Management Center is unable to verify the CA certificate for syslog servers using TLS.

Article ID: 176489


Products

Management Center

Issue/Introduction

Management Center is not accepting a syslog server certificate signed by our internal PKI chain.

Management Center sends Alert 21, Unknown CA, to the TLS syslog server.

How to configure encrypted syslogging on Management Center.

syslog-ng[22825]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca' 

Environment

Management Center running code version 3.0.x and below (e.g. 2.4.x.x, 2.3.x.x, etc.)

Management Center with TLS syslogging.

Cause

Prior to Management Center version 3.1.1.x, MC would only validate a TLS syslog collector's certificate if it was signed by Management Center's own certificate named default_ca. A certificate issued by any other CA, including an organization's internal PKI, is rejected with an "unknown ca" alert.

Resolution

You need to ensure that the syslog server's TLS server certificate is signed by Management Center's default_ca. This requires exporting the default_ca private key and certificate to the host running OpenSSL and/or the syslog server. The steps needed on the Management Center side are below:

1. CLI commands to view the default_ca key pair and certificate:

en
conf terminal
ssl view keypair default_ca (this is the private key)
ssl view certificate default_ca  

2. Save the private key and certificate shown above to your OpenSSL host and/or syslog server. OpenSSL needs these two files to sign the syslog server's certificate signing request (CSR), and also the syslog client's CSR if mutual authentication is desired.

3. Edit your syslog server's configuration file so that it locates the server key, the server certificate and, most likely, the CA certificate that signed them. For details on configuring your syslog server, refer to your OS distribution's documentation and the OpenSSL and syslog project sites (links below).

https://www.openssl.org/
https://www.syslog-ng.com/
https://www.rsyslog.com/

4. When using syslog over TLS with mutual authentication, import the client private key and certificate created with your OpenSSL into Management Center. It is highly recommended to create a new ssl-context and CCL specific to your syslog/TLS configuration, and to create a new ca-certificate by copying the contents of the default_ca certificate.

The following are sample commands for importing the client private key and certificate created with your OpenSSL:

en
conf terminal
ssl
  inline keyring syslog-client-cert showable yes
    (paste the client private key here)
  inline certificate syslog-client-cert
    (paste the client certificate here)
5. Creating a new ssl-context, CCL and ca-certificate, and associating them for use by syslog/TLS

The following commands assume you are still at MC's "(config-ssl)#" prompt:

create ssl-context syslog-ssl-context
create ccl syslog-ccl
inline ca-certificate default-ca-certificate (copy/paste the default_ca certificate; ctrl-d to save it)

edit ccl syslog-ccl
add default-ca-certificate
exit
edit ssl-context syslog-ssl-context
ccl syslog-ccl
keyring syslog-client-cert
exit
exit

6. Configure syslog over TLS using the syslog-ssl-context created above.

The command below assumes you are at MC's "(config)#" prompt; replace host and port with the syslog server's address and TLS port:

event-log syslog add tls host port ssl-context syslog-ssl-context

This solution is acceptable for FIPS certification but not for Common Criteria.

If you need more information about the CLI commands given above, refer to the Management Center Command Line Reference document via the links below:

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/management-center/3-0.html
https://support.symantec.com/us/en/article.DOC11538.html