If you're having trouble at any stage please contact us at support@skyformation.com.

IMPORTANT NOTE
This guide is for any SkyFormation version 2.1.21 and above. If you are using older version of SkyFormation make sure to upgrade SkyFormation first before running the below procedure.

Preface

SkyFormation platform allows integration with 3rd party systems as LDAP, SIEM and others.

In cases where the 3rd party system requires SSL for the integration (e.g. LDAPS in the LDAP integration) SkyFormation app will try to establish the communication over SSL if configured to do so. To allow SkyFormation app to establish SSL connectivity SkyFormation app must trust the 3rd party SSL certificate in use.

This post explains how to add to the SkyFormation store of trusted certificates the SSL certificate used by the 3rd party system.

The below procedure is needed for the following SkyFormation integrations:

- LDAP integration for identity enrichment (Settings->LDAP integration)

- Configure SkyFormation to use LDAP for authentication

- Send the SkyFormation events using syslog to the external SIEM over SSL

Option 1: Automated script

1. Create a script file on the machine that runs SkyFormation, e.g. import_cert.sh, with the below content:
   
   

   #!/usr/bin/env bash
   
   # extracts ssl certificate from remote host. saves into a local file
   # receives host, port, target folder
   # creates a file ${host}.pem at execution location
   
   download_cert(){
     local _serverHost=$1
     local _serverPort=$2
     local _dstFolder=$3
     docker exec sk4_sk4_tomcat_1 openssl s_client -connect ${_serverHost}:${_serverPort} -servername ${_serverHost} 2>/dev/null | openssl x509 > ${_dstFolder}/${_serverHost}.pem
     echo ${_serverHost}.pem
   }
   
   import_cert_to_cacerts(){
     local _certFile=$1
     local _storeFile=$2
     docker exec -w /usr/local/tomcat/sk4conf sk4_sk4_tomcat_1 keytool -import -trustcacerts -keystore ${_storeFile} -noprompt -storepass changeit -alias "${_certFile}" -file ${_certFile}
   }
   
   # USE: script.sh my.server.com 443
   # maybe the folder is bound-mount
   confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
   # and maybe not
   [ "${confDir}" == "<no value>" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}')
   # download the cert. from the server to the conf dir.
   certFile=$(download_cert $1 $2 ${confDir})
   # import to cacerts
   import_cert_to_cacerts ${certFile} sk4cacerts

2. Make the script executable:

   chmod +x import_cert.sh

3. Run the script with the server full host and port:

   sudo ./import_cert.sh my.server.com 443

4. Restart SkyFormation to take effect:

   sudo systemctl restart sk4compose

Option 2: Manually perform the steps of the automated script

Steps

1. On the SkyFormation machine, figure out where the certificate store is at by running the below commands:
   

   # maybe the folder is bound-mount 
   confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}') 
   # and maybe not 
   [ "${confDir}" == "" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}') 

2. Download the certificate as x.509 file into the folder from step 1:
   Replace my.server.com and 443, with the real host, port
   

   docker exec sk4_sk4_tomcat_1 openssl s_client -connect my.server.com:443 -servername my.server.com 2>/dev/null | openssl x509 > ${confDir}/my.server.com.pem

3. Import the extracted certificate into the cacerts store:
   
   

   docker exec -w /usr/local/tomcat/sk4conf sk4_sk4_tomcat_1 keytool -import -trustcacerts -keystore sk4cacerts -noprompt -storepass changeit -alias "my.server.com.pem" -file my.server.com.pem

4. Restart SkyFormation to take effect:

   sudo systemctl restart sk4compose

Done