Setting up SIEM Agent to use Transport Layer Security (TLS)
SIEM Agent allows you to protect the communication between SIEM Agent and SIEMS. Protection is provided by use of the TLS (Transport Layer Security) protocol. SIEM Agent supports TLS version 1.2.
In order to use TLS to encrypt a SIEM Agent connection, you must use a digital certificate. If your organization has already purchased a trusted digital certificate, copy the certificate file to your SIEM server and configure your SIEM solution settings accordingly. If a certificate is not available, you can create one using IBM’s Digital Certificate Manager. See To create a self-signed digital certificate.
To configure SIEM Agent to use TLS
-
Grant PTUSER *RX authority to the /QIBM/UserData/ICSS/Cert directory and all its subdirectories.
CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/') USER(PTUSER) DTAAUT(*RX) SUBTREE(*ALL) - Create a new Output of type *NETWORK, or modify an existing Output as follows.
- In SIEM Agent, from the Main Menu, choose option 3, Work with Outputs.
- Press F6 to create a new Output or select option 2 on an existing Output to modify it.
- Configure the Output to send data to the SIEM server. Specify the following to secure the connection:
- Type: *NETWORK
- Location: the IP address specified in the Certificate Authority
- Port: the port specified in the Certificate Authority
- Protocol: *TLS
NOTE: Consult the documentation of your SIEM solution for more information about identifying the required IP address and port required to use the Certificate Authority.
The following example demonstrates how to do this for the Kiwi Free Syslog server.
- Import the certificate to your Kiwi server:
Copy the certificate file to the server.
- Start / Run / mmc [Enter]
- Choose File > Add/Remove Snap-in…
- Choose Available snap-ins > Certificates.
- Select Add.
- Select Computer account and then Next.
- Select Local computer, then Finish.
- Choose OK.
- Expand Certificates (Local Computer).
- Right-click Personal, choose All Tasks > Import.
- Find the certificate file you copied over from the IBM i.
- Enter the password you entered when the certificate was exported and click Next.
- Select Certificate Store ‘Personal’ and click Next.
- Click Finish.
- Point Kiwi to this certificate.
- Choose File > Setup.
- Scroll down and expand Inputs.
- Click UDP and un-check Listen for UDP Syslog messages.
- Click on TCP and un-check Listen for TCP Syslog messages.
- Click on Secure TCP.
- Check Listen for secure (TLS) TCP Syslog messages.
- Click Select Certificate.
- In the Certificate Store drop-down, choose My.
- In the list of available certificates, find the one where ‘CN=xxx’ matches the common name noted during step 1 above.
- Highlight that entry and click Select.
- Enter the TCP port number you would like to use.
- Click OK.
Configure a *NETWORK Output in SIEM Agent that uses the *TLS protocol and the same port you entered in Kiwi. See above.
To create a self-signed digital certificate
- Open the Digital Certificate Manager by going to:
http://your server name :2001/QIBM/ICSS/Cert/admin/qycucm1.ndm/main0
STRTCPSVR SERVER(*HTTP) HTTPSVR(*admin)
- If no certificate authority was previously configured, click Create a Certificate Authority (CA) on the left side menu.
- Enter the requested information and click Continue.
- For 'Install Local CA Certificate,' review the text and click Continue.
- For 'Certificate Authority (CA) Policy Data,' verify information and click Continue.
- On the 'Policy Data Accepted' screen, click Continue again.
- On the Create a Server or Client Certificate screen, you are prompted to create the Certificate store *SYSTEM. Enter the requested information and click Continue.
- Select applications that should trust the Certificate Authority and click Continue.
- Continue to create an Object Signing Certificate.
- Copy the certificate file to your SIEM server and configure your SIEM solution settings accordingly.