If you're having trouble at any stage please contact us at support@skyformation.com.
IMPORTANT NOTE
This guide is for any SkyFormation version 2.1.21 and above. If you are using older version of SkyFormation make sure to upgrade SkyFormation first before running the below procedure.
Preface
SkyFormation platform allows integration with 3rd party systems as LDAP, SIEM and others.
In cases where the 3rd party system requires SSL for the integration (e.g. LDAPS in the LDAP integration) SkyFormation app will try to establish the communication over SSL if configured to do so. To allow SkyFormation app to establish SSL connectivity SkyFormation app must trust the 3rd party SSL certificate in use.
This post explains how to add to the SkyFormation store of trusted certificates the SSL certificate used by the 3rd party system.
The below procedure is needed for the following SkyFormation integrations:
- LDAP integration for identity enrichment (Settings->LDAP integration)
- Configure SkyFormation to use LDAP for authentication
- Send the SkyFormation events using syslog to the external SIEM over SSL
Option 1: Automated script
- Create a script file on the machine that runs SkyFormation, e.g. import_cert.sh, with the below content:
#!/usr/bin/env bash
# extracts ssl certificate from remote host. saves into a local file
# receives host, port, target folder
# creates a file ${host}.pem at execution location
download_cert(){
local _serverHost=$1
local _serverPort=$2
local _dstFolder=$3
docker exec sk4tomcat openssl s_client -connect ${_serverHost}:${_serverPort} -servername ${_serverHost} 2>/dev/null | openssl x509 > ${_dstFolder}/${_serverHost}.pem
echo ${_serverHost}.pem
}
import_cert_to_cacerts(){
local _certFile=$1
local _storeFile=$2
docker exec sk4tomcat keytool -import -trustcacerts -keystore /usr/local/tomcat/sk4conf/${_storeFile} -noprompt -storepass changeit -alias "${_certFile}" -file /usr/local/tomcat/sk4conf/${_certFile}
}
# USE: script.sh my.server.com 443
# maybe the folder is bound-mount
confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
# and maybe not
[ "${confDir}" == "<no value>" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}')
# download the cert. from the server to the conf dir.
certFile=$(download_cert $1 $2 ${confDir})
# import to cacerts
import_cert_to_cacerts ${certFile} sk4cacerts - Make the script executable:
chmod +x import_cert.sh
- Run the script with the server full host and port:
sudo ./import_cert.sh my.server.com 443
- Restart SkyFormation to take effect:
sudo systemctl restart sk4compose
Option 2: Manually perform the steps of the automated script
Steps
- On the SkyFormation machine, figure out where the certificate store is at by running the below commands:
# maybe the folder is bound-mount
confDir=$(sudo docker inspect sk4_conf -f '{{.Options.device}}')
# and maybe not
[ "${confDir}" == "" ] && confDir=$(sudo docker inspect sk4_conf -f '{{.Mountpoint}}') - Download the certificate as x.509 file into the folder from step 1:
Replace my.server.com and 443, with the real host, port
docker exec sk4tomcat openssl s_client -connect my.server.com:443 -servername my.server.com 2>/dev/null | openssl x509 > ${confDir}/my.server.com.pem - Import the extracted certificate into the cacerts store:
-
docker exec sk4tomcat keytool -import -trustcacerts -keystore /usr/local/tomcat/sk4conf/sk4cacerts -noprompt -storepass changeit -alias "my.server.com.pem" -file /usr/local/tomcat/sk4conf/my.server.com.pem
Restart SkyFormation to take effect: -
sudo systemctl restart sk4compose
Done
Comments
0 comments
Please sign in to leave a comment.