Configuring the ArcSight Database for MinIO Storage (Examples Only)

Note: The information on this page is provided for illustrative purposes only, is not verified for production use, and no support is provided by Micro Focus for this information. Please utilize MinIO official support resources to assist you with deploying and configuring MinIO.

The setup examples below incorporated MinIO version Release.2021-10-13T00-23-17Z.

The procedures in this section for setting up the MinIO storage solution using MinIO Gateway in NFS mode are for example purposes only. Additionally, the procedures are not necessarily contiguous and provide more than one way of configuring MinIO, for example, with different types of certificate, or with or without TLS.

As you proceed with your own MinIO setup, ensure that you thoroughly run the processes that you configure in a test environment before deploying to your operational system. For more information, see "Understanding Object Storage Options for the ArcSight Database."

Server addresses and the like are from our test environment and should not be taken literally.

Setting Up the NFS Server

Example for configuring the NFS Server for MinIO:

  1. Log in to the NFS Server and run the following commands:

    systemctl restart rpcbind
    systemctl enable rpcbind
    systemctl restart nfs-server
    systemctl enable nfs-server				
  2. Create the MinIO NFS directory:

    mkdir /opt/minio-nfs
    chown -R 1999:1999 /opt/minio-nfs
    
    echo "/opt/minio-nfs 10.000.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)" > /etc/exports
  3. Restart the NFS Server:

    systemctl restart nfs-server
    showmount -e			

Setting Up MinIO - Non-TLS

Example for setting up MinIO without TLS on the NFS server.

  1. Log in to the MinIO Server and create the start-minio.sh script:

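    #!/bin/bash
    # start-minio.sh: mount the NFS export and start MinIO Gateway in NAS mode.
    NFS_SERVER="<NFS server-IP/FQDN>"
    NFS_DIR=/opt/minio-nfs
    MINIO_DIR=/opt/minio-nfs-data
    DATA_DIR=/opt/minio-nfs-data/minio/data

    mkdir -p "$MINIO_DIR"
    # Stop here if the mount fails, so that data is not written to the local disk.
    mount "$NFS_SERVER:$NFS_DIR" "$MINIO_DIR" || exit 1
    mkdir -p "$DATA_DIR"

    # Placeholder credentials; set your own values.
    export MINIO_ROOT_USER=access_key
    export MINIO_ROOT_PASSWORD=change_me

    # Start MinIO in the background; the console listens on port 42497.
    ./minio gateway nas "$DATA_DIR" --console-address :42497 &

    Port 42497 is an example. You need to configure your own unused port. You also need to obtain your own MinIO binary.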
  2. Run the start-minio.sh script:

    ./start-minio.sh

    Output example:

    Output:
    echo ========================================
    echo "$DATA_DIR has been created"
    echo "Data will be placed in $DATA_DIR"
    echo "Check output for more information"
    echo ========================================
    API: http://10.000.000.000:9000 http://192.168.122.1:9000 http://127.0.0.1:9000
    RootUser: access_key
    RootPass: change_me
    Console: http://10.000.000.001:42497 http://192.168.122.1:42497 http://127.0.0.1:42497
    RootUser: access_key
    RootPass: change_me	
    Command-line: https://docs.min.io/docs/minio-client-quickstart-guide
    $ mc alias set myminio http://10.000.000.001:9000 access_key change_me		
    Documentation: https://docs.min.io
  3. Create the stop-minio.sh script:

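    #!/bin/bash
    # stop-minio.sh: stop the MinIO process started by start-minio.sh.
    # Match the process name exactly so that this script (whose name contains
    # "minio") and unrelated processes are not killed as well.
    pkill -9 -x minio
    NFS_SERVER="<NFS server-IP/FQDN>"
    NFS_DIR=/opt/minio-nfs
    MINIO_DIR=/opt/minio-nfs-data
    DATA_DIR=/opt/minio-nfs-data/minio/data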
  4. Run the stop-minio.sh script:

    ./stop-minio.sh

    Output example:

    Output:
    echo ========================================
    echo "$DATA_DIR still contains data"
    echo "Clean them if needed"
    echo "$MINIO_DIR is still mounted"
    echo "umount it if needed"
    echo ========================================	

Setting Up MinIO Using a TLS-Signed Certificate

Example for configuring a TLS-signed certificate for MinIO.

  1. Log in to the MinIO server and create the Sign-CA directory:

    mkdir Sign-CA
    cd Sign-CA
  2. Generate the self-signed root CA key and certificate:

    openssl req -newkey rsa:4096 -sha256 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.crt -subj "/C=<country>/ST=<state>/L=<locality>/O=<organization>/OU=<organizational unit>/CN=RootCA/emailAddress=<admin@myCompany.com>" -nodes
  3. Generate a private key for MinIO:

    openssl genrsa -out private.key 4096
  4. Create the openssl.conf file, updating the MinIO server's IP address and FQDN:

    # openssl.conf: update the MinIO server's IP address and FQDN
    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = <country>
    ST = <XX>
    L = <locality>
    O = <organization>
    OU = <organizational unit>
    CN = <fqdn>
    [v3_req]
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = <IP-address>
    DNS.1 = <fqdn>
  5. Create the MinIO signing request:

    #minio server IP: 10.000.000.001
    
    openssl req -new -key private.key -out minio.csr -config openssl.conf -nodes
  6. Sign the CSR:

    openssl x509 -req -in minio.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -outform PEM -out public.crt -sha256 -extensions v3_req -extfile openssl.conf
  7. Run the start-minio.sh script:

    ./start-minio.sh
    cp public.crt private.key /root/.minio/certs
    cp ca.crt /root/.minio/certs/CAs
  8. Stop and restart MinIO:

    ./stop-minio.sh
    
    ./start-minio.sh
    

    Example output:

    Output:
    ========================================
    /opt/minio-nfs-data/minio/data has been created
    Data will be placed in /opt/minio-nfs-data/minio/data
    Check output for more information
    ========================================
    [root@n10-000-000-h001 minio]#
    API: https://10.000.000.001:9000 https://192.168.122.1:9000 https://127.0.0.1:9000
    RootUser: access_key
    RootPass: change_me
    Console: https://10.000.000.001:42497 https://192.168.122.1:42497 https://127.0.0.1:42497
    RootUser: access_key
    RootPass: change_me				
    Command-line: https://docs.min.io/docs/minio-client-quickstart-guide
    $ mc alias set myminio http://10.000.000.000:9000 access_key change_me		
    Documentation: https://docs.min.io
  9. Copy ca.crt to all ArcSight database nodes:

    scp ca.crt <All-database-nodes>:/tmp
  10. Run this command on all ArcSight database nodes:

    cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors;update-ca-trust			
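
The checks below are an added example, not part of the original procedure or of MinIO or ArcSight tooling: before ca.crt is distributed to the database nodes, they confirm that public.crt chains to ca.crt, that private.key matches it, that the certificate covers the server's FQDN and IP address, and that the key file is not readable by group or others. The function names check_minio_cert and make_sample, the name minio.example.test and the address 192.0.2.10 are assumptions made for the constructed sample.

```shell
#!/bin/bash
# check_minio_cert CA_CERT SERVER_CERT SERVER_KEY FQDN IP (hypothetical helper): prints OK, returns 0 if all pass.
check_minio_cert() {
    local ca="$1" crt="$2" key="$3" fqdn="$4" ip="$5"
    # 1. The server certificate must chain to the CA the database nodes will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "FAIL: chain"; return 1; }
    # 2. The private key must belong to the certificate (compare public keys).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: key does not match certificate"; return 1; }
    # 3. The certificate must cover the FQDN and IP address that clients connect to.
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q 'does match' \
        || { echo "FAIL: certificate does not cover $fqdn"; return 1; }
    openssl x509 -in "$crt" -noout -checkip "$ip" | grep -q 'does match' \
        || { echo "FAIL: certificate does not cover $ip"; return 1; }
    # 4. The private key must not be readable by group or others.
    case "$(ls -l "$key")" in
        -rw-------*|-r--------*) ;;
        *) echo "FAIL: key permissions too open"; return 1 ;;
    esac
    echo "OK"
}

# Constructed sample: throwaway CA and server certificate built with the page's openssl
# steps (2048-bit keys, 1-day validity, explicit [v3_ca] section so no system config is needed).
make_sample() {
    local d; d=$(mktemp -d) || return 1
    cat > "$d/openssl.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = minio.example.test
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.0.2.10
DNS.1 = minio.example.test
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    ( cd "$d" &&
      openssl req -newkey rsa:2048 -sha256 -keyout ca.key -x509 -days 1 -out ca.crt -config openssl.conf -extensions v3_ca -subj "/CN=RootCA" -nodes &&
      openssl genrsa -out private.key 2048 && chmod 600 private.key ca.key &&
      openssl req -new -key private.key -out minio.csr -config openssl.conf &&
      openssl x509 -req -in minio.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 -out public.crt -sha256 -extensions v3_req -extfile openssl.conf
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}
d=$(make_sample) && check_minio_cert "$d/ca.crt" "$d/public.crt" "$d/private.key" minio.example.test 192.0.2.10
```

On the MinIO server, call check_minio_cert on the real ca.crt, public.crt and private.key in Sign-CA with the FQDN and IP address entered in openssl.conf.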

Setting Up MinIO Using a TLS Self-Signed Certificate

Example for setting up MinIO with a TLS self-signed certificate.

  1. Log in to the MinIO server and create the self-sign directory:

    mkdir self-sign
    cd self-sign
  2. Create the openssl.conf file, updating the MinIO server's IP address and FQDN:

    # openssl.conf: update the MinIO server's IP address and FQDN
    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = <country>
    ST = <XX>
    L = <locality>
    O = <organization>
    OU = <organizational unit>
    CN = <fqdn>
    [v3_req]
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = <IP-address>
    DNS.1 = <fqdn>
  3. Generate the self-signed certificate:

    openssl req -newkey rsa:4096 -sha256 -keyform PEM -keyout private.key -x509 -days 3650 -outform PEM -out public.crt -config openssl.conf -nodes
  4. Run the start-minio.sh script:

    ./start-minio.sh
    cp public.crt private.key /root/.minio/certs
    cp public.crt /root/.minio/certs/CAs
  5. Stop and restart MinIO:

    ./stop-minio.sh
    
    ./start-minio.sh
    

    Example output:

    Output:
    ========================================
    /opt/minio-nfs-data/minio/data has been created
    Data will be placed in /opt/minio-nfs-data/minio/data
    Check output for more information
    ========================================
    [root@n10-000-000-h001 minio]#
    API: https://10.000.000.001:9000 https://192.168.122.1:9000 https://127.0.0.1:9000
    RootUser: access_key
    RootPass: change_me
    Console: https://10.000.000.001:42497 https://192.168.122.1:42497 https://127.0.0.1:42497
    RootUser: access_key
    RootPass: change_me				
    Command-line: https://docs.min.io/docs/minio-client-quickstart-guide
    $ mc alias set myminio http://10.000.000.000:9000 access_key change_me		
    Documentation: https://docs.min.io
  6. Copy public.crt to all ArcSight database nodes:

    scp public.crt <All-database-nodes>:/tmp
  7. Run this command on all ArcSight database nodes:

    cp /tmp/public.crt /etc/pki/ca-trust/source/anchors;update-ca-trust			

Creating a Bucket and Folder in MinIO

These are the basic steps for creating a bucket and folder in MinIO:

  1. Log in to the MinIO console. For example:

    1. Enter the console address in a browser. For example (http://10.000.000.000:42497).

    2. Enter MinIO credentials (access key and password).

  2. Create the bucket.

  3. Select the new bucket, and create the folder (for example, "data").

To see how the Yaml configuration corresponds to the MinIO bucket, see Yaml Configuration File Example.

Yaml Configuration File Example

The following is an example of the Yaml configuration file used for the MinIO setup. For more information, see Using the Configuration Files.

Non-TLS:

s3:
 type: preconfigured
 server: <fqdn>
 port: 9000
 url: s3://<bucketName>/<folderName>
 access-key: <access_key>
 tls-enabled: False
 region: <region>

TLS:

s3:
 type: preconfigured
 server: <fqdn>
 port: 9000
 url: s3://<bucketName>/<folderName>
 access-key: <access_key>
 tls-enabled: True
 region: <region>

Configuring MinIO TLS Mode for ArcSight Database Back Up and Restore

These sections have instructions for configuring MinIO TLS mode to back up and restore the ArcSight database using a TLS-signed certificate and self-signed certificate:

Configuring the MinIO Backup Server Using a TLS-Signed Certificate

Follow these steps to configure the MinIO backup server using a TLS-signed certificate:

  1. Log in to the MinIO source server.

  2. Change to the Certificate directory:

    cd Sign-CA
  3. Generate the private key for MinIO's backup server:

    openssl genrsa -out backup_minio_private.key 4096
  4. Create the backup_minio_openssl.conf file:

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = <country>
    ST = <XX>
    L = <locality>
    O = <organization>
    OU = <organizational unit>
    CN = <MinIOBackupfqdn>
    [v3_req]
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = <MinioBackupIP-address>
    DNS.1 = <MinIOBackupfqdn>
  5. Create the MinIO backup server signing request:

    openssl req -new -key backup_minio_private.key -out backup_minio.csr -config backup_minio_openssl.conf -nodes
  6. Sign the certificate signing request using ca.crt from the MinIO source server:

    openssl x509 -req -in backup_minio.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -outform PEM -out backup_minio_public.crt -sha256 -extensions v3_req -extfile backup_minio_openssl.conf
  7. Run this command on the MinIO backup server:

    ./start-minio.sh
  8. Run these commands on the MinIO server:

    cd Sign-CA
    scp backup_minio_public.crt <backup_minio_server_IP>:/root/.minio/certs/public.crt
    scp backup_minio_private.key <backup_minio_server_IP>:/root/.minio/certs/private.key
    scp ca.crt <backup_minio_server_IP>:/root/.minio/certs/CAs
    scp ca.crt <backup_minio_server_IP>:/tmp
  9. Stop and start the MinIO backup server:

    ./stop-minio.sh
    ./start-minio.sh
  10. Log in to the console and create a bucket and folder on the MinIO backup server. For more information, see Creating a Bucket and Folder in MinIO.

Configuring the MinIO Backup Server Using a TLS Self-Signed Certificate

Follow these steps to configure the MinIO backup server using a TLS self-signed certificate:

  1. Log in to the MinIO backup server and create the self-sign directory:

    mkdir self-sign
    cd self-sign
  2. Create the backup_minio_openssl.conf file:

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = <country>
    ST = <XX>
    L = <locality>
    O = <organization>
    OU = <organizational unit>
    CN = <MinIOBackupfqdn>
    [v3_req]
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = <MinioBackupIP-address>
    DNS.1 = <MinIOBackupfqdn>
  3. Generate the self-signed certificate:

    openssl req -newkey rsa:4096 -sha256 -keyform PEM -keyout backup_private.key -x509 -days 3650 -outform PEM -out backup_public.crt -config backup_minio_openssl.conf -nodes
  4. Start MinIO:

    ./start-minio.sh
  5. Copy the backup_private.key and backup_public.crt files to the certificate directory:

    cp backup_private.key backup_public.crt /root/.minio/certs
    cp backup_public.crt /root/.minio/certs/CAs/ca.crt
  6. Stop and restart MinIO:

    ./stop-minio.sh
    ./start-minio.sh
  7. Log in to the console and create a bucket and folder on the MinIO backup server. For more information, see Creating a Bucket and Folder in MinIO.

  8. Copy backup_public.crt to all ArcSight database nodes:

    scp backup_public.crt <All-database-nodes>:/tmp
  9. Run this command on all ArcSight database nodes:

    cp /tmp/backup_public.crt /etc/pki/ca-trust/source/anchors;update-ca-trust

Configuring the ArcSight Database for Backup

Run these commands on ArcSight database node1 to configure the ArcSight database for backup:

    cd /opt/acsight-db-tools/config
    vi backup_restore_cloud_storage_base.ini

Change:

    ; cloud_storage_ca_bundle = /home/user/ssl_folder/ca_bundle.pem

to:

    cloud_storage_ca_bundle = /etc/pki/tls/certs/ca-bundle.crt

You are now ready to proceed with the backup procedures.