Changing syslog to use TLS

By default, the PowerSC GUI server sends messages to the syslog logging server by using the standard syslog port (UDP 514). You can configure syslog to use TLS if needed.

This section assumes that the syslog logging server is on a Red Hat Enterprise Linux® Server system running the Rsyslog application.
  1. On the syslog logging server, perform the following steps:
    1. Check to see whether the two rsyslog-gnutls prerequisites are installed:
      yum list rsyslog-gnutls.ppc64le
      yum list gnutls-utils.ppc64le
    2. Install the rsyslog-gnutls prerequisites if they are not already installed:
      yum install rsyslog-gnutls.ppc64le
      yum install gnutls-utils.ppc64le 
    3. Enter the following command to create a private key for the self-signed CA certificate:
      certtool --generate-privkey --outfile ca-key.pem
    4. Enter the following commands to create private keys and certificates. Provide the details for the certificate as needed. See https://www.rsyslog.com/doc/tutorials/tls.html#ca-certificate for guidance.
      Note: In the Extension section, answer Y to the "Does the certificate belong to an authority?" question. You can answer N to the other questions; their answers are not significant to this task.
      
      certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
      certtool --generate-privkey --outfile key.pem
      certtool --generate-request --load-privkey key.pem --outfile request.pem
      certtool --generate-certificate --load-request request.pem --outfile cert.pem \
           --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
    5. Edit the /etc/rsyslogd.conf file and add the following lines. See Configuring TLS-encrypted remote logging for configuration guidance.
      global(
        DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/source/anchors/ca.pem"
        DefaultNetstreamDriverCertFile="/etc/pki/ca-trust/source/anchors/cert.pem"
        DefaultNetstreamDriverKeyFile="/etc/pki/ca-trust/source/anchors/key.pem"
      )
      # TCP listener
      module(
        load="imtcp"
        StreamDriver.AuthMode="x509/name"
        StreamDriver.Mode="1"
        StreamDriver.Name="gtls"
      )
      # Start up listener at port 514
      input(
        type="imtcp"
        port="514"
      )
    6. Stop and restart rsyslog, and tail /var/log/messages to confirm that it restarted.
      systemctl stop rsyslog
      systemctl start rsyslog 
      tail -f /var/log/messages
  2. On the PowerSC GUI server, which is the syslog client:
    1. Import the syslog server's certificate into the PowerSC GUI server:
      /opt/powersc/uiServer/bin/import_certificate.sh <hostname> 514 
    2. Generate a server certificate .PEM file for the PowerSC GUI server:
      keytool -keystore "/etc/security/powersc/uiServer/serverKeystore.p12" \
      -exportcert -alias psc_server -rfc -file "/etc/pki/ca-trust/source/anchors/psc_server_cert.pem"
    3. Press Enter when asked for a password.
    4. Copy (scp) the /etc/pki/ca-trust/source/anchors/psc_server_cert.pem file to the syslog server.
  3. On the syslog server:
    1. Concatenate the /etc/pki/ca-trust/source/anchors/psc_server_cert.pem file to all_ca.pem:
      cd /etc/pki/ca-trust/source/anchors/
      cat ca.pem psc_server_cert.pem > all_ca.pem
    2. Change /etc/rsyslogd.conf to specify the all_ca.pem file and the PowerSC GUI server:
      DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/source/anchors/all_ca.pem"
      :
      PermittedPeer=["your-powersc-server.com"]
  4. Specify the syslogProtocol setting as TLS, as described in the pscuiserverctl command.
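Before restarting rsyslog after step 3, a quick lint of the resulting listener settings catches the mistakes that silently break x509/name authentication (a CA file that is not the concatenated bundle, a listener that still accepts plain TCP, a PermittedPeer entry that does not cover the PowerSC GUI server's certificate name). This is an added example, not IBM's or the rsyslog project's code; the config fragment and PEM bundle are constructed, and the wildcard matching only approximates rsyslog's label-by-label handling.

```python
"""Lint the rsyslog TLS receiver settings from the procedure above (added example)."""
import fnmatch
import re

# Constructed: the rsyslog fragment as it should look after step 3.
RSYSLOG_CONF = '''
global(
  DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/source/anchors/all_ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/ca-trust/source/anchors/cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/ca-trust/source/anchors/key.pem"
)
module(
  load="imtcp"
  StreamDriver.AuthMode="x509/name"
  StreamDriver.Mode="1"
  StreamDriver.Name="gtls"
  PermittedPeer=["your-powersc-server.com"]
)
input(type="imtcp" port="514")
'''
# Constructed stand-in for all_ca.pem (ca.pem + psc_server_cert.pem); bodies omitted.
ALL_CA_PEM = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n" * 2

def parse_settings(text):
    """Collect key="value" pairs and key=["a", "b"] arrays from an rsyslog config."""
    settings = dict(re.findall(r'([\w.]+)\s*=\s*"([^"]*)"', text))
    for key, body in re.findall(r'([\w.]+)\s*=\s*\[([^\]]*)\]', text):
        settings[key] = re.findall(r'"([^"]*)"', body)
    return settings

def peer_permitted(cert_name, pattern):
    """Label-by-label match: '*.example.com' covers 'psc.example.com' but not
    'a.b.example.com' (approximation of rsyslog's x509/name wildcard handling)."""
    want, have = pattern.lower().split("."), cert_name.lower().split(".")
    return len(want) == len(have) and all(fnmatch.fnmatchcase(h, w) for h, w in zip(have, want))

def check_tls_receiver(conf, bundle_pem, client_cert_name):
    """Return a list of problems; empty means the listener should accept this client."""
    s = parse_settings(conf)
    problems = []
    if s.get("StreamDriver.Name") != "gtls":
        problems.append("listener does not use the gtls stream driver")
    if s.get("StreamDriver.Mode") != "1":
        problems.append("StreamDriver.Mode is not 1 (TLS-only)")
    if s.get("StreamDriver.AuthMode") != "x509/name":
        problems.append("AuthMode is not x509/name, so PermittedPeer is not matched by name")
    if not s.get("DefaultNetstreamDriverCAFile", "").endswith("all_ca.pem"):
        problems.append("CA file is not the concatenated all_ca.pem bundle")
    if bundle_pem.count("-----BEGIN CERTIFICATE-----") < 2:
        problems.append("bundle lacks one of ca.pem / psc_server_cert.pem")
    peers = s.get("PermittedPeer", [])
    if not peers:
        problems.append("PermittedPeer is not set")
    elif not any(peer_permitted(client_cert_name, p) for p in peers):
        problems.append(f"{client_cert_name} is not covered by PermittedPeer {peers}")
    return problems
```

Run it against the real file contents and the CN or SAN of psc_server_cert.pem (for example from `openssl x509 -noout -subject -ext subjectAltName -in psc_server_cert.pem`) before the restart in step 3.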