HTTPS Certificate Configuration
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee
QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.
Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS
AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER
RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE
PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT
AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
Overview
Generate a Keystore
Generate a Certificate Signing Request (CSR)
Import a signed certificate
Install the new keystore on DAM Server
Disable HTTP (non-SSL) communication (Optional)
Enable Client Certificate Authentication (Optional)
Specify Cipher Suites to use for HTTPS (Optional)
Overview
McAfee DAM provides a rich Web Console that is accessible over HTTPS. The default installation of
McAfee DAM contains a pre-configured SSL certificate for HTTPS access. The pre-configured SSL
certificate is not signed by a trusted certificate authority. As a result, customers accessing the DAM
Console over HTTPS receive a browser security warning about the certificate, and because they have to
click through that warning they cannot tell the real DAM Server from a server impersonating it.
This document explains how to replace the pre-configured SSL certificate with an organization-specific
certificate issued by a CA that your browsers already trust.
This document assumes the reader has basic knowledge regarding SSL certificates.
Note: When running the DAM server in cluster mode, all nodes must use the same certificate or each
node must trust the other server certificates (see Import a signed certificate on how to import a
certificate as trusted).
Generate a Keystore
The keystore is used to hold the private key and certificate used by the DAM Server. To generate a new
keystore you will need to use the keytool executable. The keytool executable is part of the DAM
Server installation, at the following location:
<Server install root>\McAfee\McAfee Database Security\java\jre6\bin\keytool.exe. For
example: C:\Program Files\McAfee\McAfee Database Security\java\jre6\bin\keytool.exe
To generate a new keystore:
1 Run the following command to generate a new keystore containing a new 2048-bit RSA key pair:
<keytool dir>\keytool -genkey -alias tomcat -keystore newkeystore -keyalg RSA -keysize 2048
2 When prompted to enter a keystore password, enter: changeit. This is the default password that the
DAM Server's SSL Connector uses to open the keystore, so do not change it unless you also configure
the password in server.xml. The password does not protect the private key from anyone who can read
the file: restrict the NTFS permissions on the keystore to the DAM service account and administrators.
3 When prompted to enter first and last name, enter the fully qualified hostname of the machine where
the DAM Server is installed, exactly as users type it in the browser address bar. keytool stores this
answer as the certificate's CN, which browsers compare against the name in the URL; a personal name
here produces a certificate that browsers reject as a name mismatch even after the CA has signed it.
4 Fill in details regarding your organization when prompted. When prompted to accept the entered
details, enter: yes. When prompted to enter a key password, enter: changeit (the key password must
match the keystore password).
A new file named newkeystore is created in the current directory. It holds the private key, so treat it
like one: never send it to the CA and do not leave copies in shared locations.
Sample Output
The following is an example of the output (and sample input) when generating a new keystore:
c:\Program Files\McAfee\McAfee Database Security\java\jre6\bin>keytool -genkey -alias tomcat -keystore newkeystore -keyalg RSA -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Dan deMan
What is the name of your organizational unit?
[Unknown]: mycompany.com
What is the name of your organization?
[Unknown]: Mycompany
What is the name of your City or Locality?
[Unknown]: Santa Clara
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Dan deMan, OU=mycompany.com, O=Mycompany, L=Santa Clara, ST=CA, C=US correct?
[no]: yes
The sample answers "Dan deMan" at the first and last name prompt only to show the prompts; on a real
server enter the hostname as described in step 3, so that the CN in the last line is the server's name.
For more information on the keytool utility, see:
http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html
Generate a Certificate Signing Request (CSR)
After a new keystore file is generated, you can generate a Certificate Signing Request (CSR).
The CSR contains the public key and the subject name you entered; a trusted Certificate Authority (CA)
signs it to produce the SSL certificate. The private key never leaves the keystore.
To generate a CSR:
1 Run the following command:
<keytool dir>\keytool -certreq -alias tomcat -file certreq.csr -keystore newkeystore
2 When prompted to enter a keystore password, enter: changeit.
A new file named certreq.csr is created. Submit this file (and only this file, never the keystore) to a
trusted CA to obtain an SSL certificate. If the CA offers it, request the hostname as a Subject Alternative
Name as well, since newer browsers check the SAN rather than the CN; the JRE 6 keytool cannot add
that extension itself.
Import a signed certificate
After a certificate has been signed by a CA, you can import it back into the keystore.
IMPORTANT: You must import the certificates into the same keystore file that was used to generate
the private key and certificate request in the previous two steps; a CA reply imported anywhere else has
no private key to go with it. Additionally, you must import all CA certificates in the chain of trust,
including intermediate certificates (import with aliases: root1, root2 and so on), starting from the root
and working down, because keytool verifies each certificate against the ones already trusted in the
keystore.
To import the CA certificate:
1 Run the following command (assuming the CA certificate is included in the file: ca.cer):
keytool -import -alias root1 -file ca.cer -keystore newkeystore
2 When prompted to enter a keystore password, enter: changeit.
3 For a self-signed root, keytool prints the certificate and asks: Trust this certificate? Compare the
printed fingerprint with the one published by your CA before answering yes; this is the point at which a
wrong or attacker-supplied root would be accepted. Repeat the import for each intermediate
certificate, using alias root2, root3 and so on.
To import the signed certificate:
1 Run the following command (assuming the signed server certificate returned by the CA is in the file:
cert.cer):
keytool -import -alias tomcat -file cert.cer -keystore newkeystore
2 When prompted to enter a keystore password, enter: changeit.
keytool reports Certificate reply was installed in keystore when the reply matches the private key under
alias tomcat and chains to a trusted entry. If it instead reports that it failed to establish a chain from the
reply, an intermediate or root certificate is missing: import it as described above and retry.
The keystore now contains the signed certificate and is ready for installation on the DAM Server.
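The three keytool steps above, as an added example that is not part of the original guide or McAfee's software: a Python script that builds the same keytool commands (using keytool's -dname, -storepass and -keypass options, which the guide does not use, to avoid the interactive prompts) and then checks the finished keystore the way a reviewer would before installing it. The tomcat entry must be a PrivateKeyEntry whose chain is longer than one certificate (otherwise the CA reply was never imported), whose subject CN equals the hostname, and in which each certificate is issued by the next. The hostname dam.mycompany.com and the two keytool listings used as sample input are constructed for the example.

```python
"""Added example (not McAfee's code): run the keytool steps of 'Generate a
Keystore', 'Generate a CSR' and 'Import a signed certificate' without the
interactive prompts, then check the keystore before it goes into server.xml.

Assumed, not from the guide: the hostname dam.mycompany.com and keytool's
-dname/-storepass/-keypass options.  The two listings at the bottom are
constructed samples of 'keytool -list -v' output, not real keystores.
"""
import re
import subprocess

KEYTOOL = r"C:\Program Files\McAfee\McAfee Database Security\java\jre6\bin\keytool.exe"
KEYSTORE = "newkeystore"
PASSWORD = "changeit"  # the default the DAM SSL Connector opens the keystore with

def genkey_cmd(hostname, ou, org, city, state, country):
    """Step 1 of 'Generate a Keystore'; -dname puts the hostname in the CN instead
    of whatever gets typed at the 'first and last name' prompt."""
    dname = "CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s" % (hostname, ou, org, city, state, country)
    return [KEYTOOL, "-genkey", "-alias", "tomcat", "-keystore", KEYSTORE, "-keyalg", "RSA",
            "-keysize", "2048", "-dname", dname, "-storepass", PASSWORD, "-keypass", PASSWORD]

def certreq_cmd(csr_file="certreq.csr"):
    """'Generate a CSR'; the .csr goes to the CA, the keystore never does."""
    return [KEYTOOL, "-certreq", "-alias", "tomcat", "-file", csr_file,
            "-keystore", KEYSTORE, "-storepass", PASSWORD]

def import_cmd(alias, cert_file):
    """'Import a signed certificate': chain certs as root1, root2, ..., the CA reply as
    tomcat.  Deliberately no -noprompt, so keytool shows the root's fingerprint."""
    return [KEYTOOL, "-import", "-alias", alias, "-file", cert_file,
            "-keystore", KEYSTORE, "-storepass", PASSWORD]

def parse_keytool_list(text):
    """Parse 'keytool -list -v' output into {alias: {type, chain_length, owners, issuers}}."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")
        owners = [o.strip() for o in re.findall(r"^Owner: (.+)$", body, re.M)]
        chain = re.search(r"^Certificate chain length: (\d+)", body, re.M)
        entries[alias.strip()] = {
            "type": re.search(r"^Entry type: (\S+)", body, re.M).group(1),
            "chain_length": int(chain.group(1)) if chain else len(owners),
            "owners": owners,
            "issuers": [i.strip() for i in re.findall(r"^Issuer: (.+)$", body, re.M)],
        }
    return entries

def check_server_entry(entries, hostname, alias="tomcat"):
    """Reasons the keystore is not ready for the DAM connector; [] means ready."""
    e = entries.get(alias)
    if e is None:
        return ["no entry with alias %r" % alias]
    problems = []
    if e["type"] != "PrivateKeyEntry":
        problems.append("alias %s is a %s, not a PrivateKeyEntry" % (alias, e["type"]))
    if e["chain_length"] < 2:
        problems.append("chain length 1: CA reply not imported, certificate is still self-signed")
    cn = re.search(r"CN=([^,]+)", e["owners"][0]) if e["owners"] else None
    if cn is None or cn.group(1).strip().lower() != hostname.lower():
        problems.append("subject CN does not match hostname %s" % hostname)
    for i in range(len(e["owners"]) - 1):
        if e["issuers"][i] != e["owners"][i + 1]:
            problems.append("chain broken: cert %d was not issued by cert %d" % (i + 1, i + 2))
    return problems

def verify_keystore(hostname):
    """Run keytool -list -v against the real keystore and check it (needs the JRE)."""
    out = subprocess.check_output([KEYTOOL, "-list", "-v", "-keystore", KEYSTORE,
                                   "-storepass", PASSWORD])
    return check_server_entry(parse_keytool_list(out.decode("utf-8", "replace")), hostname)

# Constructed sample listings (not real output): a finished keystore, and one
# where only 'Generate a Keystore' has been done.
READY_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=dam.mycompany.com, OU=mycompany.com, O=Mycompany, L=Santa Clara, ST=CA, C=US
Issuer: CN=Mycompany Issuing CA, O=Mycompany, C=US
Certificate[2]:
Owner: CN=Mycompany Issuing CA, O=Mycompany, C=US
Issuer: CN=Mycompany Root CA, O=Mycompany, C=US

Alias name: root1
Entry type: trustedCertEntry

Owner: CN=Mycompany Root CA, O=Mycompany, C=US
Issuer: CN=Mycompany Root CA, O=Mycompany, C=US
"""

SELF_SIGNED_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Dan deMan, OU=mycompany.com, O=Mycompany, L=Santa Clara, ST=CA, C=US
Issuer: CN=Dan deMan, OU=mycompany.com, O=Mycompany, L=Santa Clara, ST=CA, C=US
"""

if __name__ == "__main__":
    for name, listing in (("ready", READY_LISTING), ("self-signed", SELF_SIGNED_LISTING)):
        print(name, check_server_entry(parse_keytool_list(listing), "dam.mycompany.com") or "OK")
```

verify_keystore() runs the real keytool and needs the JRE path to exist; the __main__ block exercises the check on the constructed listings only. Passing -storepass on the command line makes the password visible in process listings, which is acceptable for the default changeit but not for a password you actually rely on.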
Install the new keystore on DAM Server
To install the new keystore on DAM Server:
1 Copy the new keystore file newkeystore, generated in the previous steps, to the DAM conf dir and
name the copy custom-keystore. The conf dir is located at:
<Server install root>\McAfee\McAfee Database Security\conf.
For example: C:\Program Files\McAfee\McAfee Database Security\conf
2 Open the server.xml file located in the conf dir for editing. Search for the keystore attribute (it is
part of the SSL Connector element, the one with scheme="https") and modify it to point to the copied
custom-keystore file. The keystore value will be:
keystore="<Server install root>\McAfee\McAfee Database Security\conf\custom-keystore"
For example:
keystore="C:\Program Files\McAfee\McAfee Database Security\conf\custom-keystore"
3 Restart the DAM Server, then open https://<hostname>:8443/ (the port of the SSL Connector) in a
browser and confirm that no certificate warning appears and that the certificate details show your CA
as the issuer. Keep the original keystore file until this check passes, so you can roll back.
Disable HTTP (non-SSL) communication (Optional)
To enforce SSL communication for all DAM Console access, it is possible to disable HTTP (non-SSL)
communication to the DAM Server. Until you do, a console session over port 8080 carries the login
and all console traffic in clear text. To disable HTTP communication, modify the configuration file
server.xml located in the DAM conf dir. Conf dir is located at:
<Server install root>\McAfee\McAfee Database Security\conf. For example: C:\Program
Files\McAfee\McAfee Database Security\conf.
Delete or comment out the "Connector" element which does not have scheme="https" set. This
connector is usually listening on port 8080.
It is also possible to allow HTTP communication only for local connections (from the same machine)
by adding the attribute address="127.0.0.1" to that "Connector" element.
Restart the DAM Server after the change and confirm with netstat -an that port 8080 is either no longer
listening or is bound only to 127.0.0.1.
Enable Client Certificate Authentication (Optional)
It is possible to configure client certificate authentication. Depending upon company policy, client side
certificates usually qualify as the "something you have" factor of 2-factor authentication. With this
enabled, the TLS handshake itself fails for any client that does not present a certificate issued by a CA
in the truststore, so only users holding a valid SSL client certificate can reach the console login page.
Issue the client certificates before you enable the setting, or you will lock every user out.
To configure client certificate authentication, modify the configuration file server.xml located in the
DAM conf dir. Conf dir is located at:
<Server install root>\McAfee\McAfee Database Security\conf. For example: C:\Program
Files\McAfee\McAfee Database Security\conf.
Modify the SSL Connector element by changing the value of the attribute clientAuth from "false" to
"true".
Add to the SSL Connector element the attribute truststoreFile with the value of the keystore
containing the trusted CA certificates to use for validating client certificates. This file may be the same
as used for the keystore attribute, but a separate truststore holding only the CA that issues your client
certificates is the safer choice: every CA in the truststore can vouch for a client, so a truststore that also
contains public roots would accept a certificate from any of those CAs at the TLS layer. See sections:
"Generate a Keystore" and "Import a signed certificate" on how to create a keystore and import trusted
certificates.
Sample configuration change
The following is a sample configuration change of the Connector element in server.xml (the keystore and
truststoreFile paths are those of the sample installation; use the path you configured in "Install the new
keystore on DAM Server"):
<Connector port="8443" server="McAfee WebServer" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    clientAuth="true"
    truststoreFile="C:\Program Files (x86)\McAfee\McAfee Database Security\httpsKeystore\.keystore"
    sslProtocol="TLS"
    keystore="C:\Program Files (x86)\McAfee\McAfee Database Security\httpsKeystore\.keystore" />
Specify Cipher Suites to use for HTTPS (Optional)
It is possible to specify the cipher suites that are used for HTTPS communication, thereby disabling
cipher suites that do not match company policy. Without this attribute the JVM's default list applies,
which on Java 6 still includes RC4 and 3DES suites.
The cipher suites are specified by modifying the configuration file server.xml located in the DAM conf
dir. Conf dir is located at:
<Server install root>\McAfee\McAfee Database Security\conf. For example: C:\Program
Files\McAfee\McAfee Database Security\conf.
Open the server.xml file for editing and modify the SSL Connector element by adding to it an attribute
ciphers with a value of a comma separated list of suites, using the names exactly as listed under
"Supported ciphers". A misspelled suite name is simply not enabled, so check the list the server really
offers with a TLS scanner run from a client machine after the restart.
After the configuration change, you need to restart the DAM Server for the change to take effect.
Sample configuration change
The following is a sample configuration change of the Connector element in server.xml. The sample keeps
the RC4 and 3DES suites for compatibility with old clients; RC4 has known keystream biases and should be
removed from the list wherever every client supports AES:
<Connector port="8443" server="McAfee WebServer" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystore="C:\Program Files (x86)\McAfee\McAfee Database Security\httpsKeystore\.keystore"
    ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
             SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
Supported ciphers
List of cipher suites supported by the JRE 6 SunJSSE provider (more info available at:
http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider ).
The list is everything the JVM can negotiate, not a recommendation: the NULL suites provide no
encryption, the DH_anon suites no server authentication, and the EXPORT and single-DES suites use key
lengths that are breakable today. Choose from the AES suites and leave the rest disabled.
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
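The three optional hardenings above (HTTP disabled or bound to 127.0.0.1, clientAuth with a truststore, an explicit ciphers list), as an added example that is not McAfee's code: a Python audit of the Connector elements in server.xml, plus a filter that derives a ciphers= value from the supported list by dropping the NULL, anonymous, export, single-DES, RC4, MD5 and Kerberos suites and, unless explicitly allowed, 3DES. The two server.xml documents and the keystore paths in them are constructed samples, and the selection policy is the example's own, not McAfee's.

```python
"""Added example (not McAfee's code): audit the SSL Connector settings from the
three optional sections of this guide (HTTP disabled or local-only, client
certificate authentication, cipher suites) and build a ciphers= value that
keeps only policy-conforming suites from the supported list.

The two server.xml documents below are constructed samples modelled on the
guide's Connector snippets, not files from a real installation, and the
keystore path C:\\DAM\\conf\\custom-keystore is a placeholder.
"""
import xml.etree.ElementTree as ET

# The suites the guide lists as supported by the JRE 6 SunJSSE provider.
SUPPORTED = """
SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
""".split()

# Never enable: no encryption, anonymous DH (no server authentication), export
# grade, single DES, RC4, MD5 MACs, and Kerberos suites the console cannot use.
# 3DES (64-bit blocks) is legacy only: keep it for old clients at most.
FORBIDDEN = ("_NULL_", "_anon_", "_EXPORT_", "_DES_", "_RC4_", "_MD5", "_KRB5_")
LEGACY = ("_3DES_",)

def select_ciphers(supported=SUPPORTED, allow_legacy=False):
    """Filter the supported list down to what the policy above allows."""
    banned = FORBIDDEN if allow_legacy else FORBIDDEN + LEGACY
    return [s for s in supported if not any(m in s for m in banned)]

def audit_connectors(server_xml, allowed):
    """Check every Connector in a server.xml string; returns a list of findings."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("scheme", "http") != "https":
            if c.get("address") != "127.0.0.1":
                findings.append("port %s: plain HTTP connector reachable from the network; "
                                "delete it or add address=\"127.0.0.1\"" % port)
            continue
        if c.get("clientAuth", "false").lower() == "true" and not c.get("truststoreFile"):
            findings.append("port %s: clientAuth=true but no truststoreFile, "
                            "so no client certificate can be validated" % port)
        ciphers = c.get("ciphers")
        if ciphers is None:
            findings.append("port %s: no ciphers attribute, JVM default list applies "
                            "(includes RC4 and 3DES on Java 6)" % port)
            continue
        bad = [s.strip() for s in ciphers.split(",") if s.strip() and s.strip() not in allowed]
        if bad:
            findings.append("port %s: disallowed cipher suites %s" % (port, ", ".join(bad)))
    return findings

# Constructed sample: only 'Install the new keystore' done, plus clientAuth
# switched on without a truststore and the guide's sample cipher list.
UNHARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="McAfee WebServer">
  <Connector port="8080" maxThreads="150" enableLookups="false" />
  <Connector port="8443" server="McAfee WebServer" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystore="C:\\DAM\\conf\\custom-keystore"
             ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA" />
</Service></Server>"""

# Constructed sample: all three optional hardenings applied.
HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="McAfee WebServer">
  <Connector port="8080" address="127.0.0.1" maxThreads="150" enableLookups="false" />
  <Connector port="8443" server="McAfee WebServer" scheme="https" secure="true"
             clientAuth="true" truststoreFile="C:\\DAM\\conf\\client-ca-truststore"
             sslProtocol="TLS" keystore="C:\\DAM\\conf\\custom-keystore"
             ciphers="%s" />
</Service></Server>""" % ",".join(select_ciphers())

if __name__ == "__main__":
    print('ciphers="%s"' % ",".join(select_ciphers()))
    for name, doc in (("unhardened", UNHARDENED_XML), ("hardened", HARDENED_XML)):
        print(name, audit_connectors(doc, select_ciphers()) or "no findings")
```

Run it against your own file with audit_connectors(open(path).read(), select_ciphers()); the audit only reads attributes the guide describes, so a Connector using other attribute names for the same settings is reported as unconfigured rather than silently passed.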