Certificate Configuration for LogRhythm Component Connections
LogRhythm and SQL Server support any certificates that the Windows operating system can support, including certificates using SHA1 through SHA512 for the signature algorithm.
This topic provides information about configuring certificate information for LogRhythm components. Please note the following:
- For LogRhythm client and server certificates, the Subject name can be the FQDN, short name, or IP address of the host machine.
- Server certificates must contain the Server Authentication enhanced key usage value (-eku 1.3.6.1.5.5.7.3.1) as well as the key exchange attribute (-sky exchange).
- Be sure to use a ‘CN=’ before the FQDN or IP address of the Subject for all certificates (SQL Server and LogRhythm client/server). For example: CN=LRDPX1.logrhythm.com
  - Ensure there are no spaces surrounding, or in between, the ‘CN’, the ‘=’, and the Subject (FQDN/Name/IP).
  - Ensure that the client and server certificates have their signing certificate (the Root CA of the certificate) in the Trusted Root Certification Authorities store.
- Password-protected certificates are not supported at this time.
LogRhythm Mediator Server
Mediator Server Certificate Specification Settings. Use the specified server certificate instead of the certificate the Mediator service self-generates and self-signs when the service starts.
System Monitor Agent Client Certificate Enforcement Settings. Specify whether to require Agents to have certificates when they connect. This is applied to all Agents that connect to the Mediator.
AI Engine Data Provider
AI Engine Data Provider Client Certificate Specification Settings. This is the client certificate used by the AIE Data Provider (in the Mediator) to authenticate with the AIE Communication Manager (running on the AI Engine machine).
AI Engine Communication Manager Server Certificate Enforcement Settings.
LogRhythm AI Engine Communication Manager
AIE Communication Manager Server Certificate Specification Settings. Use the specified server certificate instead of the certificate the AIE Communication Manager self-generates and self-signs when the service starts.
AI Engine Data Provider Client Certificate Enforcement Settings.
System Monitor
Mediator Server Certificate Enforcement Settings.
System Monitor Client Certificate Specification Settings. This is the client certificate used by the Agent to authenticate with the Mediator Server.
LogRhythm Web UI
By default, the LogRhythm Web UI uses a self-signed certificate generated at service start-up if an SSL Public Key and SSL Private Key are not configured.
To specify a custom server certificate for the Web UI Server to use for incoming browser connections to the Web Console:
- Open the LogRhythm Configuration Manager. Either navigate to C:\Program Files\LogRhythm\LogRhythm Configuration Manager\LogRhythm Configuration Manager\dest and launch ConfigurationManager.exe, or go to the Start Menu > LogRhythm Folder > Configuration Manager.
- Select Web Services from the left menu panel.
- Select Advanced View: Show at the bottom to reveal all advanced configuration options.
- Go to the Web Console UI - Hostname section. There is a section for each Web Console UI service that has ever registered in the deployment.
- Copy and paste a key or click Choose file in the SSL Public Key and SSL Private Key sections.
- Click Save.
  For more information on creating certificates for the Web Console, see Complete Additional LogRhythm Installation Tasks in the LogRhythm Installation Guide.
- The LogRhythm Web UI Services will automatically restart upon detecting the configuration change.
Monitor the log file at "C:\Program Files\LogRhythm\LogRhythm Web Services\logs\LogRhythm Web Console UI.log" to validate that the service restarts without issue using the new certificate. If there is an issue with the public or private key, errors will display. You can recover the service by removing your configuration, and the service will return to using a self-signed certificate.
The server certificate file is sent to every client that connects to the server. The private key file is a secure object and should be stored with restricted access.
Common Components
To specify a server certificate for the Common Components, complete the following steps on each node in a cluster.
- The certificates need to use the same names as the default certificates.
- On the Platform Manager, go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
- Complete the following steps on server.crt and server.key.
  - Double-click server.crt.
  - Click Install Certificate.
  - Click Local Machine.
  - Click Next.
  - Click Place all certificates in the following store, and select Trusted Root Certification Authorities.
  - Click OK.
  - Click Finish.
Common Access Card (CAC) Use
Work with your Administrator to get details about your organization's certificate authority and client certificates.
The setup of certificates and common access card use must be done by an authorized administrator who understands your organization's network system infrastructure and has the proficiency to set it up correctly.
Key Considerations:
- When creating a server certificate for the Mediator, AIE ComMgr, and SQL Server using your ‘root’ certificate, you must run the command with the ‘-sky exchange -eku 1.3.6.1.5.5.7.3.1’ parameters. This enables the certificate to perform Server Authentication, which is required for all server certificates, including those for the Mediator, AIE ComMgr, and SQL Server. If you do not create the server certificate with the key exchange attribute and Server Authentication EKU specified (-sky exchange -eku 1.3.6.1.5.5.7.3.1), it does not work for the Mediator, and the certificate does not appear in the SQL Server Configuration Manager Certificates menu. The SQL Server Configuration Manager looks in both the LocalMachine and CurrentUser MY stores for certificates to use.
- When creating a server certificate for SQL Server using your ‘root’ certificate, you MUST use the machine FQDN for the Subject. The short hostname or IP address WILL NOT WORK.
- The user the Agent service is running as MUST have the LogRhythm Root CA certificate in the LocalMachine’s Trusted Root Certification Authorities store. This allows the Agent to verify the server certificate presented by the Mediator, AIE ComMgr, and SQL Server.
- The user the LogRhythm service (for example, the Agent) is running as MUST have read permissions to the certificate store and certificate(s).
LogRhythm TrueIdentity Sync Client Remote Server
Create Custom Certificates
Create new custom or self-signed certificates. For more information, see Create Client and Server Certificates. If you are using the self-signed certificates, complete the following steps using the existing certificates located in C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
Trust Certificates
On the Platform Manager, trust the newly generated certificates.
Linux
Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/:
    sudo cp foo.crt /etc/pki/ca-trust/source/anchors/
Then update the system trust store:
    sudo update-ca-trust
To restart the Sync Client, run:
    sudo systemctl restart LogRhythmTrueIdentitySyncClient
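The script below is an added example and not part of LogRhythm's tooling. It turns the certificate rules from Key Considerations above (Subject in CN=<name> form with no spaces, Server Authentication EKU 1.3.6.1.5.5.7.3.1, chain to the Root CA in the trusted store) and the Linux anchor step just shown into openssl pre-flight checks you can run before binding a server certificate or copying a file into /etc/pki/ca-trust/source/anchors/. The function names (check_lr_server_cert, check_ca_anchor, issue_leaf), the hostname lrdpx1.example.internal and all key material are constructed placeholders; the -sky exchange key-spec is a Windows CAPI attribute that openssl cannot see, so it is not checked.

```shell
#!/bin/sh
# Added example, not LogRhythm's own tooling: openssl pre-flight checks for the
# certificate rules stated on this page. check_lr_server_cert covers a server
# certificate for the Mediator, AIE ComMgr or SQL Server; check_ca_anchor covers
# the file about to be placed in /etc/pki/ca-trust/source/anchors/, which must be
# the Root CA itself, not a leaf certificate.

# check_ca_anchor FILE -> 0 if FILE is a PEM-encoded CA certificate, else 1
check_ca_anchor() {
  if ! openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    echo "FAIL $1: not a PEM-encoded X.509 certificate"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL $1: not a CA certificate, anchors/ needs the Root CA"; return 1
  fi
  echo "OK $1: $(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# check_lr_server_cert CERT ROOT -> 0 if every rule passes, else 1
check_lr_server_cert() {
  cert=$1; root=$2; rc=0
  # Rule 1: Subject starts with CN= and contains no spaces. RFC2253 formatting is
  # stable across openssl versions (a leading space in the value shows as "\ ").
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  case "$subj" in
    *' '*) echo "FAIL $cert: subject contains a space: '$subj'"; rc=1 ;;
    CN=?*) ;;
    *)     echo "FAIL $cert: subject not in CN= form: '$subj'"; rc=1 ;;
  esac
  # Rule 2: Extended Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
  if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL $cert: missing Server Authentication EKU"; rc=1
  fi
  # Rule 3: the certificate must chain to the Root CA that the clients trust.
  if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo "FAIL $cert: does not chain to $root"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $cert"
  return $rc
}

# Constructed test material (placeholder names, throwaway keys): a Root CA, a leaf
# that follows every rule, one without the EKU, one with a space after CN=, and a
# file that is not a certificate at all.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=ExampleLogRhythmRootCA" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/server.ext"
printf 'keyUsage=digitalSignature,keyEncipherment\n' > "$WORK/noeku.ext"
echo 'not a certificate' > "$WORK/junk.crt"

# issue_leaf NAME SUBJECT EXTFILE: sign a leaf certificate under the constructed root
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}
issue_leaf good   "/CN=lrdpx1.example.internal"  "$WORK/server.ext"
issue_leaf noeku  "/CN=lrdpx1.example.internal"  "$WORK/noeku.ext"
issue_leaf spaced "/CN= lrdpx1.example.internal" "$WORK/server.ext"

# Only root.crt is a usable anchor; only good.crt is a usable LogRhythm server cert.
for f in root good junk; do check_ca_anchor "$WORK/$f.crt" || true; done
for f in good noeku spaced; do check_lr_server_cert "$WORK/$f.crt" "$WORK/root.crt" || true; done
```

On a real host, point check_lr_server_cert at the PEM export of the server certificate and at the Root CA you intend to place in the Trusted Root store, and point check_ca_anchor at the file before you copy it into anchors/. On RHEL-family systems the bundle that update-ca-trust regenerates is normally linked at /etc/pki/tls/certs/ca-bundle.crt, so running openssl verify -CAfile against that bundle after the restart confirms the anchor took effect.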
Windows
- Go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
- Ensure the certificates use the same names as the default certificates: server.crt and server.key.
- Double-click server.crt.
- Click Install Certificate..., and then click Local Machine. (Local Machine is not the default selection.)
- Click Next, and then click Place all certificates in the following store.
- Select Trusted Root Certification Authorities, and then click OK.
- Click Finish.
For both Windows and Linux, if you have different certificates for your Active Directory, you must add those certificates to the same directory as above and trust the certificates.
The following error messages appear if the certificates are not properly trusted:
level=warning msg="LDAP TLS connection failed, make sure your machine trusts the LDAP Domain Controller's root CA certificate."
level=warning msg="TrueIdentity request failed with TLS verification on, make sure your machine trusts the APIG's root CA."