FortiSIEM - Configuring CA Certificates
Version 6.1.2
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE
https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
01/31/2022
FortiSIEM 6.1.2 Configuring CA Certificates
TABLEOFCONTENTS
Change Log 4
Configuring FortiSIEM for HTTPS Comm. Using Public CA Certificates 5
Internal HTTPS Comm. Using CA Certificates 5
Prerequisites 5
Collector to Supervisor HTTPS Comm. 6
Collector to Worker HTTPS Comm. 7
Linux Agent to Supervisor and Collector HTTPS Comm. 8
Windows Agent to Supervisor and Collector HTTPS Comm. 9
External HTTPS Comm. Using CA Certificates 9
Java-based HTTPS Comm. From FortiSIEM to External Websites 9
Event Forwarding from FortiSIEM to an External System Using syslog/TLS 10
Client HTTPS Comm. with Supervisor 10
FortiSIEM 6.1.2 Configuring CA Certificates 3
Fortinet Inc.
Change Log
Date Change Description
09/26/2019 Initial release of Configuring CA Certificates.
11/21/2019 Release of Configuring CA Certificates for 5.2.6.
03/30/2020 Release of Configuring CA Certificates for 5.3.0.
01/15/2021 Added "Client HTTPSCommunication with Supervisor" section.
FortiSIEM 6.1.2 Configuring CA Certificates 4
Fortinet Inc.
Configuring FortiSIEM for HTTPS Comm. Using Public CA
Certificates
This document describes how to configure various FortiSIEM nodes for HTTP(S) communication using public CA
certificates.
l
Internal HTTPS Communication Using CA Certificates
l
External HTTPS Communication Using CA Certificates
Internal HTTPS Comm. Using CA Certificates
This section addresses HTTP(S) communication within various FortiSIEM nodes using public CA certificates.
l
Prerequisites
l
Collector to Super HTTPS Communication
l
Collector to Worker HTTPS Communication
l
Linux Agent to Supervisor and Collector HTTPS Communication
l
Windows Agent to Supervisor and Collector HTTPS Communication
Prerequisites
The instructions in this document assume that you have completed the following tasks:
1. Setup FQDNs for Supervisor and Worker nodes.
2. Setup FQDNs for Collectors if you plan on using Linux and/or Windows Agents.
3. Configure Collector hostname to be FQDN and then register them using FQDN.
4. Obtain Certificates issued and signed by a well-known Certifying Authority (CA)
a. If using wildcard certificates, then the same certificate can be used in Super, Workers, and Collectors as long
as their FQDN is a direct subdomain of the wildcard domain.
b. If using per-node certificates, then the certificate’s subject name should match the FQDN of the node for
Supervisor, Workers, and Collectors.
5. Made sure that collectors can reach Supervisor and Worker nodes using their respective FQDNs.
6. If you have Linux and/or Windows Agents, then also make sure that they can reach the Collectors using their
respective FQDN.
7. In the FortiSIEM GUI, Admin > Settings > Worker Upload lists the worker addresses using worker FQDNs.
FortiSIEM 6.1.2 Configuring CA Certificates 5
Fortinet Inc.
Collector to Supervisor HTTPS Comm.
1. On the Supervisor, complete these steps:
a. Copy your CA certificates to the /etc/httpd/conf.d directory.
b. Modify the /etc/httpd/conf.d/ssl.conf file by changing the following settings to point to these
certificates:
l
SSLCertificateFile <ca-certificate-file>
l
SSLCertificateKeyFile <ca-certificate-key-file>
l
SSLCertificateChainFile <ca-certificate-chain-file>
2. Before registering the collectors, change the following setting in the /opt/phoenix/config/collector_
config_template.txt file on the Supervisor:
http_client_verify_peer=yes
3. On each Collector, before you register it, change the following setting in the /opt/phoenix/config/phoenix_
config.txt file:
http_client_verify_peer=yes
4. Log in to the Collector and verify the Supervisor’s certificate using the curl command. For example:
curl -vv https://<Supervisor-FQDN>
* Rebuilt URL to: https://<Supervisor-FQDN>/
* Trying <IP>...
