SSL Configuration: an example. July 2016

Similar documents
plugin deployment guide

Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients

eroaming platform Secure Connection Guide

How to Enable Client Certificate Authentication on Avi

SSL/TLS Certificate Generation

SSL/TLS Certificate Generation

Provisioning Certificates

SSL/TLS Certificate Generation

How to use an EPR certificate with the MESH client

Wildcard Certificates

Mac OSX Certificate Enrollment Procedure

Configure IBM Security Privileged Identity Manager Appliance with a Load Balancer

Configure DNA Center Assurance for Cisco ISE Integration

SSL Configuration Oracle Banking Liquidity Management Release [April] [2017]

HPE Knowledge Article

Using Certificates with HP Network Automation

Certificate service - test bench. Project to establish the National Incomes Register

Configuring the RTP Server

Configure Cisco DNA Assurance

How to integrate CMS Appliance & Wallix AdminBastion

SAML with ADFS Setup Guide

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

OIOIDWS Integration testing

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

DEPLOYMENT GUIDE. SSL Insight Certificate Installation Guide

White Paper: Configuring SSL Communication between IBM HTTP Server and the Tivoli Common Agent

How to convert.crt SSL Certificate to.pfx format (with openssl Linux command) and Import newly generated.pfx to Windows IIS Webserver

Configuring NiFi Authentication and Proxying with Apache Knox

mobilefish.com Create self signed certificates with Subject Alternative Names

Managing Certificates

Server software page. Certificate Signing Request (CSR) Generation. Software

Creating a Media5 Device Host Certificate with OpenSSL

Managing TLS Certificate, KeyStore, and TrustStore Files

Purpose. Target Audience. Overview. Prerequisites. Nagios Log Server. Sending NXLogs With SSL/TLS

SSL Certificates SignOn Soltuions September 2018

Developers Integration Lab (DIL) Certificate Installation Instructions. Version 1.6

Public-key Infrastructure

Securing A Basic HTCondor Pool

Installation Manual. Universitätsstraße Koblenz Germany. VERSION: 11.x

Configuring IBM WebSphere Application Server 7 for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

Configuring Secure Communication to Oracle to Import Source and Target Definitions in PowerCenter

Configuring Java CAPS for SSL Support

Enabling Secure Sockets Layer for a Microsoft SQL Server JDBC Connection

Getting Started with the VQE Startup Configuration Utility

CP860, SIP-T28P, SIP-T26P, SIP-T22P, SIP-T21P, SIP-T20P, SIP-T19P, SIP-T46G, SIP-T42G and SIP-T41P IP phones running firmware version 71 or later.

Your Apache ssl.conf in /etc/httpd.conf.d directory has the following SSLCertificate related directives.

UCON-IP-NEO Operation Web Interface

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA

Creating an authorized SSL certificate

Configuring IBM Rational Synergy to use HTTPS Protocol

SSO Authentication with ADFS SAML 2.0. Ephesoft Transact Documentation

Avaya Callback Assist Application Notes for SSL or TLS Configuration

ADFS Setup (SAML Authentication)

No-Nonsense Guide to SSL

Managing User Accounts

Configuring Oracle Java CAPS for SSL Support

SSL or TLS Configuration for Tomcat Oracle FLEXCUBE Universal Banking Release [December] [2016]

Secure Communications User Guide

Weblogic Configuration Oracle FLEXCUBE Investor Servicing Release [October] [2015]

MSE System and Appliance Hardening Guidelines

Weblogic Configuration Oracle FLEXCUBE Universal Banking Release [May] [2017]

This documentation can used to generate a request that can be submitted to any of these CA types.

