WEC/WEF Authentication Using HTTPS¶

WEC authentication provides an alternative to Kerberos by using HTTPS respective SSL certificates. This method requires the TeskaLabs LogMan.io Collector to provide an HTTPS server on port tcp/5986. This authentication method operates without Microsoft Active Directory. This is mTLS / Mutual TLS authentication.

Terminology

WEC Server is TeskaLabs LogMan.io Collector
WEC Clients are Windows machines (workstations, notebooks, servers) that send events (logs) to TeskaLabs LogMan.io Collector

Steps¶

1) Obtain CA certificate

Warning

You need a certificate authority (CA) to implement this authentication method. You MAY use your existing CA if available, or you can use the open-source XCA tool. We are using XCA in examples below.

Obtain the CA certificate in PEM format and save it as ca_cert.pem on your computer.

Use of XCA to create Certificate Authority

Open XCA tool and create a new database, named lmio_wec_ca.xdb
Set the password to this database.
Navigate to "Certificates" > "New Certificate"
From "Template for the new certificate" select "[default] CA" and press "Apply all"
In "Subject" tab, fill "Common name" as "LogMan.io WEC CA"
Press "Generate a new key" button, select "RSA" and "4096 bit", press "Create"
Set the validity of the CA certificate to 10 years or more
Press "OK" to create a CA certificate
Select new CA certificate in the list of certificates and press "Export"
Export as "ca_cert.pem", Export format is "PEM (*.crt)", don't export the private key.

Recommended content of the CA certificate:

X509v3 Basic Constraints: CA:TRUE critical
X509v3 Subject Key Identifier: Present
X509v3 Key Usage: Certificate Sign, CRL Sign

2) Generate certificate for a collector

Run the following commands on the collector to generate a private key /conf/wec/collector_key.pem and a CSR /conf/wec/collector_csr.pem:

$ mkdir /conf/wec

$ openssl req -new \
    -newkey rsa:4096 -nodes -keyout /conf/wec/collector_key.pem \
    -out /conf/wec/collector_csr.pem -subj "/CN=<hostname or IP of the collector>"

$ cat /conf/wec/collector_csr.pem

Note

The private key of the collector is RSA 4096.

Use the CA from step 1 to approve the CSR and generate a new certificate for the collector.

Mandatory content of the collector certificate:

Common name (CN) must be a working hostname or IP address of the collector
X509 v3 Extended Key Usage: "TLS Web Server Authentication"

Recommended additional content of the collector certificate:

The validity of the collector certificate is one year
X509v3 Basic Constraints CA:FALSE critical
X509v3 Subject Key Identifier: Present
X509v3 Authority Key Identifier: Present
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Subject Alternative Name: DNS: <hostname or IP of the collector>

Store the certificate into the collector in PEM format into /conf/wec/collector_cert.pem

Danger

The common name (CN) must be resolvable within the Windows network via DNS. We recommend to use hostname over IP address.

Danger

You have to implement a certificate renewal process to prevent expiration of this certificate.

Use of XCA to approve CSR from a collector

Navigate to "Certificate signing request" in XCA.
Select "Paste PEM file" from a menu.
Paste the content of the /conf/wec/collector_csr.pem from above.
Press "Import" button and close the import dialog.
Find the CSR in the list and in the right-click menu select "Sign"
In "Signing", select "Use this Certificate for signing" and select your CA certificate.
In "Template for a new certificate" select "[default] TLS_server" and press "Apply all"
Select "OK" to generate a new certificate
Switch to "Certificates" tab
Find a newly created certificate (under the CA certificate)
Export this certificate as collector_cert.pem and store it into /conf/wec/collector_cert.pem on the collector

3) Store certificates into the collector

Paste the content of the ca_cert.pem from above, it is a text file:

$ cat > /conf/wec/ca_cert.pem

Obtain the thumbprint of the CA certificate using OpenSSL:

$ openssl x509 -in /conf/wec/ca_cert.pem -noout -fingerprint -sha1 | sed 's/://g' | tr 'A-F' 'a-f'

Hint

The thumprint of CA certificate is SHA-1 hash in hexadecimal representation (i.e. 99d529ce1e01845c40789b77000975a420c61f1a). You can also obtain it from XCA. Remove all eventual ":" separators.

4) Finish the collector configuration

Edit /conf/lmio-collector/lmio-collector.yaml of the collector and add following section:

input:WEC:WECInput:
   listen: 5986 ssl

   cert: /conf/wec/collector_cert.pem
   key:  /conf/wec/collector_key.pem
   cafile: /conf/wec/ca_cert.pem

   issuer_thumbprints: "<the thumbprint of the CA certificate, keep double quotes>"

   output: microsoft-windows-events-v1

output:CommLink:microsoft-windows-events-v1: {}

Restart or reboot the collector to apply the change in the configuration.

Hint

You can adjust output to reflect desired log target. This example uses the collector default output to the central log management over commlink (websocket).

5) Generate certificate for a Windows machine(s)

Create a certificate and a private key for each Windows machine. This certificate must be issued by a CA from a step 1. Store a new certificate and its private key in the .pfx file (PKCS#12), protected by a password.

Mandatory content of the Windows machine certificate:

X509 v3 Extended Key Usage: "TLS Web Client Authentication"

Recommended additional content of the collector certificate:

The validity of the certificate is one year
X509v3 Basic Constraints CA:FALSE critical
X509v3 Subject Key Identifier: Present
X509v3 Authority Key Identifier: Present
X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement

Use of XCA to produce a .pfx file

Navigate to "Certificates" tab
Press "New certificate"
In "Signing" select "Use this Certificate for signing" and select your CA certificate.
In "Template for a new certificate" select "[default] TLS_client" and press "Apply all"
In "Subject" tab, fill "commonName" with the name of the respective Windows machine
Select "Generate a new key"
Set "RSA" and 2048 bit, press "Create" to generate a new key
Press "OK" to generate a new certificate
Find the new certificate in the list of certificates and press "Export"
Select "Export format" to be "PKCS #12 chain (*.pfx)" and press "OK"
Set the password to the exported .pfx file.

6) Configure a Windows machine(s)

Import .pfx file with a certificate and a private key of the Windows machine:

Start by right-click on the .pfx file and select "Install PFX". This will open the Certificate Import Wizard.

Select "Local Machine" and press "Next".

Verify the name of the file to be imported and press "Next".

Insert the password that protects .pfx file and press "Next".

Let the system decide on the location of the certificate store. Press "Next".

Do the final review and press "Finish" to complete the import process.

Danger

Delete .pfx file securely after import is completed.

The imported certificate must be readable by NT_AUTHORITY\NetworkService user:

Press Win + R, type certlm.msc and press Enter.

Locate the Imported Certificate. Navigate to Certificates (Local Computer) > Personal > Certificates. Find the certificate you just imported.

Right-click the certificate and select All Tasks > Manage Private Keys. Press "Add ..." button in "Security" tab.

Type "NETWORK SERVICE" and press "OK" and then another "OK"

The value for WEF policy is following:

Server=https://<hostname or IP of the collector>:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=<Thumbprint of the CA certificate>

Continue to Global policy or Local policy setup.

7) Test the configuration

On the Windows machine run following command and verify the receival of the log in the TeskaLabs LogMan.io.

eventcreate /Id 500 /D "This is a test message for WEC" /T ERROR /L System

Troubleshooting¶

Trusted Hosts¶

The collector needs to be added to Trusted Hosts, so that WinRM allows WEC/WEF to communicate:

winrm set winrm/config/client '@{TrustedHosts="<hostname of IP of the collector>"}'