App Control: API Unable to Connect Due to Insecure Certificate

Article ID: 291209

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • API access shows "API is Not Reachable" under Administration (Gear) > System Configuration
  • The https://servername/api/bit9platform page is still accessible
  • The API error log found in C:\Program Files (x86)\Bit9\Parity Console\WebUI\Logs shows repeated API Authentication error 0
  • The Console Certificate Signature Algorithm is SHA1

Environment

  • App Control Server (formerly CB Protection): All Supported Versions

Cause

  • While most self-signed certificates will work, certain security issues will cause the certificate to fail
  • Typically the problem is that the Subject name (by default the server name) is not listed in the Subject Alternative Name field
  • This causes SSL connections to fail with a report that the SSL traffic is not secure
  • The API also requires the SHA256 algorithm

Resolution

Generate a new certificate which will allow the connection:
  1. Create a new folder in a location that is easy to get to, such as C:\Certificate\
  2. Copy the contents of the folder C:\Program Files (x86)\Bit9\Parity Server\Cert\ into the folder created
  3. Create a text file in the new folder called OpenSSLConfig.txt and copy in the contents below
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = MA
L = Waltham
O = Bit9, Inc.
OU = Support
CN = **ENTER THE FULL FQDN OF THE SERVER**
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = **ENTER THE FULL FQDN OF THE SERVER**
DNS.2 = **ENTER ANY OTHER FQDNs OF THE SERVER**
DNS.3 = **ENTER IN THE IP OF THE SERVER**
IP.1 = **ENTER IN THE IP OF THE SERVER**
  4. Open an administrative command prompt and navigate to the folder created
  5. Run the following command, making sure to enter the respective details
openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\FOLDERYOUCREATED\cert.pem -out C:\FOLDERYOUCREATED\cert.pem -config C:\PathToConfigFileAbove\OpenSSLConfig.txt
  6. Once that completes, run the following command
openssl.exe pkcs12 -export -out C:\FOLDERYOUCREATED\cert.pfx -in C:\FOLDERYOUCREATED\cert.pem -name "CERTIFICATENAME" -passout pass:ENTERPASSWORD
  7. Import the certificate in IIS by navigating to the server name on the left, then selecting Certificates
  8. Once imported, select the Carbon Black Protection site on the left, then select the Bindings option on the right
  9. Double-click the HTTPS binding and select the new certificate
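
An added check, not part of the original article or the product: a PowerShell function that loads the cert.pfx produced by the pkcs12 step and reports whether it meets the conditions listed under Cause (SHA256 signature, subject name present in the Subject Alternative Name), so it can be run before the IIS import. The function name, password and FQDN are placeholders, and the SAN parsing assumes the English-language rendering of the extension.

```powershell
# Added example (not from the article): validate cert.pfx before importing it into IIS.
# Test-ConsoleCertificate is a hypothetical helper name; all argument values are placeholders.
function Test-ConsoleCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [Parameter(Mandatory)] [string] $ServerFqdn
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    $problems = @()

    # Cause: the API requires the SHA256 algorithm (a SHA1 console certificate fails).
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -notmatch 'sha256') {
        $problems += "Signature algorithm is '$sigAlg', expected SHA256"
    }

    # Cause: the subject name must also appear in the Subject Alternative Name field.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        # Assumption: English Windows renders entries as "DNS Name=host"; PowerShell 7 elsewhere uses "DNS:host".
        $dnsNames = @($sanExt.Format($true) -split '[\r\n,]+' | ForEach-Object {
            if ($_ -match '^\s*DNS(?: Name=|:)(.+)$') { $Matches[1].Trim() }
        })
    } else {
        $problems += 'No Subject Alternative Name extension present'
    }
    foreach ($name in @($cn, $ServerFqdn) | Select-Object -Unique) {
        if ($dnsNames -notcontains $name) { $problems += "'$name' is not listed as a DNS entry in the SAN" }
    }

    # IIS can only bind a certificate that carries its private key and is inside its validity window.
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'Certificate is outside its validity period' }

    [pscustomobject]@{
        Subject            = $cert.Subject
        SignatureAlgorithm = $sigAlg
        SanDnsNames        = $dnsNames
        Problems           = $problems
    }
}

# Placeholder values: substitute the folder, password and FQDN used in the steps above.
Test-ConsoleCertificate -PfxPath 'C:\Certificate\cert.pfx' -PfxPassword 'ENTERPASSWORD' -ServerFqdn 'server.example.com' |
    Format-List
```

An empty Problems list means the certificate satisfies both conditions; a SHA1 result here means the openssl.exe used in step 5 did not sign with SHA256.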