Log Exporter TLS Configuration
Log Exporter can export logs over an encrypted connection using the TLS protocol.
Only mutual authentication is allowed.
For mutual authentication, Log Exporter requires these certificates:
- A Certificate Authority (CA) certificate file in the PEM format (this is the CA that signed both the client (Log Exporter side) and target server certificates)
- A client certificate in the P12 format on the Management Server / Log Server with Log Exporter
Notes:
If you do not already have the required certificates, the procedure below is an example of how to create them.
The procedure below uses the openssl commands on a Linux server (non-Check Point).
Run these steps if you do not already have a trusted CA certificate in the PEM format:
- Generate the root CA key and do not give it to anyone:
  openssl genrsa -out RootCA.key 2048
- Generate the root CA certificate in the PEM format:
  openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem
  - Enter the Distinguished Name (DN) information for the certificate.
  - Common Name (CN) is the exact Fully Qualified Domain Name (FQDN) of the host on which you use the certificate.
  - All other fields are optional. If you purchase an SSL certificate from a Certificate Authority, these additional fields may be required.
- Generate the client key and do not give it to anyone:
  openssl genrsa -out log_exporter.key 2048
- Generate the client certificate signing request:
  openssl req -new -key log_exporter.key -out log_exporter.csr
- Use the CA files to sign the certificate:
  openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256
- Convert the certificate file to the P12 format:
  openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12
  Note - The challenge phrase used in this conversion is required in the "log_exporter" TLS configuration.
After you have created the required certificates, you must update the security parameters on the Check Point Management Server / Log Server.
- Connect to the command line on the Management Server / Log Server.
- Log in to the Expert mode.
- On a Multi-Domain Server / Multi-Domain Log Server, switch to the required Domain:
  mdsenv <IP Address or Name of Domain Management Server / Domain Log Server>
- Go to the directory with the applicable Log Exporter configuration:
  cd $EXPORTERDIR/targets/<Name of Log Exporter Configuration>
- Create a new directory for the certificates:
  mkdir -v certificates
  cd certificates
- Transfer these certificate files to the new directory "certificates":
  - RootCA.pem
  - log_exporter.p12
- Give the certificate files the read permission:
  chmod -v +r RootCA.pem
  chmod -v +r log_exporter.p12
- Go to the directory with the applicable Log Exporter configuration:
  cd $EXPORTERDIR/targets/<Name of Log Exporter Configuration>
- Update the targetConfiguration.xml file:
  - Edit the file:
    vi targetConfiguration.xml
  - Configure the full path to the new certificate files and the challenge phrase used to create the P12 certificate.
  - Save the changes in the file and exit the editor.
- Generate the server key and do not give it to anyone:
  openssl genrsa -out syslogServer.key 2048
- Generate the server certificate signing request:
  openssl req -new -key syslogServer.key -out syslogServer.csr
- Use the CA files to sign the certificate:
  openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256
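The client and server certificate steps above, followed by the checks a practitioner should run before copying RootCA.pem and log_exporter.p12 to the Log Server. This is an added example, not Check Point's or OpenSSL's own code; it assumes openssl is installed and uses placeholder CNs (Test Root CA, log_exporter.example.net, syslogServer.example.net) and a placeholder P12 export password (the "challenge phrase" of the procedure) in place of your real values.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling. Builds a throw-away CA, client
# and server certificate with the same openssl steps as the procedure above,
# then runs the checks worth doing before the files go to the Log Server.
# Assumptions: openssl is installed; the CNs and the P12 export password (the
# "challenge phrase" in the procedure) are placeholders you replace.
set -eu

# Build the test chain in $1 with P12 password $2. The -subj flags stand in for
# the interactive DN prompts; CN must be the FQDN of the host using the cert.
make_test_chain() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/RootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/RootCA.key" -days 2048 \
        -subj "/CN=Test Root CA" -out "$dir/RootCA.pem"
    for name in log_exporter syslogServer; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$name.key" -subj "/CN=$name.example.net" \
            -out "$dir/$name.csr"
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/RootCA.pem" \
            -CAkey "$dir/RootCA.key" -CAcreateserial -out "$dir/$name.crt" \
            -days 2048 -sha256 2>/dev/null
    done
    openssl pkcs12 -inkey "$dir/log_exporter.key" -in "$dir/log_exporter.crt" \
        -export -passout "pass:$pass" -out "$dir/log_exporter.p12"
}

# Pre-deployment checks on the files in $1; returns 0 only if all pass.
check_chain() {
    dir=$1; pass=$2
    # 1. Both leaf certificates chain to the CA file Log Exporter is given.
    openssl verify -CAfile "$dir/RootCA.pem" "$dir/log_exporter.crt" \
        "$dir/syslogServer.crt" >/dev/null 2>&1 || return 1
    # 2. The P12 opens with the phrase that goes into targetConfiguration.xml.
    openssl pkcs12 -in "$dir/log_exporter.p12" -passin "pass:$pass" \
        -noout 2>/dev/null || return 1
    # 3. The certificate inside the P12 carries the key that RootCA signed.
    p12_pub=$(openssl pkcs12 -in "$dir/log_exporter.p12" -passin "pass:$pass" \
        -nokeys 2>/dev/null | openssl x509 -noout -pubkey)
    crt_pub=$(openssl x509 -in "$dir/log_exporter.crt" -noout -pubkey)
    [ -n "$p12_pub" ] && [ "$p12_pub" = "$crt_pub" ] || return 1
    # 4. A wrong phrase must be rejected, or check 2 proves nothing.
    if openssl pkcs12 -in "$dir/log_exporter.p12" -passin "pass:x$pass" \
        -noout 2>/dev/null; then return 1; fi
}
# Usage: make_test_chain /tmp/lx-test 'phrase' && check_chain /tmp/lx-test 'phrase'
```

Run check_chain against the real files with the phrase you intend to put in targetConfiguration.xml; a failure in check 1 or 3 means the CA file or P12 does not match what you signed, and a failure in check 2 means the phrase is wrong.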