Certificate Configuration for LogRhythm Component Connections
LogRhythm and SQL Server support any certificates that the Windows operating system can support, including certificates using SHA1 through SHA512 for the signature algorithm.
This topic provides information about configuring certificate information for LogRhythm components. Please note the following:
- For LogRhythm client and server certificates, the Subject name can be the FQDN, short name, or IP address of the host machine.
- Server certificates must contain the Server Authentication enhanced key usage value (–eku 1.3.6.1.5.5.7.3.1) as well as the key exchange attribute (-sky exchange).
- Be sure to use a ‘CN=’ before the FQDN or IP address of the Subject for all certificates (SQL Server and LogRhythm client/server). For example: CN=LRDPX1.logrhythm.com
Ensure there are no spaces surrounding — or in between — the ‘CN’ and ‘=’ and the Subject (FQDN/Name/IP).
Ensure that the client and server certificates have their signing certificate — the Root CA of the certificate — in the Trusted Root Certification Authorities store.
- Password-protected certificates are not supported at this time.
LogRhythm Mediator Server
Mediator Server Certificate Specification Settings. Use the specified server certificate instead of the certificate the Mediator service self-generates and self-signs when the service starts.
System Monitor Agent Client Certificate Enforcement Settings. Specify whether to require Agents to have certificates when they connect. This is applied to all Agents that connect to the Mediator.
AI Engine Data Provider
AI Engine Data Provider Client Certificate Specification Settings. This is the client certificate used by the AIE Data Provider (in the Mediator) to authenticate with the AIE Communication Manager (running on AI Engine machine).
AI Engine Communication Manager Server Certificate Enforcement Settings.
LogRhythm AI Engine Communication Manager
AIE Communication Manager Server Certificate Specification Settings. Use the specified server certificate instead of the certificate the AIE Communication Manager self-generates and self-signs when the service starts.
AI Engine Data Provider Client Certificate Enforcement Settings.
System Monitor
Mediator Server Certificate Enforcement Settings.
System Monitor Client Certificate Specification Settings. This is the client certificate used by the Agent to authenticate with the Mediator Server.
LogRhythm Web UI
To specify a server certificate for the Web UI Server to use for incoming browser connections on a single Web Console.
The Web Console sections in Configuration Manager will only appear on the server where the Web Services are installed, so if there is a standalone Web Console server, you need to access Configuration Manager on that server, not on the XM/PM server.
To open the LogRhythm Configuration Manager via the file path, navigate to C:\Program Files\LogRhythm\LogRhythm Configuration Manager\LogRhythm Configuration Manager\dest and launch ConfigurationManager.exe.
or
Go to the Start Menu > LogRhythm Folder > Configuration Manager.- Go to the Web Console UI section.
- Click Choose file.
- Select the certificate you want to use.
- Click Save.
For more information on creating certificates for the Web Console, see Complete Additional LogRhythm Installation Tasks in the LogRhythm Installation Guide.
To specify a server certificate for the Web UI Server to use for incoming browser connections on multiple Web Consoles, specify separate keys for each.
- Go to C:\Program Files\LogRhythm\LogRhythm Web Services.
- Open the nginx.conf and nginx.conf.ejs files.
Ensure you upload both the SSL Private Key and the SSL Public Key files. Do not forget to include both to avoid configuration issues. Specify both the ssl_certificate and ssl_certificate_key file values:
server { listen 443 ssl; server_name www.logrhythm.com; ssl_certificate www.logrhythm.com.crt; ssl_certificate_key www.logrhythm.com.key;
ssl_protocols TLSv1.2;
ssl_ciphers AES128-SHA;
...
}
- Restart the LogRhythm Web Services Host API service for the changes to take effect.
The server certificate file is sent to every client that connects to the server. The private key file is a secure object and should be stored with restricted access.
Common Components
To specify a server certificate for the Common Components, complete the following steps on each node in a cluster.
-
The certificates need to use the same name as the default certificates.
- On the Platform Manager, go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
- Complete the following steps on server.crt and server.key.
- Double-click server.crt.
- Click Install Certificate.
- Click Local Machine.
- Click Next.
- Click Place all certificates in the following store: Trusted Root Certification Authorities.
- Click OK.
- Click Finish.
Common Access Card (CAC) Use
Work with your Administrator to get details about your organization's certificate authority and client certificates.
The setup of certificates and common access card use must be done by an authorized administrator who understands your organization's network system infrastructure and has the proficiency to set it up correctly.
Key Considerations:
- When creating a server certificate for the Mediator, AIE ComMgr, and SQL Server using your ‘root’ certificate, you must run the command with the ‘-sky exchange –eku 1.3.6.1.5.5.7.3.1’ parameter. This enables the certificate to perform Server Authentication which is required for all server certificates including those for the Mediator, AIE ComMgr, and SQL Server. If you don’t create the server certificate with the key exchange attribute specified (-sky exchange –eku 1.3.6.1.5.5.7.3.1) it does not work for the Mediator and the certificate does not show up in the SQL Server configuration Certificates menu. The SQL Server Configuration Manager looks in both LocalMachine and CurrentUser MY stores for certificates to use.
- When creating a server certificate for SQL Server using your ‘root’ certificate, you MUST use the machine FQDN for the Subject. The short hostname or IP address WILL NOT WORK.
- The user the Agent service is running under MUST have the LogRhythm Root CA certificate in the LocalMachine’s trusted store (v). This allows the Agent to verify the server certificate presented by the Mediator, AIE ComMgr, and SQL Server.
- The user the LogRhythm service (e.g. Agent) is running on MUST have read permissions to the certificate store and certificate(s).
LogRhythm TrueIdentity Sync Client Remote Server
Create Custom Certificates
Create new custom or self-signed certificates. For more information, see Create Client and Server Certificates . If you are using the self-signed certificates, complete the following using the existing certificates located C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
Trust Certificates
On the Platform Manager, trust the newly generated certificates.
Linux
Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/:
CODEsudo cp foo.crt /etc/pki/ca-trust/source/anchors/
Run
CODEsudo update-ca-trust
To restart the Sync Client, run
CODEsudo systemctl restart LogRhythmTrueIdentitySyncClient
Windows
- Go to C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm API Gateway\tls.
- Ensure the certificates use the same name as the default certificates: server.crt and server.key.
- Double-click server.crt.
Click Install Certificate..., and then click Local Machine.
This is not the default.
- Click Next, and then click Place all certificates in the following store.
- Select Trusted Root Certification Authorities, and then click OK.
- Click Finish.
For both Windows and Linux, if you have different certificates for your Active Directory, you must add those certificates to the same directory as above and trust the certificates.
The following error messages appear if the certificates are not properly trusted:
level=warning msg="LDAP TLS connection failed, make sure your machine trusts the LDAP Domain Controller's root CA certificate."
level=warning msg="TrueIdentity request failed with TLS verification on, make sure your machine trusts the APIG's root CA.