* TCP_NODELAY set
* Connected to <Supervisor-FQDN> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<Location>; O=<Organization>; OU=<OU>;
CN=*.<Domain>
* start date: Jul 26 00:00:00 2019 GMT
* expire date: Jul 30 12:00:00 2021 GMT
* subjectAltName: host "<Supervisor-FQDN>" matched cert's "*.<Domain>"
* issuer: C=<Country>; O=<CA>; OU=<CA-Domain>; CN=<CA name>
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <Super-FQDN>
If curl reports that the verification of the SSL certificate fails, then check your certificate for a mismatch between
the <Supervisor-FQDN> and the subject name.
FortiSIEM 6.1.2 Configuring CA Certificates 6
Fortinet Inc.
5. Register the Collector with the Supervisor using the phProvisionCollector command.
Example usage: phProvisionCollector --add <Organization-user-name> <Organization-user-
password> <Supervisor-FQDN> <Organization-name> <Collector-name>
Make sure to register the collector using the Supervisor’s FQDN, otherwise registration will fail.
Collector to Worker HTTPS Comm.
1. On each Worker node, perform the following steps:
a. Copy your CA certificates to /etc/httpd/conf.d directory.
b. Modify /etc/httpd/conf.d/ssl.conf by changing the following settings to point to these certificates:
l
SSLCertificateFile <ca-certificate-file>
l
SSLCertificateKeyFile <ca-certificate-key-file>
l
SSLCertificateChainFile <ca-certificate-chain-file>
2. On Supervisor GUI, go to Admin > Settings > Worker Upload and list the FQDNs for each worker.
3. Use curl to test connectivity to workers and check that curl verifies the certificate to be OK. For example:
curl -vv https://<Worker-FQDN>
* Rebuilt URL to: https://<Worker-FQDN>/
* Trying <IP>...
* TCP_NODELAY set
* Connected to <Worker-FQDN> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<Location>; O=<Organization>; OU=<OU>;
CN=*.<Domain>
* start date: Jul 26 00:00:00 2019 GMT
* expire date: Jul 30 12:00:00 2021 GMT
* subjectAltName: host "<Worker-FQDN>" matched cert's "*.<Domain>"
* issuer: C=<Country>; O=<CA>; OU=<CA-Domain>; CN=<CA name>
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <Worker-FQDN>
FortiSIEM 6.1.2 Configuring CA Certificates 7
Fortinet Inc.
Linux Agent to Supervisor and Collector HTTPS Comm.
1. Set up CA certificates on Supervisor as described in Collector to Supervisor HTTPS Communication.
2. On each Collector node, perform the following steps if you have not done this already for Windows Agent:
a. Copy your CA certificates to the /etc/httpd/conf.d directory.
b. Modify the /etc/httpd/conf.d/ssl.conf file by changing the following settings to point to these
certificates:
l
SSLCertificateFile <ca-certificate-file>
l
SSLCertificateKeyFile <ca-certificate-key-file>
l
SSLCertificateChainFile <ca-certificate-chain-file>
3. Configure the Collector FQDN as the hostname using vami_config_net. Similarly, configure the Collector name
in the GUI to be FQDN.
4. Register the Collector, using FQDN as the Collector name.
5. Use curl to test connectivity to Collectors via FQDN and check that curl verifies the certificate to be OK. For
example:
curl -vv https://<Collector-FQDN>
* Rebuilt URL to: https://<Collector-FQDN>/
* Trying <IP>...
* TCP_NODELAY set
* Connected to <Collector-FQDN> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<Location>; O=<Organization>; OU=<OU>;
CN=*.<Domain>
* start date: Jul 26 00:00:00 2019 GMT
* expire date: Jul 30 12:00:00 2021 GMT
* subjectAltName: host "<Collector-FQDN>" matched cert's "*.<Domain>"
* issuer: C=<Country>; O=<CA>; OU=<CA-Domain>; CN=<CA name>
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <Collector-FQDN>
6. Register the Linux Agent with the Supervisor using the Supervisor’s FQDN.
Linux Agents:
When installing Linux Agent, you must add a -v option to verify the Supervisor’s certificates.
FortiSIEM 6.1.2 Configuring CA Certificates 8
Fortinet Inc.
./fortisiem-linux-agent-installer-6.1.2.0119.sh -s <Supervisor-FQDN> -i
<Organization-Id> -o <Organization-Name> -u <Agent-User> -p <Agent-Password> -v
Linux agent installer options:
l
-c - CA Certificate bundle file (Optional)
l
-h - Show this message
l
-i - Organization Id
l
-n - Hostname where agent is installed (Optional)
l
-o - Organization
l
-p - Agent Registration Password
l
-s - Super IP/HostName
l
-u - Agent Registration User
l
-v - Verify Super and Collector SSL Certificate during TLS handshake (Optional)
Windows Agent to Supervisor and Collector HTTPS Comm.
