SimonMonai
New Member
January 29, 2021
Question

FortiSIEM: LDAPS Certificate Validation

  • January 29, 2021
  • 1 reply
  • 1100 views
Hi everyone

I just enabled the LDAPS Authentication on the FortiSIEM and it works fine. The only thing that I'm not yet completely happy about is that I cannot enable "Check Certificate", as the certificate check seems to fail.
I do have a local certificate authority, which also signed the certificate for the Active Directory servers. Now my question is: What certificate store does FortiSIEM use in order to verify the certificate? I already added the local root certificate to the CentOS certificate store (e.g. wget accepts the web server certificate issued by the same CA).

Thanks for your feedback and have a great day.
Simon

    1 reply

    RobertEvans
    New Member
    January 29, 2021
    Hi Simon,

    If you are using a private CA, the certificate you need to import will go into Glassfish, the Java EE backend that FortiSIEM uses.

    On the supervisor:

    1) If you don't have the server's cert handy, you can query it directly and stuff it in a file:
    echo -n | openssl s_client -connect <ldap server ip>:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/<cert name>.crt

    2) You can then use keytool to import the resulting cert file in /tmp into the Glassfish Java cert store.
    With the commands below you can import the CA cert if you have it, or just use the LDAP server cert for both imports:
    su admin
    keytool -import -trustcacerts -alias ldapserverx -keystore /opt/glassfish/domains/domain1/config/cacerts.jks -file /tmp/<cert name>.crt
    keytool -import -trustcacerts -alias ldapserverx -keystore /opt/glassfish/domains/domain1/config/keystore.jks -file /tmp/<cert name>.crt
    If prompted for a password, type: "changeit"

    3) Lastly, restart Java for the change to take effect:
    killall -9 java
    4) Wait about 3-6 minutes before the UI responds again, then log in again.

    I agree, I think there should be a UI option to import certificates into the Java cert store dynamically; I'll talk to the Fortinet team and place that feature request.

    -Rob
    SimonMonai
    New Member
    February 1, 2021
    Hi Rob

    Thanks for the feedback. It worked as intended. I just got the following question (where I answered with yes):

    Certificate already exists in system-wide CA keystore under alias <certificatealias>
    Do you still want to add it to your own keystore? [no]:

    Furthermore, when updating the keystore.jks file I got the following warning:

    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/glassfish/domains/domain1/config/keystore.jks -destkeystore /opt/glassfish/domains/domain1/config/keystore.jks -deststoretype pkcs12".

    Is this expected behavior?
    Anyway thanks for bringing along this feature request and have a good week.
    Simon