Prepare for External Log Shipping over TLS (Optional)
Keyfactor Command offers the option to copy audit logs in real time to a separate server for collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). and analysis with a centralized logging solution (e.g. rsyslog Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network., Splunk, Elastic Stack). This can be done either over standard UDP/TCP connections, or you can opt to secure the connection to the backend log collection solution using TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers.. This requires a backend solution that supports receiving logs over TLS and, typically, a client certificate on the Keyfactor Command server and a server certificate on the backend server.
The following instructions cover using rsyslog on the backend and will differ if you are using an alternative log collection solution.
SSL Server Certificate on the Log Server
To acquire an SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. server certificate on the log server to allows communications with the log server to be secured TLS, first create or identify a template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. that has an extended key usage (EKU) of Server Authentication and make it available for enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). on a CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. to which the server from which you are requesting the certificate has access with enrollment permissions for the server or user from which you are requesting the certificate. The certificate should be acquired using the Fully Qualified Domain Name (FQDN) of the server or alias used for the log server(s). For example:
You can enroll for an SSL certificate for the log server in a variety of ways. For example:
-
Use OpenSSL to generate a CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA., use the Keyfactor Command CSR enrollment method to enroll for a certificate using the CSR, and then copy the certificate to the log server, marrying it with the private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. generated on the server. You can do this through the Keyfactor Command Management Portal or using the Keyfactor API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. to submit a request.
-
Use the Microsoft MMC on a Windows server to enroll for a certificate (see below) and then copy the PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. file to the log server and break into components as described below.
-
Use the command-line certreq command with a request.inf file on a Windows server and then copy the PFX file to the log server and break into components as described below.
-
If you have an existing Keyfactor Command implementation, use Keyfactor Command to enroll for the certificate using the PFX enrollment method, opt to download it as a ZIP PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key., copy the zip file to the rsyslog server, unzip, and distribute the files as described in the final step, below. You can enroll through the Keyfactor Command Management Portal or using the Keyfactor API to submit a request.
To enroll for a server certificate using the MMC:
-
On a Windows server with appropriate enrollment access, do one of following:
-
Using the GUI:
- Open an empty instance of the Microsoft Management Console (MMC).
- Choose File->Add/Remove Snap-in….
- In the Available snap-ins column, highlight Certificates and click Add.
- In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.
- Click OK to close the Add or Remove Snap-ins dialog.
-
Using the command line:
- Open a command prompt using the “Run as administrator” option.
-
Within the command prompt type the following to open the certificates MMC:
certlm.msc
-
- Drill down to Certificates in the Personal folder under Certificates for the Local Computer and locate your newly created certificate. Right-click on the certificate and choose All Tasks->Export….
- Follow the certificate export wizard, being sure to answer Yes, export the private key and choosing the option to Include all certificates in the certificate path if possible. Set a password to secure the exported private key.
- In the MMC, drill down to the Personal folder under Certificates for the Local Computer, right-click, and choose All Tasks->Request New Certificate….
- Follow the certificate enrollment wizard, selecting the template you created or identified for use for this purpose, and providing any required information, being sure to set the CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). to the FQDN of the server or alias used for the server to which the logs will be shipped (the rsyslog server in this example).
- Securely copy the resulting PFX file to your rsyslog server and place it in a temporary working directory.
-
Use openssl to break the PFX file apart into separate certificate and key files and remove the encryption on the key file (rsyslog does not provide a method for providing the password necessary to use the encrypted file) as follows:
-
Execute the following command to pull the key out of the PFX file (provide the input password for the PFX when prompted and the output password for the PEM key file when prompted):
openssl pkcs12 -in mycertfile.pfx -nocerts -out mykey.pem -
Execute the following command to pull the certificate out of the PFX file (provide the input password for the PFX when prompted):
openssl pkcs12 -in mycertfile.pfx -clcerts -nokeys -out mycert.pem -
Execute the following command to pull the chain certificate(s) out of the PFX file (provide the input password for the PFX when prompted):
openssl pkcs12 -in mycertfile.pfx -cacerts -nokeys -chain -out cacerts.pem -
Execute the following command to remove the encryption from the key so that a password will not be required when accessing the key file (provide the PEM key password you set in the first step):
openssl rsa -in mykey.pem -out mynewkey.key
-
- Identify a secure location on the rsyslog server to store the certificates and key file (e.g. /etc/tls/certs and /etc/tls/private) and copy the certificates and key to these locations, setting appropriately secure permissions on the files. The key needs to be readable by the rsyslog daemon.
