eSight V300R010C00 Operation Guide 07

Deploying or Updating the Log Forwarding Service Certificate

The eSight server can use UDP, TCP, or TLS (recommended for better security) to forward logs to a third-party Syslog server. If the eSight server and the third-party Syslog server trust different Certificate Authorities (CAs), a certificate needs to be deployed or updated on the eSight server so that logs can be forwarded normally.

Prerequisites

The following certificates have been obtained:
  • Identity certificate and certificate key of the eSight server: server.cer and server_key.pem, or server.p12, together with the keys of the certificates.
  • Trust certificate of a third-party Syslog server.
NOTE:

The identity certificate of the eSight server and the trust certificate of the third-party Syslog server must be issued by the same CA or two subordinate CAs of a CA. When certificates are issued by the two subordinate CAs of a CA, the trust certificate of the root CA and the subordinate CAs must be prepared.

Context

  • The authentication mode (one-way authentication or two-way authentication) of the log forwarding service is configured on the third-party Syslog server. You are advised to configure two-way authentication for security reasons.
  • If the eSight server and the third-party Syslog server trust the same CA, the two servers can use the certificate deployed on the eSight server for authentication, and no other certificate deployment is required.
  • When the one-way authentication mode is used (only the eSight server authenticates the third-party Syslog server), and the two servers trust different CAs, the trust certificate of the third-party Syslog server needs to be deployed on the eSight server.
  • When the two-way authentication mode is used and the eSight server and the third-party Syslog server trust different CAs, the trust certificate of the third-party Syslog server needs to be deployed on the eSight server, and the trust certificate of the eSight server also needs to be deployed on the third-party Syslog server.
  • This topic describes how to deploy the trust certificate of a third-party Syslog server on the eSight server. You can deploy the trust certificate when peer authentication is disabled on the Syslog server or when x509/certvalid authentication is enabled.
  • You need to log in to the client again after a certificate is deployed on a server.

Procedure

  • Windows
    1. Obtain the trust certificates from the Syslog server. Assume that the certificate names are hw_ca.pem, server.pem, and server_key.pem. Copy the certificates to the eSight server and place them in a directory, for example, the root directory of the C drive.
    2. Log in to the eSight server as the ossuser user.
    3. Use openssl.exe to import a certificate and generate the keystore. You can download the OpenSSL tool at https://www.openssl.org/. The actual certificate names may differ from those used in the example.

      Example:

      C:\OpenSSL-Win32\bin>openssl pkcs12 -export -out eSight installation directory/AppBase/etc/certificate/syslogclient.pfx -inkey C:/server_key.pem -in C:/server.pem -certfile C:/hw_ca.pem 
      Enter Export Password: 
      Verifying - Enter Export Password: 
      NOTE:

      It is recommended that the password for the keystore and truststore be the same.

    4. Use keytool.exe to import a certificate and generate the truststore.

      Example:

      cd eSight installation directory/AppBase/jre/bin
      keytool.exe -import -file C:/server.crt -keystore eSight installation directory/AppBase/etc/certificate/syslogtruststore.jks 
      Enter the password for the key store: 
      Enter the new password again: 
      Trust this certificate?: y
      NOTE:

      It is recommended that the password for the keystore and truststore be the same.

    5. Generate the ciphertext of the new certificate password.
      1. Run the following command to switch the directory.

        cd eSight installation directory/AppBase/tools/bmetool/encrypt

      2. Run the following command to generate the ciphertext for the new password.

        ./encrypt.bat 0

        Enter the new password as prompted.

        Enter the password to be encrypted:

        After the command is successfully executed, the following information is displayed:

        9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      NOTE:
      • The reversible Advanced Encryption Standard (AES) is used in this command.
      • For details on the password changing rules, see Security Maintenance > Password Change > Password Changing Scenarios and Policies in Maintenance Guide.
    6. Replace the ciphertext of the certificate password.
      1. Open the configuration file eSight installation directory/AppBase/etc/iemp.syslog/syslog.xml.
      2. Set the value of the keysecret configuration item to the ciphertext generated for the keysecret password.
      3. Set the value of the storesecret configuration item to the ciphertext generated for the storesecret password.
  • Linux
    1. Obtain the trust certificates from the Syslog server. Assume that the certificate names are hw_ca.pem, server.pem, and server_key.pem. Copy the certificates to the eSight server and place them in a directory, for example, /opt.
    2. Use PuTTY to log in to the eSight server as the ossuser user through SSH.
    3. Use openssl.sh to import a certificate and generate the keystore. You can download the OpenSSL tool at https://www.openssl.org/. The actual certificate names may differ from those used in the example.

      Example:

      Linux:/usr/local/openssl/bin # ./openssl pkcs12 -export -out eSight installation directory/AppBase/etc/certificate/syslogclient.pfx -inkey /opt/server_key.pem -in /opt/server.pem -certfile /opt/hw_ca.pem 
      Enter Export Password: 
      Verifying - Enter Export Password: 
      NOTE:

      It is recommended that the password for the keystore and truststore be the same.

    4. Use keytool to import a certificate and generate the truststore.

      Example:

      cd eSight installation directory/AppBase/jre/bin
      ./keytool -import -file /opt/server.crt -keystore eSight installation directory/AppBase/etc/certificate/syslogtruststore.jks 
      Enter the password for the key store: 
      Enter the new password again: 
      Trust this certificate?: y
      NOTE:

      It is recommended that the password for the keystore and truststore be the same.

    5. Generate the ciphertext of the new certificate password.
      1. Run the following command to switch the directory.

        cd eSight installation directory/AppBase/tools/bmetool/encrypt

      2. Run the following command to generate the ciphertext for the new password.

        ./encrypt.sh 0

        Enter the new password as prompted.

        Enter the password to be encrypted:

        After the command is successfully executed, the following information is displayed:

        9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      NOTE:
      • The reversible Advanced Encryption Standard (AES) is used in this command.
      • For details on the password changing rules, see Security Maintenance > Password Change > Password Changing Scenarios and Policies in Maintenance Guide.
    6. Replace the ciphertext of the certificate password.
      1. Open the configuration file syslog.xml.

        vi eSight installation directory/AppBase/etc/iemp.syslog/syslog.xml

      2. Set the value of the keysecret configuration item to the ciphertext generated for the keysecret password.
      3. Set the value of the storesecret configuration item to the ciphertext generated for the storesecret password.
      4. Run the :wq! command to save and close the configuration file.
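The Linux steps 1 to 4 above, wrapped in an added sh script that is not part of the eSight product or this guide. It assumes the file names from the example, that ESIGHT_HOME is the eSight installation directory, that CERT_DIR holds the copied certificates, and that openssl and the bundled keytool are available; passwords are read from KEYSTORE_PASS and TRUSTSTORE_PASS. Before building the keystore it verifies the chain requirement from the Prerequisites (the identity certificate must be issued by the supplied CA bundle), which the procedure states but never checks.

```shell
#!/bin/sh
# Added helper for the Linux procedure; not eSight's own tooling.
# Assumed: ESIGHT_HOME = eSight installation directory, CERT_DIR = directory
# holding hw_ca.pem, server.pem, server_key.pem and server.crt, openssl on
# PATH, keytool under $ESIGHT_HOME/AppBase/jre/bin. Passwords come from the
# environment so they never land in shell history.
set -eu

ESIGHT_HOME="${ESIGHT_HOME:-/opt/eSight}"
CERT_DIR="${CERT_DIR:-/opt}"
OUT_DIR="$ESIGHT_HOME/AppBase/etc/certificate"

# Pre-flight check from the Prerequisites: the identity certificate must chain
# to the CA bundle (root CA plus any subordinate CA certificates).
# Returns 0 when the chain verifies, non-zero otherwise.
verify_chain() {
    ca_bundle="$1"; leaf="$2"
    openssl verify -CAfile "$ca_bundle" "$leaf" >/dev/null 2>&1
}

# Step 3: identity certificate, its key and the CA chain into syslogclient.pfx.
build_keystore() {
    openssl pkcs12 -export \
        -out "$OUT_DIR/syslogclient.pfx" \
        -inkey "$CERT_DIR/server_key.pem" \
        -in "$CERT_DIR/server.pem" \
        -certfile "$CERT_DIR/hw_ca.pem" \
        -passout env:KEYSTORE_PASS
}

# Step 4: the Syslog server's trust certificate into syslogtruststore.jks.
# -noprompt answers the "Trust this certificate?" question for you, so only
# run this after verify_chain has accepted the certificate material.
build_truststore() {
    "$ESIGHT_HOME/AppBase/jre/bin/keytool" -importcert -noprompt \
        -alias syslogserver \
        -file "$CERT_DIR/server.crt" \
        -keystore "$OUT_DIR/syslogtruststore.jks" \
        -storepass "$TRUSTSTORE_PASS"
}

main() {
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS}" "${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS}"
    if ! verify_chain "$CERT_DIR/hw_ca.pem" "$CERT_DIR/server.pem"; then
        echo "server.pem does not chain to hw_ca.pem; check the CA bundle" >&2
        exit 1
    fi
    build_keystore
    build_truststore
    echo "keystore and truststore written to $OUT_DIR"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke as "KEYSTORE_PASS=... TRUSTSTORE_PASS=... sh deploy_syslog_certs.sh run" as ossuser; step 5 and step 6 (encrypt.sh and syslog.xml) are still done by hand afterwards.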
Updated: 2019-06-30

Document ID: EDOC1100044378