Configuring ESM as a Transformation Hub Consumer - FIPS Mode (Server Authentication Only)

This section describes how to configure ESM to access Transformation Hub when FIPS mode is enabled. FIPS 140-2 is the only supported FIPS mode.

To configure ESM access to Transformation Hub in FIPS Mode:

  1. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager

  2. On the Transformation Hub server, write the root CA certificate to a file by running /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt, and then copy /tmp/ca.crt to a location on the ESM server.

  3. Use the keytool command to import the root CA certificate into the ESM client truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file /tmp/ca.crt -alias alias1

  4. As user arcsight, run the following command from the /opt/arcsight/manager/bin directory to start the managersetup wizard:

    ./arcsight managersetup -i console

  5. Provide the following information:
    Note: You do not need to provide the path to the Transformation Hub root certificate, as it has already been imported.
    1. Specify the host name and port information for the nodes in Transformation Hub. Include the host and port information for all nodes and not just the master node. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).

      Note: You must specify the host name and not the IP address.

      Transformation Hub can only accept IPv4 connections from ESM.

      If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

    2. Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.

      Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2). ESM will read Avro-format events from any topic where the name contains "avro" in lower case. For example, th-arcsight-avro.
    3. Leave the authentication type as None.

    4. Leave the user name and password as empty.

    5. If you specified an Avro topic, specify the host name and port for connecting to the Schema Registry in the format <host name:port>.

      Note: The default port for connecting to the Schema Registry is 32081.

      Transformation Hub runs a Confluent Schema Registry that producers and consumers use to manage compatibility of Avro-format events.

      The wizard uses this information to connect to the Schema Registry, read the Avro schemas for the Avro topics that you specified, and verify that the topics contain Avro events that are compatible with ESM. If ESM cannot retrieve the Avro schemas for the Avro topics that you specified and compare them to the schema that is packaged with ESM, or if incompatible schemas are detected, the wizard generates warning messages but allows you to continue. In some cases, you might already know that Transformation Hub will use a compatible schema when the Manager is running.

    6. If you choose to configure the Forwarding Connector to forward CEF events to Transformation Hub and then configure Transformation Hub to filter Avro events, use filters to ensure that ESM does not receive duplicate events. You might want to use filters to accomplish the following:

      • Filter out desired events from Connectors so that ESM does not process them

      • Filter out ESM's correlation events that were forwarded (CEF events that the Forwarding Connector sent to th-cef) so that ESM does not re-process its own events.

      If you do not configure filtering, ESM must consume from the th-arcsight-avro topic. If you configure filtering, ESM must consume from the mf-event-avro-esmfiltered topic. For more information, see configuring filters and local and global event enrichment.

  6. Advance through the wizard and complete the configuration.
  7. As user arcsight, restart the ArcSight Manager:

    In compact mode:

    /etc/init.d/arcsight_services start manager

    In distributed mode:

    /etc/init.d/arcsight_services stop all
    /etc/init.d/arcsight_services start all
  8. Verify that the connection was successful:

    grep -rnw '/opt/arcsight/var/logs/manager/' -e 'Transformation Hub service is initialized' -e 'Started kafka readers'

    The output should be similar to the following:

    /opt/arcsight/var/logs/manager/default/server.std.log:5036:2021-07-13 09:51:36 =====> Transformation Hub service is initialized (49 s) <=====

    /opt/arcsight/var/logs/manager/default/server.log:11664:[2021-07-13 09:51:36,656][INFO ][default.com.arcsight.common.messaging.events.aa] Started kafka readers in PT0.115S

    /opt/arcsight/var/logs/manager/default/server.log:11665:[2021-07-13 09:51:36,657][INFO ][default.com.arcsight.server.NGServer] Transformation Hub service is initialized (49 s)
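As an added example (not part of the ArcSight documentation), the following bash functions check the values you are about to type into the managersetup wizard against the rules stated in the procedure above (host names rather than IP addresses, host:port pairs, at most 25 topics, "avro" in a topic name meaning a Schema Registry address is required) and check a Manager log file for the two start-up markers from step 8. The function names and the exact input formats they accept are assumptions.

```bash
#!/bin/bash
# Constructed pre-flight checks for the managersetup inputs described above.
# Assumption: values are passed exactly as they will be typed into the wizard.

# Return 0 if every entry in a comma-separated list is <host name>:<port>,
# where the host is a DNS name (not an IPv4 literal) and the port is 1-65535.
validate_nodes() {
    local IFS=','
    local entry host port
    [ -n "$1" ] || return 1
    for entry in $1; do
        host="${entry%%:*}"
        port="${entry##*:}"
        [ "$host" != "$entry" ] || return 1     # no ':' separator at all
        case "$host" in
            ''|*[!A-Za-z0-9.-]*) return 1 ;;   # illegal host name characters
            *[!0-9.]*) ;;                      # has a letter or hyphen: a DNS name
            *) return 1 ;;                     # digits and dots only: an IP literal
        esac
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
}

# Number of topics in a comma-separated list (the wizard accepts at most 25).
count_topics() {
    [ -n "$1" ] || { echo 0; return; }
    printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

validate_topics() {
    local n; n=$(count_topics "$1")
    [ "$n" -ge 1 ] && [ "$n" -le 25 ]
}

# ESM reads Avro-format events from any topic whose name contains "avro" in lower case.
is_avro_topic() { case "$1" in *avro*) return 0 ;; *) return 1 ;; esac; }

# Return 0 if any listed topic is Avro, so a Schema Registry host:port must be supplied.
needs_schema_registry() {
    local IFS=',' t
    for t in $1; do is_avro_topic "$t" && return 0; done
    return 1
}

# Return 0 if the Manager log file at $1 contains both start-up markers from step 8.
th_connection_ok() {
    grep -q 'Transformation Hub service is initialized' "$1" &&
    grep -q 'Started kafka readers' "$1"
}
```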