
ESM Admin Guide 6.0c

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 41 min read

Summary:

To download SSL certificates, which are essential for securing communication between systems over the internet, there are several commands that can be used depending on the specific requirements and tools available in your environment. Here are some common command-line tools and their typical uses for downloading and managing SSL certificates:

1. **Keytool**: This is the Java keystore tool that allows you to create, manage, and import digital certificates, keys, and trust anchors. It's commonly used for handling SSL/TLS certificates.
   - Command examples:

   ```sh
   # generate a key pair in a JKS keystore
   keytool -genkey -alias mykey -keypass password123 -keystore keystore.jks -storepass password123
   # import a server certificate into a truststore
   keytool -import -file server-cert.pem -alias servercert -keystore truststore.jks
   ```

2. **OpenSSL**: An open-source library and toolkit for secure communication that is widely used for creating, manipulating, and managing SSL/TLS certificates, keys, and other cryptographic objects.
   - Command examples:

   ```sh
   # create a self-signed certificate and an unencrypted private key, valid for 365 days
   openssl req -new -x509 -days 365 -nodes -out server-cert.pem -keyout server-key.pem
   # bundle the certificate and key into a PKCS#12 file
   openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out server-keystore.p12
   ```

3. **Certutil**: This is the command-line utility from Mozilla's NSS (Network Security Services) for managing security certificates, keys, and certificate databases. It's often used in environments running the Firefox browser or other applications that use NSS certificate databases.
   - Command examples:

   ```sh
   # add (-A) a certificate read from a file (-i) with no trust flags (-t ",,") to the NSS database (-d)
   certutil -A -n "My Cert" -t ",," -i /path/to/certfile -d ./database
   # list (-L) the certificates in the database
   certutil -L -d ./database > output.txt
   ```

4. **Curl**: Although primarily used for making HTTP requests, curl can also be used to download files including SSL certificates if you are configuring secure connections through command-line interfaces.
   - Command example:

   ```sh
   curl --cacert server_ca_cert.pem https://secure.server.com/resource
   ```

5. **Lynx**: A text-based web browser that can be used with SSL to view secure websites. It doesn't handle certificate management directly, so you might use it in conjunction with other tools to manage certificates.
   - Command example:

   ```sh
   # lynx has no --cacert option; the CA file is supplied through the SSL_CERT_FILE environment variable
   SSL_CERT_FILE=ca_cert.pem lynx https://secure.server.com/resource
   ```

6. **Windows PowerShell**: For Windows environments, PowerShell can be used to handle SSL certificates through the Import-PfxCertificate cmdlet or other related commands for certificate management.
   - Command example:

   ```powershell
   Import-PfxCertificate -FilePath "C:\certs\server_cert.pfx" -CertStoreLocation Cert:\LocalMachine\Root
   ```

7. **Linux Commands**: In Linux environments, various tools and commands can be used for certificate management, such as the keytool equivalent (openssl) or direct file manipulation, depending on the distribution and its packages.
   - Command example:

   ```sh
   # convert a PEM certificate to DER encoding
   openssl x509 -in server_cert.pem -outform DER -out server_cert.der
   ```

8. **Third-Party Tools**: There are also third-party tools specifically designed for SSL/TLS certificate management, such as HashiCorp Vault, or dedicated security information and event management (SIEM) tools that offer automated workflows for certificate lifecycle management.

When using these commands to download SSL certificates, ensure you have the necessary permissions to manage certificates in your organization's infrastructure. Always test new configurations in a development environment before deploying them into production, as incorrect configurations can lead to service disruptions or security vulnerabilities.

Details:

This document is a guide for administering ArcSight ESM™ 6.0c with CORR Engine, dated September 27, 2012. It is confidential and licensed by HP for specific uses under certain terms. The information within can change without notice; warranties are only valid in the express warranty statements accompanying products or services. Errors or omissions may occur. Key points from the guide include:

  • **Confidentiality**: This document should be treated as confidential, adhering to legal and contractual obligations regarding data protection.

  • **Usage for Examples**: Network information used in examples (like IP addresses and hostnames) is only for illustration purposes.

  • **Revision History**: Provides details of updates made from the initial version on September 27, 2012, including product versions released up to that date.

  • **Contact Information**: Offers support through phone numbers for specific regions and a web site for further assistance.

**Contents Overview:** The guide is structured into several chapters, with Chapter 1 focusing on basic administration tasks. These tasks include:

  • Starting components of the system (detailed starting procedure for ArcSight Manager and decoupled process execution).

  • Instructions for stopping the system when necessary.

This administrative guide provides essential steps and information to effectively manage ArcSight ESM™ 6.0c with CORR Engine, ensuring smooth operation and troubleshooting according to HP's policies and procedures. This text appears to be a series of tasks or steps related to setting up and configuring ArcSight, a security information and event management (SIEM) tool. The tasks include:

  • **Pinging the ArcSight Manager**: Ensuring communication with the manager.

  • **Starting the ArcSight Console**: Launching the main interface for managing SIEM configurations.

  • **Reconnecting the ArcSight Console to the Manager**: Restoring connection after possible disconnections.

  • **Starting ArcSight Web**: Accessing web-based management capabilities.

  • **Starting the Management Console**: Another console for managing various aspects of the system.

  • **Starting SmartConnectors**: Enabling connectors to external devices or systems.

  • **Reducing Impact of Anti-Virus Scanning**: Strategies to minimize disruption caused by antivirus software scanning.

  • **License Tracking and Auditing**: Monitoring license usage and compliance.

  • **ArcSight System Tasks**: General tasks related to maintaining the system's functionality.

  • **Setting up a Custom Login Banner**: Personalizing login screens with specific messages or branding.

**Chapter 2: Configuration** includes managing and changing properties file settings, understanding property file formats, distinguishing between defaults and user properties, editing these files, utilizing dynamic properties, and providing an example of how to change manager settings within the ArcSight environment. The provided text appears to be a summary of various topics related to managing and configuring a software or system, possibly from Hewlett Packard (HP) but not explicitly stated. Here's a summarized breakdown of the key points mentioned in the text:

1. **Properties Dynamically**: This appears to be the tail of a heading on changing properties dynamically, which is part of configuring the system without editing files by hand.

2. **Changing the Service Layer Container Port**: Describes how to adjust settings related to this port for better functionality and security.

3. **Securing the Manager Properties File**: Discusses methods to secure configuration files used by the manager to enhance privacy and integrity.

4. **Adjusting Console Memory**: Focuses on optimizing memory allocation specifically for console usage, which is crucial for performance.

5. **Adjusting Pattern Discovery Memory**: Involves setting aside a specific amount of memory exclusively for pattern discovery operations within the system.

6. **Installing New License Files Obtained from HP**: Explains how to integrate and activate new license files provided by HP to ensure legal use of software features.

7. **Configuring Manager Logging**: Details steps on how to set up logging mechanisms in the manager for easier troubleshooting and performance monitoring.

8. **Sending logs and diagnostics to HP Support**: Outlines a process for collecting and transmitting diagnostic data directly to HP's support team when needed.

9. **Guidelines for using the Send Logs utility**: Provides detailed instructions on how to effectively use the send logs tool, ensuring that collected information is both accurate and pertinent.

10. **Gathering logs and diagnostic information**: Covers procedures for collecting necessary data related to system performance or issues, which can be used in diagnostics and troubleshooting.

11. **Understanding SSL Authentication**: Explores how SSL certificates work within the authentication process of a secure network connection.

12. **Terminology**: Introduces basic terminology specific to IT security and configuration management.

13. **Tools for SSL Configuration**: Discusses three tools (Keytoolgui, keytool, and tempca) used in configuring Secure Sockets Layer (SSL) settings.

14. **How SSL Works**: Provides an explanation of the basic principles underlying SSL technology.

15. **SSL certificates**: Offers information about different types or aspects of SSL certificates that can be configured using the tools mentioned earlier.

These points suggest a guide focused on technical configurations and troubleshooting for a software system, likely related to HP products, with an emphasis on security measures such as logging, memory management, and secure communication protocols like SSL. The text appears to be a section of a larger document or guide related to the use and management of SSL (Secure Sockets Layer) certificates, particularly in the context of a system or software that handles network communications using HTTPS. Here's an overview based on the provided information:

  • **Types**: This part likely introduces different types of SSL certificates used for securing communication between systems.

  • **Comparing Self-signed and CA-signed certificates**: It compares these two types, highlighting advantages and disadvantages of each in terms of security and management.

  • **Using a Self-Signed Certificate**: Provides guidelines on implementation when clients communicate with one or multiple managers within the system.

  • **Using a CA-Signed SSL Certificate**: Discusses the process for creating key pairs, sending requests to a certificate authority (CA), importing root and issued certificates, and restarting the manager to accommodate these new certificates.

  • **Creating and Managing Certificates**: Details on adding additional components like ESM (Enterprise Security Manager) and removing or replacing expired certificates.

  • **Establishing SSL Client Authentication**: Explains how to set up client-side authentication in both ArcSight Console and SmartConnectors, ensuring secure communication with clients.

The text seems to be part of a manual or guide for implementing SSL/TLS security features within a specific software or system setup, likely aimed at enhancing the security and trustworthiness of network communications. The text outlines various aspects of managing and configuring SSL certificates for ArcSight, a security information and event management tool. It covers the following topics:

1. **Migrating from one certificate type to another**: This involves transitioning between Demo, Self-Signed, and CA-Signed certificates. Each transition is discussed in detail with steps similar to each other but tailored to specific scenarios (e.g., migrating from Demo to Self-Signed).

2. **Verifying SSL Certificate Use**: The process of ensuring the certificate is correctly installed and used for authentication within ArcSight is explained, followed by a sample output that demonstrates how to check this.

3. **Using Certificates to Authenticate Users to ArcSight**: This section discusses how certificates can be utilized to authenticate users in the system, which helps maintain secure access without relying on passwords.

4. **Using the Certificate Revocation List (CRL)**: It explains how to implement CRL for certificate validation and its importance in maintaining security by invalidating revoked certificates.

5. **Reconfiguring the ArcSight Console after Installation**: Instructions are provided for adjusting settings within the console post-installation, including changes to ports and session timeouts.

6. **Managing Password Configuration**: This part of the text details how to configure strong passwords in ArcSight, emphasizing various best practices such as enforcing minimum length, restricting user names in passwords, and requiring a mix of character types.

Each subtopic provides detailed steps or guidelines for implementation, reflecting on the importance of maintaining secure configurations in security tools like ArcSight.

This document provides an overview and detailed steps for configuring various aspects of ArcSight asset management, focusing on password settings, uniqueness, expiration policies, failed login restrictions, re-enabling user accounts, auto-creation of assets from scanners in dynamic zones, preserving previous assets, changing default naming schemes, managing compression modes for SmartConnector events, configuring SNMP trap senders, and disabling assets based on age.

The provided text appears to be a table of contents for a document or guide, likely related to software configuration or management. Here's a summary of the main points outlined in each section:

  • **Chapter 2: To Delete an Asset** - Discusses how to remove assets from the system, including details on amortizing model confidence based on scanned asset age.

  • **Configuring Actors** - Provides guidelines and instructions for configuring actors within the software environment.

  • **Tuning Guide for Supporting Large Actor Models** - Offers tips and strategies for optimizing the performance of large actor models to improve overall functionality and efficiency.

  • **Permissions Required to Use Actors and Actor-Related Data** - Explains the necessary permissions required when using actors or handling related data within the system.

  • **About Exporting Actors** - Addresses the process of exporting actors, including what is involved in this operation.

  • **Chapter 3: Running the Manager Configuration Wizard** - Provides an overview and instructions for setting up the configuration wizard to facilitate easier management setup.

  • **Chapter 4: Managing Resources** - Focuses on how resources are managed within the system, possibly related to resource allocation or optimization.

  • **Appendix A: Administrative Commands** - Lists various commands used in administration, such as those pertaining to ArcSight_Services.

Each chapter appears to be a standalone guide with specific objectives and procedures, detailing different aspects of configuration and management within the software environment. This text appears to be an outline or table of contents for a technical document related to ArcSight, possibly detailing commands and functionalities for managing archives. Here's a summary of the main points mentioned in each section:

  • **ArcSight Commands** - This section outlines various commands related to ArcSight which are used for managing and interacting with the system.

  • **Archive Command Details**: Provides detailed information about how to use the archive command in specific modes, including remote mode and standalone mode.

  • **Exporting Resources to an Archive** - Describes how to export resources into an archive for storage or backup purposes.

  • **Importing Resources from an Archive** - Details how to import previously exported resources back into the system, ensuring continuity of data management.

  • **Appendix B: Troubleshooting** - Provides guidance on troubleshooting issues related to the product, including performance tuning queries and trends, general server settings, and specific issues after restarting the manager.

  • **General** - A section within the troubleshooting guide that covers basic problems or common issues.

  • **Query and Trend Performance Tuning** - Offers strategies for optimizing query and trend performance in ArcSight.

  • **server.defaults.properties Entries for Trends**: Details specific configurations related to trends within server settings, which can help improve system performance when there is high throughput.

  • **Troubleshooting Checklist after Restarting the Manager** - A checklist for administrators to follow post-restart to diagnose and resolve any issues that may have arisen during or immediately after a manager restart.

  • **Disable these Trends on High Throughput Systems**: Provides guidance on which trends should be disabled on systems with high throughput to prevent performance degradation.

  • **SmartConnectors** - A section discussing the use of SmartConnectors within ArcSight, possibly for enhanced data connectivity and processing capabilities.

  • **ArcSight Console** - Although not detailed here, this likely refers to a graphical interface or console used for managing ArcSight functionalities directly by users.

Overall, these sections collectively provide an overview of how to effectively use and troubleshoot the archive features in ArcSight, as well as some details about other related components like SmartConnectors and the management console. The document appears to be a technical manual or guide related to troubleshooting and managing a software product named ArcSight Web, which is part of the broader ArcSight suite. Here's a summary of the contents based on the provided structure:

  • **Manager**: Refers to management functionality within the system.

  • **ArcSight Web**: Describes features and functionalities related to this web application part of ArcSight.

  • **SSL (Secure Sockets Layer)**: Section discussing issues related to SSL, including connection problems and certificate errors like "cannot connect to the SSL server" or "PKIX exchange failed/could not establish trust chain". These issues are detailed with specific subtopics such as "Issuer certificate expired" and "Certificate is invalid".

  • **FIPS Mode**: A section addressing problems specifically related to running ArcSight Web in FIPS mode, which could be relevant for environments requiring certain security standards compliance.

  • **Appendix C: The Logfu Utility**: Introduces a utility named Logfu that seems to be used for logging and diagnostics within the system administration or troubleshooting process.

  • **Running Logfu**: Provides instructions on how to use this utility.

  • **Example**: Demonstrates an example of using Logfu.

  • **Troubleshooting**: Section dedicated to addressing issues that may arise while running Logfu.

  • **Menu**: Describes the interface or navigation within Logfu.

  • **Typical Data Attributes**: Lists common attributes or data elements typically involved in Logfu operations.

  • **Intervals**: Intervals or time frames used in the operation of Logfu; specific details are not provided in this summary.

The document seems to be a troubleshooting guide aimed at system administrators and IT professionals, detailing how to identify and resolve issues with ArcSight Web's SSL connections and FIPS mode compliance, as well as utilizing the Logfu utility for diagnostic purposes. The provided text appears to be a table of contents for two appendices in a guide, likely related to email template creation and FIPS (Federal Information Processing Standards) configuration. Here's a summary of each section: **Appendix D: Creating Custom E-mails Using Velocity Templates**

  • **Overview**: Provides an introduction to creating custom emails using Velocity templates.

  • **Notification Velocity Templates**: Explains the purpose of email templates used for notifications.

  • **Commonly Used Elements in Email.vm and Informative.vm Files**: Lists key elements found in these template files.

  • The #if statement: A conditional logic element used to control the display of content based on conditions.

  • **Contents of Email.vm and Informative.vm**: Details what each template file typically includes.

  • **How the Email.vm and Informative.vm Template Files Work**: Explains the functionality and structure of these templates.

  • **Understanding the Customization Process**: Discusses how to customize the templates for specific needs.

  • **Sample Output**: Provides examples of how the customized templates might appear when used in emails.

**Appendix E: Configuration Changes Related to FIPS**

  • **Tools Used to Configure Components in FIPS**: Lists tools that can be used to set up components compliant with FIPS standards.

  • **Types of Certificates Used in FIPS Mode**: Describes the different types of certificates required for FIPS compliance, including self-signed and CA-signed certificates.

  • Using a Self-Signed Certificate: Steps and considerations for implementing such a certificate.

  • Using a Certificate Authority (CA) Signed Certificate: Similar steps but for certificates issued by a trusted CA.

  • **Steps Performed on the Manager**: Outlines the specific configuration actions to be taken on the management system.

  • **Steps Performed on ArcSight Web**: Details the necessary actions for configuring ArcSight web interface related to FIPS compliance.

These appendices likely form part of a larger document that serves as an administrator's guide, detailing how to set up and configure systems according to specific standards, particularly in security realms like FIPS compliance. This document outlines a series of procedures for managing SSL (Secure Sockets Layer) certificates and keys within the ArcSight system. The steps are divided into sections based on whether they are performed on the ArcSight Manager, Console, or Web interface. Here’s a summary of each step mentioned in the text: 1. **Generating a Key Pair**: This involves creating both a public key (certificate) and a private key for use with SSL. The process is detailed separately for the Manager, Console, and Web components of ArcSight. 2. **Verifying Success**: After generating or importing keys, it's crucial to verify that they have been successfully created by checking their contents or status in the system database. 3. **Viewing Certificate Contents**: The contents of a certificate stored in the Manager’s NSS (Network Security Services) database should be reviewed to ensure accuracy and security settings are appropriate. 4. **Exporting Certificates**: For backup, recovery, or sharing purposes, certificates can be exported from ArcSight components. This includes exporting from both the Manager and Console interfaces. 5. **Importing Certificates**: If needed, existing SSL certificates can be imported into the NSS DB of different ArcSight components to maintain consistent security settings across all platforms. 6. **Setting up Server-Side Authentication**: Configure the system to use these certificates for server-side authentication during connections with clients. 7. **Setting up Client-Side Authentication**: If client devices or software need to authenticate using SSL, this involves configuring them to accept and use the ArcSight SSL certificates. 
These procedures are essential for maintaining secure network communications in an environment where data encryption is critical, such as with ArcSight's log management and security monitoring capabilities. The text appears to be a summary of various tasks and configurations related to a software or system, possibly focused on cybersecurity or digital certificates. Here's a breakdown of the summarized content:

  • **Changing the Password for NSS DB**: Instructions for modifying the password associated with the Network Security Services (NSS) database.

  • **Listing the Contents of the NSS DB**: How to view and list the contents stored in the NSS database, which is likely used for secure network communications by storing cryptographic keys and certificates.

  • **Viewing the Contents of a Certificate**: Steps for examining details or properties of a digital certificate within the system.

  • **Setting the Expiration Date of a Certificate**: Procedures to determine when a certificate will expire and plan accordingly to avoid any service disruptions.

  • **Deleting a Certificate from NSS DB**: How to remove certificates from the NSS database, which is crucial for managing cryptographic material in secure networks.

  • **Replacing an Expired Certificate**: Techniques for updating or replacing a certificate that has expired to maintain network security and ensure continued access to services.

  • **Using the Certificate Revocation List (CRL)**: Guidance on how to utilize CRLs to check if certificates have been revoked, which is essential for maintaining trust in digital certificates.

  • **Configuration Required to Support Suite B**: Details about setting up configurations to support specific security requirements outlined by Suite B. This might include details relevant to US government standards for high-assurance, cryptographic modules and systems.

  • **Generating a Keypair on the Manager**: Instructions for creating key pairs (public and private keys) within the manager role, which is fundamental in many cryptosystems.

  • **Exporting the Manager’s Certificate**: How to extract and export the certificate associated with the manager's account for backup or transfer purposes.

  • **Importing a Certificate into the Manager**: Steps for incorporating an existing digital certificate into the manager's profile, which is necessary for multi-factor authentication or other security enhancements.

  • **Changing a Default Mode Installation to FIPS 140-2**: A process of adjusting the installation settings to comply with the Federal Information Processing Standards (FIPS) 140-2 guidelines, ensuring cryptographic modules meet strict standards for US federal government use.

  • **Manager, Console, ArcSight Web, and Configure Your Browser for FIPS**: Instructions for configuring the Manager, the Console, ArcSight Web, and your browser settings to support FIPS compliance. This is crucial for systems that handle sensitive information where compliance with national standards is mandatory.

  • **Index**: Typically a section at the end of documentation providing an alphabetical or numerically indexed reference to topics discussed in the document, allowing quick access to specific sections or terms.

This summary provides a concise overview of various administrative tasks and configurations related to cryptographic materials and digital certificates, which are critical for secure network operations and compliance with stringent security standards.

The "Confidential Administrator's Guide" provides a detailed guide for effectively managing and administering ArcSight ESM™ components, which are used to monitor, analyze, and respond to security events. This chapter focuses on basic administration tasks such as starting components, configuring settings like reducing the impact of anti-virus scanning, tracking and auditing licenses, and setting up a custom login banner, among others. The guide outlines specific steps and command line options for managing ArcSight Manager, including how to start it from a command or console window, set it up as a daemon, and configure decoupled process execution on UNIX-based systems. It also offers instructions for monitoring the service's success in loading after starting.

The text discusses several aspects related to system administration and troubleshooting for an application called "ArcSight". Specifically, it mentions that by default, the process executor is used on all Unix platforms, running as a daemon before the main application (ArcSight Manager) starts. This setup has implications for managing startup or runtime issues of ArcSight Manager, such as its inability to start unless it detects a running Process Executor. The Process Executor operates within its own watchdog and automatically restarts if it stops for any reason. It is designed to be transparent to users regarding how the ArcSight Manager starts or stops, with execution details like stdout (standard output) and stderr (standard error) being logged in files under /tmp/ with .stdout and .stderr extensions.

Regarding operational procedures, stopping the ArcSight Manager can be done by running the following command as user arcsight: /sbin/service arcsight_services stop manager. To start up the ArcSight Console, open a command window or shell window on /bin, type "./arcsight console", and press Enter. If the ArcSight Console loses its connection to the Manager, it will display a dialog box indicating a lost connection. After waiting for the Manager's restart if necessary, users can click Retry to re-establish the connection or use the Relogin options provided by the application.

This text is about setting up and starting ArcSight, a software for managing security information and event management (SIEM). To use ArcSight, you need to start several components including the Management Console and SmartConnectors, and ensure the Manager is running. The Management Console can be accessed through a specific URL in a browser once configured. SmartConnectors should also be started for proper functioning of the system. When starting the console from a supported browser, use the following address: https://:8443/. To start ArcSight SmartConnectors, open a command window or terminal box and type "./arcsight agents". Before running this command, ensure that ArcSight Manager is already running for optimal performance. Also, keeping the Console running helps monitor the status of configured SmartConnectors and view messages in real time.

To improve system performance under anti-virus scanning, exclude certain directories from virus scans, including "caches/server", "logs", "system", "tmp", "user" (but include user/agent/lib), and "archive". These exclusions avoid negative impacts on CPU usage and disk write speeds.

Finally, the system automatically tracks license usage through an internal audit history that is accessible in specific reports within the ArcSight environment. Users receive warnings when their licenses are exceeded, and there are detailed licensing reports available for each feature within the /All Reports/ArcSight Administration/ESM directory.

The provided text outlines several aspects of managing and configuring an ArcSight system, including licensing reports, scheduled system tasks, updating policies (AUP), configuration settings for a custom login banner, and maintenance tasks related to data indexing and table statistics.

1. Licensing Reports: These provide a summary of the number of Actors, Assets, Users, Devices, and EPS identified over the last week. This information is crucial for understanding the system's usage and compliance with licensing requirements.

2. ArcSight System Tasks: These tasks are scheduled to run automatically one or more times per day depending on the task. Indirect control of these schedules can be achieved by changing retention periods. Specific tasks include AUP Updater, Dependent Resource Validator, PurgeStaleMarkSimilarConfigs, Resource Search Index Updater, Sortable Fields Updater, and Table Stats Updator.

3. Setting up a Custom Login Banner: The Manager can be configured to display a custom login message for users logging into the ArcSight Console. This is done by setting the property 'auth.login.banner' in the server.properties file to point to 'config/loginbanner.txt'. Users must close the displayed message before they can log in.

4. Maintenance Tasks:

  • PurgeStaleMarkSimilarConfigs: This task maintains and removes annotation criteria that are stale.

  • Resource Search Index Updater: Updates the resource search index to ensure up-to-date metadata for searches.

  • Sortable Fields Updater: Keeps sortable event fields synchronized with current database indices.

  • Table Stats Updator: Updates statistics on non-partitioned schema tables, including resource tables, ensuring accurate data representation and performance optimizations.

Overall, this text provides a comprehensive guide to managing and maintaining an ArcSight system, covering aspects such as reporting, configuration, and task scheduling, as well as user interface enhancements like custom login banners. The provided text discusses various configuration aspects of ArcSight software, focusing on how to manage and change settings in its properties files. 1. **Managing Properties File Settings**: It explains that different components use properties files for their configurations. These files are modified during certain procedures like using configuration wizards. Proper file format includes keys and values where the key defines a setting while the value specifies its configuration. Lines starting with '#' are comments, and blank lines are ignored. 2. **Property File Format**: The text explains that all properties files consist of pairs of keys and values in plain text format. Comments are indicated by lines beginning with '#', which are not read during processing. 3. **Defaults and User Properties**: Most configurations involve two property files - defaults and user properties. The former (like server.defaults.properties) contains default settings that should not be altered directly; they serve as a reference. The latter (server.properties), allows overriding default settings with specific installation values. 4. **Adjusting Console Memory, Pattern Discovery Memory**: These sections discuss setting up memory configurations for the ArcSight console and pattern discovery tools respectively. This involves understanding RAM usage patterns to optimize performance based on system specifications. 5. 
**Installing New License Files, Configuring Manager Logging, SSL Authentication, Reconfiguring ArcSight Manager, Managing Password Configuration, Compression and Turbo Modes, Sending Events as SNMP Traps, Asset Aging, Configuring Actors**: These topics cover various aspects of post-installation setup and configuration including managing logging settings, securing data with SSL, updating license files, adjusting performance through compression modes, configuring actors for event management, and more. The document provides a comprehensive guide to maintaining and optimizing an ArcSight system post-installation, ensuring optimal performance across all its components. This passage is about managing and customizing properties files for different components of an ArcSight system, which likely involves configuring security or monitoring software. Here's a summary: 1. **Automatic Creation of Properties Files:** When you configure a component using its configuration wizard, a user properties file specific to your environment is automatically created and modified. This file is not replaced during upgrades because it contains settings specified by the user. If an upgrade modifies any properties, these changes are made in the defaults file. 2. **Purpose of Properties Files:** Different components have different properties files:

  • **Manager Configuration**: `config/server.properties` and `config/server.defaults.properties`

  • **ArcSight Console**: `config/console.properties` and `config/console.defaults.properties`

  • **ArcSight Common Client**: `config/client.properties` and `config/client.defaults.properties`

  • **SmartConnector**: `user/agent/agent.properties` and `config/agent/agent.defaults.properties`

3. **Editing Properties Files:** Always start by looking at the defaults file for a property before editing the main properties file. Copy the desired property from the defaults to the main properties file and adjust it according to your needs. This ensures that customizations are preserved during upgrades. Use a simple text editor like Notepad for this task, avoiding those that add special characters. 4. **Special Case: Default Settings in Wizard** If you configured components (Console and SmartConnectors) using default settings from the configuration wizard, no automatic user properties file is created. In such cases, create these files manually using a text editor in the specified directories as per the table above. 5. **Editing Property Values:** When editing property values on a component, you must restart that component for changes to take effect. Dynamic Manager properties, however, do not require a restart after modification. This document outlines how to manage and customize settings specific to each ArcSight component using properties files, ensuring compatibility with future software updates while maintaining tailored configurations. This is a guide for configuring and managing a Manager system, focusing on communication ports and protocol settings. The text advises that when changing a communication port, such as switching from 8443 to another port like 9443 or 8000, it's crucial not only to update the Manager but also all connected clients (like Consoles, SmartConnectors, ArcSight Web) to ensure seamless functionality. The document provides a detailed list of TCP and UDP ports used for different communications:

  • TCP 8443 is used for communication between the ArcSight Console and the Manager.

  • TCP 9443 is designated for ArcSight Web.

  • TCP 9090 is the port for ESM Service Layer Container, which is a dynamic property that can be configured in the server.properties file without restarting the Manager.

  • Other ports include LDAP (TCP 389 and 636), SMTP (port 25) for notifications, POP3 (110), IMAP (143), RADIUS (UDP 1645 or 1812), DNS (UDP/TCP 53), Whois (UDP/TCP 43).

  • ICMP is used for pinging targets without SSL.

Dynamic properties in the server.properties file can be adjusted without restarting the Manager, including settings like reenabling time for authentication, enforcing single sessions, maximum failed attempts for passwords, password age and length constraints, character type limitations, and others. The guide emphasizes that these changes will take effect immediately upon saving them in the configuration file. In summary, this document outlines essential steps to ensure proper communication between different components of a management system by detailing how to configure ports and dynamic properties efficiently. The text describes how changes are made and saved in a configuration file (server.properties) for a Manager instance that the example calls M1. Here is the summarized process: 1. **Initial Setup**: When the system starts up, it has default settings in its server.properties file. 2. **Adding New Properties**: Administrators can add new properties like `notification.aggregation.max_notifications=150` and `notification.aggregation.time_window=2d` to this configuration file. These changes are loaded using the manager-reload-config command, which reads the modifications into the system's memory. 3. **Backup Creation**: Every time the manager-reload-config command successfully updates the configuration, a backup of the current server.properties file is created and saved in the /config/history directory. This backup includes a timestamp to ensure that each version can be identified and retrieved later if needed. 4. **Example Sequence**:

  • On September 26, 2012, Manager M1 starts with default settings; its server.properties is backed up as `server.properties.2012_09_26_14_45_27_718`.

  • On September 27, 2012, the administrator adds `notification.aggregation.max_notifications=150`, and after reloading the configuration, a new backup is created: `server.properties.2012_09_27_01_05_40_615`.

  • On September 28, 2012, another property `notification.aggregation.time_window=2d` is added; this results in a backup with the timestamp of that day. Backup names follow the pattern `server.properties.YYYY_MM_DD_HH_MM_SS_XXX`, where YYYY is the year, MM the month, DD the day, HH the hour, MM the minutes, SS the seconds, and XXX a three-digit fraction of a second (milliseconds, as in the backup names above).

5. **Current State**: The history directory now contains multiple versions of the server.properties file with different timestamps, allowing for a record of all changes made over time. This process ensures that configurations can be modified without losing previous settings and provides a historical record of what was configured when. The provided text outlines an issue with updating configuration settings in M1 (the Manager in the example) and how to handle such updates correctly. Here's a summary of the key points: 1. **Backup Files**: There are three backup files for `server.properties` dated September 26, 27, and 28, respectively. 2. **Configuration Update Issue**: On September 30, an administrator updated the `whine.notify.emails` property but encountered a problem when running the `manager-reload-config` command. The command failed because this particular property cannot be loaded dynamically. 3. **Implications of Failure**: As a result, the updated `server.properties` file was not loaded into M1's memory, although the changes to the file on disk were still saved. Consequently, M1 continued using the properties from September 29th. No new backup copy was created in the `/config/history` directory. 4. **Effective Changes**: The changes made on September 30th did not take effect until M1 was restarted. 5. **Corrective Actions for Dynamic Property Updates**: To change properties dynamically:

  • Update the property in `server.properties`.

  • Optionally, use the `manager-reload-config` command with the `-diff` option to view differences.

  • Execute the `arcsight manager-reload-config` command to load new values for changed properties. If this fails and issues a warning about needing a Manager restart, none of the property changes are applied until M1 is restarted.
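As an added example (not code from the ESM guide or the product), the following Python script parses properties files in the key/value format described above, builds the effective Manager configuration by overlaying server.properties on server.defaults.properties, names a history backup with the timestamp pattern shown, and diffs a backup against the current file the way `manager-reload-config -diff` would, flagging changes that need a Manager restart. The file contents, the backup timestamp and the set of keys treated as "dynamic" are constructed for this example only.

```python
"""Properties-file handling for a Manager: parse, overlay, diff, and classify.

Added example, not ArcSight code. Sample file contents and the DYNAMIC_KEYS
set are constructed; consult server.defaults.properties for the real keys.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of server.defaults.properties (never edited in place).
DEFAULTS_TEXT = """\
# Defaults: copy a key into server.properties to override it.
notification.aggregation.max_notifications=100
notification.aggregation.time_window=1d
auth.password.length.min=6
whine.notify.emails=
"""

# Constructed copy from config/history, taken before the later edits.
BACKUP_TEXT = """\
notification.aggregation.max_notifications=100
"""

# Constructed current server.properties: the two dynamic edits from the
# guide's example plus one edit (whine.notify.emails) that needs a restart.
CURRENT_TEXT = """\
notification.aggregation.max_notifications=150
notification.aggregation.time_window=2d
whine.notify.emails=soc@example.com
"""

# Hypothetical classification for this example only; the guide states that
# whine.notify.emails and auth.password.length.min require a Manager restart.
DYNAMIC_KEYS = {
    "notification.aggregation.max_notifications",
    "notification.aggregation.time_window",
}

# key, optional whitespace, '=' or ':' separator, value (may be empty)
_KV = re.compile(r"^([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Return key -> value; '#'/'!' comment lines and blank lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_config(defaults: Dict[str, str], user: Dict[str, str]) -> Dict[str, str]:
    """User properties override defaults; keys absent from the user file keep defaults."""
    merged = dict(defaults)
    merged.update(user)
    return merged


def diff_properties(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(key, old_value, new_value) for every key whose value differs; missing -> ''."""
    changes: List[Tuple[str, str, str]] = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key, ""), new.get(key, "")))
    return changes


def reload_outcome(changes, dynamic_keys=DYNAMIC_KEYS) -> Tuple[bool, List[str]]:
    """Model manager-reload-config: if any changed key is not dynamic, no change
    is applied and those keys need a restart; otherwise all changes apply."""
    blocking = [key for key, _, _ in changes if key not in dynamic_keys]
    return (not blocking, blocking)


def history_backup_name(stamp: datetime) -> str:
    """Backup file name in the config/history pattern, e.g. ..._2012_09_26_14_45_27_718."""
    return f"server.properties.{stamp:%Y_%m_%d_%H_%M_%S}_{stamp.microsecond // 1000:03d}"


if __name__ == "__main__":
    defaults = parse_properties(DEFAULTS_TEXT)
    current = parse_properties(CURRENT_TEXT)
    print("effective:", effective_config(defaults, current))
    changes = diff_properties(parse_properties(BACKUP_TEXT), current)
    for key, old, new in changes:
        print(f"  {key}: {old!r} -> {new!r}")
    applied, blocking = reload_outcome(changes)
    print("applied dynamically:", applied, "restart needed for:", blocking)
    print("backup name:", history_backup_name(datetime(2012, 9, 26, 14, 45, 27, 718000)))
```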

The text also provides guidance on how to handle such configuration updates correctly by emphasizing the importance of using the appropriate commands and understanding when system restarts might be necessary. The provided text outlines several key configurations and procedures for managing an Arcsight Manager system, particularly focusing on properties, configuration updates, and security measures such as securing the server.properties file. 1. **Managing Property Changes**: When making changes to properties that require a restart of the Manager (such as changing auth.password.length.min but not search.enabled), use the command `arcsight manager-reload-config -as` to force an update. Properties that can be changed without restarting will take effect immediately, while those requiring a restart will be updated in the server.properties file and become effective after a restart. Be cautious with this option as improper changes might prevent the Manager from starting post-reboot. 2. **Changing the Service Layer Container Port**: The default port is 9090, which can be changed by modifying specific configuration files located under `` and `/config`. Update references to the default port with an unused number and then restart the Manager to apply the changes. 3. **Securing the Server Properties File**: This file contains critical information like database passwords and must be protected from unauthorized access. Ensure that only the user account running the Manager has read permissions for this file, using Unix-based security measures. In summary, these guidelines provide a structured approach to managing configurations, updates, and security aspects of an Arcsight Manager system through detailed steps and considerations about property changes and port configuration adjustments. This text talks about two different things related to software configurations for managing resources and access permissions. 
Firstly, it mentions how to protect certain files using the `chmod` command in Unix-based systems or NTFS file system features on Windows. By running `chmod 600 server.properties`, only the owner of the file can read or write to it. This is typically done during the Manager installation. In case you're working with Windows, you can use Microsoft Windows Access Control Lists (ACLs) to secure the same files. Secondly, it gives guidance on adjusting memory usage in the ArcSight Console for better performance and prevention of out-of-memory errors. This involves modifying Java Virtual Machine settings within the `console.bat` or `console.sh` scripts found in the bin/scripts directory. For Pattern Discovery specifically, there are properties related to transaction and event limits that can be adjusted in the server.defaults.properties file under the config folder. These include:

  • patterns.transactionbase.max for maximum transactions allowed in memory.

  • patterns.maxSupporterCost for maximum supporters allowed in memory.

  • patterns.maxUniqueEvents for maximum unique events allowed in memory.

Exceeding these limits can lead to the task aborting due to insufficient memory, and adjusting them might help avoid such issues by controlling the amount of data held in memory at any given time. The provided text discusses several aspects related to managing and configuring an ArcSight Manager, a software for event management and pattern discovery in security information and event management (SIEM) systems. Firstly, it explains how increasing memory usage limits in the pattern discovery task can be achieved by adjusting three parameters: `patterns.transactionbase.max`, `patterns.maxSupporterCost`, and `patterns.maxUniqueEvents`. To increase memory capacity by 25%, these values should be adjusted to 125% of their original amounts. Changes require editing a properties file with a text editor, followed by restarting the manager for the changes to take effect. Secondly, it details how to install new license files from HP. This involves navigating to the Management Console's Administration tab and Configuration Management section, specifying or browsing to the .lic or .zip file containing the new license, clicking "Upload" to deploy the license, and optionally restarting certain ArcSight server processes based on HP's instructions. Lastly, it explains how to configure manager logging by default located in `/logs/default/`. The number and size of log files are configurable, with a typical setting being 10 files each with a maximum size of 10 MB. Adjustments can be made based on system load, and changes require editing properties or using specific commands depending on the version of ArcSight Manager used. Overall, these steps cover essential aspects for maintaining and optimizing performance in an ArcSight Manager environment through configuration adjustments and proper handling of license files. The text provided is about configuring logging settings for a system, specifically for the Manager log file named "server.log" and other related logs. 
Here's a summary of the key points: 1. **Default Log Channel**: The default log channel is set to "file," which means all logs are initially stored in a single log file called "server.log." 2. **Log File Properties**:

  • **Maximum Size**: The maximum size for each individual log file is set at 10MB using the property `log.channel.file.property.maxsize=10MB`.

  • **Roll Over Files**: The number of roll over files is controlled by `log.channel.file.property.maxbackupindex=10`, which means up to 10 log files can be created, with the oldest having the largest number in its extension.

3. **Log File Location**: All log files are stored in the `/logs/default` directory. 4. **Related Logs**: Other related logs include:

  • **server.status.log**: For system status information like memory usage.

  • **server.channel.log**: For active channel logs.

  • **server.std.log**: For console outputs from the Manager when run in command line mode.

  • **server.pulse.log**: Used to detect service interruptions, with a new entry every 10 seconds.

  • **server.sql.log**: Logs SQL statements if database tracing is enabled.

  • **execproc.log**: Log information about externally executed processes (platform-specific).

  • **serverwizard.log**: Logging information from the Arcsight Manager setup utility.

5. **Sending Logs and Diagnostics**:

  • The system includes a "Send Logs" utility that automatically locates log files and compresses them for easier sharing with Customer Support when needed.

  • This utility can be run via both GUI in the Console interface and command-line interfaces of each component.

6. **Diagnostic Information**: The utility also allows gathering additional diagnostic information such as session wait times and thresholds, which might be used to analyze performance or troubleshoot issues. This text is about using a tool called "Send Logs" for HP ESM systems to gather logs and diagnostic information from various components like consoles, managers, databases, SmartConnectors, and CORR-Engine. The utility allows users to collect local logs when connected as any valid user, and requires admin access to collect logs from other components. It supports versions 4037 or later of SmartConnectors for remote collection. Logs are gathered and compressed automatically, with no option to select specific files. The utility generates a compressed file that can be sent by email to HP Customer Support if requested. The provided text discusses configuring a utility called "Send Logs" in a product related to security information and event management (SIEM). The purpose of this utility is to ensure that only the appropriate amount of information, including IP addresses, host names, and email addresses, is sent to support. Here are some key points from the text: 1. **Information Removal Options**: The Send Logs utility offers three options for removing or sanitizing information in log files before compression:

  • **Send log as generated** (default): This option does not remove any information from the logs.

  • **Only remove IP address**: This option removes only IP addresses, leaving host names and email addresses intact.

  • **Remove IP address, host names, e-mail addresses**: This advanced option removes all IP addresses and allows users to specify a list of host-name suffixes for which all related host names and email addresses are removed from the logs. For instance, if 'company.com' is specified as a host-name suffix to remove, references to domains like 'www.company.com' and emails like 'john@company.com' in the logs would be sanitized or removed.
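The three sanitization modes described above, as an added example that is not the Send Logs utility's own code: IPv4 addresses are always redacted in the two removal modes, and in the third mode host names and e-mail addresses are removed only when they end in one of the administrator-supplied suffixes (so `company.com` catches `www.company.com` and `john@company.com` but leaves a partner's host intact). The log lines, the suffix list and the placeholder tokens are constructed for this example.

```python
"""Apply Send Logs style sanitization modes to log lines before sharing them.

Added example, not ArcSight code. Sample log lines and suffixes are constructed.
"""
import re
from typing import Iterable, List, Sequence

MODE_AS_GENERATED = "as_generated"          # default: nothing removed
MODE_REMOVE_IP = "remove_ip"                # IP addresses only
MODE_REMOVE_ALL = "remove_ip_host_email"    # IPs plus suffix-matched hosts/e-mails

# Constructed sample log lines; the partner host must survive suffix filtering.
SAMPLE_LOG = [
    "2012-09-27 01:05:40 INFO Connector agent01.company.com (10.1.2.3) registered",
    "2012-09-27 01:05:41 WARN notification sent to john@company.com from 192.168.5.7",
    "2012-09-27 01:05:42 INFO partner host relay.partner.net (172.16.0.9) unaffected",
]

_IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# One DNS label: alphanumeric, hyphens allowed inside, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"


def _suffix_patterns(suffixes: Sequence[str]):
    """Compile (email_pattern, host_pattern) pairs for each host-name suffix.

    The e-mail pattern is applied first so that 'john@company.com' is removed
    whole instead of being left as 'john@<host-removed>'.
    """
    pairs = []
    for suffix in suffixes:
        esc = re.escape(suffix.strip().lstrip("."))
        email = re.compile(rf"\b[A-Za-z0-9._%+-]+@(?:{_LABEL}\.)*{esc}\b", re.IGNORECASE)
        host = re.compile(rf"\b(?:{_LABEL}\.)*{esc}\b", re.IGNORECASE)
        pairs.append((email, host))
    return pairs


def sanitize_line(line: str, mode: str, suffixes: Sequence[str] = ()) -> str:
    """Return the line with information removed according to the selected mode."""
    if mode == MODE_AS_GENERATED:
        return line
    if mode not in (MODE_REMOVE_IP, MODE_REMOVE_ALL):
        raise ValueError(f"unknown sanitization mode: {mode}")
    out = _IPV4.sub("<ip-removed>", line)
    if mode == MODE_REMOVE_IP:
        return out
    for email_pat, host_pat in _suffix_patterns(suffixes):
        out = email_pat.sub("<email-removed>", out)
        out = host_pat.sub("<host-removed>", out)
    return out


def sanitize_log(lines: Iterable[str], mode: str, suffixes: Sequence[str] = ()) -> List[str]:
    """Sanitize every line; keeps line order so the log stays readable by support."""
    return [sanitize_line(line, mode, suffixes) for line in lines]


if __name__ == "__main__":
    for mode in (MODE_AS_GENERATED, MODE_REMOVE_IP, MODE_REMOVE_ALL):
        print(f"--- {mode}")
        for line in sanitize_log(SAMPLE_LOG, mode, ["company.com"]):
            print(line)
```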

2. **Gathering Logs and Diagnostic Information**: The utility gathers log files and diagnostic information (if applicable) for specific components such as SmartConnectors. For ArcSight Console, Manager, or Web interfaces, users can choose to gather logs and diagnostic information for all ESM components or a selected subset. 3. **Running the Utility**:

  • For SmartConnectors, run the command `./arcsight agent sendlogs` in `/bin`.

  • For ArcSight Console, Manager, or Web interfaces, use the commands `./arcsight sendlogs` (on Console, Manager, or Web) or click on Tools > SendLogs from the ArcSight Console interface.

4. **Wizard Usage**: The Send Logs wizard remembers most of the settings made during its first run for subsequent uses. Users can choose to reuse previous settings unless they wish to adjust them. This configuration helps in managing and securing sensitive information while facilitating efficient log analysis and diagnostic support through a standardized process. When using the Send Logs utility, there are several steps and options that determine what type of logs are collected. Here’s a summary based on your description: 1. **Initial Setup**:

  • If this is the first time you run `sendlogs` after installation, it will gather logs from all components by default.

  • If you have previously run `sendlogs`, it will use the same setting as the previous run.

2. **Gathering Logs**:

  • **Local Logs Only**:

    • You can choose to include all time ranges or specify a specific time range for which logs are collected from the local component where you ran the utility.

  • **Logs from Other Components (Requires Manager Credentials)**:

    • You need to select the components and optionally the diagnostic utilities to run, as well as specify a time range.

    • Available diagnostic utilities are listed in Appendix A or may be labeled differently based on the product version.

  • Available diagnostic utilities are listed in Appendix A or may be labeled differently based on the product version.

3. **User Interface**:

  • If you choose to gather logs from other components, you will be prompted to select the specific components and their corresponding log information.

  • After selecting the components and time range, you can decide whether to include diagnostic utilities or not.

4. **Time Range Specification**:

  • For local logs only, you can either choose all time ranges or specify a custom time range.

  • If choosing specific time ranges for other components, enter the start and end times manually.

5. **Manager Credentials**:

  • When requesting logs from other components, you need to provide Manager credentials to access the necessary information.

This process allows users to tailor log collection based on their needs, whether it's just local logs or including logs from multiple interconnected components with appropriate permissions. The provided text outlines a process for using SmartConnectors and collecting diagnostic logs for troubleshooting purposes. Here's a summarized version of the steps and information presented: 1. **Ensure SmartConnectors Version**: Users must ensure their SmartConnectors are running version 4037 or later to proceed with the configuration. 2. **Select Diagnostic Utilities (Optional)**: If desired, users can select diagnostic utilities on a subsequent screen; otherwise, they should navigate directly to Step 2 on page 26 of the Confidential Administrator's Guide. 3. **Log Sanitization Settings**: Users are asked if they want to sanitize logs before collection. Choices include keeping current settings or changing/reviewing them, which may involve selecting what types of information (e.g., IP addresses, host names, email addresses) should be removed. For detailed guidelines on log sanitization, refer to the "Guidelines for using the Send Logs utility" on page 21. 4. **Proceed to Next Step**: Based on user's choices regarding log sanitization and other options selected in earlier steps, users are directed to either Step 3 (if no changes were made) or further customize removal of specific information if they opted for changing settings. 5. **Enter Incident Number**: If applicable, provide the Customer Support incident number which helps in naming the compressed log file. This step is crucial as it aids support personnel in correlating the logs with the reported issue. 6. **Start Compression and Finish**: Click 'Next' to initiate the compression of log files using the Send Logs utility. Most settings from previous runs are retained, but users might need to re-enter a few settings initially required for setup. Finally, click 'Finish' on the last screen to complete the process. 7. 
**SSL Authentication**: The text briefly mentions SSL (Secure Sockets Layer) authentication as part of communication technology used in certain processes; however, no detailed information is provided about its implementation or implications within this context. This summary captures the main points and actions required when using SmartConnectors and sending diagnostic logs for troubleshooting, including handling log sanitization and naming conventions based on incident numbers. SSL (Secure Sockets Layer) is used to provide secure communication among different components of the system, including the Manager (referred to as a "server"), Console, SmartConnectors, and ArcSight Web. This encrypted communication ensures several benefits: authentication, encryption, and data integrity. By default, clients authenticate using their valid user names and passwords when connecting to the server. However, SSL client authentication can also be configured for additional security. Notably, SSL is not used between the Manager and the ArcSight Database. Key terminology in this context includes:

  • **Certificate**: A digital document that contains a public key, identifying information about the machine (such as its name), and the authority that issued it. Certificates follow the ISO X.509 standard.

  • **Key pair**: Consisting of a private key (kept secret) and a public key (shared with others), these keys are used to establish an SSL session for secure communication between machines.

The keytoolgui utility, which is discussed in "Tools for SSL Configuration," manages the creation and configuration of SSL certificates and keys, referring to them collectively as a key pair. This document outlines the configuration of SSL (Secure Sockets Layer) for various components in the ArcSight Manager and its related products. The setup involves authentication through keystores and truststores, which are encrypted repositories containing certificates and private keys to ensure secure communication between servers and clients. Key Points: 1. **Keystore Configuration**:

  • A keystore is an encrypted repository on the SSL server (Manager) that holds both the SSL certificate and the server’s private key. The keystores are located in specific directories as listed in a table provided, with file names remaining unchanged across components unless otherwise specified.

2. **Truststore Configuration**:

  • A truststore is an encrypted repository on SSL clients (SmartConnectors, Console, Browsers, and ArcSight Web) that contains a list of certificates for issuers the client trusts. This helps in verifying the authenticity of the server's certificate during the SSL handshake process.

  • The truststores are named 'cacerts', and their locations are specified as part of the JRE security libraries or specific configuration directories across different components.

3. **SSL Handshake**:

  • When an issuer issues a certificate to the server, it signs the certificate with its private key. During communication, the client uses the issuer’s public key from its truststore to verify the signature of the server's certificate. If they match, the client accepts the certificate, ensuring secure communication based on trust.

4. **Utility for Truststore Management**:

  • The 'keytoolgui' utility is mentioned as a tool that can be used to view and manage the truststore, which might involve additional configuration steps outlined elsewhere in the document.

This setup ensures robust security through SSL encryption, enabling reliable authentication and communication between different components of the ArcSight system. ArcSight Web uses Jetty as its web server, with specific configurations for managing truststores to facilitate client-side authentication. The Manager machine hosts utilities like archive and uses a cacerts file for authenticating itself to these clients. For browser connections, there's a separate webtruststore used in addition to the cacerts truststore within ArcSight Web. In this setup: 1. Truststores are used for client-side authentication, with two truststores present: one for Manager (cacerts) and another for browsers (webtruststore), both located under /config/jetty. 2. Certificates and key pairs in a keystore or truststore are identified by an alias. 3. Truststore passwords are managed through the *.defaults.properties file, which contains default passwords that are typically not changed unless obfuscation is required. The changepassword utility can be used to change these passwords for security reasons. 4. Keystore and truststore files need to be encrypted with specific passwords (keystore password and truststore password) to protect their contents. These passwords are stored in the properties file of each ESM component, obfuscated for security. The provided text discusses the management of keystore passwords and cipher suites for various components, including clients, managers, connectors, and web servers. It outlines where these properties should be stored within their respective configuration files, specifically mentioning "client.properties", "server.properties", "webserver.properties", and "agent.properties". Key points include: 1. The keystore password is encrypted and stored in specific property names within each component's file. 2. For client-side authentication, the relevant properties are found under "ssl.keystore.password.encrypted" in "client.properties". 3. 
Cipher suites define the cryptographic algorithms used for secure data exchange; default enabled suites include those mentioned and other supported variants. 4. The text suggests that cipher suite settings can be adjusted within each respective configuration file (e.g., server.properties, webserver.properties, client.properties) by setting them as a comma-delimited list in the "ssl.cipher.suites" property. 5. The existence of these files is crucial; if they do not exist, they should be created using a text editor. The provided information is about SSL configuration and using the Keytoolgui tool for managing keystores in an SSL setup, particularly within ArcSight components. Here's a summarized breakdown of the text: SSL Handshake Process: During the Secure Socket Layer (SSL) handshake, the client presents a list of preferred cipher suites to the server. The server then selects one from its own set of acceptable cipher suites based on preference and communicates this selection back to the client. Keytoolgui Utility: This is a tool designed for SSL configuration tasks such as creating keystores, key pairs, certificates, and performing other related operations. It supports various functions including creating new keystores, generating key pairs, requesting CA-signed certificates, exporting and importing key pairs and certificates. Using Keytoolgui on Windows or Unix: The utility can be run from the command line with specific commands depending on the platform (e.g., ./arcsight keytoolgui for Windows and Unix environments where X11 is enabled). Keytoolgui Commands and Steps:

  • Running the tool: Command to execute the tool in different environments as mentioned above.

  • Opening keystore: Navigate to the component's keystore file while running the command, entering the required password when prompted.

  • Exporting a key pair: Right-click on the desired key pair within the interface, select export options, and follow prompts for private key and certificates radio button, setting and confirming passwords as needed, and specifying an output filename with .pfx extension.

  • Importing a key pair: Similar steps but used when importing rather than exporting; navigate to the keystore file containing the new key pair information which will be verified using the provided password.

This summary captures the main points of how SSL configuration is managed through Keytoolgui, highlighting its functionality and usage within different environments. To use Keytoolgui for exporting or importing certificates, follow these steps:

**Exporting a Certificate:**

1. Open the command prompt in your component's `/bin` directory and run `./arcsight keytoolgui`.
2. In the GUI, go to "File" > "Open keystore", navigate to your component's truststore, and enter the truststore password (default is "changeitpassword").
3. Right-click on the certificate you want to export and select "Export".
4. Choose "Head Certificate" as the Export Type and "DER Encoded" as the Export Format.
5. Navigate to where you want to save the exported certificate, name it with a `.cer` extension, and click "Export".
6. If your destination component is on a different machine, copy the certificate there.

**Importing a Certificate:**

1. Open the command prompt in your component's `/bin` directory and run `./arcsight keytoolgui`.
2. In the GUI, go to "File" > "Open keystore", navigate to your component's keystore, and enter the keystore password (default is "changeitpassword").
3. Go to "Tools" > "Import Key Pair", navigate to the location of the key pair file, select it, and click "Choose".
4. Enter the password for the key pair file when prompted and click OK.
5. Select the key pair and click "Import".
6. Enter an alias for the key pair and click OK.
7. Enter a new password for the key pair file to be imported, confirm it, and click OK. You will see a message saying "Key Pair Import Successful".
8. Click OK in any subsequent dialogs to close them.
9. Go to "File" > "Save keystore" to save the changes to the keystore and exit Keytoolgui.

The instructions provided outline a series of steps for managing certificates and keystores using the `keytoolgui` utility, which is part of ArcSight software. Here's a summary of the process:

### Importing a Trusted Certificate

To import a certificate into the truststore:

1. Run the command `./arcsight keytoolgui` from the `/bin` directory to start the utility.
2. Click on "File->Open keystore" and navigate to the truststore located at `/jre/lib/security`.
3. Select the store named `cacerts` and click "Open."
4. Enter the default password, which is 'changeitpassword'.
5. Go to "Tools->Import Trusted Certificate," browse to the location of the certificate you want to import, select it, and click "Import."
6. Confirm the message displayed by clicking "OK."
7. The certificate details will be shown; confirm them with a click on "OK."
8. A final confirmation message appears; click "Yes" to proceed.
9. Enter an alias for the trusted certificate, typically the fully qualified host name.
10. Click "OK" through any additional messages and save the truststore file.

### Creating a Keystore

To create a new keystore:

1. Run `./arcsight keytoolgui` from the component's `/bin` directory.
2. Click on "File->New keystore," select JKS, and click "OK."
3. Save the keystore by clicking "File->Save keystore."

### Generating a Key Pair

To generate a key pair:

1. Run `./arcsight keytoolgui` from the component's `/bin` directory.
2. Click on "File->Open keystore" and navigate to your existing keystore.
3. Go to "Tools->Generate Key Pair," fill in the fields, and click "OK."
4. Enter an alias for the key pair and save it by clicking "File->Save keystore."

### Using Keytool Utility Directly (Command Line)

The `keytool` utility can be used on UNIX environments without graphical interfaces to manage keystores and truststores directly:

  • Use `./arcsight keytoolgui` to start the utility.

  • Refer to specific commands in the command line for file operations, such as opening a new keystore or importing certificates into it.
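The truststore (`cacerts`) that keytoolgui opens is a plain binary JKS file, and the password prompt is really an integrity check: the store ends in a SHA-1 trailer keyed with the store password, so a wrong password (or a tampered file) is rejected before any alias is read. The following Python example is added here and is not ArcSight's or the JDK's own code; it assumes the legacy version-2 JKS layout, and the Manager host names and DER bytes are constructed placeholders.

```python
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TRUSTED_CERT_TAG = 2  # JKS entry tag for a trusted certificate (1 = private key entry)

def _java_utf(text: str) -> bytes:
    # Same layout as DataOutputStream.writeUTF: 2-byte big-endian length, then UTF-8 bytes
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def _integrity_digest(password: str, body: bytes) -> bytes:
    # JKS trailer: SHA-1 over the UTF-16BE store password, a fixed salt string, then the body
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_truststore(entries, password: str) -> bytes:
    """Serialize (alias, DER bytes) pairs as trusted-certificate entries of a JKS store."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _java_utf(alias)
        body += struct.pack(">Q", int(time.time() * 1000))  # creation date, ms since epoch
        body += _java_utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)

def list_trusted_aliases(store: bytes, password: str) -> dict:
    """Check the store password/integrity, then return {alias: DER bytes} of trusted certs."""
    body, trailer = store[:-20], store[-20:]
    if _integrity_digest(password, body) != trailer:
        raise ValueError("keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if (magic, version) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a version-2 JKS keystore")
    pos, aliases = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", body, pos)
        pos += 6
        alias = body[pos:pos + alen].decode("utf-8")
        pos += alen + 8  # skip alias bytes and the 8-byte creation date
        if tag != TRUSTED_CERT_TAG:
            raise ValueError(f"entry {alias!r} is a key pair; this example reads trusted certs only")
        tlen = struct.unpack_from(">H", body, pos)[0]
        pos += 2 + tlen  # skip the certificate type string ("X.509")
        clen = struct.unpack_from(">I", body, pos)[0]
        pos += 4
        aliases[alias] = body[pos:pos + clen]
        pos += clen
    return aliases

# Constructed sample: two Manager entries keyed by FQDN alias; the DER bytes are placeholders, not real certs
SAMPLE_ENTRIES = [("mgr-a.example.com", b"\x30\x00"), ("mgr-b.example.com", b"\x30\x00")]
SAMPLE_STORE = build_truststore(SAMPLE_ENTRIES, "changeit")
```

Pointing `list_trusted_aliases` at a real `cacerts` file (read in binary mode) lists which Manager certificates a client already trusts, which is a quick way to confirm an import before restarting the client.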

This process is crucial for configuring security settings within ArcSight components, ensuring that all communications are encrypted and trusted. This summary provides an overview of using keytool for managing keystores and truststores in ArcSight, a system designed to monitor network traffic and security events. Keytool is used through command lines or graphical interfaces (keytoolgui) on both SmartConnector hosts and ArcSight Console computers. It allows users to create new keys, export existing ones as certificates, and view or modify SSL certificates for authentication purposes. The summary also explains the process of SSL certificate validation when a client connects to an SSL server, ensuring the hostname matches the one initially contacted.

SSL certificates are used in secure communication between a client and server, ensuring that the connection is private and data integrity is maintained. This process involves several steps including certificate validation, key exchange, and encryption for data transmission. Here's a summary of the main points from the provided text:

1. **Certificate Validation**: The SSL certificate must be trusted by the client due to its presence in the truststore (a repository of CA-trusted certificates) within the JRE security library. Additionally, the certificate should pass signature verification using the corresponding CA's public key stored in the truststore. The current time on the client machine must also fall within the validity period specified in the certificate for it to be considered valid.
2. **Session Key Exchange**: If the certificate is successfully validated, the client generates a random session key, encrypts it using the server's public key, and sends this encrypted key to the server. The server then decrypts the session key using its private key. This decrypted session key is used for all future secure communications between the client and server.
3. **Client-Side Authentication**: In SSL handshakes involving client-side authentication, after the client sends its certificate to the server, the server requests the client's certificate in return. The client responds by sending both its certificate and an encrypted session key.
4. **Certificate Replacement**: If a certificate expires or needs replacement, it should first be deleted from the truststore (cacerts) and then re-imported into the same location. This process requires using the graphical tool 'keytoolgui' for import operations after deleting the expired certificate, to avoid having both certificates in the truststore simultaneously.
5. **Types of SSL Certificates**: There are three types: CA-signed, self-signed (only applicable in default mode), and demo (also only applicable under default conditions). A CA-signed certificate is issued by a trusted third party such as a commercial Certificate Authority.

This process ensures secure communication with the use of encryption keys for protected data exchange between systems using SSL certificates. The passage discusses two types of certificates used in securing communication between clients and servers: self-signed and CA-signed (Certification Authority signed) certificates. It explains that organizations might rely on third-party Certification Authorities like VeriSign or Thawte for certificates, which are trusted by default in client truststores. For a CA-signed certificate, configuration is typically required only once across the network when setting up servers; however, with self-signed certificates, each server must be individually configured in clients' truststores if they are to accept that specific server's certificate. The security of both types of certificates is equivalent, but CA-signed certificates offer scalability advantages over self-signed ones.

For example, managing multiple self-signed certificates across several servers requires repeated client configuration for each new server added to the network. In contrast, configuring clients once for a CA-signed certificate allows them to accept any number of future issuers without further action needed. The method to create and use these certificates varies based on whether clients communicate with one or multiple managers. If clients only need to communicate with a single manager, they should follow steps to generate a self-signed key pair on the manager's server using specific commands (detailed in the original text but not repeated here for brevity). The configuration wizard would then be used to set up this key pair as a self-signed certificate. This process is similar for both types of certificates and involves straightforward setup once the appropriate steps are followed.

The process involves setting up an SSL certificate for the Manager in ArcSight. Here's a step-by-step summary:

1. **Open the Configuration Wizard**: Follow through the Configuration Wizard to proceed.
2. **Enter SSL Keystore Password**: Provide and remember the password for the keystore associated with the certificate.
3. **Complete the Configuration Wizard**: As you go through, ensure all steps are followed correctly.
4. **Post-Configuration Actions**: At the end of the wizard:

  • The Manager’s existing keystore at `/config/jetty/keystore` will be replaced with a newly created one.

  • A selfsigned.cer certificate file will be generated in `/config/jetty`.

  • This new self-signed certificate will be added to the Manager’s truststore file, `/jre/lib/security/cacerts`.

5. **Export Manager's Certificate**: Export the Manager's certificate from `/jre/lib/security/cacerts`.
6. **Distribute Certificate to Clients**: Copy the Manager's certificate to each machine where clients connect to the Manager.
7. **Import Certificate to Clients**: Import the Manager's certificate into the `/jre/lib/security` directory on all client machines. Ensure this is done for all existing clients before proceeding further, as otherwise only new clients with the updated certificate will be able to connect.
8. **Restart Services**: Restart the Manager and all clients to ensure the self-signed certificate takes effect.
9. **Repeat for New Clients**: When installing a new client, repeat steps 2-4 of this procedure.
10. **Web Server Configuration**: On the ArcSight Web server, follow the specific steps outlined in another section to set up SSL Client Authentication.

This setup is crucial for secure communication between the Manager and clients using SSL certificates. The text provided outlines a procedure for setting up SSL client-side authentication using a self-signed certificate on the ArcSight Console when clients communicate with multiple Managers. Here's a summarized step-by-step guide based on the instructions:

1. **Setup SSL Client-Side Authentication**: Follow the steps outlined in section "Setting up SSL Client-Side Authentication on ArcSight Console" starting from page 51 of the Confidential Administrator's Guide.
2. **Multiple Managers Deployment**: For a deployment where clients communicate with more than one Manager, perform these additional steps for each Manager:

  • Follow Step 1 from the previous procedure on all Managers.

  • Copy the self-signed certificate file (selfsigned.cer) from all Managers to the `/jre/lib/security` directory on one client. Rename each certificate file uniquely if multiple have the same name, for example, `SelfSigned_MgrA.cer`.

  • Use the keytoolgui utility in `/bin` to import certificates into the truststore (cacerts):

      • Run the command `./arcsight keytoolgui`.

      • Click File->Open keystore and select the store named cacerts using the password ‘changeit’.

      • Import the self-signed certificate for a Manager:

          • Select the certificate and click Import. Confirm with OK.

          • Enter an alias name, typically the fully qualified host name, and confirm with OK.

          • Save the truststore file.

      • Repeat these steps for all imported certificates.

  • On the client, stop the CLI using the command `./arcsight cli`.

This process ensures that each Manager's self-signed certificate is added to the client's truststore without overwriting the existing cacerts, allowing clients to communicate securely with multiple Managers.

To replace the existing demo or self-signed certificate with a CA-signed SSL certificate, follow these steps:

1. **For SmartConnectors**, run the command: `./arcsight agent tempca -rc`.
2. **Repeat this cacerts procedure** on all other clients.
3. Restart the Manager service so that the Manager can start using the self-signed certificate.
4. Restart the client.
5. When installing a new client, copy the cacerts file from any previously updated client in this procedure.
6. Obtain two CA-signed certificates: one for the Manager and optionally another for ArcSight Web if they are installed on separate machines.
7. **Create a Key Pair for a CA-Signed Certificate**:

  • On the Manager machine, run `./arcsight keytoolgui` to launch the keytoolgui utility in `/bin`.

  • Click "File->New keystore" and select JKS as the keystore type.

  • Create a new keystore by clicking "Tools->Generate Key Pair". Enter information such as validity period (in days) for the certificate, using the fully qualified domain name of the Manager for the Common Name (CN). Provide an email address in Email (E), which is used by CAs to send renewal notifications.

  • Click OK and follow prompts to complete key pair creation.

8. **Send for the CA-Signed Certificate** from your Certificate Authority (CA).
9. Import the CA Root Certificate into the keystore.
10. Import the CA-signed certificate into the Manager's keystore.
11. Restart the Manager service to activate the new CA-signed certificate.
12. If applicable, repeat these steps for ArcSight Web and any additional ESM components.

To obtain a CA-signed certificate, follow these steps:

1. **Generate a New Key Pair**: Create a new key pair and alias for it using the `keytoolgui` utility by entering commands to generate a keystore with a specified name (e.g., `keystore.request`) containing your private key and CSR (Certificate Signing Request). Use a strong password to secure your keystore, preferably different from your existing password if you have one. If you don't remember the password, change it during the setup process.
2. **Send the CSR for CA Signature**:

  • In `keytoolgui`, right-click on the alias name and select "Generate CSR" to create a Certificate Signing Request (CSR). Choose a path and filename where you want to save this file, then click "Generate." The CSR will be saved in your current working directory.

  • Send the generated CSR to the chosen Certificate Authority (CA) for electronic signing.

3. **Import the CA Root Certificate**: After receiving the signed certificate from the CA, import the root CA certificate into the truststore file. This is usually located at `/jre/lib/security/cacerts`. Use the default password or the one provided by the CA to open this keystore file and then import the Root CA certificate (`rootca.cer`) saved in step 1. Repeat these steps on all machines where the Manager is installed.

By following these detailed instructions, you can successfully request and obtain a CA-signed certificate for your ArcSight installation or renewal of an existing one.

To import a CA-signed certificate into the Manager's keystore, follow these steps:

1. Open the cacerts file by following the instructions for your specific system (e.g., running `keytool -importcert` in Java Keytool on Windows or macOS).
2. Click "Tools" then select "Import Trusted Certificate." Choose the rootca.cer file containing the CA-signed certificate you received from the CA.
3. You may encounter a warning about establishing a trust path for the certificate. Click "OK" to proceed, and confirm your trust in the certificate displayed after it is shown.
4. If there are intermediate CA certificates in the chain (as indicated by the CA), follow the same procedure to import each one into the Truststore.
5. Update the CA root certificate on other ESM components such as Consoles, Logger or Connector Appliances, and any PCs with installed Consoles, Connectors, or ArcSight Web.
6. Restart all services after copying the updated cacerts file to ensure they recognize the new certificates.

Remember that SSL certificates used for web servers must be 128-bit X.509 Version 3 certificates in base64 encoded format, and are typically provided by CAs in this form.

To import a signed certificate into ArcSight, follow these steps:

1. **Save or copy the certificate text**: If provided as a file with extensions .CER or .CRT, save it directly to `/config/jetty`.
If given as plain text, include the lines "
