Log Exporter TLS Configuration
How to get a secured connection between the Log Exporter and the syslog server.
The only allowed authentication method via TLS is mutual authentication. For mutual authentication, Log Exporter needs these certificates:
- A PEM Certificate Authority (CA) certificate
- A P12 format client certificate
If you do not already have the required certificates, this procedure is an example of how to create the required certificates. There are also alternative procedures.
All commands need to run on the CA server.
Note - The CA server needs to be routable from the Log Exporter device.
To create a self-signed CA:
Run this if you do not already have a trusted CA PEM:
- Generate the root CA key and do not pass it to anyone:
  openssl genrsa -out RootCA.key 2048
- Generate the root CA PEM:
  openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem
- Enter the Distinguished Name (DN) information for the certificate.
- Common Name (CN) is the exact Fully Qualified Domain Name (FQDN) of the host that you use the certificate with.
- All other fields are optional. If you purchase an SSL certificate from a certificate authority, these additional fields may be required.
- An example of the prompt to provide information:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDepartment
Common Name (e.g. server FQDN or YOUR name) []:www.company.com
Email Address []:
To create a client (log_exporter) .p12 certificate file:
- Generate the client key and do not pass it to anyone:
  openssl genrsa -out log_exporter.key 2048
- Generate the client certificate signing request:
  openssl req -new -key log_exporter.key -out log_exporter.csr
- Use the CA files to sign the certificate:
  openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256
- Convert to P12 format:
  openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12
Note - The challenge phrase used in this conversion is required in the log_exporter TLS configuration.
After you create the required certificates, update the security parameters on the Check Point exporting server:
To update the security parameters:
- If running on a Multi-Domain Server (MDS) / Multi-Domain Log Server (MDLS), switch to the required domain. Run:
  mdsenv <IP Address or Name of Domain Management Server>
- Go to the deployment directory:
  cd $EXPORTERDIR/targets/<Deployment Name>
- Create a directory for the certificates:
  mkdir certs
- Copy RootCA.pem and log_exporter.p12 to the certs directory.
- Make RootCA.pem and log_exporter.p12 readable:
  chmod +r RootCA.pem
  chmod +r log_exporter.p12
- Update the targetConfiguration.xml file with the full path to the certificates and the challenge phrase used to create the .p12 certificate.
To create a server (target) certificate:
- Generate the server key and do not pass it to anyone:
  openssl genrsa -out syslogServer.key 2048
- Generate the server certificate signing request:
  openssl req -new -key syslogServer.key -out syslogServer.csr
- Use the CA files to sign the certificate:
  openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256
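The following is an added example, not part of the Check Point documentation: it runs the CA, client and server steps above non-interactively (using openssl's -subj and -passout options in place of the interactive prompts) and then performs the checks worth doing before the files are copied to the exporter: that both leaf certificates chain to RootCA.pem, that the .p12 opens with the challenge phrase that will go into targetConfiguration.xml, and that the server certificate's CN matches the syslog server FQDN. It assumes openssl is installed; the function names, subject names, passphrase and FQDN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Check Point documentation). Assumes openssl
# is installed; subject names, passphrase and FQDN are constructed values.
set -e

# make_log_exporter_certs <output-dir> <p12-passphrase> <syslog-server-fqdn>
# Creates RootCA.{key,pem}, log_exporter.{key,csr,crt,p12} and
# syslogServer.{key,csr,crt} in <output-dir>, mirroring the procedure above.
make_log_exporter_certs() {
  dir="$1"; pass="$2"; server_fqdn="$3"
  mkdir -p "$dir"
  (
    cd "$dir"
    # Root CA: the key stays on the CA server (-nodes = unencrypted key file)
    openssl genrsa -out RootCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key RootCA.key -days 2048 -sha256 \
      -subj "/C=US/O=MyCompany/CN=Example Root CA" -out RootCA.pem
    # Client (log_exporter) key, CSR, CA-signed certificate and P12 bundle
    openssl genrsa -out log_exporter.key 2048 2>/dev/null
    openssl req -new -key log_exporter.key \
      -subj "/C=US/O=MyCompany/CN=log-exporter.example.com" -out log_exporter.csr
    openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key \
      -CAcreateserial -out log_exporter.crt -days 2048 -sha256 2>/dev/null
    # The export passphrase is the challenge phrase referenced in the TLS config
    openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export \
      -out log_exporter.p12 -passout "pass:$pass"
    # Server (syslog target) key, CSR and CA-signed certificate; CN = server FQDN
    openssl genrsa -out syslogServer.key 2048 2>/dev/null
    openssl req -new -key syslogServer.key \
      -subj "/C=US/O=MyCompany/CN=$server_fqdn" -out syslogServer.csr
    openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key \
      -CAcreateserial -out syslogServer.crt -days 2048 -sha256 2>/dev/null
  )
}

# check_log_exporter_certs <dir> <p12-passphrase> <syslog-server-fqdn>
# Returns 0 only if both leaf certificates verify against RootCA.pem, the P12
# opens with the given passphrase, and the server CN matches the FQDN.
check_log_exporter_certs() {
  dir="$1"; pass="$2"; server_fqdn="$3"
  openssl verify -CAfile "$dir/RootCA.pem" "$dir/log_exporter.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/RootCA.pem" "$dir/syslogServer.crt" >/dev/null 2>&1 || return 1
  # A wrong challenge phrase is the usual reason the TLS connection never starts
  openssl pkcs12 -in "$dir/log_exporter.p12" -passin "pass:$pass" -nokeys -noout 2>/dev/null || return 1
  # Works with both "CN=host" (OpenSSL 1.0) and "CN = host" (1.1/3.x) subject output
  openssl x509 -in "$dir/syslogServer.crt" -noout -subject | grep -q "CN *= *$server_fqdn" || return 1
  return 0
}

# Usage:
#   make_log_exporter_certs ./certs 'ChallengePhrase' syslog.example.com
#   check_log_exporter_certs ./certs 'ChallengePhrase' syslog.example.com && echo OK
```

Run the check a second time with a deliberately wrong passphrase to confirm it fails; that is the same failure the exporter reports when the phrase in targetConfiguration.xml does not match the one used at export time.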