Hi everyone,
I'm currently playing with SSL Scanner and I have some questions.
For now I'm using an internal CA to provide certificates on the fly to the client. As I do not have an HSM right now, I guess the certificate and private key will be stored on the mwg. Do you know where exactly on the mwg? Will they be accessible through SSH? Our main concern right now is whether someone could access the private key stored on the mwg and decrypt clients' traffic.
Also I see on the audit logs when I export the private key, or when I trigger a connection tracing:
Timestamp : 04/Dec/2019:14:30:47.876 +0100 User : User1 Action : EXPORT_PRIVATE_KEY Source Type: USER Source ID : 10.10.10.10 Appliance : MWG
Do you know if I can configure a notification (email, SNMP etc.) when an action is executed by an admin (private key export, connection tracing etc.)? I'd like to monitor when some actions regarding the SSL scanner are done by admins.
Thanks for your help !
Hello!
There is no existing incident or configurable alert on the MWG to report an admin's use of these things (either exporting a key or running connection traces). Your only option would be to send the audit logs to syslog and have your syslog server monitor for those specific events to alert you.
Info on sending audit logs to syslog here: https://community.mcafee.com/docs/DOC-5206
For the location of a private key in the policy, they will be located in the configuration storage in /opt/mwg/storage.
For example, for SSL Scanner CAs in your current policy, the configurations are located here:
$(cat /opt/mwg/storage/active_configuration)/cfg/com.scur.engine.sslclientcontext.*.xml
These XML config files contain the certificates and RSA keys (for non-HSM keys) in PEM encoding.
- Steven
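A sketch of the syslog-side monitoring suggested in the reply above, as an added example that is not part of the original posts and is not McAfee code. It assumes the audit record reaches the syslog server in the field layout quoted in the question; the syslog prefix, the function names and the second sample record are constructed for illustration.

```python
import re
from datetime import datetime

# Field names as they appear in the audit line quoted in the question.
FIELDS = ("Timestamp", "User", "Action", "Source Type", "Source ID", "Appliance")
_KEY = re.compile(r"\b(" + "|".join(map(re.escape, FIELDS)) + r")\s*:\s*")

# Only EXPORT_PRIVATE_KEY is confirmed by the thread; add further action
# names (e.g. for connection tracing) as they appear in your own audit log.
WATCHED_ACTIONS = {"EXPORT_PRIVATE_KEY"}

def parse_audit_line(line):
    """Split one audit record into a dict, ignoring any syslog prefix."""
    hits = list(_KEY.finditer(line))
    rec = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    return rec

def find_alerts(lines, watched=WATCHED_ACTIONS):
    """Return one alert dict per line whose Action is on the watch list."""
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("Action") not in watched:
            continue
        try:  # normalise the appliance timestamp to ISO 8601 for the SIEM
            when = datetime.strptime(rec.get("Timestamp", ""),
                                     "%d/%b/%Y:%H:%M:%S.%f %z").isoformat()
        except ValueError:
            when = rec.get("Timestamp")
        alerts.append({"time": when, "user": rec.get("User"), "action": rec["Action"],
                       "source": rec.get("Source ID"), "appliance": rec.get("Appliance")})
    return alerts

# Constructed sample input: the syslog prefix and the second record are made up.
SAMPLE = [
    "Dec  4 14:30:47 mwg audit: Timestamp : 04/Dec/2019:14:30:47.876 +0100 User : User1 "
    "Action : EXPORT_PRIVATE_KEY Source Type: USER Source ID : 10.10.10.10 Appliance : MWG",
    "Dec  4 14:31:02 mwg audit: Timestamp : 04/Dec/2019:14:31:02.101 +0100 User : User2 "
    "Action : PLACEHOLDER_OTHER_ACTION Source Type: USER Source ID : 10.10.10.11 Appliance : MWG",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print("ALERT", alert)
```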
Thanks for your help, I was able to find the mentioned configuration on the mwg.
I have one last question. Does the CA used for SSL scanner use the same private key for each certificate it will deliver to the customer?
Thanks for your help.
Regards.
Hi @Dan28 ,
Sorry for the late reply. No, the MWG will use a uniquely generated keypair for each domain/certificate.
Thank you. Do you know where those certificates and private keys will be stored on the MWG?
Are there some logs I can get when the mwg generates a new certificate for a domain?
Thanks for your help, and Happy new year !