
Cisco Stealthwatch Certificates

Troubleshooting Guide
Document Date: August 10, 2017

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT
TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS
MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY
PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET
FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED
HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the
University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating
system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE
SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS
DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM
A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR
LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF
CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology
diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of
actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies are considered un-Controlled copies and the original on-line
version should be referred to for latest version.

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the
Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2017 Cisco Systems, Inc. All rights reserved.


Contents
Introduction
Frequently Asked Questions
Troubleshooting
    Formats
    TLS Enhanced Values
    Exporting Certificates
    Certificates Distribution
    Error Codes
    Java Client Help
    Flow Collection Trend
    RSA Key
Related Resources

Introduction
This guide will cover common questions and issues customers might have while creating and installing
certificates on their Stealthwatch System.

Frequently Asked Questions

This section covers common questions about certificates on the Stealthwatch System.

• Can I use wildcards?
  o Yes, you can use a wildcard for subdomains.
  o Wildcard certificates secure all of the subdomains at the level you specify when you submit
    your CSR. Just add an asterisk in the subdomain area of the common name where you want
    to specify the wildcard. For example, if you configure *.company.com you can secure the
    following: www.company.com, photos.company.com, blog.company.com, and so on.
• Can I use Subject Alternative Name (SAN)?
  o Yes.
• What should the Fully Qualified Domain Name (FQDN) be?
  o The full name of the appliance (for example, mysmc1).
• What can I expect back from the Certificate Authority (CA)?
  o You will get a certificate back either alone, in a zip file, or as a few separate files.
• Can I use more than three steps in my certification path?
  o Yes.
• Can I use my internal CA, Vinify, GoDaddy, or Active Directory?
  o Stealthwatch accepts all certificates from third parties or internal Certificate Authorities,
    provided they have the correct key.
• What is a cacerts file?
  o A list of certificates trusted by Java. This file must be adjusted unless your root CA is already
    signed by a CA that Java trusts.
• What format can I use?
  o Stealthwatch only accepts the key in RSA and the certificate in PEM format. Refer to
    "Formats" for more information.

Troubleshooting
This section covers common issues and troubleshooting tips for certificates.

Formats
The PEM certificate can have a few different file extensions: .pem, .cer, or .crt. Stealthwatch only accepts PEM
format, so you will need to convert the certificate if it is in any other format.

If the certificate is in PEM format, it should look like the following:

-----BEGIN CERTIFICATE-----
MIIIuDCCBqCgAwIBAgIKHbaV4wABAAC6q…
xvcUMPBOybHq7vfDpXaxDxw30zuTIFeww59EzA==
-----END CERTIFICATE-----

To test whether the certificate is actually DER encoded, type the following command (replace cert.pem with
the name of your certificate file):

openssl x509 -in cert.pem -text -noout

If you get the following error, it means that you are trying to view a DER encoded certificate:

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

To convert DER to PEM, type the following command:

openssl x509 -inform der -in certificate.cer -out certificate.pem

To convert PKCS7 (P7B) to PEM, type the following command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

To convert PKCS12 (PFX) to PEM, type the following command:

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
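As an added example that is not part of the Cisco guide, the following Python script performs the same PEM-or-DER check and DER-to-PEM conversion as the openssl commands above using only the standard library, and additionally splits a PEM bundle (such as a chain file returned by the CA) into its individual certificates so each one can be inspected or uploaded separately. The DER input it uses is a constructed five-byte SEQUENCE, not a real certificate; with a real file you would pass the file's bytes.

```python
"""Added example (not from the Cisco guide): classify a certificate file as PEM or
DER, convert DER to PEM, and split a PEM bundle into its certificates, using only
the Python standard library. SAMPLE_DER is a constructed SEQUENCE, not a real cert."""
import base64
import re
import ssl

# A PEM block is base64 text between BEGIN/END armor lines; the label names its contents.
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed input: SEQUENCE { INTEGER 1 }, five bytes of well-formed DER.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def _der_total_length(data: bytes):
    """Length of the outer DER element including its header, or None if malformed."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the raw contents of a certificate file."""
    if PEM_BLOCK.search(data):
        return "PEM"
    # A DER certificate is one outer SEQUENCE (tag 0x30) whose declared length spans
    # the whole file; a PEM reader reports "no start line" on such input.
    if data[:1] == b"\x30" and _der_total_length(data) == len(data):
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> str:
    """Same result as `openssl x509 -inform der -in certificate.cer -out certificate.pem`."""
    return ssl.DER_cert_to_PEM_cert(der)


def split_pem_certificates(bundle: bytes) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order.
    Other block types (private keys) are skipped so they are never uploaded by mistake."""
    certs = []
    for match in PEM_BLOCK.finditer(bundle):
        if match.group("label") == b"CERTIFICATE":
            body = re.sub(rb"\s+", b"", match.group("body"))
            certs.append(base64.b64decode(body, validate=True))
    return certs


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem.encode()))
    print(len(split_pem_certificates((pem * 2).encode())), "certificates in bundle")
```

Pointing `detect_encoding` at a `.cer` file before uploading tells you whether the DER conversion step is needed; `split_pem_certificates` gives you one certificate per chain element for the distribution steps later in this guide.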

TLS Enhanced Values

Stealthwatch requires both the TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and the TLS Web Client
Authentication (1.3.6.1.5.5.7.3.2) Extended Key Usage values, or neither of them.

To make sure you have both the client and the server authentication values, type the following command to
check for them:

openssl x509 -in server.crt -text 2>/dev/null | grep 'Authentication'

If you have both values, you will get:

'TLS Web Server Authentication, TLS Web Client Authentication'

If you only have one of these values, you will need to go to the Certificate Authority and request that the missing
value be added to the certificate.
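The following Python example is added here and is not from the Cisco guide. It pulls the Extended Key Usage OIDs out of a DER certificate with a small DER walker and applies the both-or-neither rule above, so the check can run where openssl is not installed. The certificate structures it parses are constructed inside the script (a certificate-shaped SEQUENCE holding only an Extensions list); for a real certificate you would pass its DER bytes, for example from `ssl.PEM_cert_to_DER_cert()`.

```python
"""Added example (not from the Cisco guide): read the Extended Key Usage OIDs out of
a DER certificate with a minimal DER walker and apply the both-or-neither rule for
TLS Web Server/Client Authentication. The certificates parsed here are constructed."""

EKU_EXTENSION = "2.5.29.37"        # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # TLS Web Server Authentication
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # TLS Web Client Authentication

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    """Top-level (tag, value) pairs inside a constructed element."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def walk(buf: bytes):
    """Yield every (tag, value), descending into constructed elements (bit 0x20 set:
    SEQUENCE, SET, explicit context tags) but not into primitive OCTET STRINGs."""
    for tag, value in children(buf):
        yield tag, value
        if tag & 0x20:
            yield from walk(value)

def decode_oid(value: bytes) -> str:
    """Dotted form of OBJECT IDENTIFIER contents: first byte is 40*arc1+arc2, the
    rest are base-128 arcs with the high bit as continuation flag."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usage(der_cert: bytes) -> list:
    """OIDs listed in the certificate's EKU extension, or [] if it has none."""
    for tag, value in walk(der_cert):
        if tag != 0x30:
            continue
        kids = children(value)        # Extension ::= SEQUENCE { extnID, [critical], extnValue }
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXTENSION:
            extn_value = next((v for t, v in kids if t == 0x04), None)
            if extn_value is None:
                return []
            _, purposes, _ = read_tlv(extn_value, 0)   # SEQUENCE OF KeyPurposeId
            return [decode_oid(v) for t, v in children(purposes) if t == 0x06]
    return []

def tls_values_ok(oids) -> bool:
    """Stealthwatch rule: serverAuth and clientAuth both present, or both absent."""
    return (SERVER_AUTH in oids) == (CLIENT_AUTH in oids)

# --- constructed input (not a real certificate) -----------------------------
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid, wrapped as a complete OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, bytes(body))

def constructed_cert_with_eku(purposes) -> bytes:
    """Certificate-shaped SEQUENCE whose TBS part holds only an Extensions list with
    one EKU extension: enough structure to exercise the parser above."""
    extn_value = der(0x04, der(0x30, b"".join(encode_oid(p) for p in purposes)))
    extension = der(0x30, encode_oid(EKU_EXTENSION) + extn_value)
    extensions = der(0xA3, der(0x30, extension))   # [3] EXPLICIT Extensions
    return der(0x30, der(0x30, extensions))        # Certificate { tbsCertificate }
```

`tls_values_ok(extended_key_usage(cert))` returning False is the same condition the grep above reveals when only one of the two "Authentication" strings appears, and is the cue to go back to the CA for a reissued certificate.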

Exporting Certificates
Once you have extracted your certificate, you need to view the endpoint certificate for your Stealthwatch device.

Note: You may already have your chain and CA certificates. If so, try using those certificates. This method is
meant to ensure you get the proper certificates from the actual endpoint certificate.

Steps for Windows:

1. Double-click the certificate; the certificate viewer opens.

2. Click Certification Path and choose your issuing/secondary/intermediate CA. Then click View
Certificate.

3. The chain certificate opens in a new window. Click the Details tab and then click Copy to File.

4. Run through the export wizard, making sure to select X.509 as the export type.

Note: You will need to do this for every step in the certificate path, including the Root CA. Refer to
Creating and Installing SSL Certificates for information on how to create the chain.

Certificates Distribution
The following diagram illustrates how to distribute certificates on your appliances:

* This is the Customer Success preferred method. This setup takes up slightly more disk space (less than a MB)
but has the best results.

For example, if you are creating certificates for the Flow Collector and the SMC:

• The SMC will need the certificate created for the Flow Collector and the certificate created for the SMC.
• The Flow Collector will need the certificate created for the SMC and the certificate created for the
  Flow Collector.
• The Flow Sensor will need the certificate created for the SMC.

Error Codes
You can check two logs for error codes:

• The SWA-agent.log on the Flow Collector under /lancope/var/swa-agent/log/.
• The smc.log located under /lancope/var/smc/log/.

An error dialog box will look similar to the following image:

Following are the common error codes you might encounter when installing certificates:

• 400
• 401
• 403

Run through the following steps if you get one of the previous error codes:

• Use the following command, on each appliance, to verify that you have the correct chain and root CA
  installed on your machine:

  openssl s_client -connect <IP address>:443 -CAfile /lancope/var/nginx/ssl/client.crt

  o A verify return code of zero means your certificates are correct. For anything but zero, continue to the
    next steps.
• The certificate loaded on the appliance might not match the one on the other devices. Check the
  uploaded certificates on all appliances. For more information, refer to the "Certificates Distribution"
  section.
• Check that the root CA uploaded to the appliances is correct. For more information on how to get the root
  CA, refer to the "Exporting Certificates" section.
• Check the TLS Enhanced Values on the certificate. For more information, refer to the "TLS Enhanced
  Values" section.

Java Client Help

If you are using a third-party certificate that is not signed by one of Java's trusted CAs, the Java client will likely
be broken and users will get a "Peer Not Authenticated" error. To add the certificate to the Java trust store, use
the following steps:

Note: You will need administrative access to fix this issue.

1. Import the endpoint certificate into the Java Runtime Environment's (JRE) cacerts file on every computer
that uses the SMC client interface by following these steps:
a. Open a command prompt as an administrator.
b. Change the directory to the bin folder of your Java home directory.
Note: Install the endpoint certificate into the version of Java that you are using. Your path may
be different from the following examples.
i. Example path on Windows:

cd "C:\Program Files (x86)\Java\jre1.8.0_101\bin"

ii. Example path on Mac OS X:

cd "/System/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Home/bin"

c. Type the following command to import the endpoint certificate into the trust store:
i. Command on Windows:

.\keytool -import -alias <alias> -keystore ..\lib\security\cacerts -file <path to cert>

ii. Command on Mac OS X:

sudo ./keytool -import -alias <alias> -keystore ../lib/security/cacerts -file <path to cert>

d. Type the keystore password.
Note: The default keystore password is changeit.
e. Type yes to trust the certificate.

Flow Collection Trend

The Flow Collection Trend can indicate different issues. Go to the SMC client interface and open the Flow
Collector Dashboard. The following image is an example of the dashboard:

The two important pieces are the Flow Collection Trend and the Flow Collector Status:

• The Flow Collection Trend chart shows whether the Flow Collector can talk to the SMC using its SSL
  certificate. If this section has no data, check the certificate uploaded to the Flow Collector.
• The Flow Collector Status table shows whether the SMC can talk to the Flow Collector properly with its new
  SSL certificate. If this section has no data, check the certificate uploaded to the SMC.

RSA Key
The key MUST be in RSA. It will look similar to this if you view it in a text editor:

-----BEGIN RSA PRIVATE KEY-----
kLlwKAXB5eo41p7IBTzIN/T8atL9JYip6aVssxWzo88/2Jgyw22wrpNAbVyzEw6Y
doByuYI2LFfI2GokCJ4Mye/ms9lNpYV2+U/ZBwphdQ5d+zKDZ4txbWjYs4Z32PLf
ohMuNkUfvyFlgMCRQuLzMuBRBmji4FEj3xIG4KmFwTwqmfN/eSrtkKu7TLh+oN1V
-----END RSA PRIVATE KEY-----

If the key has not been decrypted, it will look like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,906EDB2B750F2083

To decrypt the private key, type the following commands (the first keeps a copy of the encrypted original):

cp server.key server.key.org
openssl rsa -in server.key.org -out server_smc1.key
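Added example (not from the Cisco guide): a Python check that a PEM private key carries the RSA PRIVATE KEY label shown above and has no Proc-Type/DEK-Info encryption headers, that is, that it is the decrypted RSA key the appliance accepts. The two sample keys are constructed from the fragments shown in this section and are not usable key material.

```python
"""Added example (not from the Cisco guide): check that a PEM private key is the
unencrypted RSA form the appliance accepts. Sample keys are constructed from the
fragments shown in this section and are not real key material."""
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample: decrypted PKCS#1 RSA key (the label the guide shows).
SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
kLlwKAXB5eo41p7IBTzIN/T8atL9JYip6aVssxWzo88/2Jgyw22wrpNAbVyzEw6Y
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: the same key still encrypted; RFC 1421 headers precede the data.
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,906EDB2B750F2083

kLlwKAXB5eo41p7IBTzIN/T8atL9JYip6aVssxWzo88/2Jgyw22wrpNAbVyzEw6Y
-----END RSA PRIVATE KEY-----
"""


def pem_headers(body: str) -> dict:
    """Header lines ('Name: value') at the top of a PEM body. Base64 lines never
    contain ':', so the first line without one ends the header block."""
    headers = {}
    for line in body.splitlines():
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def inspect_private_key(text: str) -> dict:
    """Describe the first PEM block in text: its label, whether it is a PKCS#1 RSA
    key, whether it is encrypted, and the cipher named in DEK-Info if so."""
    match = PEM_BLOCK.search(text)
    if not match:
        return {"label": None, "is_rsa": False, "encrypted": False, "cipher": None}
    label = match.group("label")
    headers = pem_headers(match.group("body"))
    dek_info = headers.get("DEK-Info", "")
    return {
        "label": label,
        # "RSA PRIVATE KEY" is the PKCS#1 form the guide shows. "EC PRIVATE KEY" is
        # not RSA, and "PRIVATE KEY" / "ENCRYPTED PRIVATE KEY" are PKCS#8 wrappers
        # that do not look like what the guide expects, so they are reported as not ready.
        "is_rsa": label == "RSA PRIVATE KEY",
        "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED")
        or label == "ENCRYPTED PRIVATE KEY",
        "cipher": dek_info.split(",")[0] or None,
    }


def key_ready_for_upload(text: str) -> bool:
    """True only for a decrypted RSA key; an encrypted one still needs
    `openssl rsa -in server.key.org -out server_smc1.key`."""
    info = inspect_private_key(text)
    return info["is_rsa"] and not info["encrypted"]


if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, inspect_private_key(sample), "ready" if key_ready_for_upload(sample) else "decrypt first")
```

Run `key_ready_for_upload()` over the key file before uploading it; a False result together with a `cipher` value in the inspection output means the openssl rsa step above has not been done yet.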

Related Resources
For more information about certificates on the Stealthwatch System, refer to Creating and Installing SSL
Certificates on the Customer Community.

Note: You are required to create an account on your first visit to the site.

