Set Up the Client-Side mTLS
The Check Point Management Server and the Illumio HAProxy server need to establish an mTLS connection. The following procedure describes how to configure this mTLS connection.
For more information about configuring TLS for Check Point Log Exporter, see Log Exporter TLS Configuration.
1. Email Illumio to obtain the root certificate in .pem format, such as ca.pem.
2. If you do not already have a private key, generate one and a certificate signing request (CSR) with the following commands:
   openssl genrsa -out log_exporter.key 2048
   openssl req -new -key log_exporter.key -out log_exporter.csr
3. Send the log_exporter.csr file back to Illumio. Illumio signs it and returns the signed client certificate (log_exporter.crt) to you. Convert the certificate and your private key to the P12 format with the following command (the export password you enter when prompted is the challenge phrase that you later add to targetConfiguration.xml):
   openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12
4. Install the certificate with the appropriate permissions (in expert mode):
   a. Run cd $EXPORTERDIR/targets/<Name of Log Exporter Target>
   b. Run mkdir -v certificates to create a directory to store the certificates.
   c. Run cd certificates.
   d. Transfer the ca.pem and log_exporter.p12 certificate files to the new certificates directory.
   e. Run chmod -v +r ca.pem and chmod -v +r log_exporter.p12.
5. Edit the targetConfiguration.xml file to add the full path to the new certificates and the challenge phrase used to create the P12 certificate. Make sure that the file contains <security>tls</security> and the following elements (the paths shown are for a target named LogServer on R81.20; adjust them to your installation):
   <pem_ca_file>/opt/CPrt-R81.20/log_exporter/targets/LogServer/certificates/ca.pem</pem_ca_file>
   <p12_certificate_file>/opt/CPrt-R81.20/log_exporter/targets/LogServer/certificates/log_exporter.p12</p12_certificate_file>
   <client_certificate_challenge_phrase>$Encrypted$</client_certificate_challenge_phrase>
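The following POSIX shell script is an added example and is not part of the Check Point or Illumio documentation. It scripts the client-side steps above: optional key and CSR generation with openssl (keeping the private key owner-readable only), staging ca.pem and log_exporter.p12 under the target's certificates directory with the permissions the Log Exporter process needs, and a sanity check of targetConfiguration.xml that catches the common mistakes in this procedure (TLS not enabled, a certificate path that does not resolve to a readable file, a mismatched close tag on the challenge-phrase element). The function names, the placeholder CSR subject, and the sample file contents are this example's own assumptions; the demo runs on constructed placeholder files so it needs no real certificates.

```shell
#!/bin/sh
# Added example, not Check Point's or Illumio's own code. Function names,
# the placeholder CSR subject and the sample file contents are assumptions.
set -u

# make_csr <basename>: generate a 2048-bit RSA key and a CSR as in the
# procedure above, keeping the private key readable by its owner only.
make_csr() {
  name=$1
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1 || return 1
  chmod 600 "$name.key" || return 1
  # The subject is a placeholder; use the identity Illumio asks for in the CSR.
  openssl req -new -key "$name.key" -out "$name.csr" \
    -subj "/CN=log-exporter-client" >/dev/null 2>&1 || return 1
}

# stage_certs <target_dir> <ca.pem> <log_exporter.p12>: create the
# certificates directory, copy both files in and make them readable.
stage_certs() {
  target_dir=$1; ca=$2; p12=$3
  dest="$target_dir/certificates"
  mkdir -p "$dest" || return 1
  cp "$ca" "$p12" "$dest/" || return 1
  chmod +r "$dest/$(basename "$ca")" "$dest/$(basename "$p12")" || return 1
  # Both files must be readable or the exporter cannot open the TLS connection.
  [ -r "$dest/$(basename "$ca")" ] && [ -r "$dest/$(basename "$p12")" ]
}

# xml_value <file> <element>: print the text of the first <element>...</element>.
xml_value() {
  sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1
}

# check_target_config <targetConfiguration.xml>: return 0 only if TLS is on,
# both certificate paths point at readable files, and the challenge-phrase
# element is present with a matching close tag.
check_target_config() {
  cfg=$1
  grep -q '<security>tls</security>' "$cfg" \
    || { echo "security is not tls" >&2; return 1; }
  ca_path=$(xml_value "$cfg" pem_ca_file)
  p12_path=$(xml_value "$cfg" p12_certificate_file)
  [ -n "$ca_path" ] && [ -r "$ca_path" ] \
    || { echo "pem_ca_file missing or unreadable: $ca_path" >&2; return 1; }
  [ -n "$p12_path" ] && [ -r "$p12_path" ] \
    || { echo "p12_certificate_file missing or unreadable: $p12_path" >&2; return 1; }
  grep -q '<client_certificate_challenge_phrase>[^<]*</client_certificate_challenge_phrase>' "$cfg" \
    || { echo "client_certificate_challenge_phrase missing or its close tag is misspelled" >&2; return 1; }
  return 0
}

# demo: run staging and the config check on constructed placeholder files
# in a temporary directory. Returns 0 when the generated config passes.
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed CA placeholder, not a real certificate\n' > "$tmp/ca.pem"
  printf 'constructed P12 placeholder, not a real keystore\n' > "$tmp/log_exporter.p12"
  stage_certs "$tmp/LogServer" "$tmp/ca.pem" "$tmp/log_exporter.p12" || return 1
  # $Encrypted$ is escaped so the shell does not expand it in the heredoc.
  cat > "$tmp/targetConfiguration.xml" <<EOF
<security>tls</security>
<pem_ca_file>$tmp/LogServer/certificates/ca.pem</pem_ca_file>
<p12_certificate_file>$tmp/LogServer/certificates/log_exporter.p12</p12_certificate_file>
<client_certificate_challenge_phrase>\$Encrypted\$</client_certificate_challenge_phrase>
EOF
  check_target_config "$tmp/targetConfiguration.xml"
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```

Run `demo` to see the happy path; run `check_target_config` against your real targetConfiguration.xml after step 5, as the same user the exporter runs under, so that an unreadable .p12 or a mistyped element name is caught before the target is restarted.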