Installing Tripwire Axon Agent using PKI

This section describes the process to install and configure the Axon Agent using PKI to authenticate communication with the Axon Access Point.

Note 

Tripwire strongly recommends installation using a pre-shared key instead of PKI unless you have an existing centralized public key infrastructure and are comfortable with creating and maintaining certificate keys. Using a pre-shared key is equally secure, and greatly simplifies the configuration process.

For installation instructions using a pre-shared key, see Installing Tripwire Axon Agent using a Pre-Shared Key.

For more information about these different authentication methods, see Choosing an Authentication Method for TLC Axon Agents.

Certificate Requirements

The Axon Access Point and Axon Agent X.509 certificates must meet the following requirements:

The certificates must use an RSA key of a minimum size defined by FIPS 140-3.

The certificates on the Access Point and on each Axon Agent must be signed by a common CA.

Step 1. Creating Certificates on the Tripwire Log Center Manager

To create certificates and place them in a key store on the Tripwire Log Center Manager:

1. Create an X.509 certificate to be used by the Axon Access Point.
2. Place the Access Point certificate and the signed certificate chain into a Java BCFKS key store. 

For example, if you have a PKCS#12 key store that contains the Access Point's key and signed certificate, convert it to BCFKS format using the following keytool command:

keytool -importkeystore -srckeystore <path_to_PKCS#12_key_store> ‑srcstoretype PKCS12 -destkeystore bridge.ks -deststoretype BCFKS ‑srcstorepass <PKCS#12_key_store_password>
-deststorepass <tw.cap.bridge.keyStorePassword> -providername BCFIPS ‑providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
-providerpath <TLC_Manager_install_dir>\Tripwire Axon Access Point\lib\bc-fips-*.jar

If you have a traditional Java key store (JKS format) that contains the Access Point's key and signed certificate, use a similar keytool command to convert it to BCFKS format:

keytool -importkeystore -srckeystore <path_to_JKS_key_store>
-destkeystore bridge.ks -deststoretype BCFKS
-srcstorepass <java_key_store_password>
-deststorepass <tw.cap.bridge.keyStorePassword> -providername BCFIPS
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
-providerpath <TLC_Manager_install_dir>\Tripwire Axon Access Point\lib\bc-fips-*.jar

Tip 

Remember this key store password value that you specify for -deststorepass. You will need to specify this password in the next step.

3. Import the CA cert used to sign the Access Point certificates. 

keytool -import -alias tw_agent_ca -file <path_to_CA_certificate>
-keystore <path_to_bridge.ks> -storepass <password_for_bridge.ks>
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
-storetype BCFKS -providername BCFIPS
-providerpath <TLC_Manager_install_dir>\Tripwire Axon Access Point\lib\bc-fips-*.jar

Step 2. Configuring the Axon Access Point on a Tripwire Log Center Manager

Note 

The Axon Access Point only needs to be configured on a Tripwire Log Center Manager once, before connecting to an Axon Agent for the first time. If the Access Point has already been configured (that is, the Access Point is already connected to an Axon Agent) proceed to Step 3. (Optional) Configuring a DNS SRV Record for the Axon Agent's Domain.

To configure the Tripwire Axon Access point on a Tripwire Log Center Manager: 

1. Ensure that a supported version of Tripwire Log Center Manager is installed.
2. Verify that port 5670 is available on the Tripwire Log Center Manager.
3. At a command prompt, enter the following command to stop the Access Point service:

net stop TripwireAxonAccessPoint

4. Open the following file in a text editor:

<TLC_Manager_install_dir>\Tripwire Axon Access Point\
config\bridge.properties.sample

5. Save a copy of this file with the name bridge.properties in the same directory.
6. In the bridge.properties file, complete the following steps: 
a. Locate the following line: 

#tw.cap.bridge.port=5670

This entry specifies the port with which the Tripwire Axon Access Point will 'listen' for incoming log messages from Axon Agents (5670 by default). If you want to use another port, remove the pound sign (#) from the beginning of the line and replace "5670" with the new port number.

b. Locate the following line, then remove the pound sign (#) and set the value to PKI to configure PKI authentication mode:

#tw.cap.bridge.authMode=Pki

c. Locate the following line, then remove the pound sign and set the value to the certificate and key store’s password:

#tw.cap.bridge.keyStorePassword=<keystore_password>

where <keystore_password> is the certificate and key store password for the Access Point certificate key store.

d. By default, the Access Point uses TLSv1.2 with cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. To change these settings, see Configuring TLS Versions and Cipher Suites.
e. Save the file.
7. Copy the previously created certificate key store into place:

TLC_Manager_install_dir>\Tripwire Axon Access Point\data\bridge\bridge.ks

Note 

The bridge directory will need to be created if it does not exist.

