Imperva Cyber Community

  • 1.  CA Signed Certs in v4.10

    Posted 12-23-2022 11:26
    Has anyone tried using CA signed certs in version 4.10.  I am able to get our browser cert working by modifying the SonarFinder server.xml file in my local directory, however, when I do this it breaks the SSL to our agentless gateways.  Seems the assets in v4.10 are synched via a playbook and the call to our agentless gateway endpoint is failing to create an SSL connection.

    Just curious if anyone has had any luck getting this to work as the process is not documented anywhere.
    #DatabaseActivityMonitoring
    #jSonar

    ------------------------------
    Tyler Somers
    Senior Security Engineer
    Chicago, IL
    ------------------------------


  • 2.  RE: CA Signed Certs in v4.10

    Posted 01-03-2023 10:33
    May I ask what documentation are you following?

    Here are the steps in brief:


    Copy the default server.xml config to the "local" folder, and set its correct ownership, by running the next commands:
    sudo cp $JSONAR_BASEDIR/sonarfinder/conf/server.xml $JSONAR_LOCALDIR/sonarfinder/
    sudo chown sonarw.sonar $JSONAR_LOCALDIR/sonarfinder/server.xml

    Copy the Certificate files to the "local" folder and set their permissions
    sudo mkdir $JSONAR_LOCALDIR/ssl/certs
    sudo cp <certificate and key files> $JSONAR_LOCALDIR/ssl/certs/
    sudo chown -R sonarw.sonar $JSONAR_LOCALDIR/ssl/certs

    Edit the local server.xml file that we copied in first step $JSONAR_LOCALDIR/sonarfinder/server.xml

    <SSLHostConfig protocols="+TLSv1.2+TLSv1.1"
    .....
    <Certificate certificateKeyFile="<Full Path to the key>"
    certificateFile="<Full Path to the certificate>"
    type="RSA"/>
    </SSLHostConfig>

    Note: Must set full path to the certificate and key, do not use any environment variables.


    Restart sonarfinder and test:

    systemctl restart sonarfinder



    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 3.  RE: CA Signed Certs in v4.10

    Posted 01-04-2023 11:09
    This is the documentation I followed (after it was provided by support, this documentation is NOT generally available).  I was successful in getting the browser cert to be valid, however, if you have an agentless gateway, you'll notice the "Synchronize assets and connections with all agentless gateways" dispatcher job will no longer work if you replace the certs referenced in the server.xml file.  You'll have to review the sonarFinder.log and you'll see a Failed to establish SSL connection error.

    ------------------------------
    Tyler Somers
    Senior Security Engineer
    Chicago, IL
    ------------------------------



  • 4.  RE: CA Signed Certs in v4.10

    Posted 01-05-2023 11:25
    Hi,

    So as soon as the cert changed, the gateway did not like it.

    So, two trains of thought:

    1. Is this an AD Domain signed cert or a cert signed by a trusted root CA (Let's Encrypt etc.)?
    If it's an internal CA signed cert, try adding the root cert to the gateway's trust store.

    2. Have you tried to re-set up federation?
    Maybe that process will add the certs to trust on the GW and you will be in the clear?

    If you can try these out, I can update our support team and request a public facing KB to address these issues.

    Regards


    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------
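An added pre-flight check for the certificate steps in reply 2 and the trust-store question in reply 4; this is example code, not from the thread or the product. It assumes only that openssl is on the path; the CA name, hostname and file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Before copying a replacement certificate
# into $JSONAR_LOCALDIR/ssl/certs, confirm (1) the key file really belongs to the
# certificate and (2) the certificate chains to a CA the peer trusts. An
# internal-CA cert that passes (1) but fails (2) against the gateway's trust
# store is the "Failed to establish SSL connection" case described above.
set -u

# check_cert_pair CERT KEY: succeed if the public key in CERT equals the one derived from KEY.
check_cert_pair() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# check_chain CERT CA_BUNDLE: succeed if CERT validates against CA_BUNDLE
# (the trust store of whoever connects to sonarfinder, e.g. an agentless gateway).
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_test_pki DIR: constructed material, a private root CA and a leaf it signed,
# plus an unrelated key and an empty trust store to exercise the failure cases.
make_test_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Internal Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sonarfinder.example.internal" \
    -keyout "$d/sonar.key" -out "$d/sonar.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/sonar.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/sonar.pem" >/dev/null 2>&1
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
  : > "$d/empty-trust.pem"   # a peer that has never been given the internal root
}

# Demo run: exercise all four combinations and print PASS/FAIL for each.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
for check in "check_cert_pair sonar.pem sonar.key" "check_cert_pair sonar.pem other.key" \
             "check_chain sonar.pem ca.pem" "check_chain sonar.pem empty-trust.pem"; do
  set -- $check
  if "$1" "$demo_dir/$2" "$demo_dir/$3"; then echo "PASS  $check"; else echo "FAIL  $check"; fi
done
rm -rf "$demo_dir"
```

Run the two checks against the real files and the CA bundle the gateway actually uses before touching server.xml; a FAIL on check_chain means the gateway needs the issuing root added to its trust store first.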