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Application notes for supporting third-party certificate in Avaya Aura System Manager 6.3.x and 7.0.x. Issue 1.3. November 2017

SSL Configuration on WebSphere Oracle FLEXCUBE Universal Banking Release [February] [2016]

jodbc Service and SQL Catalog

X-road MISP2 installation and configuration guide. Version 1.20

Unified Management Portal

Please select your version

FortiNAC. Analytics SSL Certificates. Version: 5.x Date: 8/28/2018. Rev: D

Dialogic PowerMedia Media Resource Broker (MRB)

Getting Started with the VQE Startup Configuration Utility

TLS encryption and mutual authentication using syslog-ng Open Source Edition

Deploying a Dialogic 4000 Media Gateway as a Survivable Branch Appliance for Microsoft Lync Server 2010

Configuring CA WA Agent for Application Services to Work with IBM WebSphere Application Server 8.x

Genesys Security Deployment Guide. What You Need

Assuming you have Icinga 2 installed properly, and the API is not enabled, the commands will guide you through the basics:

Director and Certificate Authority Issuance

HOWTO: Setup FTP with TLS support

Proftpd 지시자설정 10_29 페이지 년 10 월 29 일목요일 오후 2:08

How to Set Up External CA VPN Certificates

QMetry 7 Installation Guide - Linux Platform

Public-key Infrastructure

SECURE Gateway v4.7. TLS configuration guide

Public Key Enabling Oracle Weblogic Server

EJBCA Enterprise Cloud Edition CloudHSM Integration Guide

Public-key Infrastructure

Configure IBM Rational Synergy with 3 rd Party LDAP Server. Release

Controller Installation

Avaya Callback Assist Application Notes for HTTPS Configuration

Configuring SSL for EPM /4 Products (Cont )

Low Hanging Fruit: Securing Your Basic MongoDB Installation

SAP Business One Integration Framework

Product Support Notice

Corporate Infrastructure Solutions for Information Systems (LUX) ECAS Mockup Server Installation Guide

How SSL works with Middle Tier Oracle HTTP Server:

BusinessObjects Enterprise XI Release 1 and Release 2

Securing IoT applications with Mbed TLS Hannes Tschofenig

PKI and TLS. Project 2, EITF55 Security, Ben Smeets Dept. of Electrical and Information Technology, Lund University, Sweden

Transcription:

SSL Configuration: an example July 2016

This document details a walkthrough example of SSL configuration in an EM managed mongodb environment. SSL certificates are used to enforce certificate based security and network encryption. 2

ROOT KEY AND CA CERTIFICATE CREATION: This will be used to sign the mongodb and agent certificates. For the mongodb instance the trusted CA maps to the parameter sslcafile. mkdir /etc/ssl/mongo cd /etc/ssl/mongo openssl genrsa -out rootca.key 4096 We now have a root key: rootca.key Generate the root certificate (only required if you need a new one): openssl req -x509 -new -nodes -key rootca.key -days 3650 -out rootca.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:UK State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:AIDEV UK Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:AIDEV ROOT CA Email Address []:info@aidev.uk We also now have a root certificate and key: rootca.key rootca.pem 3

MONGO KEY AND CERTIFICATE CREATION This will be used by the mongodb instance and maps to the parameter sslpemkeyfile. IMPORTANT: PLEASE ENSURE THAT THE COMMON NAME MATCHES THE HOSTNAME OR IP ADDRESS OF THE MONGODB HOST. openssl genrsa -out mongodb.key 4096 openssl req -new -key mongodb.key -out mongodb.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:AIDEV UK Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:192.168.0.51 Email Address []:info@aidev.uk Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:welcome1 An optional company name []: openssl x509 -req -in mongodb.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial -out mongodb.crt -days 3650 Signature ok subject=/c=gb/st=some-state/o=aidev UK/CN=osboxes/emailAddress=info@aidev.uk Getting CA Private Key For the mongodb side, we now have: mongodb.crt mongodb.csr mongodb.key 4

AGENT KEY AND CERTIFICATE CREATION This will be used by the EM agent. openssl genrsa -out agent.key 4096 openssl req -new -key agent.key -out agent.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:AIDEV UK Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:emcc.example.com Email Address []:info@aidev.uk Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:welcome1 An optional company name []: openssl x509 -req -in agent.csr -CA rootca.pem -CAkey rootca.key - CAcreateserial -out agent.crt -days 3650 Signature ok subject=/c=gb/st=some-state/o=aidev UK/CN=emcc.example.com/emailAddress=info@aidev.uk Getting CA Private Key For the agent side we now have: agent.crt agent.csr agent.key 5

