Configuring the TSS on the network

The following sections explain how to configure your TSS on the network.

Getting a static IP address

Your auditing service provider must be able to connect to your UDP port. This means that your TSS must have a static IP address. Request the following information from your IS department:

  • An IP address

  • A subnet mask

  • A gateway

  • DNS servers and, if available, an SMTP server.

If you want e-mail alerts, you need an SMTP server with which your TSS can communicate.

Configuring the firewall

Check with your IS department about firewalls. Configure them now to allow your TSS to receive communications from your auditing service provider.

Adding a TLS certificate

A TLS certificate is required in order to securely communicate with the web user interface. This is stored within a Java keystore (JKS).

The default test TLS certificate must be replaced before TSS deployment. This is located in %NFAST_HOME%\dse200\UserFiles\KeyStore\tomcat.keystore.
Due to the sensitivity of its files, ensure that the %NFAST_HOME%\dse200\UserFiles directory has suitable access permissions e.g. that it is readable only by members of the local Administrators built-in group (SID S-1-5-32-544).

The following steps provide an example on how to replace the default test TLS certificate:

The official Apache Tomcat documentation provides information on how to install a certificate and configure SSL/TLS.
Refer to the official keytool documentation for further information on keytool (e.g. how to manage the keystore and display data).
  1. Create a local self-signed certificate as follows:

    keytool.exe -genkeypair -alias tomcat -keyalg EC -keystore tomcat.keystore
  2. Create the certificate signing request (certreq.csr):

    keytool.exe -certreq -alias tomcat -file certreq.csr -keystore tomcat.keystore
  3. Once the certificate request has been signed by a CA, import the CA certificate chain (ca.cer):

    keytool.exe -import -alias root -keystore tomcat.keystore  -trustcacerts -file ca.cer

    Confirm that you trust this certificate.

  4. Import the signed certificate (tomcat.cer):

    keytool.exe -import -alias tomcat -keystore tomcat.keystore -file tomcat.cer
  5. Make sure %NFAST_HOME%\dse200\UserFiles\certificate-config.xml is updated to reflect the location of the keystore and the associated keystore and key passwords:

    certificateKeystoreFile=<path and filename of keystore>
    certificateKeystorePassword=<keystore password>
    certificateKeyPassword=<key password>
  6. Restart the DSE200 service.