How to setup TLS Client Authentication for Graylog


(Ganeshbabu Ramamoorthy) #1

Hi All,

I am currently unable to set up TLS Client Authentication (TLS Client Auth Trusted Certs) for my Graylog application.

Consider this as our scenario:

I am running Graylog version 2.3.0. I bought valid certificate & key files from a third party and configured them in server.conf, and the application was running fine and secured. Since my certificate has a Common Name like *.companysoft.com, whatever prefix comes before it will authenticate and make the application secured.

Since I will be using these certificates for all my clients, I want to try enabling TLS client authentication for each of my clients. I want to ensure my prod application reaches each of my clients with their own TLS client auth trusted certs.

I couldn't find any documentation related to TLS client authentication in Graylog, and it navigates to a Wikipedia page.

Please kindly share some reference documentation with us and let me know your thoughts.

Any help would be really appreciated.

Thanks,
Ganeshbabu R


(Jochen) #2

With which part of Graylog would you like to use TLS client authentication?


(Ganeshbabu Ramamoorthy) #3

@jochen
We want to connect to the Graylog application through a Beats input with TLS client authentication.


(Jochen) #4

That should work with a correctly configured Beats input.

What specific problems did you run into? Please provide the relevant configuration snippets and log messages.


(Ganeshbabu Ramamoorthy) #5

Hi @jochen

Below is my Beats input, configured with a valid cert & key in the DEV Graylog environment:

bind_address: 0.0.0.0
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/companysoft/devcluster/graylog-certificate.pem
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/companysoft/devcluster/graylogkey.pem

Metricbeat.yml

output.logstash:
  # The Logstash hosts
  hosts: ["dev.companysoft.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: [""]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/metricbeat/graylog-certificate.pem"

  # Client Certificate Key
  ssl.key: "/etc/metricbeat/graylogkey.pem"

Let me explain more clearly:

We have two environments, DEV & UAT, of the Graylog application with SSL set up, running in parallel, and it was working fine without any issues:

DEV graylog URL :- https://dev.companysoft.com/
UAT graylog URL :- https://uat.companysoft.com/

Consider client A sending data to the DEV Graylog URL through Metricbeat to port 5044; I have created a Beats input in DEV and it was running.

Similarly, client B is sending data to the UAT Graylog URL through Metricbeat to port 5045; a Beats input is configured in UAT and it was running.

The above setup was working fine and able to send data to the respective environments without any issues. I can see the data coming into Graylog successfully.

But now, if I change the DEV Graylog URL to the UAT Graylog URL in client A's Metricbeat, I am able to send data, since the Beats input is running on that port in UAT. I don't want this to happen on a client and need to avoid this scenario, so that's why I am trying to create TLS client-based auth certs. But I am not sure how to build a certificate authority.

Note: I know that if I had different certificates I could avoid this scenario, but the certificates which I bought look something like this:

Owner: CN=*.companysoft.com, O=CompanySoft, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

So my objective is simple: client A should only send data to DEV Graylog & client B should only send data to UAT Graylog. I thought that by creating TLS client-based authentication I could easily achieve my goal, but I was not sure how to do that.

I hope my understanding of TLS client-based authentication is correct; please correct me if I am wrong in this approach.

Kindly let me know your thoughts.

Regards,
Ganeshbabu R


(Jochen) #6

If you want to use TLS client authentication, you have to configure the tls_client_auth_cert_file setting of the Beats input accordingly.


(Ganeshbabu Ramamoorthy) #7

@jochen

How to create that TLS client auth cert file?
Is there any specific format for that file?

I have only two PEM files:

  1. graylog-certificate.pem
  2. graylogkey.pem

Could you please share some reference document or any command to generate the auth cert file?


(Jochen) #8

PKCS#8 in PEM encoding.


(Ganeshbabu Ramamoorthy) #9

Yes, my key file (graylogkey.pem) has this format only…
Do I need to use this key file for generating the TLS client auth cert?

Please correct me if I am wrong.


(Jochen) #10

The TLS client authentication certificate should be a CA certificate against which the client TLS certificates can be checked.


(Ganeshbabu Ramamoorthy) #11

I can create a self-signed CA.crt by using the below commands:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

But we got the original valid TLS certificates from a third party.

Do I need to generate the CA certificate manually, or should I ask the third-party owner to generate a CA certificate for my TLS certificates?
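The setup Jochen points at in #10 (a CA certificate in tls_client_auth_cert_file, against which the clients' certificates are checked) and the CA commands in #11, carried through end to end as an added example; this is not code from the thread or from the Graylog project. The purchased *.companysoft.com certificate is an end-entity server certificate, so it cannot issue client certificates and stays where it is (tls_cert_file / tls_key_file). Instead the script creates one private client CA per environment, issues one client certificate per Beats host from the matching CA, and uses `openssl verify` to show offline the decision the Beats input would make during the handshake: client A's certificate chains only to the DEV CA and client B's only to the UAT CA. File names, subjects and the /etc/companysoft/...cluster/ paths are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Graylog): one private client CA per
# Graylog environment, one client certificate per Beats host, and an offline
# check with `openssl verify` of which CA each client certificate chains to.
# All file names, subjects and paths are placeholders constructed for the example.
set -eu

# Create a self-signed CA for one environment ("dev" or "uat").
# Writes $dir/ca-$envname.key and $dir/ca-$envname.crt in PEM encoding.
# The .crt is what goes into tls_client_auth_cert_file on that environment's
# Beats input; the .key stays offline and is only used to sign client CSRs.
make_ca() {
  dir=$1; envname=$2
  openssl genrsa -out "$dir/ca-$envname.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca-$envname.key" -sha256 -days 3650 \
    -subj "/CN=graylog-$envname-client-ca/O=CompanySoft" \
    -out "$dir/ca-$envname.crt" 2>/dev/null
}

# Issue a client certificate for $client, signed by the $envname CA.
# Writes $dir/$client.key and $dir/$client.crt, which become ssl.key and
# ssl.certificate in that host's metricbeat.yml.
make_client_cert() {
  dir=$1; envname=$2; client=$3
  openssl genrsa -out "$dir/$client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$client.key" \
    -subj "/CN=$client/O=CompanySoft" -out "$dir/$client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$client.csr" -sha256 -days 365 \
    -CA "$dir/ca-$envname.crt" -CAkey "$dir/ca-$envname.key" -CAcreateserial \
    -out "$dir/$client.crt" 2>/dev/null
}

# The same check the Beats input performs during the TLS handshake when
# tls_client_auth is "required": does $client.crt chain to the $envname CA?
# Prints "accepted" or "rejected".
check_client() {
  dir=$1; envname=$2; client=$3
  if openssl verify -CAfile "$dir/ca-$envname.crt" "$dir/$client.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Print the two Beats input settings to change for one environment
# (the path is a placeholder; the purchased server cert/key are left as they are).
input_settings() {
  envname=$1
  printf 'tls_client_auth: required\ntls_client_auth_cert_file: /etc/companysoft/%scluster/ca-%s.crt\n' \
    "$envname" "$envname"
}

demo() {
  work=$(mktemp -d)
  make_ca "$work" dev
  make_ca "$work" uat
  make_client_cert "$work" dev client-a   # client A belongs to DEV
  make_client_cert "$work" uat client-b   # client B belongs to UAT
  echo "client-a -> DEV input: $(check_client "$work" dev client-a)"  # accepted
  echo "client-a -> UAT input: $(check_client "$work" uat client-a)"  # rejected
  echo "client-b -> UAT input: $(check_client "$work" uat client-b)"  # accepted
  echo "client-b -> DEV input: $(check_client "$work" dev client-b)"  # rejected
  input_settings dev
  rm -rf "$work"
}

demo
```

On the client side only the files change: client A's metricbeat.yml keeps the `output.logstash` block from #5 but points `ssl.certificate` and `ssl.key` at client-a.crt and client-a.key instead of the shared server certificate and key, and the private CA key never leaves the machine that signs the CSRs. With `tls_client_auth: required` on the UAT input and ca-uat.crt in its `tls_client_auth_cert_file`, a client A that is repointed at uat.companysoft.com:5045 fails the handshake, which is exactly the scenario described in #5.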


(Johnb) #12

(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.