21.3.2 Auditing using TLS over TCP

Keys and certificates are required for TLS to work. Each instance of Identity Server, Access Gateway, and Administration Console must have private key, public key certificate, root CA certificate, and CA certificate of the remote Syslog server.

Various tools are available for generating the required key files and certificates. For example, OpenSSL, GnuTLS, and Let's Encrypt. You can also use Administration Console to create these. For information about how to use Administration Console for creating certificates and key files, see Creating Certificates and Managing Certificates and Keystores.

IMPORTANT:Use the DNS name or IP address of Identity Server, Access Gateway, and Administration Console while setting up the subject or common name (CN) of its public certificate. The CA certificate needs to be distributed to the remote server and vice versa.

Perform the following steps to enable sending audit events to the remote syslog sever by using TLS over TCP protocol:

  1. Perform the steps in Auditing using UDP.

  2. In nam.conf and namMultiTarget.conf, add double @ character before the remote host and the following macros to send messages over TCP:

    For information about how to modify a file, see Modifying Configurations.

    $DefaultNetstreamDriver gtls
    $DefaultNetstreamDriverCAFile <filepath of remote peer's CA certificate>
    $DefaultNetstreamDriverCertFile <filepath of own public key certificate>
    $DefaultNetstreamDriverKeyFile <filepath of own private key>
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode <mode> #Authentication mode to be used during TLS handshake
    $ActionSendStreamDriverPermittedPeer <ID>

    In ActionSendStreamDriverAuthMode <mode>, you can specify one of the following authentication modes for validating a remote peer:

    • anon: Anonymous authentication. It does not allow authenticating a remote peer.

    • x509/certvalid: Certificate validation only.

    • x509/name: Certificate validation and subject name authentication.

    $ActionSendStreamDriverPermittedPeer <ID> is an optional tag. In $ActionSendStreamDriverPermittedPeer <ID>, specify remote peer’s identifier. Connections from only these peers are accepted. You can set PermittedPeer to a single peer or an array of peers of type IP or name, depending on the TLS certificate. For example,

    Single peer: ActionSendStreamDriverPermittedPeer ”127.0.0.1”

    Array of peers: ActionSendStreamDriverPermittedPeer [“test1.ex.net”,”10.1.2.3”,”*.ex.net”]

    If array syntax does not work, configure each entry individually.

    A sample nam.conf:

    $DefaultNetstreamDriver gtls
    $DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/server_CA.pem
    $DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/client_Cert.pem
    $DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/client_Key.pem
    $ModLoad imtcp # load TCP listener
    $InputTCPServerRun 1290
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode x509/name
    $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
    local0.* @@164.100.150.10:1468;ForwardFormat

    Here, audit logs are being forwarded to the remote server 164.100.150.10 and port 1468 using TLS.

  3. Restart the rsyslog service.