CONFIGURE MONGOD Create the pem files for the agent and mongodb: cat mongodb.key mongodb.crt > mongodb.pem cat agent.key agent.crt > agent.pem IMPORTANT: ensure the following files are chmod 600 by the mongodb operating system user: mongodb.pem rootca.pem Start mongo: /root/mongo/mongodb-linux-x86_64-ubuntu1404-3.0.4/bin/mongod \ --fork --rest --port 28001 \ --dbpath /data_new/db/ssl_01 \ --logpath /data_new/db/logs/mongod_ssl_01.log \ --auth \ --sslpemkeyfile /etc/ssl/mongo/mongodb.pem \ --sslmode requiressl \ --sslcafile /etc/ssl/mongo/rootca.pem Alternatively if using a configuration file add in the following: sslpemkeyfile = /data_new/db/keys/ssl_01.pem sslcafile =/etc/ssl/mongo/rootca.pem sslmode = requiressl #sslmode = allowssl #sslmode = preferssl Please refer to the official mongodb documentation for a detailed description of the sslmode options. 6

TRUSTSTORE CONFIGURATION Create the truststore - this is required on the agent side: IMPORTANT: use welcome1 as the password for this agent internal store Firstly, to ensure the private key and certificates are imported we need to convert the agent cert/key to pkcs12: openssl pkcs12 -export -in agent.crt -inkey agent.key -out agent.p12 - name agentkey -CAfile rootca.pem -caname root We can then import using keytool: keytool -importkeystore -deststorepass welcome1 -destkeystore truststore.ts \ -srckeystore agent.p12 -srcstoretype PKCS12 -srcstorepass welcome1 - alias agentkey Then add in the root CA: keytool -importcert -trustcacerts -file /etc/ssl/mongo/rootca.pem -alias rootca -keystore./truststore.ts -storepass welcome1 Now verify that all is ok: keytool -list -keystore./truststore.ts Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries rootca, 04-Sep-2015, trustedcertentry, Certificate fingerprint (MD5): 4F:3E:51:A8:B7:A2:74:F8:47:0B:82:4B:71:F8:FC:4D agentkey, 04-Sep-2015, PrivateKeyEntry, Certificate fingerprint (MD5): 36:CD:0A:D0:D4:6E:BC:F4:F8:BF:5A:81:2C:62:5C:F3 7

AGENT AND TARGET CONFIGURATION Copy the following files to the agent hosttruststore.ts agent.pem rootca.pem IMPORTANT: chmod 600 each of the above files to ensure only the agent operating system user can access them. In this example we will hold these in /home/oracle/ssl_cert: -rw------- 1 oracle dba -rw------- 1 oracle dba -rw------- 1 oracle dba 5154 Sep 6 03:30 agent.pem 2025 Sep 6 03:38 rootca.pem 5363 Sep 6 02:33 truststore.ts Targets within EM require the SSL enabled and SSL Truststore parameters to be set. This will allow SSL configuration to function for agent monitoring. An example target configuration: 8

The mongodb.js job execution feature requires the definition of rootca, sslpemkeyfile and sslcafile parameters. An example.js job definition: 9

NEED FURTHER INFORMATION? contact info@aidev.uk for more details on this product and how to join up with us. Copyright 2016 Aidev [A trading name of Wardrop Consulting Limited]. All rights reserved. MongoDB and the leaf logo are trademarks or registered trademarks of mongodb Inc or its affiliates in the U.S. and other countries. Microsoft, SQL Server, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Oracle and Oracle Enterprise Manager are trademarks or registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Specifications and product offerings subject to change without notice. Please ensure you have appropriate licenses for running this product. Aidev takes no responsibility whatsoever re. site licensing of Oracle EM, mongodb or any other software used with this plugin this responsibility lies solely with the Client. 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback