Audit Store Certificates

Certificates are used for secure communication with the Audit Store. They secure the communication between the Audit Store cluster nodes and their clients, such as the Log Forwarder and Analytics.

The default certificates provided are signed using the system-generated Protegrity-CA certificate. However, custom certificates can be used after installation. Ensure that all the certificates are signed by the same CA, as shown in the following diagram.

Update the certificates in the following order:

  1. Audit Store Cluster certificate
  2. Audit Store REST certificate
  3. PLUG client certificate for Audit Store
  4. Analytics client certificate for Audit Store

The various certificates used for communication between the nodes are described here. The passphrases for the certificates are stored in the /etc/ksa/certs directory.

  • Management & Web Services: These services manage certificate-based communication and authentication between the ESA and its internal components, and between the ESA and external clients (REST).

    For more information about Management and Web Services certificates, refer here.

  • Audit Store Cluster: This is used for the Audit Store inter-node communication that takes place over the port 9300. These certificates are stored in the /esa/ksa/certificates/as_cluster directory on the ESA.

    • Server certificate: The server certificate is used for inter-node communication. The nodes identify each other using this certificate. The Audit Store Cluster and Audit Store REST server certificates must be the same.

    • Client certificate: The client certificate is used for applying and maintaining security configurations for the Audit Store cluster.

  • Audit Store REST: This is used for the Audit Store REST API communication over the port 9200. These certificates are stored in the /esa/ksa/certificates/as_rest directory on the ESA.

    • Server certificate: The server certificate is used for mutual authentication with the client. The Audit Store Cluster and Audit Store REST server certificates must be the same.

    • Client certificate: The client certificate is used by the Audit Store nodes to authenticate and communicate with the Audit Store.

  • Analytics Client for Audit Store: This is used for communication between Analytics and the Audit Store. These certificates are stored in the /esa/ksa/certificates/ian directory on the ESA.

    • Client certificate: The client certificate is used by Analytics to authenticate and communicate with the Audit Store.

  • PLUG Client for Audit Store: This is used for communication between logging components and the Audit Store. These certificates are stored in the /esa/ksa/certificates/plug directory on the ESA.

    • Client certificate: The client certificate is used by the Log Forwarder to authenticate and communicate with the Audit Store.

Using custom certificates in the Audit Store

The certificates used for the logging component are system-generated Protegrity certificates. If required, upload and use custom CA, Server, and Client certificates for the logging components.

For custom certificates, ensure that the following prerequisites are met:

  • Ensure that all certificates share a common CA.

  • Ensure that the following requirements are met when creating the certificates:

    • The CN attribute of the Audit Store Server certificate is set to insights_cluster.

    • The CN attribute of the Audit Store Cluster Client certificate is set to es_security_admin.

    • The CN attribute of the Audit Store REST Client certificate is set to es_admin.

    • The CN attribute of the PLUG client certificate for the Audit Store is set to plug.

    • The CN attribute of the Analytics client certificate for the Audit Store is set to insight_analytics.

    • The Audit Store Server certificate must contain the following in the Subject Alternative Name (SAN) field:

      • Required: FQDN of all the Audit Store nodes in the cluster
      • Optional: IP addresses of all the Audit Store nodes in the cluster
      • Optional: Hostname of all the Audit Store nodes in the cluster

      If a DNS server is used, include the hostname and FQDN details from the DNS server in the certificate.

  • Ensure that the certificates are generated using a 4096 bit key.

For example, an SSL certificate with the SAN extension for servers ES1, ES2, and ES3 in a cluster will have the following entries:

  • ES1
  • ES2
  • ES3
  • ES1.protegrity.com
  • ES2.protegrity.com
  • ES3.protegrity.com
  • IP address of ES1
  • IP address of ES2
  • IP address of ES3
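As an added example (not Protegrity's own tooling), the following script builds a throwaway CA and an Audit Store server certificate that meets the CN, SAN and key-size requirements above, and defines a check that verifies any certificate against them before it is uploaded. The node names ES1 to ES3 with the protegrity.com domain follow the list above; the 10.0.0.x addresses and the CA name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Protegrity's own tooling). Builds a throwaway CA and an
# Audit Store server certificate meeting the page's requirements, and defines
# check_cert to validate any certificate against them. ES1..ES3, the
# 10.0.0.x addresses and the CA name are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One common CA: every Audit Store certificate must chain to it.
openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 30 \
  -subj "/CN=Example-Audit-Store-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# SAN: FQDN of every node (required), hostname and IP (optional).
SAN="DNS:ES1.protegrity.com,DNS:ES2.protegrity.com,DNS:ES3.protegrity.com"
SAN="$SAN,DNS:ES1,DNS:ES2,DNS:ES3,IP:10.0.0.1,IP:10.0.0.2,IP:10.0.0.3"
printf 'subjectAltName=%s\n' "$SAN" > "$WORK/san.ext"

# Server certificate: CN=insights_cluster, 4096-bit key, SAN from above.
openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/CN=insights_cluster" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.ext" \
  -out "$WORK/server.crt" >/dev/null 2>&1

# check_cert CERT CA_CERT EXPECTED_CN REQUIRED_DNS_NAME...
# Returns 0 only if the certificate chains to CA_CERT, has the expected CN,
# uses a 4096-bit key, and lists every required name in its SAN extension.
check_cert() {
  cert=$1; ca=$2; cn=$3; shift 3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -subject | grep -Eq "CN *= *$cn\$" || return 1
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q "Public-Key: (4096 bit)" || return 1
  for name in "$@"; do
    echo "$text" | grep -Eq "DNS:$name(,|\$)" || return 1
  done
  return 0
}

# The server certificate passes; the same certificate fails the REST client
# check because its CN is insights_cluster, not es_admin.
NODES="ES1.protegrity.com ES2.protegrity.com ES3.protegrity.com"
check_cert "$WORK/server.crt" "$WORK/ca.crt" insights_cluster $NODES \
  && echo "server.crt meets the Audit Store server requirements"
check_cert "$WORK/server.crt" "$WORK/ca.crt" es_admin $NODES \
  || echo "server.crt is not a valid Audit Store REST client certificate"
```

Run check_cert against each custom certificate with the CN required for its role (es_security_admin, es_admin, plug, insight_analytics) and the shared CA file before uploading it to the Certificate Repository.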

When upgrading from an earlier version to ESA 8.1.0.0 or later with custom certificates, run the following steps after the upgrade is complete and custom certificates are applied for td-agent, Audit Store, and Analytics, if installed.

  1. From the ESA Web UI, navigate to System > Services > Audit Store.

  2. Ensure that the Audit Store Repository service is not running. If the service is running, then stop the service.

  3. Configure the custom certificates and upload them to the Certificate Repository.

  4. Set the custom certificates for the logging components as Active.

  5. From the ESA Web UI, navigate to System > Services > Audit Store.

  6. Start the Audit Store Repository service.

  7. Open the ESA CLI.

  8. Navigate to Tools.

  9. Run Apply Audit Store Security Configs.

  10. Continue the installation to create an Audit Store cluster or join an existing Audit Store cluster.

    For more information about creating the Audit Store cluster, refer here.