/path/to/tls/certificates/** r,
/path/to/tls/certificate/keys/** r,
Client Authentication Certificate
Your logging solution may or may not require a client authentication certificate on the Keyfactor Command side. If it does, acquire the client certificate(s) using the Fully Qualified Domain Name (FQDN) of the server or alias used for the Keyfactor Command server(s) (see Hostname Identification and Resolution). For example:
The certificate must be installed on the Keyfactor Command server(s) prior to installation of the Keyfactor Command software.
To acquire a client authentication certificate for use in log shipping, first create or identify a template that has an extended key usage (EKU) of Client Authentication and make it available for enrollment on a CA to which the Keyfactor Command server has access with enrollment permissions for the Keyfactor Command server. If desired, you can use a template that has both the Client Authentication and Server Authentication EKUs and use it for certificates on both sides of the communication. Start by copying a computer template if you’re using a Microsoft CA and you want to enroll for the certificate using the Microsoft MMC as described below and without needing to set the private key of the certificate as exportable.
You can enroll for a client authentication certificate for log shipping in a variety of ways. For example:
-
Use IIS or the certificates MMC on the Keyfactor Command server to generate a CSR, use the Keyfactor Command CSR enrollment method to enroll for a certificate using the CSR, and then import the certificate on the Keyfactor Command server, marrying it with the private key generated on the server. You can do this through the Keyfactor Command Management Portal or using the Keyfactor API to submit a request.
-
Use the Microsoft MMC on the Keyfactor Command server to enroll for a certificate (see below).
-
Use the command-line certreq command with a request.inf file on the Keyfactor Command server.
-
If you have an existing Keyfactor Command implementation, use Keyfactor Command to enroll for the certificate using the PFX enrollment method and then import the PFX file on the Keyfactor Command server. You can do this through the Keyfactor Command Management Portal or using the Keyfactor API to submit a request.
-
If you have an existing Keyfactor Command implementation and there is a Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. managing stores on the Keyfactor Command server (see Installing Custom-Built Extensions), use the Keyfactor Command PFX enrollment method and push the certificate out to the certificate store on the Keyfactor Command server using Keyfactor Command. You can do this through the Keyfactor Command Management Portal or using the Keyfactor API to submit a request.
To enroll for a client certificate using the MMC:
-
On the Keyfactor Command server, do one of following:
-
Using the GUI:
- Open an empty instance of the Microsoft Management Console (MMC).
- Choose File->Add/Remove Snap-in….
- In the Available snap-ins column, highlight Certificates and click Add.
- In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.
- Click OK to close the Add or Remove Snap-ins dialog.
-
Using the command line:
- Open a command prompt using the “Run as administrator” option.
-
Within the command prompt type the following to open the certificates MMC:
certlm.msc
-
- Drill down to the Personal folder under Certificates for the Local Computer, right-click, and choose All Tasks->Request New Certificate….
- Follow the certificate enrollment wizard, selecting the template you created or identified for use for this purpose, and providing any required information, being sure to set the CN to the FQDN of the Keyfactor Command server.
Configuring rsyslog for TLS Support
Configuration of rsyslog for TLS support may vary depending on your needs. In addition to the standard rsyslog package for your Linux server, you will need GNU TLS packages to support TLS communication. For example, for Ubuntu the required packages are:
rsyslog-gnutls
gnutls-bin
The following is an example rsyslog.conf file configured for TLS support:
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages - It can be helpful to set this 'off' during initial Keyfactor Command testing
$RepeatedMsgReduction off
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#
# Configuration for TLS
#
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/tls/certs/cacerts.pem
$DefaultNetstreamDriverCertFile /etc/tls/certs/mycert.pem
$DefaultNetstreamDriverKeyFile /etc/tls/private/mynewkey.key
$ModLoad imtcp
$InputTCPServerKeepAlive on
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514
A filter similar to the following can be used to redirect all Keyfactor Command related traffic to a particular file: