How do I implement Security Reporting Center so that it uses a secure connection? (SRC 2.0)


This article applies to:

  • Security Reporting Center 2.0

Question:

  • How do I implement Security Reporting Center so that it uses a secure connection?
  • Can Security Reporting Center use an SSL connection?

Procedure:

SSL Overview
Sensitive information is often transmitted between Web clients and Web servers. Protecting this information is typically accomplished by sending the data in an encrypted form and subsequently decrypting the data on the receiving side. The Secure Sockets Layer (SSL) protocol provides several features that enable secure transmission of Web traffic. These features include data encryption, server authentication, and message integrity. To enable secure communication from Web clients to Security Reporting Center using SSL, you must first enable SSL support.

Important!
The steps provided below describe how to enable basic SSL functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the SSL resources at the following two sites. 

http://www.apache.org/ 

http://www.modssl.org/

SSL Installation Procedure - Windows

  1. Install Security Reporting Center, using the instructions described in chapter two of the user guide, which can be found on the following Web page.

    https://support.trustwave.com/Security-Reporting-Center/documentation.asp

  2. Download the file SRC20_sslupdate.zip from the Article Attachments section below.

  3. Create a directory called sslupdate on your desktop.

  4. Unzip the contents of SRC20_sslupdate.zip into the directory on your desktop.

  5. From this directory, execute SSLUpdate.exe. This enables SSL for Apache and installs a self-signed certificate for testing purposes. You may access the secure interface at https://<hostname>:9443.

    * You may opt to install your own certificate at this point, or follow the instructions below.

To create a valid SSL certificate, follow these steps.

Using the openssl command-line utility, generate an RSA private key. The openssl utility is included in the Security Reporting Center distribution, and can be found in the /common/apache/bin directory of your Security Reporting Center installation.

  1. Type the following at the command line.

     cd <Install Directory>/common/apache/bin

  2. Run openssl.exe.

  3. At the openssl> prompt, type the following.

    genrsa -des3 -rand ssl.rnd -out server.key 1024

  4. The openssl utility prompts you for a pass-phrase. Save this pass-phrase in a secure location.

    Note: If you want a DSA private key, replace genrsa with gendsa. To encrypt your key with DES rather than 3DES, replace -des3 with -des.

  5. Typically, the Apache Web server prompts for your pass-phrase when the server is started. If you want to start Security Reporting Center without manual intervention, perform the following steps.

    • To copy the server key, type the following at the command line.

      copy server.key server.key.org

    • Run openssl.exe

    • At the openssl> prompt, type the following.

        rsa -in server.key.org -out server.key

    • Copy the private key to your Apache installation by typing the following. 

      copy server.key <Install Directory>/common/apache/conf/ssl.key

  6. Create a certificate signing request.

    • Run openssl.exe.

    • Type the following at the OpenSSL> prompt. 

      req -new -config openssl.cnf -key server.key -out server.csr

  7. The openssl utility prompts you for a variety of information. Provide information based on your Security Reporting Center installation. This creates the server.csr file. Send this file to a Certificate Authority for signing.

  8. When you get a response (signed certificate) from the Certificate Authority, copy the response to your Apache installation using the following command.

     copy <signed certificate> <Install Directory>/common/apache/conf/ssl.crt/server.crt

  9. Restart the NetIQ - Apache service. 

To create a valid SSL certificate, follow these steps.

Using the openssl command-line utility, generate an RSA private key.  The openssl command-line utility is included in the Security Reporting Center distribution, and can be found in the following directory.

<Install Directory>/common/apache/bin

  1. At the command line, type the following.

    cd <Install Directory>/common/apache/bin
    ps -ef > ~/.rnd
    ./openssl genrsa -des3 -rand ssl.rnd -out server.key 1024

  2. The openssl utility prompts you for a pass-phrase. Save this pass-phrase in a secure location.

    Note: If you want a DSA private key, replace genrsa with gendsa. To encrypt your key with DES rather than 3DES, replace -des3 with -des.

  3. Typically, the Apache Web server prompts you for your pass-phrase when the server is started. If you want to start the DCS without manual intervention, use the following steps.

    • Type the following at a command line.

        cp server.key server.key.org
        openssl rsa -in server.key.org -out server.key

    • To change the mode of the server.key file, type the following.

        chmod 400 server.key

    • To copy the private key to your Apache installation, type the following.

      cp server.key <Install Directory>/common/apache/conf/ssl.key

  4. Create a certificate signing request. Using the openssl command-line utility, type the following.

     ./openssl req -new -config openssl.cnf -key server.key -out server.csr

  5. The openssl utility prompts you for a variety of information. Provide information based on your Security Reporting Center installation. This creates the server.csr file. Send this file to a Certificate Authority for signing.

  6. When you get a response (signed certificate) from the Certificate Authority, copy the response to your Apache installation.

     cp <signed cert.> <Install Directory>/common/apache/conf/ssl.crt/server.crt

  7. Restart Apache with SSL enabled by typing this command. 

    <Install Directory>/common/bin/restartallui.sh

  8. To verify that your SSL-enabled Web server started, type the following.

     ps -elf | grep httpd

  9. If Apache has started, you should see several httpd processes running. If not, look at the <Install Directory>/common/apache/logs/error_log file for indications of the problems.
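The pass-phrase removal steps above leave server.key unencrypted on disk. The following added example (not part of the original article or the product) reports whether a PEM key file is pass-phrase protected and, if it is not, whether its permissions are owner-only as the chmod 400 step intends. The function names and the sample file contents are constructed for illustration; the protected form is recognized by the Proc-Type: 4,ENCRYPTED header of traditional openssl PEM output or by an ENCRYPTED PRIVATE KEY block.

```shell
#!/bin/sh
# Added example (not vendor code): audit PEM private key files on disk.

# classify_key prints "encrypted", "unencrypted" or "not-a-key".
classify_key() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null ||
       grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null; then
        echo encrypted
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo unencrypted
    else
        echo not-a-key
    fi
}

# owner_only succeeds when group and other have no permission bits set.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_key prints a verdict and returns 0 (ok), 1 (exposed) or 2 (not a key).
audit_key() {
    case "$(classify_key "$1")" in
        not-a-key) echo "FAIL $1: no PEM private key found"; return 2 ;;
        encrypted) echo "OK   $1: pass-phrase protected"; return 0 ;;
    esac
    if owner_only "$1"; then
        echo "OK   $1: unencrypted, owner-only permissions"; return 0
    fi
    echo "WARN $1: unencrypted and accessible beyond its owner"; return 1
}

# write_sample creates a CONSTRUCTED key file (placeholder body, not a real key).
# $1 = path, $2 = "enc" for the pass-phrase protected form, anything else for plain.
write_sample() {
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = enc ]; then
            printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n'
        fi
        echo 'CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}

# Audit every path given on the command line, e.g. server.key and server.key.org.
for f in "$@"; do audit_key "$f" || true; done
```

Run it against both server.key and the server.key.org backup: the backup should report as pass-phrase protected, and the stripped key should report owner-only permissions.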

 

Notes:

With the release of Security Reporting Center 2.1, SSL configuration has changed.  For more information about configuring SSL for version 2.1, please see the following knowledge base article:

https://support.trustwave.com/kb/article.aspx?id=10359

This article was previously published as:
NETIQKB18260

Last Modified 6/25/2008.
https://support.trustwave.com/kb/KnowledgebaseArticle10360.aspx