Imperva Cyber Community

View Only

Back to discussions

Expand all | Collapse all

CA Signed Certs in v4.10

1. CA Signed Certs in v4.10

Like
Tyler Somers
Posted 12-23-2022 11:26
Has anyone tried using CA signed certs in version 4.10. I am able to get our browser cert working by modifying the SonarFinder server.xml file in my local directory, however, when I do this it breaks the SSL to our agentless gateways. Seems the assets in v4.10 are synched via a playbook and the call to our agentless gateway endpoint is failing to create an SSL connection.

Just curious if anyone has had any luck getting this to work as the process is not documented anywhere.
#DatabaseActivityMonitoring
#jSonar

------------------------------
Tyler Somers
Senior Security Engineer
Chicago, IL
------------------------------
2. RE: CA Signed Certs in v4.10

Like
Sarvesh Lad
Posted 01-03-2023 10:33
May I ask what documentation are you following?

Here are the steps in brief:

Copy the default server.xml config to the "local" folder, and set it's corerct ownership, by running the next commands
sudo cp $JSONAR_BASEDIR/sonarfinder/conf/server.xml $JSONAR_LOCALDIR/sonarfinder/
sudo chown sonarw.sonar $JSONAR_LOCALDIR/sonarfinder/server.xml

Copy the Certificate files to the "local" folder and set their permissions
sudo mkdir $JSONAR_LOCALDIR/ssl/certs
sudo cp <certificate and key files> $JSONAR_LOCALDIR/ssl/certs/
sudo chown -R sonarw.sonar $JSONAR_LOCALDIR/ssl/certs

Edit the local server.xml file that we copied in first step $JSONAR_LOCALDIR/sonarfinder/server.xml

<SSLHostConfig protocols="+TLSv1.2+TLSv1.1"
.....
<Certificate certificateKeyFile="<Full Path to the key>"
certificateFile="<Full Path to the certificate>"
type="RSA"/>
</SSLHostConfig>

Note: Must set full path to the certificate and key, do not use any environment variables.

Restart sonarfinder and test,

systemctl restart sonarfinder

------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
------------------------------
3. RE: CA Signed Certs in v4.10

Like
Tyler Somers
Posted 01-04-2023 11:09
This is the documentation I followed (after it was provided by support, this documentation is NOT generally available). I was successful in getting the browser cert to be valid, however, if you have an agentless gateway, you'll notice the "Synchronize assets and connections with all agentless gateways" dispatcher job will no longer work if you replace the certs referenced in the server.xml file. You'll have to review the sonarFinder.log and you'll see a Failed to establish SSL connection error.

------------------------------
Tyler Somers
Senior Security Engineer
Chicago, IL
------------------------------

Original Message
4. RE: CA Signed Certs in v4.10

Like
Sarvesh Lad
Posted 01-05-2023 11:25
Hi,

So as sson as the cert change the gateway did not like it.

So two train of thoughts:

1. Is this a AD Domain signed cert or a cert signed by trusted root CA (lets encrypt etc )
If its a internal CA signed cert, try adding the root cert to the gateway's trust store.

2. Have tried to re-setup federation ?
Maybe that process will add the certs to trust on GW and you will be in the clear?

If you can try these out, I can updated our support team and request a public facing KB to address these issues.

Regards

------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
------------------------------

Original Message

Imperva Cyber Community

CA Signed Certs in v4.10

Tyler Somers12-23-2022 11:26

Sarvesh Lad01-03-2023 10:33

Tyler Somers01-04-2023 11:09

Sarvesh Lad01-05-2023 11:25

1. CA Signed Certs in v4.10

2. RE: CA Signed Certs in v4.10

3. RE: CA Signed Certs in v4.10

4. RE: CA Signed Certs in v4.10

Contact Us

Membership

Privacy & Terms