The instructions below are not officially supported by RSA NetWitness Engineering, Support, or Services. Use at your own risk.
In lab systems, it is often useful to generate a TLS certificate from a public CA such as Let's Encrypt or ZeroSSL. Integrating these providers with NetWitness is made easier by acme.sh, an open source shell script which manages certificate issuance, renewal, and installation for a variety of ACME providers and validation methods.
AdminServer - NW Web UI
- First, install acme.sh, either directly from its GitHub repository, or via the curl command and helper script provided by the project:
curl https://get.acme.sh | sh -s email=webmaster.contact@example.com
source /root/.bashrc
- The installer should have created a cronjob to handle automatic renewals. If not, add the below to /etc/crontab:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
- Next, issue a certificate for your domain using one of the below methods:
- Nginx Integration:
This method requires port 80 of your NetWitness installation to be publicly accessible. This is not recommended for most deployments.
acme.sh --issue --nginx -d netwitness.example.com
- DNS Integration:
DNS validation methods store the provider API credentials in /root/.acme.sh/ for use during renewals.
- CloudFlare
export CF_Token="xxxxxxxxxxxxx"
export CF_Account_ID="xxxxxxxxxxxxx"
acme.sh --issue --dns dns_cf -d netwitness.example.com
- AWS Route53:
export AWS_ACCESS_KEY_ID="xxxxxxxxxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxx"
acme.sh --issue --dns dns_aws -d netwitness.example.com
- Further examples and details can be found on the acme.sh wiki.
- Following certificate creation, the certificate and key must be installed where Nginx expects them so the platform can use them. Helpfully, acme.sh includes this installation step and re-runs the reload command on every renewal:
acme.sh --install-cert -d netwitness.example.com \
  --key-file /etc/pki/nw/web/web-server-key.pem \
  --fullchain-file /etc/pki/nw/web/web-server-cert.pem \
  --reloadcmd "systemctl reload nginx"
LogCollector - VLC TLS
- First, install acme.sh, either directly from its GitHub repository, or via the curl command and helper script provided by the project:
curl https://get.acme.sh | sh -s email=webmaster.contact@example.com
source /root/.bashrc
- The installer should have created a cronjob to handle automatic renewals. If not, add the below to /etc/crontab:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
- Next, issue a certificate for your domain using one of the below methods:
- Standalone HTTP Server:
This method requires port 80 of your NetWitness installation to be publicly accessible. This is not recommended for most deployments.
acme.sh --issue --standalone -d vlc.example.com
- DNS Integration:
DNS validation methods store the provider API credentials in /root/.acme.sh/ for use during renewals.
- CloudFlare
export CF_Token="xxxxxxxxxxxxx"
export CF_Account_ID="xxxxxxxxxxxxx"
acme.sh --issue --dns dns_cf -d vlc.example.com
- AWS Route53:
export AWS_ACCESS_KEY_ID="xxxxxxxxxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxx"
acme.sh --issue --dns dns_aws -d vlc.example.com
- Further examples and details can be found on the acme.sh wiki.
- Following certificate creation, the certificate and key must be provided to the log collector. The UI configuration steps can be found in the Log Collection Configuration guide. The below commands create a directory to hold the certificates and configure an automatic restart of syslog collection on every certificate renewal:
mkdir -p /var/netwitness/logcollector/customcerts
acme.sh --install-cert -d vlc.example.com \
  --key-file /var/netwitness/logcollector/customcerts/logcollector_key.pem \
  --fullchain-file /var/netwitness/logcollector/customcerts/logcollector_cert.pem \
  --reloadcmd "NwConsole -q -c tlogin server=127.0.0.1 port=56001 username=admin group=Administrators cert=/etc/pki/nw/node/node.pem -c send /logcollection/syslog restart"
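Both procedures above (the Nginx installation for the Web UI and the log collector installation for VLC TLS) end with acme.sh --install-cert copying the key and full chain into place and running a reload command on every renewal. The script below is an added example written for this article; it is not part of acme.sh, NetWitness, or the official documentation. It verifies the outcome of either procedure: that the installed certificate and private key belong to each other, that the certificate is not close to expiry (an early sign that the renewal cron job or the reloadcmd is broken), and that the acme.sh account.conf file holding the exported DNS API tokens is readable by its owner only. The file paths are the ones used above; the 14-day warning threshold and the function names are assumptions. It depends only on openssl and stat.

```shell
#!/bin/sh
# Added example: post-install sanity checks for a certificate deployed by
# "acme.sh --install-cert". Not part of acme.sh or NetWitness.
# Usage: sh check_cert.sh CERT_FILE KEY_FILE [MIN_DAYS]
# e.g.   sh check_cert.sh /etc/pki/nw/web/web-server-cert.pem \
#                         /etc/pki/nw/web/web-server-key.pem

# Return 0 when CERT_FILE and KEY_FILE share the same public key and the
# certificate stays valid for at least MIN_DAYS (assumed default: 14).
# Returns 1 on a policy failure and 2 when a file is missing or unparseable.
check_installed_cert() {
    cert="$1"; key="$2"; min_days="${3:-14}"
    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 2; }
    [ -r "$key" ]  || { echo "cannot read private key: $key" >&2; return 2; }

    # Derive the public key from both files and compare digests; a mismatch
    # means --key-file and --fullchain-file came from different issuances.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    empty=$(printf '' | openssl sha256)
    if [ "$cert_pub" = "$empty" ] || [ "$key_pub" = "$empty" ]; then
        echo "could not parse certificate or key" >&2; return 2
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi

    # acme.sh renews well before expiry, so a certificate within MIN_DAYS of
    # its notAfter date means the cron job or the reloadcmd is not working.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires within $min_days days" >&2; return 1
    fi
    return 0
}

# The DNS API tokens exported before "acme.sh --issue --dns ..." are persisted
# in account.conf; require that file to be readable by its owner only.
check_acme_conf_perms() {
    conf="${1:-/root/.acme.sh/account.conf}"
    [ -f "$conf" ] || return 0              # HTTP validation: nothing stored
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$conf has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Run both checks when certificate and key paths are given on the command line.
if [ "$#" -ge 2 ]; then
    check_installed_cert "$1" "$2" "$3" && check_acme_conf_perms
    exit "$?"
fi
```

Run it once after the --install-cert step and again after the first scheduled renewal; a non-zero exit from the expiry check on a certificate older than the renewal window points at the cron entry from the second step, while a key/cert mismatch usually means one of the two --install-cert paths was edited by hand after issuance.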