Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  CA Signed Certs in v4.10

    Posted 12-23-2022 11:26
    Has anyone tried using CA signed certs in version 4.10.  I am able to get our browser cert working by modifying the SonarFinder server.xml file in my local directory, however, when I do this it breaks the SSL to our agentless gateways.  Seems the assets in v4.10 are synched via a playbook and the call to our agentless gateway endpoint is failing to create an SSL connection.

    Just curious if anyone has had any luck getting this to work as the process is not documented anywhere.
    #DatabaseActivityMonitoring
    #jSonar

    ------------------------------
    Tyler Somers
    Senior Security Engineer
    Chicago, IL
    ------------------------------


  • 2.  RE: CA Signed Certs in v4.10

    Posted 25 days ago
    May I ask what documentation are you following?

    Here are the steps in brief:


    Copy the default server.xml config to the "local" folder, and set it's corerct ownership, by running the next commands
    sudo cp $JSONAR_BASEDIR/sonarfinder/conf/server.xml $JSONAR_LOCALDIR/sonarfinder/
    sudo chown sonarw.sonar $JSONAR_LOCALDIR/sonarfinder/server.xml

    Copy the Certificate files to the "local" folder and set their permissions
    sudo mkdir $JSONAR_LOCALDIR/ssl/certs
    sudo cp <certificate and key files> $JSONAR_LOCALDIR/ssl/certs/
    sudo chown -R sonarw.sonar $JSONAR_LOCALDIR/ssl/certs

    Edit the local server.xml file that we copied in first step $JSONAR_LOCALDIR/sonarfinder/server.xml

    <SSLHostConfig protocols="+TLSv1.2+TLSv1.1"
    .....
    <Certificate certificateKeyFile="<Full Path to the key>"
    certificateFile="<Full Path to the certificate>"
    type="RSA"/>
    </SSLHostConfig>

    Note: Must set full path to the certificate and key, do not use any environment variables.


    Restart sonarfinder and test,

    systemctl restart sonarfinder



    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 3.  RE: CA Signed Certs in v4.10

    Posted 24 days ago
    This is the documentation I followed (after it was provided by support, this documentation is NOT generally available).  I was successful in getting the browser cert to be valid, however, if you have an agentless gateway, you'll notice the "Synchronize assets and connections with all agentless gateways" dispatcher job will no longer work if you replace the certs referenced in the server.xml file.  You'll have to review the sonarFinder.log and you'll see a Failed to establish SSL connection error.

    ------------------------------
    Tyler Somers
    Senior Security Engineer
    Chicago, IL
    ------------------------------



  • 4.  RE: CA Signed Certs in v4.10

    Posted 23 days ago
    Hi,

    So as sson as the cert change the gateway did not like it.

    So two train of thoughts:

    1. Is this a  AD Domain signed cert or a cert signed by trusted root CA (lets encrypt etc )
    If its a internal CA signed cert, try adding the root cert to the gateway's trust store.

    2. Have tried to re-setup federation ?
    Maybe that process will add the certs to trust on GW and you will be in the clear?

    If you can try these out, I can updated our support team and request a public facing KB to address these issues.

    Regards


    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------