The cluster maintains its own certificate authority (CA) to issue certificates for external communication. A self-signed CA is generated during the installation of CDF by default. Pods of the deployed products use the certificates generated by the CA on pod startup. When configuring SSL, you must create a new CA and add the CA to CDF, which will be used by all the products in the cluster.
IMPORTANT: If you change the CA after deploying ESM for Fusion, you will have to uninstall and reinstall the CDF suite. Uninstalling the CDF suite also uninstalls all the installed capabilities, such as Fusion, ArcSight Command Center, and ArcSight Layered Analytics. We recommend that you perform this procedure when you first install ESM for Fusion to avoid downtime and data loss.
To create a new CA and add the CA to CDF:
To create a new CA, complete the following steps:
Create the CA directory and set its permissions using the following commands (the crlnumber file referenced by the configuration below is only needed if you later generate CRLs with openssl ca -gencrl; create it with echo 1000 > crlnumber in that case):
mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
Open the configuration file in a text editor (vi /root/ca/openssl.cnf).
Add the following content to the configuration file:
NOTE: The values shown here are examples. Change the parameter values to match your environment.
# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`.
[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = Locality
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = <your country code>
stateOrProvinceName_default = <your state or province>
localityName_default =
0.organizationName_default = <your company name>
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
To generate a CA root key, run the following commands:
cd /root/ca
openssl genrsa -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem
To create the CA certificate, run the following command. The -days value is an example: because replacing the CA after deployment requires reinstalling the CDF suite (see the IMPORTANT note above), choose a validity period that covers the planned lifetime of the installation.
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 375 -sha256 -extensions v3_ca -out certs/ca.cert.pem
To verify the root CA, run the following commands and check in the output that Issuer and Subject are identical, that Basic Constraints shows CA:TRUE, and that Key Usage includes Certificate Sign:
chmod 444 certs/ca.cert.pem
openssl x509 -noout -text -in certs/ca.cert.pem
To add the CA, run the following command from the /root/ca directory (the key and certificate paths are relative to it):
<K8S_HOME>/scripts/cdf-updateRE.sh write --re-key=private/ca.key.pem --re-crt=certs/ca.cert.pem --re-ca=certs/ca.cert.pem
For example:
/opt/arcsight/kubernetes/scripts/cdf-updateRE.sh write --re-key=private/ca.key.pem --re-crt=certs/ca.cert.pem --re-ca=certs/ca.cert.pem
To verify, read the CA stored in CDF with the following command and confirm that it is the same certificate as ca.cert.pem (if you save the output to a file, comparing SHA-256 fingerprints from openssl x509 -noout -fingerprint -sha256 is more reliable than comparing the PEM text by eye). You must execute the command on the initial master node:
<K8S_HOME>/scripts/cdf-updateRE.sh read
For example:
/opt/arcsight/kubernetes/scripts/cdf-updateRE.sh read
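The whole procedure, from the directory layout through the checks that the certificate handed to cdf-updateRE.sh is actually a CA, as an added shell example that is not part of the ESM for Fusion documentation or of the CDF scripts. It embeds a trimmed copy of the configuration above, writes to a scratch directory instead of /root/ca, uses placeholder names (EntCorp, web01), and goes one step beyond the page by issuing a leaf certificate through the [ ca ] section and showing that the leaf, unlike the root, is not acceptable as a --re-ca candidate. It needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the ESM for Fusion documentation or the CDF scripts:
# builds a throwaway root CA with the layout of the procedure above, issues one
# leaf certificate through its [ ca ] section, and checks the properties that
# matter before the root is handed to cdf-updateRE.sh. CA_DIR defaults to a
# scratch directory (the procedure uses /root/ca); EntCorp and web01 are placeholders.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Same layout as the procedure; a trimmed openssl.cnf is embedded so the script runs alone.
setup_ca_dir() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/ca.key.pem
certificate = \$dir/certs/ca.cert.pem
default_md = sha256
policy = policy_loose
[ policy_loose ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
O = EntCorp
CN = EntCorp Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Steps 2 and 3 of the procedure: a 4096-bit root key readable only by its
# owner, then a self-signed certificate carrying the v3_ca extensions.
make_root_ca() (
  cd "$CA_DIR"
  openssl genrsa -out private/ca.key.pem 4096 2>/dev/null
  chmod 400 private/ca.key.pem
  openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 \
    -days 375 -sha256 -extensions v3_ca -out certs/ca.cert.pem
  chmod 444 certs/ca.cert.pem
)
# What --re-ca must point at: a certificate that is itself a CA (CA:TRUE plus
# keyCertSign). A leaf signed by the root fails this check.
is_ca_cert() {
  txt=$(openssl x509 -noout -text -in "$1")
  echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}
# The root must validate against itself and the key must stay at mode 400.
check_root_ca() {
  is_ca_cert "$CA_DIR/certs/ca.cert.pem" || { echo "not a CA certificate" >&2; return 1; }
  openssl verify -CAfile "$CA_DIR/certs/ca.cert.pem" "$CA_DIR/certs/ca.cert.pem" >/dev/null 2>&1 \
    || { echo "root does not verify against itself" >&2; return 1; }
  [ "$(ls -l "$CA_DIR/private/ca.key.pem" | cut -c1-10)" = "-r--------" ] \
    || { echo "ca.key.pem must be mode 400" >&2; return 1; }
}

# Issue a leaf through the [ ca ] section (updates index.txt and serial), the way
# the cluster mints per-pod certificates, and confirm it chains to the root.
issue_server_cert() (
  cd "$CA_DIR"
  openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "private/$1.key.pem" -out "certs/$1.csr.pem" 2>/dev/null
  openssl ca -batch -config openssl.cnf -extensions server_cert -days 30 -notext \
    -in "certs/$1.csr.pem" -out "certs/$1.cert.pem" 2>/dev/null
  openssl verify -CAfile certs/ca.cert.pem "certs/$1.cert.pem" >/dev/null
)

# The procedure's last step compares `cdf-updateRE.sh read` output with
# ca.cert.pem by eye; comparing SHA-256 fingerprints is exact.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

setup_ca_dir
make_root_ca
check_root_ca
issue_server_cert web01
echo "root CA SHA-256 fingerprint: $(cert_fingerprint "$CA_DIR/certs/ca.cert.pem")"
```

On a real master node, if cdf-updateRE.sh read prints the stored certificate in PEM form (an assumption; check the script's output on your system), redirect it to a file and run same_cert against /root/ca/certs/ca.cert.pem instead of comparing the two PEM blocks by eye. The is_ca_cert check is the one worth keeping: the write command accepts any PEM for --re-ca, and a leaf certificate passed there would not be trusted as an issuer by anything in the cluster.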