IBM Support

WinCollect: Certificates modifications required for WinCollect on NAT on both sides deployments

Troubleshooting


Problem

This article describes the case where Managed Hosts in the same NAT group as the Console communicate with it without problems, while Managed Hosts in a different NAT group fail because the certificate has no Subject Alternative Name (SAN) that matches the public IP address they connect to.

Resolving The Problem

Including multiple IP addresses in a certificate's SAN list is not generally best practice, but it is possible, and that is what the procedure below does.

Create new certificate
 
  1. Download the following files.
    • ca.cfg
       
      BASEURL="http://172.16.88.126:9381"
      BASEPATH="/opt/qradar/ca/www"
      
      COUNTRY="CA"
      STATE_PROV="New Brunswick"
      CITY="Fredericton"
      
      ORG="IBM"
      ORG_UNIT="Security Intelligence"
      
      ROOT_COMMONNAME="Sample Root CA"
      INTERMEDIATE_COMMONNAME="Sample Primary Issuer"
    • create_test_ca.sh
      #!/bin/bash
      
      # this script will set up a CA with a root and an issuing intermediate
      # the idea is to be able to quickly issue certs for regular TLS as well
      # as email and code signing and so forth.
      
      # a later version will include misconfigured issuers and requests to
      # exercise validation
      
      # note that the permissions aren't anywhere near as tight as they
      # should be, making this unusable for any sort of production, its intent
      # is for testing only
      
      # author: Rory Bray
      # date: 30/03/2016
      
      # read in the major config parameters (file paths, etc)
      . `pwd`/ca.cfg
      
      echo "Creating Root CA"
      
      mkdir -p ca/conf ca/root-ca/certs ca/root-ca/crl ca/root-ca/private ca/root-ca/db
      
      touch ca/root-ca/db/root-ca.db
      touch ca/root-ca/db/root-ca.db.attr
      echo 01 > ca/root-ca/db/root-ca.crt.srl
      echo 01 > ca/root-ca/db/root-ca.crl.srl
      
      cat <<EOF > ca/conf/root-ca.conf
      [ default ]
      ca                      = root-ca               # CA name
      dir                     = .                     # Top dir
      base_url                = $BASEURL		# CA base URL
      aia_url                 = \$base_url/\$ca.cer     # CA certificate URL
      crl_url                 = \$base_url/\$ca.crl     # CRL distribution point
      name_opt                = multiline,-esc_msb,utf8 # Display UTF-8 characters
      openssl_conf            = openssl_init          # Library config section
      
      # CA certificate request
      
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = yes                   # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = no                    # Don't prompt for DN
      distinguished_name      = ca_dn                 # DN section
      req_extensions          = ca_reqext             # Desired extensions
      
      [ ca_dn ]
      countryName             = "$COUNTRY"
      organizationName        = "$ORG"
      organizationalUnitName  = "$ORG_UNIT"
      commonName              = "$ROOT_COMMONNAME"
      
      [ ca_reqext ]
      keyUsage                = critical,keyCertSign,cRLSign
      basicConstraints        = critical,CA:true
      subjectKeyIdentifier    = hash
      
      # CA operational settings
      
      [ ca ]
      default_ca              = root_ca               # The default CA section
      
      [ root_ca ]
      certificate             = \$dir/ca/\$ca/\$ca.crt       # The CA cert
      private_key             = \$dir/ca/\$ca/private/\$ca.key # CA private key
      new_certs_dir           = \$dir/ca/\$ca           # Certificate archive
      serial                  = \$dir/ca/\$ca/db/\$ca.crt.srl # Serial number file
      crlnumber               = \$dir/ca/\$ca/db/\$ca.crl.srl # CRL number file
      database                = \$dir/ca/\$ca/db/\$ca.db # Index file
      unique_subject          = no                    # Require unique subject
      default_days            = 3652                  # How long to certify for
      default_md              = sha256                # MD to use
      policy                  = match_pol             # Default naming policy
      email_in_dn             = no                    # Add email to cert DN
      preserve                = no                    # Keep passed DN ordering
      name_opt                = \$name_opt             # Subject DN display options
      cert_opt                = ca_default            # Certificate display options
      copy_extensions         = none                  # Copy extensions from CSR
      x509_extensions         = signing_ca_ext        # Default cert extensions
      default_crl_days        = 30                    # How long before next CRL
      crl_extensions          = crl_ext               # CRL extensions
      
      [ match_pol ]
      countryName             = match
      stateOrProvinceName     = optional
      localityName            = optional
      organizationName        = match
      organizationalUnitName  = optional
      commonName              = supplied
      
      [ any_pol ]
      domainComponent         = optional
      countryName             = optional
      stateOrProvinceName     = optional
      localityName            = optional
      organizationName        = optional
      organizationalUnitName  = optional
      commonName              = optional
      emailAddress            = optional
      
      # Extensions
      
      [ root_ca_ext ]
      keyUsage                = critical,keyCertSign,cRLSign
      basicConstraints        = critical,CA:true
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      
      [ signing_ca_ext ]
      keyUsage                = critical,keyCertSign,cRLSign
      basicConstraints        = critical,CA:true,pathlen:0
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ crl_ext ]
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      
      [ issuer_info ]
      caIssuers;URI.0         = \$aia_url
      
      [ crl_info ]
      URI.0                   = \$crl_url
      
      # Policy OIDs
      
      [ openssl_init ]
      oid_section             = additional_oids
      
      [ additional_oids ]
      EOF
      
      cat << EOF
      
      
      Creating root CA, passphrase is for the root CA private key 
      and will be needed when we create the issuing CAs.  
      
      The first passphrase prompt creates the passphrase and the 
      second wants the same passphrase
      
      Obviously, answer yes when prompted :)
      
      EOF
      openssl req -new \
                  -config ca/conf/root-ca.conf \
                  -out ca/root-ca/root-ca.csr \
                  -keyout ca/root-ca/private/root-ca.key
      
      
      openssl ca -selfsign \
                 -config ca/conf/root-ca.conf \
                 -in ca/root-ca/root-ca.csr \
                 -out ca/root-ca/root-ca.crt \
                 -extensions root_ca_ext \
                 -days 3650
      
      openssl ca -gencrl \
      	-config ca/conf/root-ca.conf \
      	-out ca/root-ca/crl/root-ca.crl
      
      cp ca/root-ca/crl/root-ca.crl $BASEPATH
      
      openssl x509 -inform pem -in ca/root-ca/root-ca.crt \
                   -outform der -out $BASEPATH/root-ca.cer
      
      cat << EOF
      
      Root CA created
      
      EOF
      
      sleep 5
      
      cat << EOF
      
      Creating a known-good Intermediate issuer CA
      
      EOF
      
      mkdir -p external-req ca/conf ca/intermediate-ca/certs ca/intermediate-ca/crl ca/intermediate-ca/private ca/intermediate-ca/db
      
      touch ca/intermediate-ca/db/intermediate-ca.db
      touch ca/intermediate-ca/db/intermediate-ca.db.attr
      echo 01 > ca/intermediate-ca/db/intermediate-ca.crt.srl
      echo 01 > ca/intermediate-ca/db/intermediate-ca.crl.srl
      
      cat <<EOF > ca/conf/intermediate-ca.conf
      [ default ]
      ca                      = intermediate-ca                # CA name
      dir                     = .                     # Top dir
      base_url                = $BASEURL		# CA base URL
      aia_url                 = \$base_url/\$ca.cer     # CA certificate URL
      crl_url                 = \$base_url/\$ca.crl     # CRL distribution point
      name_opt                = multiline,-esc_msb,utf8 # Display UTF-8 characters
      
      # CA certificate request
      
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = yes                   # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = no                    # Don't prompt for DN
      distinguished_name      = ca_dn                 # DN section
      req_extensions          = ca_reqext             # Desired extensions
      
      [ ca_dn ]
      countryName             = "$COUNTRY"
      organizationName        = "$ORG"
      organizationalUnitName  = "$ORG_UNIT"
      commonName              = "$INTERMEDIATE_COMMONNAME"
      
      [ ca_reqext ]
      keyUsage                = critical,keyCertSign,cRLSign
      basicConstraints        = critical,CA:true,pathlen:0
      subjectKeyIdentifier    = hash
      
      # CA operational settings
      
      [ ca ]
      default_ca              = dev_ca                # The default CA section
      
      [ dev_ca ]
      certificate             = \$dir/ca/\$ca/\$ca.crt       # The CA cert
      private_key             = \$dir/ca/\$ca/private/\$ca.key # CA private key
      new_certs_dir           = \$dir/ca/\$ca           # Certificate archive
      serial                  = \$dir/ca/\$ca/db/\$ca.crt.srl # Serial number file
      crlnumber               = \$dir/ca/\$ca/db/\$ca.crl.srl # CRL number file
      database                = \$dir/ca/\$ca/db/\$ca.db # Index file
      unique_subject          = no                    # Require unique subject
      default_days            = 365                   # How long to certify for
      default_md              = sha256                # MD to use
      policy                  = match_pol             # Default naming policy
      email_in_dn             = no                    # Add email to cert DN
      preserve                = no                    # Keep passed DN ordering
      name_opt                = \$name_opt             # Subject DN display options
      cert_opt                = ca_default            # Certificate display options
      copy_extensions         = copy                  # Copy extensions from CSR
      x509_extensions         = server_ext            # Default cert extensions
      default_crl_days        = 1                     # How long before next CRL
      crl_extensions          = crl_ext               # CRL extensions
      
      [ match_pol ]
      countryName             = match                 # Must match the CA's countryName ($COUNTRY)
      stateOrProvinceName     = optional              # Included if present
      localityName            = optional              # Included if present
      organizationName        = match                 # Must match the CA's organizationName ($ORG)
      organizationalUnitName  = optional              # Included if present
      commonName              = supplied              # Must be present
      
      [ extern_pol ]
      countryName             = supplied              # Must be present
      stateOrProvinceName     = optional              # Included if present
      localityName            = optional              # Included if present
      organizationName        = supplied              # Must be present
      organizationalUnitName  = optional              # Included if present
      commonName              = supplied              # Must be present
      
      [ any_pol ]
      domainComponent         = optional
      countryName             = optional
      stateOrProvinceName     = optional
      localityName            = optional
      organizationName        = optional
      organizationalUnitName  = optional
      commonName              = optional
      emailAddress            = optional
      
      # Extensions
      
      [ server_ext ]
      keyUsage                = critical,digitalSignature,keyEncipherment
      basicConstraints        = CA:false
      extendedKeyUsage        = serverAuth,clientAuth
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ client_ext ]
      keyUsage                = critical,digitalSignature
      basicConstraints        = CA:false
      extendedKeyUsage        = clientAuth
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ identity_ext ]
      keyUsage                = critical,digitalSignature
      basicConstraints        = CA:false
      extendedKeyUsage        = emailProtection,clientAuth,msSmartcardLogin
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ encryption_ext ]
      keyUsage                = critical,keyEncipherment
      basicConstraints        = CA:false
      extendedKeyUsage        = emailProtection,msEFS
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ signing_ext ]
      keyUsage                = critical,keyCertSign,cRLSign
      basicConstraints        = critical,CA:true,pathlen:0
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ timestamp_ext ]
      keyUsage                = critical,digitalSignature
      basicConstraints        = CA:false
      extendedKeyUsage        = critical,timeStamping
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ codesigning_ext ]
      keyUsage                = critical,digitalSignature
      basicConstraints        = CA:false
      extendedKeyUsage        = critical,codeSigning
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      crlDistributionPoints   = @crl_info
      
      [ ocspsign_ext ]
      keyUsage                = critical,digitalSignature
      basicConstraints        = CA:false
      extendedKeyUsage        = critical,OCSPSigning
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      noCheck                 = null
      
      [ crl_ext ]
      authorityKeyIdentifier  = keyid:always
      authorityInfoAccess     = @issuer_info
      
      [ issuer_info ]
      caIssuers;URI.0         = \$aia_url
      
      [ crl_info ]
      URI.0                   = \$crl_url
      EOF
      
      cat << EOF
      
      
      
      Since we're creating an issuing CA, the first passphrase is for the new
      issuer private key
      
      EOF
      
      openssl req -new \
                  -config ca/conf/intermediate-ca.conf \
                  -out ca/intermediate-ca/intermediate-ca.csr \
                  -keyout ca/intermediate-ca/private/intermediate-ca.key
      
      cat << EOF
      
      
      
      This passphrase is the Root CA passphrase from above used so that the
      Root CA can sign our new issuing CA
      
      EOF
      
      openssl ca -config ca/conf/root-ca.conf \
                 -in ca/intermediate-ca/intermediate-ca.csr \
                 -out ca/intermediate-ca/intermediate-ca.crt \
                 -extensions signing_ca_ext
      
      openssl ca -gencrl \
      	-config ca/conf/intermediate-ca.conf \
      	-out ca/intermediate-ca/crl/intermediate-ca.crl
      
      cp ca/intermediate-ca/crl/intermediate-ca.crl $BASEPATH
      
      openssl x509 -inform pem -in ca/intermediate-ca/intermediate-ca.crt \
                   -outform der -out $BASEPATH/intermediate-ca.cer
      
      cat ca/intermediate-ca/intermediate-ca.crt ca/root-ca/root-ca.crt > ca/intermediate-ca/intermediate-ca-chain.pem
      echo "cert chain file:  ca/intermediate-ca/intermediate-ca-chain.pem"
      
      cat << 'EOF' > ca/conf/identity.conf
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = yes                   # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = identity_dn           # DN template
      req_extensions          = identity_reqext       # Desired extensions
      
      [ identity_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, full name)"
      commonName_max          = 64
      emailAddress            = "7. Email Address            (eg, name@fqdn)"
      emailAddress_max        = 40
      
      [ identity_reqext ]
      keyUsage                = critical,digitalSignature
      extendedKeyUsage        = emailProtection,clientAuth
      subjectKeyIdentifier    = hash
      subjectAltName          = email:move
      EOF
      
      cat << 'EOF' > ca/conf/encryption.conf
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = yes                   # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = encryption_dn         # DN template
      req_extensions          = encryption_reqext     # Desired extensions
      
      [ encryption_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, full name)"
      commonName_max          = 64
      emailAddress            = "7. Email Address            (eg, name@fqdn)"
      emailAddress_max        = 40
      
      [ encryption_reqext ]
      keyUsage                = critical,keyEncipherment
      extendedKeyUsage        = emailProtection
      subjectKeyIdentifier    = hash
      subjectAltName          = email:move
      EOF
      
      cat << 'EOF' > ca/conf/tls-server.conf
      [ default ]
      SAN                     = DNS:yourdomain.tld    # Default value
      
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = no                    # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = server_dn             # DN template
      req_extensions          = server_reqext         # Desired extensions
      
      [ server_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, FQDN)     "
      commonName_max          = 64
      
      [ server_reqext ]
      keyUsage                = critical,digitalSignature,keyEncipherment
      extendedKeyUsage        = serverAuth,clientAuth
      subjectKeyIdentifier    = hash
      subjectAltName          = $ENV::SAN
      EOF
      
      cat << 'EOF' > ca/conf/tls-server-nosan.conf
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = no                    # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = server_dn             # DN template
      req_extensions          = server_reqext         # Desired extensions
      
      [ server_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, FQDN)     "
      commonName_max          = 64
      
      [ server_reqext ]
      keyUsage                = critical,digitalSignature,keyEncipherment
      extendedKeyUsage        = serverAuth,clientAuth
      subjectKeyIdentifier    = hash
      EOF
      
      cat << 'EOF' > ca/conf/tls-client.conf
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = no                    # Protect private key
      default_md              = sha256                  # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = client_dn             # DN template
      req_extensions          = client_reqext         # Desired extensions
      
      [ client_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, full name)"
      commonName_max          = 64
      
      [ client_reqext ]
      keyUsage                = critical,digitalSignature
      extendedKeyUsage        = clientAuth
      subjectKeyIdentifier    = hash
      EOF
      
      cat << 'EOF' > ca/conf/time-stamp.conf
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = no                    # Protect private key
      default_md              = sha256                  # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = timestamp_dn          # DN template
      req_extensions          = timestamp_reqext      # Desired extensions
      
      [ timestamp_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, full name)"
      commonName_max          = 64
      
      [ timestamp_reqext ]
      keyUsage                = critical,digitalSignature
      extendedKeyUsage        = critical,timeStamping
      subjectKeyIdentifier    = hash
      EOF
      
      cat << 'EOF' > ca/conf/oscp-signing.conf
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = no                    # Protect private key
      default_md              = sha256                  # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = ocspsign_dn           # DN template
      req_extensions          = ocspsign_reqext       # Desired extensions
      
      [ ocspsign_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, full name)"
      commonName_max          = 64
      
      [ ocspsign_reqext ]
      keyUsage                = critical,digitalSignature
      extendedKeyUsage        = critical,OCSPSigning
      subjectKeyIdentifier    = hash
      EOF
      
      cat << 'EOF' > ca/conf/code-signing.conf
      # Code-signing certificate request
      
      [ req ]
      default_bits            = 2048                  # RSA key size
      encrypt_key             = yes                   # Protect private key
      default_md              = sha256                # MD to use
      utf8                    = yes                   # Input is UTF-8
      string_mask             = utf8only              # Emit UTF-8 strings
      prompt                  = yes                   # Prompt for DN
      distinguished_name      = codesign_dn           # DN template
      req_extensions          = codesign_reqext       # Desired extensions
      
      [ codesign_dn ]
      countryName             = "1. Country Name (2 letters) (eg, US)       "
      countryName_max         = 2
      stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
      localityName            = "3. Locality Name            (eg, city)     "
      organizationName        = "4. Organization Name        (eg, company)  "
      organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
      commonName              = "6. Common Name              (eg, full name)"
      commonName_max          = 64
      
      [ codesign_reqext ]
      keyUsage                = critical,digitalSignature
      extendedKeyUsage        = critical,codeSigning
      subjectKeyIdentifier    = hash
      EOF
    • tls-server.sh
      #!/bin/bash
      
      uuid=`uuid`
      if [ "$1" != "" ]; then
              uuid="$1"
      fi
      dns_names="XXX"
      if [ "$2" != "" ]; then
      	dns_names="$2"
      fi
      
      # generate signing request
      if [ "$dns_names" = "XXX" ]; then
      openssl req -new \
          -config ca/conf/tls-server-nosan.conf \
          -out ca/intermediate-ca/certs/$uuid-id.csr \
          -keyout ca/intermediate-ca/certs/$uuid-id.key
      else
      SAN="$dns_names" \
      openssl req -new \
          -config ca/conf/tls-server.conf \
          -out ca/intermediate-ca/certs/$uuid-id.csr \
          -keyout ca/intermediate-ca/certs/$uuid-id.key
      fi
      
      # sign the request
      openssl ca \
          -config ca/conf/intermediate-ca.conf \
          -in ca/intermediate-ca/certs/$uuid-id.csr \
          -out ca/intermediate-ca/certs/$uuid-id.crt \
          -extensions server_ext
      
      # display the cert
      openssl x509 -in ca/intermediate-ca/certs/$uuid-id.crt -text
      echo "client files: ca/intermediate-ca/certs/$uuid-id.key ca/intermediate-ca/certs/$uuid-id.crt"
      echo "chain file: ca/intermediate-ca/intermediate-ca-chain.pem"
      
      # create pkcs12 package
      openssl pkcs12 -export \
          -caname "$uuid" \
          -caname "intermediate-ca" \
          -caname "root-ca" \
          -inkey ca/intermediate-ca/certs/$uuid-id.key \
          -in ca/intermediate-ca/certs/$uuid-id.crt \
          -certfile ca/intermediate-ca/intermediate-ca-chain.pem \
          -out ca/intermediate-ca/certs/$uuid-id.p12
      echo "pkcs12 package: ca/intermediate-ca/certs/$uuid-id.p12"
    • push-crl.sh
      #!/bin/bash
      
      . `pwd`/ca.cfg
      
      echo "generating updated crl files ..."
      openssl ca -gencrl \
      	-config ca/conf/root-ca.conf \
      	-out ca/root-ca/crl/root-ca.crl
      
      openssl ca -gencrl \
      	-config ca/conf/intermediate-ca.conf \
      	-out ca/intermediate-ca/crl/intermediate-ca.crl
      
      echo "copying crl files to web server ..."
      cp ca/root-ca/crl/root-ca.crl $BASEPATH/
      cp ca/intermediate-ca/crl/intermediate-ca.crl $BASEPATH/
      
      tree -D $BASEPATH
  2. Make the following edits to those files:
    • Edit ca.cfg to include the internal IP address of the Console
    • Edit create_test_ca.sh to replace the .cer extension with the .der extension
  3. Copy these scripts to your Console.
  4. Run the following commands:
    ./create_test_ca.sh
    # this should include the public IP, private IP, the FQDN, and any other domain names the customer needs for other purposes.
    ./tls-server.sh "NATCert" "IP:172.16.35.12,IP:192.168.3.12,DNS:qavm-3-12.q1labs.lab"
    cp ca/root-ca/root-ca.crt /etc/pki/ca-trust/source/anchors/root-ca.crt
    ./push-crl.sh
    update-ca-trust
    /opt/qradar/support/all_servers.sh -p /etc/pki/ca-trust/source/anchors/root-ca.crt -r /etc/pki/ca-trust/source/anchors
    /opt/qradar/support/all_servers.sh -C update-ca-trust
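As an added check that is not part of this article or of the scripts above: a POSIX shell script (hypothetical name check_san.sh) that validates the SAN list handed to tls-server.sh and confirms the public IP, private IP and FQDN are all present, and that can re-read the SANs out of the issued certificate (for example ca/intermediate-ca/certs/NATCert-id.crt, following tls-server.sh's naming) so the same check can be repeated before the certificate is installed.

```shell
#!/bin/sh
# check_san.sh (added example, hypothetical name; not an IBM or QRadar script)
#
# Pre-flight check for the NAT certificate: validates the comma-separated SAN
# list that tls-server.sh receives as its second argument and confirms that
# every name the agents connect through (public IP, private IP, FQDN) is in it.
# Given a certificate file, it reads the SANs back out of the issued cert.

set -f   # no pathname expansion while splitting fields on IFS below

# is_ipv4 ADDR: four dot-separated decimal octets, each 0-255
is_ipv4() {
    _old_ifs="$IFS"; IFS='.'
    set -- $1
    IFS="$_old_ifs"
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# is_hostname NAME: labels of letters, digits and hyphens, RFC 1123 style
is_hostname() {
    _h="$1"
    [ -n "$_h" ] && [ "${#_h}" -le 253 ] || return 1
    case "$_h" in .*|*.|*..*) return 1 ;; esac
    _old_ifs="$IFS"; IFS='.'
    set -- $_h
    IFS="$_old_ifs"
    for _l in "$@"; do
        [ "${#_l}" -le 63 ] || return 1
        case "$_l" in -*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
    done
    return 0
}

# validate_san_list SAN_LIST REQUIRED_NAME...
# SAN_LIST is e.g. "IP:172.16.35.12,IP:192.168.3.12,DNS:qavm-3-12.q1labs.lab".
# Returns 0 only if every entry is a well-formed IP: or DNS: SAN and every
# REQUIRED_NAME appears among the entries; otherwise reports why on stderr.
validate_san_list() {
    _rest="$1"; shift
    _present=""
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *,*) _entry="${_rest%%,*}"; _rest="${_rest#*,}" ;;
            *)   _entry="$_rest"; _rest="" ;;
        esac
        _kind="${_entry%%:*}"; _value="${_entry#*:}"
        case "$_kind" in
            IP)  is_ipv4 "$_value"     || { echo "invalid IP SAN: $_entry" >&2; return 1; } ;;
            DNS) is_hostname "$_value" || { echo "invalid DNS SAN: $_entry" >&2; return 1; } ;;
            *)   echo "unsupported SAN type: $_entry" >&2; return 1 ;;
        esac
        _present="$_present $_value "
    done
    for _req in "$@"; do
        case "$_present" in
            *" $_req "*) ;;
            *) echo "required SAN missing: $_req" >&2; return 1 ;;
        esac
    done
    return 0
}

# cert_san_list CERT_FILE: print the certificate's SAN entries in the same
# "IP:...,DNS:..." form tls-server.sh accepts (needs openssl; works with the
# -text output of both OpenSSL 1.0.2 and 1.1.1+).
cert_san_list() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | sed 's/IP Address:/IP:/g; s/, /,/g; s/^[[:space:]]*//'
}

if [ "$#" -eq 0 ]; then
    # Constructed demo input: the SAN list from the tls-server.sh run above and
    # the three names agents on both sides of the NAT must be able to match.
    validate_san_list "IP:172.16.35.12,IP:192.168.3.12,DNS:qavm-3-12.q1labs.lab" \
        172.16.35.12 192.168.3.12 qavm-3-12.q1labs.lab \
        && echo "SAN list covers the public IP, private IP and FQDN"
else
    # usage: check_san.sh CERT_FILE REQUIRED_NAME...
    _cert="$1"; shift
    validate_san_list "$(cert_san_list "$_cert")" "$@" \
        && echo "$_cert: all required SANs present"
fi
```

Run it with no arguments to check the list before issuing, or as `./check_san.sh ca/intermediate-ca/certs/NATCert-id.crt 172.16.35.12 192.168.3.12 qavm-3-12.q1labs.lab` after tls-server.sh has signed the certificate.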
Install the new Certificate
 
  1. Follow the steps here to install a new SSL certificate:
    https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_ssl_installing.html
    /opt/qradar/bin/install-ssl-cert.sh
Results
Agents connected to the MHs on different NAT groups are now able to talk to the Console without getting errors from the trust manager.

Document Location

Worldwide


Document Information

Modified date:
14 May 2024

UID

ibm16619087