Documentation for Security Event Manager

Enable transport layer security (TLS) in the SEM reports application

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between the SEM reports application and the SEM database.

  • By default, TLS is disabled on versions of SEM that have been upgraded from SEM version 6.0.1 or earlier.

  • The procedure to enable TLS differs depending on your SEM configuration (standalone or with a dedicated database appliance).

  • When you enable TLS, the SEM certificate for accessing the web or AIR console must be rebuilt. Machines used to access the SEM web or AIR console must re-import their certificates.

Enable TLS on a standalone SEM VM or appliance

Use these steps if the SEM database is located on the same VM or appliance as the SEM Manager. This is the most common arrangement.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

  2. At the cmc::manager> prompt, type exportcert.

  3. Follow the prompts to export the SEM Manager CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAer -hostname.crt ... Success.

  4. At the cmc::manager> prompt, enter enabletls.
  5. At the cmc::manager> prompt, enter restart.

Configure the Reports application to use TLS

  1. Start the SEM reports application. See Open the SEM reports application for steps.

  2. From the Configure drop-down list, select Managers > Credentials and Certificates.

  3. Click the green button.

  4. Enter the Manager IP or hostname.

  5. Fill in the credentials of the user created previously in the SEM web console.

  6. Select the Use TLS connection option.

    You can also click Test Connection to ping the address you specified. Test Connection does not validate the credentials or check whether TLS is available.

  7. To add a new Manager, click the green button again.

  8. Click the Certificates tab.

  9. Click Import Certificate.

  10. Browse to the SEM certificate in the network share folder specified during the certificate export, and then click Open.

  11. If SEM is configured with a dedicated database appliance, use the certificate from the database appliance.

  12. Close the Manager Configuration window.

    If SEM changed its host name, importing the SEM CA certificate again is not required.
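Because Test Connection only pings the address, the following Python check attempts an actual TLS handshake and verifies the presented certificate against the exported CA certificate. It is an added example, not part of the SEM product or its documentation; the function names, status strings, host, port and file path are assumptions, and the page does not state which port to test.

```python
import socket
import ssl


def _context_for(ca_file):
    """Build a verifying client context that trusts only ca_file (PEM or DER)."""
    if ca_file is None:
        # Assumption: no exported CA given, so fall back to the system trust store.
        return ssl.create_default_context()
    with open(ca_file, "rb") as fh:
        data = fh.read()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    # load_verify_locations takes PEM as str and DER as bytes.
    pem = b"-----BEGIN" in data
    ctx.load_verify_locations(cadata=data.decode("ascii") if pem else data)
    return ctx


def check_sem_tls(host, port, ca_file=None, timeout=5.0):
    """Return (status, detail) for a verified TLS handshake with host:port."""
    try:
        ctx = _context_for(ca_file)
    except (OSError, ValueError) as exc:  # missing, empty or unparsable file
        return "ca_file_error", str(exc)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = tls.getpeercert().get("subject")
            return "trusted", f"{tls.version()} subject={subject}"
    except ssl.SSLCertVerificationError as exc:
        # Wrong CA imported, or the name entered does not match the certificate.
        return "untrusted_certificate", exc.verify_message
    except OSError as exc:  # includes ssl.SSLError: peer is not speaking TLS
        return "no_tls", str(exc)
    finally:
        raw.close()


if __name__ == "__main__":
    # Constructed placeholder values: replace host, port and path with your own.
    print(check_sem_tls("sem.example.internal", 12345, r"C:\certs\exported-ca.crt"))
```

A result of untrusted_certificate after enabling TLS usually means the wrong CA file was imported or the Manager was entered by a name that the certificate does not contain.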

Import a self-signed certificate into the SEM Manager

Use the importcert command in the CMC to import a certificate signed by any CA into the Manager.

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
  2. At the prompt, enter manager.

  3. At the cmc::manager> prompt, type importcert.

  4. Choose the network share path.

  5. When prompted, confirm the share name.

  6. When prompted for a file name, enter the full name of the certificate, including the CER extension.

  7. When completed, the following message appears:

    Certificate successfully imported.