This guide explains how to replace the default SSL (HTTPS) server certificate with one provided by the customer.
When to use this guide (and when not to)
Use this guide when you want browser-trusted, encrypted communication between the browser accessing the CC's Web UI and the server, i.e. a green URL bar in the browser.
DO NOT use this guide when
1. Cloud Connectors (a.k.a. SkyFormation) is deployed behind a proxy, reverse web gateway or firewall that terminates SSL for traffic leaving the CC towards outside systems it needs to interact with, such as SIEMs or LDAP/AD.
2. Cloud Connectors needs to communicate with any system that uses a self-signed or internally signed SSL certificate, such as AD/LDAP (for authentication or enrichment) or a SIEM over TLS.
For those cases use this guide instead: link
All steps require root access.
Steps:
- Locate the sk4_conf directory, under /opt/exabeam/data/sk4/conf or /var/lib/docker/volumes/sk4_conf/_data, and change the working directory to it.
If you can't find it in either location, run the following command to locate it:
docker volume inspect sk4_conf
If the directory doesn't exist, please contact our support team at support@skyformation.com.
- (IMPORTANT) Back up the sk4keystore.jks file:
cp sk4keystore.jks sk4keystore.jks.BAK
- Copy your certificate to the sk4_conf volume located in step 1.
- If openssl and keytool are not installed on the host machine, use the ones installed inside the CC's tomcat container. Skip this step if they are installed on the host.
Run this command to enter the tomcat container:
docker exec -ti $(docker container ls | grep sk4 | grep tomcat | cut -f1 -d" ") bash
Navigate to the sk4conf directory inside the container:
cd /usr/local/tomcat/sk4conf/
- Based on your certificate file format, run the corresponding command to convert it to PEM format:
pem format: rename your certificate file to SF_cert.pem
p7b format:
openssl pkcs7 -inform der -print_certs -in <your-certificate-file>.p7b -out SF_cert.pem
crt format (DER-encoded):
openssl x509 -inform der -in <your-certificate-file>.crt -out SF_cert.pem
If your .crt file is already PEM-encoded (it starts with -----BEGIN CERTIFICATE-----), do not convert it; just rename it to SF_cert.pem.
- Merge your PEM certificate with the private key (app.key) into a PKCS#12 file:
openssl pkcs12 -export -name skyformation -in SF_cert.pem -inkey app.key -out merged.p12
Note: the alias "skyformation" is important! openssl prompts for an export password for merged.p12; remember it, as it is the password the next steps refer to.
- Create a new sk4keystore.jks by importing the p12 into a JKS keystore.
Make sure to replace [ALIAS_SRC] with the alias of the key inside the p12 (skyformation, if you used the command above):
keytool -importkeystore -srckeystore merged.p12 -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore sk4keystore.jks -deststoretype jks -deststorepass changeit -destalias skyformation
keytool prompts for the source keystore password (the export password from the previous step) and, if the skyformation alias already exists in sk4keystore.jks, asks whether to overwrite it; answer yes.
If the export password you chose for merged.p12 is not 'changeit', the imported key keeps that password while the keystore password stays changeit; in that case change the key password:
keytool -keypasswd -alias skyformation -keypass <old-password> -new changeit -keystore sk4keystore.jks -storepass changeit
The keystore password is changeit by default and must be equal to the skyformation alias (key) password.
- (OPTIONAL) If you would like to set a password other than the default, follow these steps:
Run the following command to set your new password on the keystore:
keytool -storepasswd -new <new-password> -keystore sk4keystore.jks -storepass changeit
Remember that the skyformation key password must match the new keystore password (see the keytool -keypasswd command above).
Then open /usr/local/tomcat/conf/server.xml for editing and change the password from "changeit" to your new password:
- Exit the container:
exit
- Restart the app for the change to take effect:
sudo systemctl restart sk4compose
- DONE!
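The whole procedure above, from locating sk4_conf to verifying the new keystore, as a shell script. This is an added example and not part of the original guide or the product. It assumes it is started as root from the host (or inside the tomcat container after the docker exec above), that openssl and keytool are on PATH, and that the private key is app.key as in the guide; the P12_PASS variable, the .BAK-exists check, the certificate/key match pre-check and the intermediate sk4keystore.jks.new file are assumptions of this script, not steps from the guide. It differs from the manual steps in one way: it sets the key password with -destkeypass in the keytool -importkeystore call, so the separate keytool -keypasswd step is not needed.

```shell
#!/bin/sh
# Added example (not from the original guide): automates the certificate
# replacement steps above. Assumed: run as root from the host or inside the
# tomcat container, openssl and keytool on PATH, private key named app.key.
set -eu

P12_PASS="${P12_PASS:-changeit}"   # assumed transit password for merged.p12
KS_PASS="changeit"                 # keystore/key password Tomcat expects (guide)
ALIAS="skyformation"               # alias the app requires (guide)

# Find the sk4_conf directory using the three options the guide lists, in order.
find_conf_dir() {
  for d in /opt/exabeam/data/sk4/conf /var/lib/docker/volumes/sk4_conf/_data; do
    [ -d "$d" ] && { echo "$d"; return 0; }
  done
  docker volume inspect -f '{{ .Mountpoint }}' sk4_conf 2>/dev/null
}

# Print the command that turns the customer's certificate into SF_cert.pem.
# Mirrors the guide's three cases plus one caveat: a .crt that is already
# PEM-encoded (contains "-----BEGIN") only needs copying, not DER conversion.
convert_cmd() {
  cert="$1"
  if [ -f "$cert" ] && grep -q -- '-----BEGIN' "$cert"; then
    echo "cp '$cert' SF_cert.pem"
    return 0
  fi
  case "$cert" in
    *.pem) echo "cp '$cert' SF_cert.pem" ;;
    *.p7b) echo "openssl pkcs7 -inform der -print_certs -in '$cert' -out SF_cert.pem" ;;
    *.crt) echo "openssl x509 -inform der -in '$cert' -out SF_cert.pem" ;;
    *)     echo "unsupported certificate format: $cert" >&2; return 1 ;;
  esac
}

# Fail early if the certificate was not issued for app.key: openssl pkcs12
# -export refuses a mismatched pair, so compare the public keys first.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

replace_cert() {
  cert="$1"
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su -)" >&2; return 1; }
  conf=$(find_conf_dir) && [ -d "$conf" ] || { echo "sk4_conf not found" >&2; return 1; }
  cd "$conf"
  # Keep the first backup; never overwrite it on a re-run.
  [ -f sk4keystore.jks.BAK ] || cp -p sk4keystore.jks sk4keystore.jks.BAK
  cmd=$(convert_cmd "$cert") || return 1
  eval "$cmd"
  cert_matches_key SF_cert.pem app.key || { echo "SF_cert.pem does not match app.key" >&2; return 1; }
  openssl pkcs12 -export -name "$ALIAS" -in SF_cert.pem -inkey app.key \
    -out merged.p12 -passout "pass:$P12_PASS"
  # Build the new keystore in a fresh file; -destkeypass sets the key password
  # to changeit here, replacing the separate keytool -keypasswd step.
  rm -f sk4keystore.jks.new
  keytool -importkeystore -noprompt \
    -srckeystore merged.p12 -srcstoretype pkcs12 -srcstorepass "$P12_PASS" -srcalias "$ALIAS" \
    -destkeystore sk4keystore.jks.new -deststoretype jks -deststorepass "$KS_PASS" \
    -destalias "$ALIAS" -destkeypass "$KS_PASS"
  # Only swap the keystore in once the alias is present as a private-key entry.
  keytool -list -v -keystore sk4keystore.jks.new -storepass "$KS_PASS" -alias "$ALIAS" \
    | grep -q 'PrivateKeyEntry' || { echo "alias $ALIAS missing in new keystore" >&2; return 1; }
  mv sk4keystore.jks.new sk4keystore.jks
  rm -f merged.p12
  echo "keystore replaced; exit the container if needed, then: sudo systemctl restart sk4compose"
}

if [ $# -ge 1 ]; then replace_cert "$1"; else echo "usage: $0 <certificate-file>" >&2; fi
```

Run it as `sh replace_cert.sh /path/to/customer.crt` (or .p7b/.pem), then restart sk4compose on the host as in the last step. If something fails before the mv, the original sk4keystore.jks is untouched and sk4keystore.jks.BAK still holds the first backup.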
Comments
Hi,
the sk4 directory is located at /opt/ and not in /opt/exabeam/data/
Can I follow the procedure anyway?
Hi,
If you know the volume location you can proceed; anyway, you will get help on how to detect the sk4 directory location during the procedure.
Actually I'm getting some permission errors.
Make sure you are running as root, and not as exabeam:
sudo su -
I updated the cert using your procedure, no errors with the commands, but actually I can't see the login page anymore... it times out.
I also updated the password of the keystore in the xml file because I can't use "changeit" for the new customer certificate.
Is the Skyformation alias mandatory?
Yes, it is mandatory. Please redo the procedure exactly as described, with the alias.