Insight Certificates

Certificates are used in Insight for secure communication. These are used for communication between the Insight components, such as, Audit Store cluster nodes, Log Forwarder and Analytics.

Note: The default certificates provided are signed using the system-generated Protegrity-CA certificate. However, after installation you can use custom certificates. Also ensure that all the certificates are signed by the same CA as shown in the following diagram.

Audit Store Certificates

Note: When you are updating certificates, ensure that the certificates are updated in the following order:

  1. Audit Store Cluster certificate.
  2. Audit Store REST certificate.
  3. PLUG client certificate for Audit Store.
  4. Analytics client certificate for Audit Store.

The various certificates used for communication between the nodes with their descriptions are provided here.

  • Management & Web Services: These services manages certificate-based communication and authentication between the ESA and its internal components and between ESA and external clients (REST).

    For more information about Management & Web Services certificates, refer to Certificate Management in ESA.

    Management and Web Services

  • Audit Store Cluster: This is used for the Audit Store inter-node communication that takes place over the port 9300.

    • Server certificate:

      The server certificate is used for for inter-node communication. The nodes identify each other using this certificate.

      Note: The Audit Store Cluster and Audit Store REST server certificate must be the same.

    • Client certificate:

      The client certificate is used for applying and maintaining security configurations for the Audit Store cluster.

      Audit Store Cluster

  • Audit Store REST: This is used for the Audit Store REST API communication over the port 9200.

    • Server certificate:

      The server certificate is used for mutual authentication with the client.

      Note: The Audit Store Cluster and Audit Store REST server certificate must be the same.

    • Client certificate:

      The client certificate is used by the Audit Store nodes to authenticate and communicate with the Audit Store.

      Audit Store REST

  • Analytics Client for Audit Store: This is used for communication between Analytics and the Audit Store.

    • Client certificate:

      The client certificate is used by Analytics to authenticate and communicate with the Audit Store.

      Analytics Client for Audit Store

  • PLUG Client for Audit Store: This is used for communication between the logging components and the Audit Store.

    • Client certificate:

      The client certificate is used by the Log Forwarder to authenticate and communicate with the Audit Store.

      PLUG Client for Audit Store

Using Custom Certificates in Insight

The certificates used for the Insight component are system-generated Protegrity certificates. If required, you can upload and use your custom CA, Server, and Client certificates for Insight.

When you use custom certificates, ensure that they meet the following prerequisites:

  • Ensure that all certificates share a common CA.

  • Ensure that the following requirements are met when creating the certificates:

    • The CN attribute of the Audit Store Server certificate is set to insights_cluster.
    • The CN attribute of the Audit Store Cluster Client certificate is set to es_security_admin.
    • The CN attribute of the Audit Store REST Client certificate is set to es_admin.
    • The CN attribute of the PLUG client certificate for the Audit Store is set to plug.
    • The CN attribute of the Analytics client certificate for the Audit Store is set to insight_analytics.
    • The Audit Store Server certificates’ must contain the following in the Subject Alternative Name (SAN) field:

      • Required: FQDN of all the Audit Store nodes in the cluster.

      • Optional: IP addresses of all the Audit Store nodes in the cluster.

      • Optional: Hostname of all the Audit Store nodes in the cluster.

        Note: If you are using a DNS server, then also include the hostname and FQDN details from the DNS sever in the certificate.

  • Ensure that the certificates are generated using a 4096 bit key.

For example, an SSL certificate with the SAN extension of servers ES1, ES2, and ES3 in a cluster will have the following entries:

  • ES1
  • ES2
  • ES3
  • ES1.protegrity.com
  • ES2.protegrity.com
  • ES3.protegrity.com
  • IP address of ES1
  • IP address of ES2
  • IP address of ES3

Note: If you are upgrading from an earlier version to ESA 8.1.0.0 and later and use custom certificates, then run the following step after the upgrade is complete. Custom certificates are applied for td-agent, Audit Store, and Analytics, if installed.

  1. From the ESA Web UI, navigate to System > Services > Audit Store.

  2. Ensure that the Audit Store Repository service is not running. If the service is running, then stop the service.

  3. Configure the custom certificates and upload it to the Certificate Repository.

  4. Set the custom certificates for the logging components as Active.

  5. From the ESA Web UI, navigate to System > Services > Audit Store.

  6. Start the Audit Store Repository service.

  7. Open the ESA CLI.

  8. Navigate to Tools.

  9. Run Apply Audit Store Security Configs.

  10. Continue the installation to create an Audit Store cluster or join an existing Audit Store cluster.

    For more information, refer the Connecting to the Audit Store topic in the Protegrity Analytics Guide 8.1.0.0.

Last modified February 7, 2025