Securing Endpoints

Communication between the Manager and its Agents can be secured by enabling the endpoint security feature on each agent. The feature is disabled by default. To enable it, edit boot.properties and add the following system property:

-Dendpoint.security.enabled=true

This property needs to be in the Manager's boot.properties and in the boot.properties of every Forwarder or IndexStore that is to participate in the Logscape deployment.

Host Based Authorization

Host Filter

An explicit list of hosts that are allowed to join the deployment can be configured. The following system property

-Dhosts.filter=$IPADDRESS-PATTERN

is set to a regular expression that matches the addresses of the valid set of Agents. Because it is a regular expression, an octet range must be written as an alternation (for example 16[0-9]|170), not as [160-170], which a regular expression reads as a character class. If a single hosts.filter expression cannot match all the Agents in an environment, a hosts file can be used instead.

Hosts File

The hosts file contains a list of address patterns, one pattern per line. The file is located at

$LOGSCAPE_HOME/hosts

Example patterns that match ranges of hosts:

10.28.1.[160-170]
10.28.1.[130-140] 
10.28.3.15.* 
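The following is an added example, not Logscape's own matcher, showing how the two host-based authorization settings above behave when applied to candidate Agent addresses. The page does not spell out the grammar of hosts file patterns, so the example assumes one reading: each dotted field is a literal octet, "*" (any value) or "[lo-hi]" (an inclusive numeric range), a pattern with fewer than four fields leaves the remaining octets unconstrained, and any field after the fourth must be "*" (so the page's "10.28.3.15.*" matches 10.28.3.15 only). The hosts.filter value and the hosts file contents are constructed for the example.

```python
import ipaddress
import re

# Added example: a reference matcher for the two host-authorization settings
# described on this page. The semantics below are assumptions, not Logscape's
# documented behaviour:
#   hosts.filter      a regular expression that must match the whole address
#   hosts file entry  dotted fields compared octet by octet; a field is a
#                     literal number, "*" (any value) or "[lo-hi]" (inclusive
#                     range); fewer than four fields leaves the rest unconstrained
#                     and fields beyond the fourth must be "*"

# Constructed sample hosts file, modelled on the patterns shown above.
HOSTS_FILE_TEXT = """
10.28.1.[160-170]
10.28.1.[130-140]
10.28.3.15.*
"""

# Constructed hosts.filter value. Note the alternation: inside a regular
# expression "[160-170]" would be a character class, not a numeric range.
HOSTS_FILTER = r"10\.28\.1\.(16[0-9]|170)"


def hosts_filter_allows(pattern, address):
    """hosts.filter: the regular expression must match the entire address."""
    return re.fullmatch(pattern, address) is not None


def _field_matches(field, octet):
    """One dotted pattern field against one address octet."""
    if field == "*":
        return True
    m = re.fullmatch(r"\[(\d{1,3})-(\d{1,3})\]", field)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lo <= octet <= hi
    if re.fullmatch(r"\d{1,3}", field):
        return int(field) == octet
    raise ValueError(f"unsupported pattern field: {field!r}")


def host_pattern_matches(pattern, address):
    """One hosts-file pattern against one IPv4 address."""
    # IPv4Address validates the address and rejects junk like "10.28.1"
    octets = [int(o) for o in str(ipaddress.IPv4Address(address)).split(".")]
    fields = pattern.strip().split(".")
    if len(fields) > 4 and any(f != "*" for f in fields[4:]):
        raise ValueError(f"more than four constrained fields: {pattern!r}")
    # zip stops at the shorter side, so a short pattern is a prefix match
    return all(_field_matches(f, o) for f, o in zip(fields[:4], octets))


def load_host_patterns(text):
    """Hosts file: one pattern per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def hosts_file_allows(text, address):
    """True if any pattern in the hosts file matches the address."""
    return any(host_pattern_matches(p, address)
               for p in load_host_patterns(text))


if __name__ == "__main__":
    for addr in ("10.28.1.165", "10.28.1.135", "10.28.1.150",
                 "10.28.3.15", "10.28.3.16"):
        print(addr,
              "hosts.filter:", hosts_filter_allows(HOSTS_FILTER, addr),
              "hosts file:", hosts_file_allows(HOSTS_FILE_TEXT, addr))
```

Run it with an address from each range and one just outside to see which mechanism admits it; 10.28.1.150 falls in neither range and is rejected by both, which is the behaviour to confirm before switching endpoint security on in production.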

Authority Tokens

Authority tokens are used to mutually authenticate the Manager with an Agent and vice versa. When endpoint security is enabled this handshake takes place by default using a built-in default token. Since that default is not specific to your deployment, Agents that do not belong to it could potentially join the environment. The following properties override the default authentication tokens:

-Dclient.auth.token=$CLIENT_SECRET
-Dserver.auth.token=$SERVER_SECRET

Both properties need to be in the boot.properties for the security handshake to succeed. The auth tokens are encrypted using the public keys on the Agent and then exchanged.

Public and Private Key Locations

To set up public key encryption in Logscape perform the following steps.

  • Generate your private and public keys. Use the Java keytool to work with a Java keystore (JKS), or openssl for keys held outside a keystore.
  • Decide whether to store the keys in files (e.g. public.key and private.pem) or in the JKS.
  • Distribute the keys to the IndexStores and Forwarders. On the Forwarders and IndexStores, copy public.key and private.pem into the ssl folder, or use keytool to add them to the JKS. Every node that holds private.pem can decrypt the exchanged tokens, so restrict file permissions on each copy as strictly as on the Manager.

Overriding System Defaults

The keys, locations and key aliases that Logscape uses for encryption and authentication can be overridden in the boot.properties. The keys can be stored in the Java keystore or externally.

Key Store Location

The default location of the keystore is

$LOGSCAPE_HOME/ssl/.keystore

To override the keystore location use the following system property

-Dcert.keystore.file=ssl/.keystore

Key Store Password

The default keystore password can be overridden using a system property

-Dcert.keystore.pass=mynewpassphrase

Key Alias

The default keystore alias is '1'. If you use a different alias in your keystore, set the following system property to override the default

-Dcert.keystore.alias=certalias

Private Key

The default file for the private key is

ssl/private.pem

The location of the private key can be configured in the boot.properties

-Dprivate.cert=$PATH_TO/myprivatekey.pem

Public Key

The default file for the public key is

ssl/public.key

The location of the public key can be configured in the boot.properties

-Dpublic.cert=$PATH_TO/mypublickey.key
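The following is an added pre-flight check, not part of Logscape, that reads a boot.properties and reports which of the settings from the Authority Tokens and Overriding System Defaults sections are still at their defaults: endpoint security off, default auth tokens, no host authorization, default keystore password, and key files that do not exist where the properties say they are. It assumes that boot.properties holds one "-Dname=value" system property per line as shown on this page (plain "name=value" lines and "#" comments are also accepted), that relative key paths resolve under LOGSCAPE_HOME, and it applies a minimum token length of its own choosing; both sample property files are constructed for the example.

```python
import os

# Added example: a pre-flight check of the endpoint-security settings this
# page describes. Assumptions (not from the page): boot.properties carries one
# "-Dname=value" system property per line ("name=value" and '#' comment lines
# are accepted too), relative key paths resolve under LOGSCAPE_HOME, and a
# token shorter than MIN_TOKEN_LENGTH is reported as too weak to keep.
MIN_TOKEN_LENGTH = 16

# Defaults as listed on this page, resolved relative to LOGSCAPE_HOME.
DEFAULT_PATHS = {
    "cert.keystore.file": "ssl/.keystore",
    "private.cert": "ssl/private.pem",
    "public.cert": "ssl/public.key",
}

# Constructed samples: the first only switches the feature on, the second
# overrides every default the page lists.
WEAK_BOOT_PROPERTIES = """
-Dendpoint.security.enabled=true
"""

HARDENED_BOOT_PROPERTIES = r"""
-Dendpoint.security.enabled=true
-Dhosts.filter=10\.28\.1\.(16[0-9]|170)
-Dclient.auth.token=2d9c4e1f7a0b83c6e5d4f3a2b1c0d9e8
-Dserver.auth.token=7b1e0c2d3f4a5968a7c6d5e4f3b2a190
-Dcert.keystore.file=/etc/logscape/ssl/.keystore
-Dcert.keystore.pass=mynewpassphrase
-Dcert.keystore.alias=logscape
-Dprivate.cert=/etc/logscape/ssl/private.pem
-Dpublic.cert=/etc/logscape/ssl/public.key
"""


def parse_boot_properties(text):
    """Map property name to value; the -D prefix is optional."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-D"):
            line = line[2:]
        name, sep, value = line.partition("=")
        if sep:
            props[name.strip()] = value.strip()
    return props


def check_endpoint_security(props, logscape_home, exists=os.path.exists):
    """Return a list of findings; an empty list means nothing left at defaults.

    `exists` is injectable so the check can run against a description of the
    filesystem instead of the real one.
    """
    findings = []
    if props.get("endpoint.security.enabled", "false").lower() != "true":
        findings.append("endpoint.security.enabled is not true: endpoint "
                        "security is off (the default) and nothing below applies")
        return findings
    for name in ("client.auth.token", "server.auth.token"):
        token = props.get(name, "")
        if not token:
            findings.append(f"{name} not set: the default authentication token is in use")
        elif len(token) < MIN_TOKEN_LENGTH:
            findings.append(f"{name} is shorter than {MIN_TOKEN_LENGTH} characters")
    if not props.get("hosts.filter") and not exists(os.path.join(logscape_home, "hosts")):
        findings.append("neither hosts.filter nor $LOGSCAPE_HOME/hosts is present: "
                        "any host presenting the tokens may join")
    if not props.get("cert.keystore.pass"):
        findings.append("cert.keystore.pass not set: the default keystore password is in use")
    for name, default in DEFAULT_PATHS.items():
        path = props.get(name, default)
        if not os.path.isabs(path):
            path = os.path.join(logscape_home, path)
        if not exists(path):
            findings.append(f"{name}: {path} does not exist")
    return findings


if __name__ == "__main__":
    home = os.environ.get("LOGSCAPE_HOME", "/opt/logscape")
    for label, text in (("weak", WEAK_BOOT_PROPERTIES),
                        ("hardened", HARDENED_BOOT_PROPERTIES)):
        print(f"[{label}]")
        for finding in check_endpoint_security(parse_boot_properties(text), home) or ["ok"]:
            print("  ", finding)
```

Run it against the boot.properties of the Manager and of every Forwarder and IndexStore, since the token and key settings must agree on each node for the handshake to succeed; a node that reports the default-token finding will still accept Agents that are not yours.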