If you're having trouble at any stage please contact us at support@skyformation.com.
When to use this guide (and when not to)
Use this guide when
1. Cloud Connectors (a.k.a. SkyFormation) is deployed behind a proxy, reverse web gateway or firewall that terminates the SSL connections of the traffic going out of CC to the outside world and to the other systems we want to interact with, such as SIEMs or LDAP/AD.
2. Cloud Connectors needs to communicate with a system that uses a self-signed or internally-signed SSL certificate, such as AD/LDAP (for authentication or enrichment) or a SIEM reached via TLS.
DO NOT use this guide when you want secure communication between the browser accessing the CC's Web UI and the server, i.e. a green URL bar in the browser.
For that use this guide: link
Preface
The SkyFormation platform allows integration with 3rd party systems such as LDAP, SIEM and others.
In cases where the 3rd party system requires SSL for the integration (e.g. LDAPS in the LDAP integration), the SkyFormation app will try to establish the communication over SSL if configured to do so. For the SkyFormation app to establish SSL connectivity, it must trust the SSL certificate the 3rd party system presents.
This post explains how to add the SSL certificate used by the 3rd party system to the SkyFormation store of trusted certificates.
The procedure below is needed for the following SkyFormation integrations:
- LDAP integration for identity enrichment (Settings->LDAP integration)
- Configure SkyFormation to use LDAP for authentication
- Send the SkyFormation events using syslog to the external SIEM over SSL
Option 1: Automated script
- Create a script file on the machine that runs SkyFormation, e.g. import_cert.sh, with the below content:
#!/usr/bin/env bash
# Extracts the SSL certificate presented by a remote host and saves it as a local PEM file.
# Receives: host, port, target folder.
# Creates a file ${host}.pem inside the target folder and prints the file name.
set -euo pipefail

download_cert(){
  local _serverHost=$1
  local _serverPort=$2
  local _dstFolder=$3
  docker exec sk4tomcat openssl s_client -connect "${_serverHost}:${_serverPort}" -servername "${_serverHost}" </dev/null 2>/dev/null | openssl x509 > "${_dstFolder}/${_serverHost}.pem"
  echo "${_serverHost}.pem"
}

# Imports a PEM file from the SkyFormation conf folder into the given trust store.
# Both files are visible inside the sk4tomcat container under /usr/local/tomcat/sk4conf.
import_cert_to_cacerts(){
  local _certFile=$1
  local _storeFile=$2
  docker exec sk4tomcat keytool -import -trustcacerts -keystore "/usr/local/tomcat/sk4conf/${_storeFile}" -noprompt -storepass changeit -alias "${_certFile}" -file "/usr/local/tomcat/sk4conf/${_certFile}"
}

# USE: script.sh my.server.com 443
if [ $# -ne 2 ]; then
  echo "usage: $0 <host> <port>" >&2
  exit 1
fi
# maybe the conf folder is a bind mount
confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
# and maybe not
[ "${confDir}" == "<no value>" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}')
# download the cert. from the server into the conf dir.
certFile=$(download_cert "$1" "$2" "${confDir}")
# import it into cacerts
import_cert_to_cacerts "${certFile}" sk4cacerts
- Make the script executable:
chmod +x import_cert.sh
- Run the script with the server full host and port:
sudo ./import_cert.sh my.server.com 443
- Restart SkyFormation to take effect:
sudo systemctl restart sk4compose
Option 2: Manually perform the steps of the automated script
Steps
- On the SkyFormation machine, find out where the certificate store is by running the commands below:
# maybe the conf folder is a bind mount
confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
# and maybe not
[ "${confDir}" == "<no value>" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}')
- Download the certificate as an X.509 file into the folder from step 1:
Replace my.server.com and 443 with the real host and port:
docker exec sk4tomcat openssl s_client -connect my.server.com:443 -servername my.server.com 2>/dev/null | openssl x509 > ${confDir}/my.server.com.pem
- Import the extracted certificate into the cacerts store:
docker exec sk4tomcat keytool -import -trustcacerts -keystore /usr/local/tomcat/sk4conf/sk4cacerts -noprompt -storepass changeit -alias "my.server.com.pem" -file /usr/local/tomcat/sk4conf/my.server.com.pem
- Restart SkyFormation to take effect:
sudo systemctl restart sk4compose
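The openssl s_client download used in both options trusts whatever certificate the network hands back, so before importing a .pem it is worth confirming that the file really belongs to the remote system, and after the import that the store actually contains it. The following is an added example, not part of the SkyFormation guide or its script: a small set of bash helpers that print the SHA-256 fingerprint of a downloaded .pem (to compare with a value obtained out of band from the system's owner), check that the certificate is not about to expire, print its subject/issuer, and verify that an alias exists in a trust store. It assumes openssl is installed on the machine and, for the last check only, keytool with the store password changeit from this guide; the file name and expected fingerprint on the command line are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not SkyFormation's own script): checks to run on a downloaded
# .pem before and after importing it with the keytool command from this guide.
set -euo pipefail

# SHA-256 fingerprint of the certificate in a PEM file, printed as "AB:CD:...".
# Compare it with the value the owner of the remote system gives you out of band;
# a mismatch means the file is not the certificate you meant to trust.
cert_fingerprint() {
  local _pem=$1
  openssl x509 -in "${_pem}" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the downloaded certificate's fingerprint equals the expected one.
cert_matches_expected() {
  local _pem=$1 _expected=$2
  [ "$(cert_fingerprint "${_pem}")" = "${_expected}" ]
}

# Returns 0 when the certificate stays valid for at least ${2:-30} more days,
# so that an almost-expired certificate is not imported only to fail next week.
cert_valid_for_days() {
  local _pem=$1 _days=${2:-30}
  openssl x509 -in "${_pem}" -noout -checkend $(( _days * 86400 )) >/dev/null
}

# Subject, issuer and expiry date, to confirm it is the certificate you expected
# (for an internally-signed certificate the issuer should be your own CA).
cert_summary() {
  local _pem=$1
  openssl x509 -in "${_pem}" -noout -subject -issuer -enddate
}

# Post-import check: returns 0 when the alias is present in the trust store.
# Assumes keytool is available (it is inside the sk4tomcat container) and the
# store password changeit used by this guide.
alias_in_store() {
  local _store=$1 _alias=$2
  keytool -list -keystore "${_store}" -storepass changeit -alias "${_alias}" >/dev/null 2>&1
}

# Usage: ./check_cert.sh my.server.com.pem <expected SHA-256 fingerprint>
if [ $# -ge 2 ]; then
  cert_summary "$1"
  if cert_matches_expected "$1" "$2" && cert_valid_for_days "$1" 30; then
    echo "fingerprint matches and certificate is valid: OK to import"
  else
    echo "fingerprint mismatch or certificate expiring: do NOT import" >&2
    exit 2
  fi
fi
```

Run it on the .pem written by the download step, passing the fingerprint the remote system's administrator gave you; only import when it reports OK. After the keytool import, `alias_in_store /usr/local/tomcat/sk4conf/sk4cacerts my.server.com.pem` (run inside the sk4tomcat container) confirms the entry exists before you restart SkyFormation.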
Done