Setting Up SSL Client-Side Authentication Between Transformation Hub and ESM - Non-FIPS Mode

ArcSight Platform maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster and for external communication. ESM needs the signed certificates in its truststore so that it will trust connections to the ArcSight Platform and Transformation Hub. You might need to contact the ArcSight Platform administrator to obtain the signed certificates if you do not have sufficient privileges to access them and run the necessary commands.

Note: When configuring Transformation Hub access, you must specify the FQDN of the ArcSight Platform virtual IP for HA or single master node and not the IP address.

To complete the configuration, complete the following tasks:

Enabling Client-side Authentication Between Transformation Hub and ESM:

  1. Verify that Transformation Hub is functional and that client authentication is configured.
  2. As user arcsight, stop the ArcSight Manager:
/etc/init.d/arcsight_services stop manager
/opt/arcsight/manager/bin/arcsight keytool -store clientkeys -storepasswd -storepass ""
/opt/arcsight/manager/bin/arcsight keytool -store clientkeys -keypasswd -keypass "" -alias services-cn
/opt/arcsight/manager/bin/arcsight changepassword -f config/client.properties -p ssl.keystore.password
export COMMON_NAME=
/opt/arcsight/manager/bin/arcsight keytool -store clientkeys -genkeypair -dname "cn=$, ou=, o=, c=" -keyalg rsa -keysize 2048 -alias ebkey -startdate -1d -validity 366
/opt/arcsight/manager/bin/arcsight keytool -certreq -store clientkeys -alias ebkey -file $.csr
    Create a temporary folder to store the generated certificates:
mkdir -m 700 /tmp/esm
export CA_CERT=re_ca.cert.pem
export COMMON_NAME=
export TH=_
    Note: For COMMON_NAME, use the same host FQDN as you used for the ESM client key pair.
cd /tmp/esm
export CDF_APISERVER=$(kubectl get pods -n core -o custom-columns=":metadata.name" | grep cdf-apiserver)
export PASSPHRASE=$(kubectl get secret vault-passphrase -n core -o json 2>/dev/null | jq -r '.data.passphrase')
export ENCRYPTED_ROOT_TOKEN=$(kubectl get secret vault-credential -n core -o json 2>/dev/null | jq -r '.data."root.token"')
export VAULT_TOKEN=$(echo $ | openssl aes-256-cbc -md sha256 -a -d -pass pass:"$")
export CSR=$(cat $.csr)
WRITE_RESPONSE=$(kubectl exec -it -n core $ -c cdf-apiserver -- bash -c "VAULT_TOKEN=$VAULT_TOKEN vault write -tls-skip-verify -format=json RE/sign/coretech csr=\"$\"") && \
echo "$WRITE_RESPONSE" | jq -r ".data | .certificate" > $.signed.crt && \
echo "$WRITE_RESPONSE" | jq -r ".data | .issuing_ca" > $.issue_ca.crt && \
echo "$WRITE_RESPONSE" | jq -r ".data | .certificate, if .ca_chain then .ca_chain[] else .issuing_ca end" > $.signed.cert.with.ca.crt
cd /opt/arcsight/kubernetes/scripts/
./cdf-updateRE.sh > /tmp/esm/$
    For a cloud deployment:
cd /cdf-deployer/scripts/
./cdf-updateRE.sh > /tmp/esm/$
/opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias -importcert -file
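The three jq expressions above split one signing response into the leaf certificate, the issuing CA, and a leaf-plus-chain file, with a fallback to the issuing CA when the response carries no ca_chain array. The following Python is an added illustration of that split, not ArcSight's or Vault's own code: the response shape (data.certificate, data.issuing_ca, optional data.ca_chain) is assumed from the jq expressions on this page, and the PEM bodies are constructed placeholders, not real certificates. It also counts the PEM blocks in the combined file, which is a cheap sanity check to run before importing it into the clientkeys keystore.

```python
import json
from typing import Dict, List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def _fake_pem(label: str) -> str:
    # Constructed placeholder, not a real certificate.
    return f"{PEM_HEADER}\n{label}\n-----END CERTIFICATE-----"


# Constructed sample shaped like `vault write -format=json RE/sign/coretech csr=...`
# (assumption: the real response carries these keys; the jq on this page reads them).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "certificate": _fake_pem("LEAF"),
        "issuing_ca": _fake_pem("INTERMEDIATE"),
        "ca_chain": [_fake_pem("INTERMEDIATE"), _fake_pem("ROOT")],
    }
})

# Same shape but without ca_chain, to exercise the `else .issuing_ca` branch.
SAMPLE_RESPONSE_NO_CHAIN = json.dumps({
    "data": {
        "certificate": _fake_pem("LEAF"),
        "issuing_ca": _fake_pem("ISSUING"),
    }
})


def split_sign_response(raw: str) -> Dict[str, str]:
    """Mirror the three jq filters; keys are the file suffixes used on the page."""
    data = json.loads(raw)["data"]
    leaf: str = data["certificate"]
    issuing: str = data["issuing_ca"]
    # jq: .certificate, if .ca_chain then .ca_chain[] else .issuing_ca end
    # jq treats only null/false as falsy, so an empty array still counts as present.
    chain: List[str] = data["ca_chain"] if data.get("ca_chain") is not None else [issuing]
    # `jq -r` prints each string followed by a newline.
    return {
        "signed.crt": leaf + "\n",
        "issue_ca.crt": issuing + "\n",
        "signed.cert.with.ca.crt": "\n".join([leaf, *chain]) + "\n",
    }


def count_pem_blocks(pem_text: str) -> int:
    """Number of certificates in a PEM bundle; a chain file with 1 block means the chain is missing."""
    return pem_text.count(PEM_HEADER)


def chain_file_is_complete(files: Dict[str, str]) -> bool:
    """The combined file must start with the leaf and carry at least one CA certificate after it."""
    combined = files["signed.cert.with.ca.crt"]
    return combined.startswith(files["signed.crt"].rstrip("\n")) and count_pem_blocks(combined) >= 2


if __name__ == "__main__":
    out = split_sign_response(SAMPLE_RESPONSE)
    for suffix, body in out.items():
        print(f"{suffix}: {count_pem_blocks(body)} certificate(s)")
    print("chain complete:", chain_file_is_complete(out))
```

Write each value of the returned dictionary to `${COMMON_NAME}.<suffix>` in /tmp/esm to reproduce the page's files; the completeness check fails loudly on a response whose ca_chain was present but empty, which the jq one-liner would silently turn into a leaf-only file.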

For example: /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias thcert -importcert -file /opt/arcsight/tmp/re_ca.cert.pem

Note: You might receive the following message: Certificate already exists in keystore under alias Do you still want to add it? [no]: It is not necessary to add an existing certificate.

/opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias -importcert -file -trustcacerts

For example: /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file /opt/arcsight/tmp/$.signed.cert.with.ca.crt -trustcacerts

Note: You might see the following warning: . Top-level certificate in reply: . . is not trusted. Install reply anyway? [no]: This is because the root certificate of the RE CA is not in the ESM truststore. This does not affect the functionality of ESM. Enter yes to allow the new certificate to be imported.

Configuring ESM to Consume from Transformation Hub

  1. Run the following command:
/opt/arcsight/manager/bin/arcsight managersetup -i console
    Host name and port information for the worker nodes in Transformation Hub. Use a comma-separated list (for example: :,:) and specify the FQDN of the worker nodes.

Note: You must specify the host name and not the IP address. Transformation Hub can only accept IPv4 connections from ESM. If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2). ESM will read Avro-format events from any topic where the name contains "avro" in lower case. For example, th-arcsight-avro .

Note: The default port for connecting to the Schema Registry is 32081.

After providing the information, specify Yes and complete the remaining sections of the wizard.
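The wizard prompts above carry three rules that are easy to get wrong when the values are typed by hand: worker nodes must be given as FQDN:port (not IP addresses), at most 25 topics may be listed, and only topics whose name contains the lowercase string "avro" are read as Avro. The following Python is an added pre-flight check for those inputs, not part of ESM's managersetup; the host names and port numbers in it are constructed sample values, and the checks it performs are only the ones stated in the notes on this page.

```python
import ipaddress
from typing import List, Tuple

MAX_TOPICS = 25  # limit stated in the wizard notes on this page


def validate_worker_list(value: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Parse 'host:port,host:port'. Returns (accepted workers, error messages)."""
    workers: List[Tuple[str, int]] = []
    errors: List[str] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            errors.append("empty entry in worker list")
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not host:
            errors.append(f"expected host:port, got {entry!r}")
            continue
        try:
            ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            pass  # not an IP literal, which is what we want
        else:
            errors.append(f"{host!r} is an IP address; specify the worker FQDN")
            continue
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            errors.append(f"invalid port {port!r} for {host!r}")
            continue
        workers.append((host, int(port)))
    return workers, errors


def classify_topics(value: str) -> Tuple[List[str], List[str], List[str]]:
    """Split a comma-separated topic list into (avro topics, other topics, errors)."""
    topics = [t.strip() for t in value.split(",") if t.strip()]
    errors: List[str] = []
    if len(topics) > MAX_TOPICS:
        errors.append(f"{len(topics)} topics given; the wizard accepts at most {MAX_TOPICS}")
    # The rule is a case-sensitive substring match on lowercase "avro".
    avro = [t for t in topics if "avro" in t]
    other = [t for t in topics if "avro" not in t]
    return avro, other, errors


if __name__ == "__main__":
    # Constructed sample values; the worker FQDNs and port are placeholders.
    workers, errs = validate_worker_list("th-w1.example.com:9093, 10.0.0.5:9093")
    print("workers:", workers, "errors:", errs)
    avro, other, errs = classify_topics("th-arcsight-avro,th-cef,TH-AVRO")
    print("avro:", avro, "other:", other, "errors:", errs)
```

Run it against the exact strings you intend to paste into the wizard; a non-empty error list means managersetup would either reject the value or, for an IP literal or an upper-case "AVRO" topic, accept it and then not behave as expected.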

/etc/init.d/arcsight_services start manager
In distributed mode:
/etc/init.d/arcsight_services stop all
/etc/init.d/arcsight_services start all
Ensure that all services started:
/etc/init.d/arcsight_services status
grep -rnw '/opt/arcsight/var/logs/manager/' -e 'Transformation Hub service is initialized' -e 'Started kafka readers'