1. Set up CA certificates on Supervisor as described in Collector to Supervisor HTTPS Communication.
2. On each Collector node, perform the following steps if you have not done this already for Linux Agent:
a. Copy your CA certificates to the /etc/httpd/conf.d directory.
b. Modify the /etc/httpd/conf.d/ssl.conf file by changing the following settings to point to these
certificates:
l
SSLCertificateFile <ca-certificate-file>
l
SSLCertificateKeyFile <ca-certificate-key-file>
l
SSLCertificateChainFile <ca-certificate-chain-file>
3. Configure the Collector FQDN as the hostname using vami_config_net. Similarly, configure the Collector name
in the GUI to be FQDN.
4. Register the Collector, using FQDN as the Collector name.
To install Windows Agent, follow the instructions in the Windows Agent Installation Guide and modify the
InstallSettings.xml file with <SSLCertificate>check</SSLCertificate> instead of ignore.
External HTTPS Comm. Using CA Certificates
This section addresses HTTP(S) communication from FortiSIEM to external systems or external systems to FortiSIEM
l
Java-based HTTPS Communication From FortiSIEM to External Websites
l
Event Forwarding from FortiSIEM to External System Using Syslog/TLS
l
Client HTTPS Communication with Supervisor
Java-based HTTPS Comm. From FortiSIEM to External Websites
This section addresses the following use cases:
l
Communication with External Threat Intelligence websites
l
Communication with Ticketing systems e.g. ServiceNow
FortiSIEM 6.1.2 Configuring CA Certificates 9
Fortinet Inc.
1.
Download the certificate from the desired third-party website and save it to a file.
For example, on the Unix platform, use openssl to download certificate as shown below. The FQDN is the server
name of the website to which you would like to download the certificate:
openssl s_client -connect <FQDN>:<port> -servername <FQDN> < /dev/null | sed -ne
'/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <filename>.crt
Using google.com as an example:
openssl s_client -connect google.com:443 -servername google.com < /dev/null | sed -
ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
2.
Use the Java keytool command to import the certificate to Glassfish and use changeit as the password when
prompted. You must replace the sample_alias with any alias you would like to use for this certification and
filename to the certificate file downloaded:
keytool -import -trustcacerts -alias <sample_alias> -keystore
/opt/glassfish/domains/domain1/config/cacerts.jks -file <filename>.crt
keytool -import -trustcacerts -alias <sample_alias> -keystore
/opt/glassfish/domains/domain1/config/keystore.jks -file <filename>.crt
For example:
keytool -import -trustcacerts -alias google -keystore
/opt/glassfish/domains/domain1/config/cacerts.jks -file public.crt
keytool -import -trustcacerts -alias google -keystore
/opt/glassfish/domains/domain1/config/keystore.jks -file public.crt
Event Forwarding from FortiSIEM to an External System Using syslog/TLS
FortiSIEM's SSL library can validate an external system’s certificate if it is signed by a public CA.
If the external system wants to verify the FortiSIEM node's certificate, then you need to add the following certificate and
key to the phoenix_config.txt file of the FortiSIEM nodes forwarding the event.
[BEGIN phEventForwarder]
…
tls_certificate_file= #/opt/phoenix/bin/.ssh/my_cert.crt
tls_key_file= #/opt/phoenix/bin/.ssh/my_cert.key
[END]
Client HTTPS Comm. with Supervisor
A valid CA (public or private) signed certificate is required on the FortiSIEM components, and also on the Client. See
Configuring FortiSIEMfor HTTPS Communication Using Public CACertificates for more details.
Once a valid certificate is installed within FortiSIEM using the documented instructions, the following additional steps are
required to enable Client Certificate Authentication.
FortiSIEM 6.1.2 Configuring CA Certificates 10
Fortinet Inc.
1.
SSH onto the Super node.
2.
Edit the Apache configuration.
vi /etc/httpd/conf.d/ssl.conf
SLVerifyClient require
3.
Save the file.
Press ESC.
:wq
4.
Restart apache.
service httpd restart
FortiSIEM 6.1.2 Configuring CA Certificates 11
Fortinet Inc.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
