Cybersecurity Forum


simonai
New Contributor III

FortiSIEM: LDAPS Certificate Validation

Hi everyone

I just enabled the LDAPS Authentication on the FortiSIEM and it works fine. The only thing that I'm not yet completely happy about is that I cannot enable "Check Certificate", as the certificate check seems to fail.
I do have a local certificate authority, which also signed the certificate for the Active Directory servers. Now my question is: What certificate store does FortiSIEM use in order to verify the certificate? I already added the local root certificate to the CentOS certificate store (e.g. wget accepts the web server certificate issued by the same CA).

Thanks for your feedback and have a great day.
Simon
RobertEvans
New Contributor III

Hi Simon,

If you are using a private CA, the certificate you need to import will go into Glassfish, the Java EE backend that FortiSIEM uses.

On the supervisor:

1) If you don't have the server's cert handy, you can query it directly and stuff it in a file:
echo -n | openssl s_client -connect <ldap server ip>:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/<cert name>.crt

2) You can then use keytool to import the resulting cert file in /tmp into the Glassfish Java cert store.
With the commands below you can import the CA cert if you have it, or just use the LDAP server cert for both imports:
su admin
keytool -import -trustcacerts -alias ldapserverx -keystore /opt/glassfish/domains/domain1/config/cacerts.jks -file /tmp/somecert.crt
keytool -import -trustcacerts -alias ldapserverx -keystore /opt/glassfish/domains/domain1/config/keystore.jks -file /tmp/somecert.crt
If password prompt, type: "changeit"

3) Lastly, restart Java for the change to take effect:
killall -9 java
4) Wait about 3-6 minutes before UI responds again, relogin.

I agree I think there should be a UI option to import certificates into the Java cert store dynamically, I'll talk to the Fortinet team and place that feature request.

-Rob
simonai
New Contributor III

Hi Rob

Thanks for the feedback. It worked as intended. I just got the following question (where I answered with yes):

Certificate already exists in system-wide CA keystore under alias <certificatealias>
Do you still want to add it to your own keystore? [no]:

Furthermore, when updating the keystore.jks file I got the following warning:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/glassfish/domains/domain1/config/keystore.jks -destkeystore /opt/glassfish/domains/domain1/config/keystore.jks -deststoretype pkcs12".

Is this expected behavior?
Anyway, thanks for bringing along this feature request and have a good week.
Simon
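The following script is an added example, not code from the thread or from Fortinet. It reproduces the two points above on a throwaway lab: Rob's extraction-and-import procedure, and the question of which trust store actually decides whether "Check Certificate" passes. It builds a constructed private CA and a constructed domain-controller certificate in a temp directory (stand-ins for the poster's local CA and AD servers), runs the same sed range Rob used over certificate text output instead of a live s_client session (no LDAP server is reachable offline), and then verifies the leaf against two trust stores: one holding the lab CA and one holding an unrelated root, which is what a JVM trust store without the local root looks like. The keytool step answers Simon's JKS warning by creating a PKCS12 trust store directly; it assumes only that openssl is installed and skips quietly when no JDK is present. File names, aliases and subjects are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): constructed lab CA + LDAP server
# certificate, sed extraction as in Rob's step 1, and verification against two
# different trust stores. Assumes openssl on PATH; keytool is optional.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed lab CA: stands in for the poster's local certificate authority.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Constructed Lab Root CA" >/dev/null 2>&1

# Constructed domain-controller certificate signed by that CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
  -subj "/CN=dc01.lab.example" >/dev/null 2>&1
openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/ldap.pem" >/dev/null 2>&1

# An unrelated CA: stands in for a trust store (e.g. the JVM's default cacerts)
# that never had the local root added to it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" \
  -subj "/CN=Constructed Unrelated Root CA" >/dev/null 2>&1

# Same sed range Rob applies to "openssl s_client" output. Here the PEM block
# sits inside "openssl x509 -text" output; the human-readable chatter around
# it is exactly what the range expression discards.
extract_pem() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
openssl x509 -in "$WORK/ldap.pem" -text | extract_pem > "$WORK/extracted.pem"

# Returns 0 if the extracted leaf is byte-identical to the original PEM file.
extraction_matches() {
  if cmp -s "$WORK/ldap.pem" "$WORK/extracted.pem"; then return 0; else return 1; fi
}

# Returns 0 when the leaf chains to a root in the given trust store, 1 otherwise.
# This is the check FortiSIEM's "Check Certificate" has to pass, against
# whichever store the Java backend consults, not the OS-wide CentOS bundle.
verify_against_store() {
  store=$1; leaf=$2
  if openssl verify -CAfile "$store" "$leaf" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Rob's step 2, done the way the keytool warning recommends: a PKCS12 trust
# store instead of the legacy JKS format. Returns 2 when no JDK is installed.
import_into_java_truststore() {
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -importcert -noprompt -alias lab-root -storetype PKCS12 \
    -keystore "$WORK/truststore.p12" -storepass changeit \
    -file "$WORK/ca.pem" >/dev/null 2>&1
}

extraction_matches && echo "sed extraction reproduced the certificate"
verify_against_store "$WORK/ca.pem" "$WORK/ldap.pem" && echo "verify with lab CA: OK"
verify_against_store "$WORK/other.pem" "$WORK/ldap.pem" || echo "verify with unrelated CA: failed, as expected"
import_into_java_truststore && echo "lab CA imported into PKCS12 trust store" || echo "keytool import skipped or failed"
```

The middle two lines are the whole point of Simon's question: the same leaf certificate passes or fails depending only on which store the verifier is handed. On a FortiSIEM supervisor the relevant store is the one Glassfish reads, which is why adding the root to the CentOS bundle made wget happy but left "Check Certificate" failing until the CA was imported with keytool.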