8. At a command prompt, enter the following command to start the Tripwire Axon Access Point Service:

net start TripwireAxonAccessPoint

Tip 

If you encounter a problem with the Axon Access Point after configuration, review the Access Point log file to assess the issue:

<TLC_Manager_install_dir>/Tripwire Axon Access Point/log/TripwireAAP.log

For additional assistance, contact Tripwire Support.

Step 3. (Optional) Configuring a DNS SRV Record for the Axon Agent's Domain

In a Domain Name System (DNS), an SRV record (or service record) defines the hostnames and port numbers of servers running various services. If you have a DNS Server with an SRV record for the domain(s) containing the Axon Agent host system, no further configuration of the host system will be required following the installation of Tripwire Axon Agent for TLC (see Step 4. Installing the Tripwire Axon Agent for TLC). Instead, following installation, the Agent will query the DNS Server for any SRV records in the DNS domains associated with any IP addresses assigned to the Axon Agent host system’s interfaces.

If you do not wish to employ DNS SRV records to configure the Axon Agent, proceed to Step 4. Installing the Tripwire Axon Agent for TLC.

Otherwise, edit one of the DNS SRV records for the Axon Agent host system's domains as described below.

To edit an SRV record on your DNS server:

1. Open the SRV record for a domain containing the Axon Agent host system. The name of the SRV record will appear in this format: 

_tw-tlc-agw._tcp.<domain_name>

where <domain_name> is the name of the domain.

2. To specify the Tripwire Log Center Manager to which the Axon Agent will send data, enter the server's IP address or host name in the Server Hostname field.
3. In the Port field, enter the number of the port on the Tripwire Log Center Manager to be used for communications with Axon Agents. To use the default port, enter 5670.

Step 4. Installing the Tripwire Axon Agent for TLC

Install Tripwire Axon Agent for TLC software on each Agent host system to be monitored. For instructions, see Step 3. Installing Tripwire Axon Agent for TLC.

Step 5. Creating Certificates on an Axon Agent

Follow the steps below to create certificates and place them in a key store on each Axon Agent that will connect with the Tripwire Log Center Manager.

To create certificates and place them in a key store on an Axon Agent:

1. Create an X.509 certificate for the Axon Agent.
2. Place the Agent's certificate and the signed certificate chain into a PKCS#12 key store.

Note 

The key store must use PBE-SHA1-3DES for obfuscation.

Remember the password you specify for the Axon Agent key store. You will need to specify this password in the next step.

Step 6. Configuring the Axon Agent

To configure an Axon Agent to communicate with the Tripwire Log Center Manager, you edit the Agent's configuration file twagent.conf. You must edit the configuration file on each system where Axon Agent is installed.

To configure the Axon Agent:

1. At a command prompt, enter one of the following commands to stop the Axon Agent service:

AIX:
stopsrc -s tw-axon-agent-tlc

Linux:
/sbin/service tw-axon-agent-tlc stop

Windows:
net stop TripwireAxonAgentTLC

2. Open one of the following files in a text editor:

AIX or Linux:
/etc/tripwire-tlc/twagent_sample.conf

Windows:
%PROGRAMDATA%\Tripwire\agent-tlc\config\twagent_sample.conf

3. Save a copy of this file with the name twagent.conf in the same directory.
4. If you did not configure an SRV record in Step 3. (Optional) Configuring a DNS SRV Record for the Axon Agent's Domain, you must manually enter the host name or IP address of the Tripwire Log Center Manager as the bridge.host option in the Axon Agent configuration file.

bridge.host=<product_server_hostname_or_IP>

If you did configure an SRV record, the Axon Agent will query the DNS Server when you restart the Axon Agent service (below). This query will attempt to identify an SRV record and use the hostname or IP address and port from the record to connect to the Axon Access Point. If the query is successful, the Axon Agent's running configuration will use these values as the bridge.host and bridge.port options (see Table 20).

5. The Axon Agent spools data to be sent to the Tripwire Log Center Manager's Access Point (see Getting Started with Tripwire Axon Agent for TLC). Based on the speed with which the Axon Agent collects data from the Agent host system, edit the spool.size.max option to adjust the size of the spool (see Table 19).

Note 

When the Axon Agent sends data to the Tripwire Log Center Manager, it first copies the data to the spool. If the connection is dropped, transmitted data may be lost. In this case, the server will ask the Axon Agent to re-send the spooled data. A spool size that is too small will limit the Agent's ability to respond to such requests, while a spool size that is too large will needlessly fill the Agent's disk space with old data.

Table 19. Guidelines for spool.size.max

Spool Size

If the Axon Agent collects ...

