Documentation for Security Event Manager

Enable transport layer security (TLS) in the SEM reports application

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between the SEM reports application and the SEM database.

  • By default, TLS is disabled on versions of SEM that have been upgraded from SEM version 6.0.1 or earlier.

  • The procedure to enable TLS differs depending on your SEM configuration (standalone or with a dedicated database appliance).

  • When you enable TLS, the SEM certificate used to access the web or AIR console must be rebuilt. Machines used to access the SEM web or AIR console must re-import their certificates.

Enable TLS on a standalone SEM VM or appliance

Use these steps if the SEM database is located on the same VM or appliance as the SEM Manager. This is the most common arrangement.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

    Steps 2 – 6 below are required to upgrade older versions of SEM. If you have SEM version 6.0.1 or later, go to step 7. The default hostname is swi-sem.

  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. Enter the name of the SEM Manager at the Please enter the new hostname prompt.

    Enter the currently-used hostname if you do not want the SEM Manager name to change.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the SEM Manager CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAer -hostname.crt ... Success.

  9. At the cmc::manager> prompt, enter enabletls.
  10. At the cmc::manager> prompt, enter restart.

Set up a dedicated SEM user for accessing reports

A user account with the Reports role is required to access SEM from the SEM reports application.

  • If a suitable user with the Reports role already exists, go to Configure the Reports application to use TLS.
  • An Active Directory user can be a Reports user if SEM is set up to authenticate to Active Directory. See Add SEM users and specify the Reports role in the SEM Groups field.
  • Otherwise, complete the following steps to create a user with the Reports role on the SEM Console.

  1. Open the SEM legacy Flash console. See Log in to the SEM web console for steps.

  2. On the SEM menu bar, navigate to Build > Users.

  3. To create a new SEM user, click .

  4. Complete the fields as required.

  5. From the SEM Role drop-down list, select Reports.

    The Administrator and Auditor roles can also query SEM using the SEM reports application.

  6. Save the new user.

Configure the Reports application to use TLS

  1. Start the SEM reports application. See Open the SEM reports application for steps.

  2. From the Configure drop-down list, select Managers > Credentials and Certificates.

  3. Click the green button.

  4. Enter the Manager IP or hostname.

  5. Fill in the credentials of the user created previously in the SEM web console.

  6. Select the Use TLS connection option.

    You can also ping the address you specified by clicking Test Connection. This option does not validate credentials or check TLS availability.

  7. To add a new Manager, click the green button again.

  8. Click the Certificates tab.

  9. Click Import Certificate.

  10. Browse to and open the SEM certificate (in the network share folder specified during the certificate export).

  11. If you have SEM configured with a dedicated database, use the certificate from the Database Appliance.

  12. Close the Manager Configuration window.

    If SEM changed its host name, importing the SEM CA certificate again is not required.
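
Because Test Connection only pings the address, the following added example (not part of the SolarWinds documentation or product) shows one way to confirm from the reports workstation that a port actually completes a TLS handshake with a certificate that chains to the exported SEM CA and matches the name you entered. The host, port, and certificate path are supplied by you; the page does not state the database port, so none is assumed here.

```python
import socket
import ssl


def load_ca(ctx, ca_path):
    """Trust only the exported CA file; accepts PEM or DER encoding."""
    with open(ca_path, "rb") as fh:
        raw = fh.read()
    # cadata takes a str for PEM and a bytes object for DER.
    ctx.load_verify_locations(
        cadata=raw.decode("ascii") if b"-----BEGIN" in raw else raw
    )


def check_tls(host, port, ca_path=None, timeout=5.0):
    """Report whether host:port is reachable and whether it completes a
    TLS handshake with a certificate that verifies for `host`."""
    result = {"reachable": False, "tls": False, "detail": ""}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
    if ca_path:
        load_ca(ctx, ca_path)       # exported SEM CA certificate
    else:
        ctx.load_default_certs()    # fall back to the system trust store
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"connect failed: {exc}"
        return result
    result["reachable"] = True      # this is all a ping-style test proves
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = True
            result["detail"] = f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # Wrong CA imported, or the name entered does not match the certificate.
        result["detail"] = f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        result["detail"] = f"no TLS on this port: {exc}"
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    import sys
    # Usage: check.py <manager-host> <port> [exported-ca.crt]
    print(check_tls(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]))
```

A result of reachable True with tls False corresponds to the case that Test Connection cannot detect.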

Import a self-signed certificate into the SEM Manager

Use the importcert command in the CMC to import a certificate signed by any CA into the Manager.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
  2. At the prompt, enter manager.

  3. At the cmc::manager> prompt, type importcert.

  4. Choose the network share path.

  5. When prompted, confirm the share name.

  6. When prompted for a file name, enter the full name of the certificate, including the CER extension.

  7. When completed, the following message appears:

    Certificate successfully imported.