FortiSIEM Configuring CA Certificates
FORTINET DOCUMENTLIBRARY
http://docs.fortinet.com
FORTINETVIDEOGUIDE
http://video.fortinet.com
FORTINETBLOG
https://blog.fortinet.com
CUSTOMERSERVICE&SUPPORT
https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
ENDUSER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
10/03/2019, Revision 1
TABLEOFCONTENTS
Change Log 4
Inter-node HTTPS Communication Using CA Certificates 5
Prerequisites 5
Collector to Supervisor HTTPS Communication 5
Collector to Worker HTTPS Communication 6
Linux Agent to Supervisor and Collector HTTPS Communication 7
Windows Agent to Supervisor and Collector HTTPS Communication 9
Change Log
Date        Change Description
09/26/2019  Initial release of Configuring CA Certificates.
10/03/2019  Revision 1: Edited Prerequisites. Added instructions for Agent-Super and Agent-Collector HTTPS communication.
Inter-node HTTPS Communication Using CA Certificates
This document describes how to configure the various FortiSIEM nodes for HTTPS communication using certificates issued by a public CA. It covers:
- Prerequisites
- Collector to Supervisor HTTPS Communication
- Collector to Worker HTTPS Communication
- Linux Agent to Supervisor and Collector HTTPS Communication
- Windows Agent to Supervisor and Collector HTTPS Communication
Prerequisites
The instructions in this document assume that you have completed the following tasks:
1. Set up FQDNs for the Supervisor and Worker nodes.
2. Set up FQDNs for the Collectors if you plan on using Linux and/or Windows Agents.
3. Configure each Collector's hostname to be its FQDN and then register the Collectors using their FQDNs.
4. Obtain certificates issued and signed by a well-known Certificate Authority (CA):
   a. If using a wildcard certificate, the same certificate can be used on the Supervisor, Workers, and Collectors as long as each node's FQDN is a direct subdomain of the wildcard domain (exactly one label below it).
   b. If using per-node certificates, the certificate's subject name must match the FQDN of the node (Supervisor, Worker, or Collector).
5. Make sure that the Collectors can reach the Supervisor and Worker nodes using their respective FQDNs.
6. If you have Linux and/or Windows Agents, also make sure that they can reach the Collectors using their respective FQDNs.
7. In the FortiSIEM GUI, Admin > Settings > Worker Upload lists the Worker addresses using the Worker FQDNs.
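The wildcard and per-node rules in prerequisite 4 decide whether a certificate will pass the curl checks later in this document. The following Python is an added example (not part of the FortiSIEM document) that applies those rules to a list of node FQDNs before the certificate is deployed; the node names and domain are constructed sample values.

```python
import re

# Added example, not from the FortiSIEM document: decides whether a node FQDN is
# covered by the names a certificate carries (SAN dNSNames, else the subject CN),
# applying the single-label wildcard rule from the Prerequisites: "*.example.com"
# covers "super.example.com" but neither "col1.site.example.com" nor "example.com".

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")  # one DNS label, no dots

def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is the same FQDN.
    return name.strip().lower().rstrip(".")

def name_matches(fqdn: str, cert_name: str) -> bool:
    """True if a single certificate name (exact or '*.domain') covers fqdn."""
    host, pattern = _normalize(fqdn), _normalize(cert_name)
    if not pattern.startswith("*."):
        return host == pattern            # per-node certificate: exact match only
    base = pattern[2:]
    if not host.endswith("." + base):     # must be below the wildcard domain
        return False
    # the remainder must be exactly one label (a direct subdomain)
    return bool(LABEL.match(host[: -(len(base) + 1)]))

def cert_covers(fqdn: str, san_names, subject_cn=None) -> bool:
    """curl/OpenSSL check SAN dNSNames when present and fall back to the
    subject CN only for certificates that carry no SAN names."""
    names = list(san_names) if san_names else ([subject_cn] if subject_cn else [])
    return any(name_matches(fqdn, n) for n in names)

def uncovered_nodes(node_fqdns, san_names, subject_cn=None):
    """Pre-flight check: the nodes this certificate would NOT match, i.e. the
    ones curl would report as a hostname/subject mismatch after deployment."""
    return [n for n in node_fqdns if not cert_covers(n, san_names, subject_cn)]

if __name__ == "__main__":
    # constructed sample deployment (not from the document)
    nodes = ["super.example.com", "worker1.example.com",
             "col1.site.example.com", "example.com"]
    print(uncovered_nodes(nodes, ["*.example.com"]))  # -> ['col1.site.example.com', 'example.com']
```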
Collector to Supervisor HTTPS Communication
1. On the Supervisor, complete these steps:
   a. Copy your CA certificates to the /etc/httpd/conf.d directory.
   b. Modify the /etc/httpd/conf.d/ssl.conf file by changing the following settings to point to these certificates:
      - SSLCertificateFile <ca-certificate-file>
      - SSLCertificateKeyFile <ca-certificate-key-file>
      - SSLCertificateChainFile <ca-certificate-chain-file>
2. Before registering the Collectors, change the following setting in the /opt/phoenix/config/collector_config_template.txt file on the Supervisor:
   http_client_verify_peer=yes
3. On each Collector, before you register it, change the following setting in the /opt/phoenix/config/phoenix_config.txt file:
   http_client_verify_peer=yes
4. Log in to the Collector and verify the Supervisor's certificate using the curl command. For example:
curl -vv https://<Supervisor-FQDN>
* Rebuilt URL to: https://<Supervisor-FQDN>/
* Trying <IP>...
* TCP_NODELAY set
* Connected to <Supervisor-FQDN> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<Location>; O=<Organization>; OU=<OU>;
CN=*.<Domain>
* start date: Jul 26 00:00:00 2019 GMT
* expire date: Jul 30 12:00:00 2021 GMT
* subjectAltName: host "<Supervisor-FQDN>" matched cert's "*.<Domain>"
* issuer: C=<Country>; O=<CA>; OU=<CA-Domain>; CN=<CA name>
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <Super-FQDN>
   If curl reports that verification of the SSL certificate fails, check your certificate for a mismatch between the <Supervisor-FQDN> and the subject name.
5. Register the Collector with the Supervisor using the phProvisionCollector command. Example usage:
   phProvisionCollector --add <Organization-user-name> <Organization-user-password> <Supervisor-FQDN> <Organization-name> <Collector-name>
   Make sure to register the Collector using the Supervisor's FQDN, otherwise registration will fail.
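Step 4 relies on reading curl's verbose output by eye. The following Python is an added example (not part of the FortiSIEM document) that interprets that output, reports the verified subject/SAN/issuer fields, and names the likely cause when verification fails; the two sample outputs are constructed and the walrus operator requires Python 3.8 or later.

```python
import re

# Added example, not from the FortiSIEM document: interprets the verbose output
# of "curl -vv https://<node-FQDN>" (curl prints it to stderr) so the step-4
# check can be scripted across many Collectors, Workers and Supervisors.

SAN_OK = re.compile(r'subjectAltName: host "([^"]+)" matched cert\'s "([^"]+)"')
SUBJECT, ISSUER = re.compile(r"subject: (.*)"), re.compile(r"issuer: (.*)")
EXPIRE = re.compile(r"expire date: (.*)")
# messages curl (OpenSSL backend) prints for the two common failure causes
HOST_MISMATCH = re.compile(
    r"no alternative certificate subject name matches target host name '([^']+)'")
UNTRUSTED = re.compile(r"unable to get local issuer certificate|self signed certificate")

def check_curl_output(text: str) -> dict:
    """Return {'ok': bool, 'reason': str, ...certificate fields found...}."""
    result = {"ok": False, "reason": "no verification result found in output"}
    for raw in text.splitlines():
        line = raw.lstrip("* ").strip()          # drop curl's "* " / "*  " prefix
        if m := SAN_OK.search(line):
            result["host"], result["matched_name"] = m.group(1), m.group(2)
        elif m := SUBJECT.match(line):
            result["subject"] = m.group(1)
        elif m := ISSUER.match(line):
            result["issuer"] = m.group(1)
        elif m := EXPIRE.match(line):
            result["expires"] = m.group(1)
        elif "SSL certificate verify ok" in line:
            result["ok"], result["reason"] = True, "certificate verified by curl"
        elif m := HOST_MISMATCH.search(line):
            result["reason"] = (f"hostname mismatch: no SAN/subject name covers "
                                f"{m.group(1)}; re-check the node FQDN against the certificate")
        elif UNTRUSTED.search(line):
            result["reason"] = "chain not trusted: check SSLCertificateChainFile and the CA bundle"
    return result

# constructed samples (not from the document): a verified node and a mismatch
OK_SAMPLE = """\
* Server certificate:
*  subject: C=US; ST=CA; O=Example; CN=*.example.com
*  expire date: Jul 30 12:00:00 2021 GMT
*  subjectAltName: host "super.example.com" matched cert's "*.example.com"
*  issuer: C=US; O=Example CA; CN=Example CA
*  SSL certificate verify ok.
"""
MISMATCH_SAMPLE = """\
*  subject: CN=*.example.com
* SSL: no alternative certificate subject name matches target host name 'col1.site.example.com'
"""
```

Run it as `curl -vv https://<node-FQDN> 2>&1 | python3 -c 'import sys, check; print(check.check_curl_output(sys.stdin.read()))'` with the block saved as check.py.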
Collector to Worker HTTPS Communication
1. On each Worker node, perform the following steps:
   a. Copy your CA certificates to the /etc/httpd/conf.d directory.
   b. Modify /etc/httpd/conf.d/ssl.conf by changing the following settings to point to these certificates:
      - SSLCertificateFile <ca-certificate-file>
      - SSLCertificateKeyFile <ca-certificate-key-file>
      - SSLCertificateChainFile <ca-certificate-chain-file>
2. In the Supervisor GUI, go to Admin > Settings > Worker Upload and list the FQDNs of each Worker.
3. Use curl to test connectivity to the Workers and check that curl verifies the certificate as OK. For example:
curl -vv https://<Worker-FQDN>
* Rebuilt URL to: https://<Worker-FQDN>/
* Trying <IP>...
* TCP_NODELAY set
* Connected to <Worker-FQDN> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<Location>; O=<Organization>; OU=<OU>;
CN=*.<Domain>
* start date: Jul 26 00:00:00 2019 GMT
* expire date: Jul 30 12:00:00 2021 GMT
* subjectAltName: host "<Worker-FQDN>" matched cert's "*.<Domain>"
* issuer: C=<Country>; O=<CA>; OU=<CA-Domain>; CN=<CA name>
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <Worker-FQDN>
Linux Agent to Supervisor and Collector HTTPS Communication
1. Set up CA certificates on the Supervisor as described in Collector to Supervisor HTTPS Communication.
2. On each Collector node, perform the following steps if you have not already done so for the Windows Agent:
   a. Copy your CA certificates to the /etc/httpd/conf.d directory.
   b. Modify the /etc/httpd/conf.d/ssl.conf file by changing the following settings to point to these certificates:
      - SSLCertificateFile <ca-certificate-file>
      - SSLCertificateKeyFile <ca-certificate-key-file>
      - SSLCertificateChainFile <ca-certificate-chain-file>
3. Configure the Collector FQDN as the hostname using vami_config_net. Similarly, configure the Collector name in the GUI to be the FQDN.
4. Register the Collector, using the FQDN as the Collector name.
5. Use curl to test connectivity to the Collectors via FQDN and check that curl verifies the certificate as OK. For example:
curl -vv https://<Collector-FQDN>
* Rebuilt URL to: https://<Collector-FQDN>/
* Trying <IP>...
* TCP_NODELAY set
* Connected to <Collector-FQDN> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<Location>; O=<Organization>; OU=<OU>;
CN=*.<Domain>
* start date: Jul 26 00:00:00 2019 GMT
* expire date: Jul 30 12:00:00 2021 GMT
* subjectAltName: host "<Collector-FQDN>" matched cert's "*.<Domain>"
* issuer: C=<Country>; O=<CA>; OU=<CA-Domain>; CN=<CA name>
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <Collector-FQDN>
6. Register the Linux Agent with the Supervisor using the Supervisor's FQDN.
   When installing the Linux Agent, you must add the -v option so that the agent verifies the Supervisor's certificate:
   ./fortisiem-linux-agent-installer-5.2.5.1615.sh -s <Supervisor-FQDN> -i <Organization-Id> -o <Organization-Name> -u <Agent-User> -p <Agent-Password> -v
   Linux agent installer options:
   - -c - CA certificate bundle file (optional)
   - -h - Show this message
   - -i - Organization Id
   - -n - Hostname where the agent is installed (optional)
   - -o - Organization
   - -p - Agent registration password
   - -s - Supervisor IP/hostname
   - -u - Agent registration user
   - -v - Verify the Supervisor and Collector SSL certificate during the TLS handshake (optional)
Windows Agent to Supervisor and Collector HTTPS Communication
1. Set up CA certificates on the Supervisor as described in Collector to Supervisor HTTPS Communication.
2. On each Collector node, perform the following steps if you have not already done so for the Linux Agent:
   a. Copy your CA certificates to the /etc/httpd/conf.d directory.
   b. Modify the /etc/httpd/conf.d/ssl.conf file by changing the following settings to point to these certificates:
      - SSLCertificateFile <ca-certificate-file>
      - SSLCertificateKeyFile <ca-certificate-key-file>
      - SSLCertificateChainFile <ca-certificate-chain-file>
3. Configure the Collector FQDN as the hostname using vami_config_net. Similarly, configure the Collector name in the GUI to be the FQDN.
4. Register the Collector, using the FQDN as the Collector name.
5. To install the Windows Agent, follow the instructions in the Windows Agent Installation Guide and modify the InstallSettings.xml file to use <SSLCertificate>check</SSLCertificate> instead of ignore.