Recommended value for spool.size.max

Small

... 1 to 5 events (i.e., log messages) per second (EPS)

100 MB

Medium

... 6 to 10 events per second (EPS)

500 MB

Large

... 11 or more events per second (EPS)

1 GB

6. As needed, edit the values of the other options in the Axon Agent configuration file (see Table 20).
7. (Optional) To configure the Axon Agent to communicate through a SOCKS5 proxy, edit the values for the SOCKS5 settings. For more information, see Table 21.
8. (Optional) By default, the Axon Agent uses TLSv1.2 with cipher suites DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384. To change these settings, see Configuring TLS Versions and Cipher Suites.
9. Set the following values in the twagent.conf file to enable PKI authentication mode:

bridge.auth.mode=pki

keystore.password=<keystore_password>

where <keystore_password> is the certificate and key store password for this Axon Agent's certificate store.

10. Copy the keystore.p12 certificate store for this Axon Agent into one of these directories:

AIX or Linux: /etc/tripwire-tlc/trust

Windows: %PROGRAMDATA%\Tripwire\agent-tlc\config\trust

Note 

The trust directory will need to be created if the Axon Agent has not been previously started.

11. At a command prompt, enter one of the following commands to start the Axon Agent service:

AIX:

startsrc -s tw-axon-agent-tlc

Linux: 

/sbin/service tw-axon-agent-tlc start

Windows: 

net start TripwireAxonAgentTLC

12. After completing these steps, you should see an Auto Discovery message for the Axon Agent in the TLC Manager log. For information on using the Axon Agent with Tripwire Log Center, see the Tripwire Log Center User Guide.

Tip 

If you encounter a problem with the Axon Agent after configuration, review the Agent log file to assess the issue:

AIX or Linux: /var/log/tripwire-tlc/twagent.log

Windows: %PROGRAMDATA%\Tripwire\agent-tlc\log\twagent.log

For information on interpreting error messages, see Axon Agent Error Messages. For additional assistance, contact Tripwire Support.

Table 20. Options in the Axon Agent configuration file

Option

Description

bridge.host

The host name or IP address of the TLC Manager to which this Axon Agent will connect. For more information, see Step 2. Configuring the Axon Access Point on a Tripwire Log Center Manager.

bridge.port

The port on the TLC Manager used for communication between the Axon Access Point and the Axon Agent. (Default = 5670)

dns.service.domain

Specifies a DNS domain other than the Axon Agent host system's domain for SRV record lookup.

dns.service.name

Specifies a DNS service name. (Default = _tw-tlc-agw)

registration.file.name

The name of the file containing the registration pre-shared key (defined in Step 1. Configuring the Axon Access Point on a Tripwire Log Center Manager) for the Axon Agent to register with the Access Point. (Default = registration_pre_shared_key.txt) The Agent searches for the specified file name in the following directory:

Linux: /etc/tripwire-tlc
Windows: %PROGRAMDATA%\Tripwire\agent-tlc\config

spool.size.max

The maximum size of the spool with which the Axon Agent collects data from the Agent host system. (Default = 1GB)

For sizing guidelines, see Table 19.

Table 21. SOCKS5 proxy options in the Axon Agent configuration file

Option

Description

socks5.host

The host name or IP address of the SOCKS5 proxy through which the Axon Agent communicates with the Axon Access Point.

socks5.port

The port on the SOCKS5 proxy through which the Axon Agent communicates with the Axon Access Point.

Default value: 1080

socks5.user.name

The username with which the Axon Agent will authenticate with the SOCKS5 proxy.

If the SOCKS5 proxy is using username/password authentication, enter the username here and enter the password using the socks5.user.password setting.

If the SOCKS5 proxy is using the "no authentication" method, leave this field and the socks5.user.password setting blank.

socks5.user.password

The password that the Axon Agent will use to authenticate with the SOCKS5 proxy if the proxy is using username/password authentication.

Table 22. TLS version and supported protocols in the Axon Agent configuration file

Option

Description

tls.version

The TLS version used to connect with the Axon Access Point. Valid options are TLSv1, TLSv1.1, and TLSv1.2. Only one TLS version can be specified here.

For information on changing the TLS version and cipher suites, see Configuring TLS Versions and Cipher Suites.

Default value: TLSv1.2

tls.cipher.suites

A colon-delimited list of cipher suites used by the Axon Agent when it connects to the Axon Access Point. Only OpenSSL FIPS-compatible cipher suites which utilize RSA keys are supported.

Default value: DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384

Table 23. Public key infrastructure options in the Axon Agent configuration file

Option

Description

bridge.auth.mode

The authentication mode for this Axon Agent. Valid options are pki and registration.

Default value: registration

keystore.password

The password for the key store and private key.