Update Stealthwatch Management Console Identity Cert - Best Practice?

Neuromancer
Level 1

I have an SMC, Flow Collector, and Flow Sensor VMs deployed. They are all on version 7.0.

When I initially added the Flow Collector and Flow Sensor VMs to SMC I accepted the default self-signed SMC cert. I'm going to be replacing the SMC identity cert with one signed by a CA.

In all the documentation I read on doing this it cautions "Your certificates are critical for your system’s security. Improperly modifying your certificates can stop Stealthwatch appliance communications and cause data loss."

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_0_Installation_and_Configuration_Guide_DV_5_0.pdf

Is there a best practice on how to do this without breaking my SMC, FC, and FS deployment? Do I have to remove the FC and FS from SMC, update the SMC identity cert, add the chain to the FC, FS then re-add the FC and FS? Or do I just add the chain to the FC and FS then update the SMC identity cert, then reboot the FC and FS without removing them from SMC?

Any help is appreciated as I don't want to permanently break my deployment.

2 Replies

brford
Cisco Employee

See page 133 of the document that you referenced titled "Changing Appliances After Configuration". There is a great big note there that says:

The appliance identity certificate is replaced automatically as part of this procedure. If your appliance uses a custom certificate, please contact Cisco Stealthwatch Support to change these settings. Do not use the instructions shown here. Make sure you have a copy of the custom certificate and private key.

You should definitely initiate a call or contact with Cisco Stealthwatch Support.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

I appreciate the reply. I was able to update the identity certs without breaking the system. Here's the procedure that worked for me in case anybody comes across this thread in the future:

1) Add the Root CA, intermediate CA, and new identity certs to the Trust Stores on the SMC, FC, and FSs.

2) Update the identity cert on the FC. Wait until it says it's going to reboot.

3) Update the identity cert on the SMC. The SMC will reboot as part of this process.

That's all there is to it. I rebooted all the devices a couple times to make sure they are all able to communicate and still process flows.
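
A pre-flight check that can be run on an admin workstation before touching any trust store in the procedure above. It is an added example, not part of the original posts or of Cisco's documentation. It assumes unencrypted PEM files and the OpenSSL CLI; the function name, its file arguments and the `MIN_DAYS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: offline pre-flight check of a CA-signed identity certificate.
# Assumes unencrypted PEM files and the OpenSSL CLI; all names are hypothetical.
# Return codes: 0 ok, 1 chain does not verify, 2 key/cert mismatch,
#               3 expires within MIN_DAYS (default 30), 4 file unreadable.
preflight_identity_cert() {
    root=$1; inter=$2; cert=$3; key=$4
    min_days=${MIN_DAYS:-30}

    for f in "$root" "$inter" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 4; }
    done

    # Only the root is a trust anchor; the intermediate is passed as untrusted,
    # so it must itself verify against the root. These are the same three
    # certificates the procedure adds to each appliance trust store.
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
        || { echo "chain does not verify: $cert" >&2; return 1; }

    # The identity cert is useless without its private key: compare the public
    # key embedded in the cert with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match $cert" >&2; return 2
    fi

    # Refuse a cert that is expired or about to expire.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "cert expires within $min_days days" >&2; return 3; }

    return 0
}

# Usage (file names are placeholders):
#   preflight_identity_cert root-ca.pem intermediate-ca.pem smc-identity.pem smc-identity.key
```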
