Log Insight Agent and SSL Parameters

Log Insight 4.0 changed the default option of “ssl” from off to on as I covered in this post. Using encryption by default is a best practice, but you should be aware of the four SSL parameters that can be set in the [server] section of the Log Insight agent configuration. Read on to learn more!

li-agent-logo

Behavior

The vRealize Log Insight Agent stores certificates and uses them to verify the identity of the server during all but the first connection to a particular server. If the server identity cannot be confirmed, the vRealize Log Insight Agent rejects the connection with server and writes an appropriate error message to the log file:

Certificates received by the Agent are stored in cert folder:

  • Windows = C:\ProgramData\VMware\Log Insight Agent\cert
  • Linux = /var/lib/loginsight-agent/cert

Rules

  • If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives a different valid self-signed certificate with the same public key, then the agent accepts the new certificate. This can happen when a self-signed certificate is regenerated using the same private key but with different details like new expiration date.
  • If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives valid CA-signed certificate, the vRealize Log Insight Agent silently replaces new accepted certificate.
  • If the vRealize Log Insight Agent receives a self-signed certificate after having a CA-signed certificate, the Log Insight Agent rejects it. The vRealize Log Insight Agent accepts self-signed certificate received from vRealize Log Insight Server only when it connects to the server for the first time.
  • If the vRealize Log Insight Agent has a locally stored CA-signed certificate and receives a valid certificate signed by another trusted CA, the Agent rejects it.

Parameters

ssl_ca_path

This specifies the location of the trusted root certificates on the client system. By default, the agent looks in the following locations:

  • Windows: System root certificate stores (no way to change)
  • Linux
    • /etc/pki/tls/certs/ca-bundle.crt
    • /etc/ssl/certs/ca-certificates.crt

IMPORTANT: Some versions of Linux do not include either file specified above (e.g. SLES 11). If you need to generate this file, you can use the script provided here. Be sure to name the file according to the standards above unless you plan to define the ssl_ca_path yourself.

ssl_accept_any=no and ssl_accept_any_trusted=no

Based on the SSL rules defined about, the Log Insight agent will only accept:

  • The first self-signed certificate it receives (by default, the Log Insight server ships with a self-signed certificate)
  • Another self-signed certificate with the same public key as the first self-signed certificate
  • The first trusted certificate as defined by the ssl_ca_path parameter
  • The first trusted certificate as defined by the ssl_ca_path parameter after the first self-signed certificate

If you change from:

  1. One self-signed certificate to another with a different private key
  2. One trusted certificate to a self-signed certificate
  3. A different trusted certificate after the first trusted certificate

Then the Log Insight agent will not accept the change unless:

  • The ssl_ca_path specified includes the self-signed certificate (which it will not by default).
  • The ssl_accept_any is set to “yes”. This option can get around all three limitations, but at the expense of security. It is recommended that you DO NOT change this setting.
  • The ssl_accept_any_trusted is set to “yes”. This will overcome the third limitation defined above only.¬†It is recommended that you DO NOT change this setting.

NOTE: While not supported and not recommended, you can overcome all three limitations once more by removing the certificates listed in the cert directory of the agent.

ssl_cn

The default common name that the Log Insight agent expects is “VMware vCenter Log Insight”. If this common name does not match then the agent looks attempts to match the hostname field as defined in the [server] section of the Log Insight agent configuration.

NOTE: If the common name of the SSL certificate is based on a wildcard certificate (e.g. *.sflanders.net) then the agent will attempt to match based on the hostname field properly (e.g. li.sflanders.net will match).

If both attempts fail to match then the agent will deny the SSL certificate and not send events. If the common name is some other value, then you can define it with the ssl_cn option.

© 2017 – 2016, Steve Flanders. All rights reserved.

Leave a Reply