Users Guide

ManualsBrandsDell ManualsConverged InfrastructureEndpoint Security Suite Pro

Table Of Contents

● The "Certificate" type is now populated in the Type of Notification column of the All Notification Report in Compliance

Reporter. [DDPS-5217]

● Upgrade no longer fails when the Run As Service account is changed during the upgrade. [DDPS-5226]

● Audit events can be exported to a SIEM/syslog server with TLS/SSL over TCP, with the following configuration changes:

To use TLS/SSL, the syslog server must be configured to listen for TLS/SSL messages. The root certificate used for the

syslog server configuration must be added to the Dell Server Java keystore.

The following example shows necessary configurations for a Splunk server with default certificates. Configurations are

specific to individual environments. Property values vary when using non-default certificates.

1. Configure the Splunk server to use the Splunk Server certificate and root certificate to listen on TCP for TLS/SSL

messages:

$SPLUNK_HOME\etc\system\local\inputs.conf

[tcp-ssl:<port number>]

disabled = 0

[SSL]

serverCert = $SPLUNK_HOME\etc\auth\server.pem

sslPassword = <password>

requireClientCert = false

$SPLUNK_HOME\etc\system\local\server.conf

[sslConfig]

sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem

sslPassword = <password>

2. Restart the Splunk server.

After the restart, splunkd.log will have entries similar to the following:

07-10-2017 16:27:02.646 -0500 INFO TcpInputConfig - IPv4 port 5540 is reserved for raw input (SSL)

07-10-2017 16:27:02.646 -0500 INFO TcpInputConfig - IPv4 port 5540 will negotiate new-s2s protocol

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 5540 is reserved for raw input (SSL)

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 5540 will negotiate new-s2s protocol

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 9997 will negotiate new-s2s protocol

07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5540 with SSL

07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5541 with Non-SSL

07-10-2017 16:27:02.654 -0500 INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with Non-SSL

3. Configure the Dell Server to communicate with the Splunk server and export audit events.

Use the keytool command to add the Splunk server's root certificate (cacert.pem) to the Dell Server operating system

Java keystore. The certificate is added to the operating system Java keystore and not to the Dell Server application Java

keystore.

keytool -keystore <keystore_location> -alias <alias-name> -importcert -file

<certificate_file>

For Security Management Server - Add the Splunk server's root certificate (cacert.pem) to the

Java keystore, which in Windows is usually located in this path: C:\Program Files\Dell\Java

Runtime\jre1.8\lib\security\cacerts

For Security Management Server Virtual - Add the Splunk server's root certificate (cacert.pem) to /etc/ssl/certs/

java/cacerts and restart the Dell Server.

4. Modify the Dell Server database to change the SSL value from false to true.

In the database, navigate to the information table, SIEM-specific support configuration.

Change the "SSL":"false" value to "SSL":"true" - for example:

Dell Security Management Server Technical Advisories