Appendix B-OmniVista Network Advisor With TLS for Syslog

The following steps create the certificates required for Transport Layer Security (TLS) transport mapping for syslog. Host authentication uses the x509/certvalid mode: a single public/private key pair and one shared certificate are used by all syslog clients.

Provide a Root CA, or Create a Self-Signed Root Certificate Authority (networkadvisorCA)

Create the key pair using Elliptic Curve Cryptography (ECC) with the NIST P-384 (secp384r1) curve.

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve -out networkadvisorCA.key

Self-sign the CA Certificate

$ openssl req -x509 -sha256 -days 365 -key networkadvisorCA.key -out networkadvisorCA.pem

You can add the -subj option with a string appropriate for your organization's country, state, location, name, and DNS domain; embedded spaces must be escaped. If this optional parameter is omitted, openssl prompts you for each of these fields.

Examine the Result

$ openssl x509 -text -noout -in networkadvisorCA.pem

Create a Host Key Pair and Certificate

Create the Client Key Pair

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve -out networkadvisor.key

Create a CSR (Certificate Signing Request)

$ openssl req -new -key networkadvisor.key -out client.csr

Create the Client Certificate

$ openssl x509 -req -in client.csr -CA networkadvisorCA.pem -CAkey networkadvisorCA.key -CAcreateserial -days 365 -out networkadvisor.crt

Install the Root CA, Host Key Pair and Certificate

$ cp networkadvisorCA.pem /opt/Alcatel-Lucent_Enterprise/NetworkAdvisor/ovna-rsyslog/certs/

$ cp networkadvisor.crt /opt/Alcatel-Lucent_Enterprise/NetworkAdvisor/ovna-rsyslog/certs/

$ cp networkadvisor.key /opt/Alcatel-Lucent_Enterprise/NetworkAdvisor/ovna-rsyslog/certs/
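
The certificate steps above, collected into one script as an added example (not part of the OmniVista documentation): it builds the CA and host certificate non-interactively with -subj, then checks that the host certificate chains to the CA and matches its private key before anything is copied into the certs directory. The subject values and the scratch directory are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the OmniVista documentation: builds the CA and
# host certificate non-interactively, then checks that the host certificate
# chains to the CA and matches its private key before the three files are
# copied into the ovna-rsyslog certs directory.
set -eu

# Subject fields are constructed placeholders; adjust them for your organization.
# Quoting the string avoids the backslash escaping needed for spaces on a bare
# command line. CA and host get distinct CNs so a verifier can tell them apart.
CA_SUBJ="/C=FR/ST=Britany/L=Brest/O=Example Org/CN=networkadvisorCA"
HOST_SUBJ="/C=FR/ST=Britany/L=Brest/O=Example Org/CN=networkadvisor"
EC_OPTS="-algorithm EC -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve"

make_ca() {          # $1 = output directory
  openssl genpkey $EC_OPTS -out "$1/networkadvisorCA.key"
  # Self-sign with the EC key just created (no -newkey, which would replace it).
  openssl req -x509 -sha256 -days 365 -subj "$CA_SUBJ" \
    -key "$1/networkadvisorCA.key" -out "$1/networkadvisorCA.pem"
}

make_host_cert() {   # $1 = output directory (must already hold the CA files)
  openssl genpkey $EC_OPTS -out "$1/networkadvisor.key"
  openssl req -new -subj "$HOST_SUBJ" -key "$1/networkadvisor.key" -out "$1/client.csr"
  openssl x509 -req -in "$1/client.csr" -CA "$1/networkadvisorCA.pem" \
    -CAkey "$1/networkadvisorCA.key" -CAcreateserial -days 365 \
    -out "$1/networkadvisor.crt" 2>/dev/null
}

# Returns 0 only if networkadvisor.crt validates against networkadvisorCA.pem
# and its public key is the one derived from networkadvisor.key.
check_bundle() {     # $1 = directory holding the three files
  openssl verify -CAfile "$1/networkadvisorCA.pem" "$1/networkadvisor.crt" 2>/dev/null \
    | grep -q ': OK$' || return 1
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1/networkadvisor.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/networkadvisor.key" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: build into a scratch directory and report the result.
work=$(mktemp -d)
make_ca "$work"
make_host_cert "$work"
if check_bundle "$work"; then
  echo "bundle OK in $work; copy the three files to the certs directory"
else
  echo "bundle check FAILED; do not install these files" >&2; exit 1
fi
```

With a host certificate built this way, the s_client test can be given -CAfile networkadvisorCA.pem so that OpenSSL validates the chain instead of reporting verify error 18.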

Configure ale-ovna Service

$ ale-ovna configure -tlsSyslog

✅ - Ubuntu 22.04 is supported by OmniVista Network Advisor

Do you want to use syslog over TLS (y/n):

y

Please provide your certificates in /opt/Alcatel-Lucent_Enterprise/NetworkAdvisor/ovna-rsyslog/certs/ as follow:

networkadvisorCA.pem for CA certificate

networkadvisor.crt for syslog server certificate.

networkadvisor.key for syslog server key.

Enter "ok" when it's done or "ignore"

ok

Test the Certificates

$ echo "test ssl" | openssl s_client -connect <OVNA-IP-ADDR>:<OVNA-PORT> -key /opt/Alcatel-Lucent_Enterprise/NetworkAdvisor/ovna-rsyslog/certs/networkadvisor.key -cer

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = FR, ST = Britany, L = Brest, O = La 26
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = FR, ST = Britany, L = Brest, O = La 26
verify return:1
---
Certificate chain
0 s:C = FR, ST = Britany, L = Brest, O = La 26
i:C = FR, ST = Britany, L = Brest, O = La 26
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Oct 20 13:05:23 2023 GMT; NotAfter: Oct 19 13:05:23 2024 GMT
----------
Server certificate
subject=C = FR, ST = Britany, L = Brest, O = La 26
issuer=C = FR, ST = Britany, L = Brest, O = La 26
---
Acceptable client certificate CA names
C = FR, ST = Britany, L = Brest, O = La 26
Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:
Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 990 bytes and written 983 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
--------------
DONE

Confirm that the test message was received by tailing the syslog file in the rsyslog pod:

$ kubectl exec -i na-rsyslog-<pod-uid> -- tail -f /var/log/syslog

Oct 20 13:15:40 na-rsyslog-<pod-uid> rsyslogd: [origin software="rsyslogd" swVersion="8.2310.0" x-pid="7" x-info="https://www.rsyslog.com "] start
Oct 20 13:16:00 test ssl