg

    2. To create a self-signed public certificate from the CSR, signed with the private key, run:

      openssl x509 -req -days 365 -in CSR.csr -signkey privateKey.key -out LogRhythmSSL.crt -extensions extended -extfile openssl.cfg

  4. The new certificates are generated.
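The second command above only works if openssl.cfg contains an [extended] section, and the Sync Client host requires the resulting certificate to carry the Server Authentication purpose. The following script is an added example, not part of LogRhythm's documentation or product files: it writes a minimal openssl.cfg (the section contents, the organization name and the placeholder host name pm.example.local are assumptions, the page does not show the file), runs the same two commands as the procedure, then checks that the certificate carries the serverAuth extended key usage and validates against itself, which is what the trust steps that follow rely on.

```shell
#!/bin/sh
# Added example, not LogRhythm's own files: builds an openssl.cfg with the
# [extended] section the page's x509 command expects, generates the CSR, key
# and self-signed certificate, and checks the result.
# pm.example.local and "Example Org" are placeholders; use the PM's real FQDN
# and your organization name.
set -eu

write_openssl_cfg() {
  # $1 = path of the openssl.cfg to create (assumed layout, not the vendor file)
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = extended

[ dn ]
C  = US
O  = Example Org
CN = pm.example.local

[ extended ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:pm.example.local
EOF
}

generate_certs() {
  # $1 = directory holding openssl.cfg; produces CSR.csr, privateKey.key and
  # LogRhythmSSL.crt with the same commands as the procedure above.
  ( cd "$1"
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -sha256 \
      -keyout privateKey.key -config openssl.cfg 2>/dev/null
    openssl x509 -req -days 365 -in CSR.csr -signkey privateKey.key \
      -out LogRhythmSSL.crt -extensions extended -extfile openssl.cfg 2>/dev/null
  )
}

has_server_auth() {
  # Echoes "ok" when the certificate carries the Server Authentication EKU
  # the Sync Client host requires, otherwise "missing".
  if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo ok
  else
    echo missing
  fi
}

verify_self_signed() {
  # Echoes "ok" if the certificate validates with itself as the only trust
  # anchor (what trusting a self-signed certificate amounts to), else "untrusted".
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# Usage: sh make-certs.sh /path/to/workdir
if [ $# -gt 0 ]; then
  write_openssl_cfg "$1/openssl.cfg"
  generate_certs "$1"
  echo "EKU serverAuth: $(has_server_auth "$1/LogRhythmSSL.crt")"
  echo "self-verify:    $(verify_self_signed "$1/LogRhythmSSL.crt")"
fi
```

If has_server_auth reports "missing", the certificate was produced without the [extended] section being applied, and the Sync Client host will not accept it for Server Authentication even after it has been added to the trusted root store.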

Trust Certificates

On the Platform Manager, trust the newly generated certificates. If you are using the self-signed certificates, complete the following using the existing certificates located in C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.

Linux

  1. Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/ (foo.crt stands for your certificate file name):

    sudo cp foo.crt /etc/pki/ca-trust/source/anchors/

  2. Update the system trust store:

    sudo update-ca-trust

  3. To restart the TrueIdentity Sync Client, run:

    sudo systemctl restart LogRhythmTrueIdentitySyncClient

Windows

  1. Go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
  2. Copy the custom certificates to this directory.
  3. Ensure the certificates use the same name as the default certificates (server.crt, server.key), and then double-click server.crt.
  4. Click Install Certificate..., and then click Local Machine.

    Local Machine is not the default selection.

  5. Click Next, and then click Place all certificates in the following store.
  6. Select Trusted Root Certification Authorities, and then click OK.
  7. Click Finish.

For both Windows and Linux, if you have different certificates for your Active Directory, you must add those certificates to the same directory as above and trust the certificates.

The following error messages appear if the certificates are not properly trusted:

"LDAP TLS connection failed, make sure your machine trusts the LDAP Domain Controller's root CA certificate."

"TrueIdentity request failed with TLS verification on, make sure your machine trusts the APIG's root CA."
