Syslog Encryption

TLS support has been added to the Luna Network HSM 7 syslog implementation to encrypt log messages sent to a remote server. This protects your logs from interception in transit, safeguarding details that could reveal the current state of the appliance.

The primary focus of the feature is to support the following use cases:

- Server authentication with self-signed certificates

- Server authentication with CA signed certificates

- Mutual authentication with self-signed certificates

- Mutual authentication with CA signed certificates

NOTE   When configuring two or more remote servers, certificates from multiple chains of trust are not supported: all server and client certificates must be signed by the same entity. This limitation is tied to the version of rsyslog currently supported by CentOS.

Server Authentication with Self-Signed Certificates

1. Server generates a private key and self-signed certificate.

2. Server passes the root certificate to the LNH.

3. LNH adds this certificate to its trust store.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/ca
{
    "file": "sample_ca.pem"
}

4. User configures server information.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts
{
    "address": "1.2.3.4", 
    "protocol": "tcp", 
    "port": 514, 
    "mode": "server", 
    "name": "1.2.5.6", 
    "tls": true
}

Server Authentication with CA Signed Certificates

1. Server generates a private key and CSR, and gets the CSR signed by the CA.

2. Server adds the acquired certificate.

3. LNH adds the CA certificate to its trust store.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/ca
{
    "file": "sample_ca.pem"
}

4. User configures server information.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts
{
    "address": "1.2.3.4", 
    "protocol": "tcp", 
    "port": 514, 
    "mode": "server", 
    "name": "1.2.5.6", 
    "tls": true
}

Mutual Authentication with Self-Signed Certificates

1. Server and the LNH each generate a private key and self-signed certificate.

At the LNH:
PUT | PATCH
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/certificate
{
    "cn": "1.2.3.4",
    "startDate": "2024-02-12",
    "days": 300,
    "country": "CA",
    "state": "Ontario",
    "location": "Ottawa",
    "organization": "Thales",
    "orgunit": "GPHSM",
    "email": "sample@email.com",
    "subjectAltNames": ["IP:1.2.3.4", "DNS:example.com"],
    "keySize": 2048,
    "keyType": "rsa"
}

2. Server sends the self-signed certificate to the LNH, and the LNH adds the acquired certificate.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/ca
{
    "file": "sample_ca.pem"
}

3. The LNH sends the self-signed certificate to the server, and the server adds the acquired certificate.

[CAserver]# scp client_sign.pem operator@192.168.14.93:

4. User configures server information.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts
{
    "address": "1.2.3.4", 
    "protocol": "tcp", 
    "port": 514, 
    "mode": "server", 
    "name": "1.2.5.6", 
    "tls": true
}

Mutual Authentication with CA Signed Certificates

1. Server and the LNH each generate a private key and CSR.

At the LNH:
POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/csr
{
    "cn": "1.2.3.4",
    "startDate": "2024-02-12",
    "days": 300,
    "country": "CA",
    "state": "Ontario",
    "location": "Ottawa",
    "organization": "Thales",
    "orgunit": "GPHSM",
    "email": "sample@email.com",
    "subjectAltNames": ["IP:1.2.3.4", "DNS:example.com"],
    "keySize": 2048,
    "keyType": "rsa"
}

2. Server and the LNH add the received signed certificates.

PUT
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/certificate
{
    "file": "sample_certificate.pem"
}

3. Server and LNH add the CA certificate to their trust store.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts/ca
{
    "file": "sample_ca.pem"
}

4. User configures server information.

POST
https://LUNAIPADDRESS:PORT/api/lunasa/syslog/remoteHosts
{
    "address": "1.2.3.4", 
    "protocol": "tcp", 
    "port": 514, 
    "mode": "server", 
    "name": "1.2.5.6", 
    "tls": true
}
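The four procedures above differ only in which calls precede the shared trust-store and remote-host steps. The following is an added example, not code from the Luna documentation or product: it assembles the ordered REST calls for a chosen use case using the endpoint paths on this page, and sanity-checks the certificate request body before it is sent. The `send` callable, the `plan`/`validate_cert_request` helpers and the rule that the `cn` should also appear in `subjectAltNames` are assumptions of this example, not part of the appliance API.

```python
"""Added example (not the Luna product's code): plan and validate the
syslog-TLS REST call sequence for each use case described on this page."""
import ipaddress
import json
from datetime import date

BASE = "/api/lunasa/syslog/remoteHosts"   # path family used on this page

def validate_cert_request(body):
    """Reject a /certificate or /csr body that would produce an unusable cert."""
    date.fromisoformat(body["startDate"])            # must be YYYY-MM-DD
    if body["days"] <= 0:
        raise ValueError("days must be positive")
    if body["keyType"] == "rsa" and body["keySize"] < 2048:
        raise ValueError("RSA keys shorter than 2048 bits are not acceptable")
    sans = body["subjectAltNames"]
    for san in sans:
        kind, _, value = san.partition(":")
        if kind == "IP":
            ipaddress.ip_address(value)              # raises on a malformed IP
        elif kind != "DNS":
            raise ValueError(f"unsupported SAN type in {san!r}")
    # Assumption: peers verify the SAN list, so the CN should be listed there too.
    if not any(s.split(":", 1)[1] == body["cn"] for s in sans):
        raise ValueError("cn is not present in subjectAltNames")
    return True

def plan(mutual, ca_signed, cert_body, remote_host):
    """Return (method, path, body) calls in the order the page gives them."""
    calls = []
    if mutual:
        validate_cert_request(cert_body)
        if ca_signed:   # LNH raises a CSR, then installs the CA-signed result
            calls.append(("POST", BASE + "/csr", cert_body))
            calls.append(("PUT", BASE + "/certificate",
                          {"file": "sample_certificate.pem"}))
        else:           # LNH self-signs directly
            calls.append(("PUT", BASE + "/certificate", cert_body))
    # Every use case trusts exactly one signer (the page's single-chain note).
    calls.append(("POST", BASE + "/ca", {"file": "sample_ca.pem"}))
    # Force tls on so a host is never configured for plaintext by mistake.
    calls.append(("POST", BASE, dict(remote_host, tls=True)))
    return calls

def send_all(calls, send):
    """Execute a plan with any send(method, path, json_text) callable."""
    return [send(m, p, json.dumps(b)) for m, p, b in calls]
```

Pass `send_all` a callable that performs the HTTPS request against the appliance, or one that merely records its arguments for a dry run.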