KB Article | Forcepoint Support

Notes & Warnings

Important This article applies to Forcepoint Web, Data and Email security versions up to version 8.2.

For versions 8.3 and higher:

Problem Description

The Forcepoint browser-based graphical user interfaces secure their communications with a certificate that uses SHA-1 as the signature hash algorithm and a 1024-bit RSA key. Browsers display a warning message for the following GUIs:
  • TRITON Unified Security Center (provides access to the Web Security, Data Security, and Email Security management consoles)
  • Appliance Manager
  • Content Gateway Manager
  • SSL Manager process
My organization requires a stronger hash function, or an RSA key longer than 1024 bits. How can I create and install a certificate that meets these requirements?
 

Resolution

Some organizations require a stronger hash function to satisfy a FIPS 140-2 mandate. Others simply want a stronger default (SHA) algorithm; either can be deployed as described below.
   
Summary for creating and installing a certificate with a stronger hash function:

In the Triton server
  1. Update directory files
  2. Generate a new certificate
  3. Install new certificate
Important V-Series appliance based customers may require assistance from Forcepoint Technical Support for applying the certificates.
 
Note The following procedure uses SHA-256 and a 2048-bit RSA key as an example only. Refer to your company's security requirements to ensure these settings satisfy your needs.
This article covers changing the hash algorithm and the RSA key length for the certificates of the Forcepoint user interfaces only.

If you are looking to improve the hash algorithm for the dynamic certs that are generated during SSL decryption, see Dynamic Certs with a SHA-2 Algorithm rather than SHA-1.

Important The procedure in this article replaces the certificates that the web-based UI needs in order to function. If the procedure is not followed exactly while the certificate is being created, the graphical user interface becomes unavailable and some services fail to start. So that you can recover from that situation, back up the contents of the following folders on the TRITON server before proceeding:
  • C:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd\
  • C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\
 

UPDATE THE DIRECTORY FILES

Before creating the new certificate, edit the following two files located in the C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\automation\ directory:
  • s1_newreq.bat
  • s3_server_crt.bat 
 
s1_newreq.bat
  1. Right click the s1_newreq.bat file and select Edit. Notepad should open to display the following file content:
    • "C:\Program Files (x86)\Websense\Web Security\apache\bin\openssl.exe" req -new > "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\output\new.cert.csr" -keyout "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\output\cakey.pem" -config "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\openssl.cnf" -passin pass:spring_forward -passout pass:spring_forward < "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\openssl.txt"
  2. Insert “-sha256” so it appears as follows:
    • ...apache\bin\openssl.exe" req -sha256 -new > "C:\Program Files (x86)\...
  3. Insert “-newkey rsa:2048” so it appears as follows:
    • ...output\new.cert.csr" -newkey rsa:2048 -keyout "C:\Program Files (x86)\...
       
 
s3_server_crt.bat
  1. Right click s3_server_crt.bat and select Edit. Notepad should open to display the following file content:
    • "C:\Program Files (x86)\Websense\Web Security\apache\bin\openssl.exe" x509 -in "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\output\new.cert.csr" -out "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\output\server.crt" -req -signkey "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\output\server.key" -days 1095
  2. Insert -sha256 and -extfile ..\opensslv3.txt between x509 and -in so it appears as follows:
    • ...bin\openssl.exe" x509 -sha256 -extfile "C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\opensslv3.txt" -in "C:\Program...
 
Next, create or edit the two files openssl.txt and opensslv3.txt in the C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\ directory. Note that the filenames are case sensitive.

opensslv3.txt 
  1. Create a new (or edit the existing) file called opensslv3.txt with the following contents. The file must end with a hard carriage return (a trailing newline after the last line):
basicConstraints = CA:FALSE
nsComment = "Triton Certificate"
subjectKeyIdentifier=hash
subjectAltName = @alt_names
[alt_names]
DNS.1   =  <IPv4 Address>
DNS.2   =  <FQDN>
IP.1    =  <IPv4 Address>
openssl.txt
  1. Create a new (or edit the existing) file called openssl.txt with the following contents, one value per line and in this order. The s1_newreq.bat script redirects this file to the standard input of openssl.exe, so the lines are the answers to its certificate-request prompts. The file must end with a hard carriage return (a trailing newline after the final "." line):
US
CA
SanDiego
Websense
Websense
<IPv4 Address>
<FQDN>
spring_forward
.

 
  • IPv4 Address = the address of the TRITON server or of the appliance dom for which the certificate is being generated.
  • FQDN = the fully qualified domain name of the TRITON server or of the appliance dom for which the certificate is being generated.
     

GENERATE A NEW CERTIFICATE

After updating the directory files (section one above), generate the new certificate.
From the C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\automation\ directory, run the following scripts, with administrator privileges, in the order shown:
  1. s1_newreq.bat
  2. s2_server_key.bat
  3. s3_server_crt.bat
  4. s4_server_p12.bat (appliance only)
The scripts generate the following output files in the C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\output\ directory:
  • cakey.pem
  • new.cert.csr
  • server.crt
  • server.key
  • manager.p12
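To confirm that the modified scripts really produced a SHA-256-signed certificate with a 2048-bit key and the expected subjectAltName, the following added example (not a Forcepoint script) re-runs the same openssl steps as s1 through s3 on any host with openssl, such as the Content Gateway box, and then reads the result back. It assumes the system default openssl.cnf, a constructed host (192.0.2.10 / triton.example.com) and a constructed working directory; the pass phrase spring_forward is the one from the article's batch file, and s2_server_key.bat is assumed to strip that pass phrase, since s3 signs with server.key alone.

```shell
#!/bin/sh
# Added example, not a Forcepoint script: re-runs the modified s1/s3 openssl
# steps and checks the output. Constructed values: WORK, 192.0.2.10 and
# triton.example.com. spring_forward is the pass phrase from the article's
# batch file; s2 is assumed to strip it (s3 signs with server.key alone).
set -e
WORK=${WORK:-$(mktemp -d)}
HOST_IP=192.0.2.10
HOST_FQDN=triton.example.com

# opensslv3.txt with the same SAN layout as the article
write_ext_file() {
  cat > "$WORK/opensslv3.txt" <<EOF
basicConstraints = CA:FALSE
nsComment = "Triton Certificate"
subjectKeyIdentifier=hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST_IP
DNS.2 = $HOST_FQDN
IP.1 = $HOST_IP
EOF
}

generate_cert() {
  write_ext_file
  # s1: CSR with -sha256 and -newkey rsa:2048 (subject inline instead of openssl.txt)
  openssl req -sha256 -new -newkey rsa:2048 \
    -subj "/C=US/ST=CA/L=SanDiego/O=Websense/OU=Websense/CN=$HOST_FQDN" \
    -keyout "$WORK/cakey.pem" -out "$WORK/new.cert.csr" \
    -passout pass:spring_forward 2>/dev/null
  # s2 (assumed): unencrypted server.key for Apache and Content Gateway
  openssl rsa -in "$WORK/cakey.pem" -passin pass:spring_forward \
    -out "$WORK/server.key" 2>/dev/null
  # s3: self-sign with -sha256 and the v3 extension file
  openssl x509 -sha256 -extfile "$WORK/opensslv3.txt" -in "$WORK/new.cert.csr" \
    -out "$WORK/server.crt" -req -signkey "$WORK/server.key" -days 1095 2>/dev/null
}

cert_text() { openssl x509 -in "$WORK/server.crt" -noout -text; }
# signature algorithm: sha256WithRSAEncryption expected, sha1WithRSAEncryption means s1/s3 were not edited
sig_alg()  { cert_text | awk '/Signature Algorithm/ {print $3; exit}'; }
# RSA modulus size in bits
key_bits() { cert_text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
# exit status 0 when the SAN extension lists the FQDN
has_san()  { cert_text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$HOST_FQDN"; }

generate_cert
echo "server.crt: $(sig_alg), $(key_bits)-bit key, SAN ok: $(has_san && echo yes || echo NO)"
```

The same three read-back checks can be run against the server.crt produced on the TRITON server by pointing WORK at a copy of the output directory.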
 

INSTALL THE NEW CERTIFICATE

Note Back up the contents of the folders C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\ and C:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd\ before continuing.

  
Websense "TRITON - Web Security" (Tomcat)
  1. Stop Websense TRITON Web Security service. Select Start > Administrative Tools > Services. Right-click Websense TRITON Web Security and click Stop.
  2. Copy the new server.crt file (from the generated output directory) to the C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\ssl.crt\ directory.
  3. Copy the new server.key file (from the generated output directory) to the C:\Program Files (x86)\Websense\Web Security\apache\conf\ssl\ssl.key\ directory.
  4. From Windows Services console, start Websense TRITON Web Security.
 
Websense "TRITON - Web Server" (Apache)
  1. Stop Websense TRITON Web Server service. Select Start > Administrative Tools > Services. Right-click Websense TRITON Web Server and click Stop.
  2. Copy the new server.crt file (from the generated output directory) to the C:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd\ directory. Then, rename the server.crt file to httpd-server.cer.
  3. Copy the new server.key file (from the generated output directory) to the C:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd\ directory. Then, rename the server.key file to httpd-server.key.
    (NOTE: From version 8.1, the key file must be named httpd-server.key.pk8. Also make sure that "Hide extensions for known file types" is disabled in Folder Options, so that the rename changes the real file extension.)
  4. Navigate to the C:\Program Files (x86)\Websense\EIP Infra\apache\conf\ directory and open the extra\httpd-ssl.conf file.
  5. Comment out the SSLCertificateChainFile line by adding a "#" sign at the start of the "SSLCertificateChainFile conf/keystore/httpd/httpd-ca.cer" line, so it appears as follows:
    • #SSLCertificateChainFile conf/keystore/httpd/httpd-ca.cer
  6. From Windows Services console, start the Websense TRITON Web Server service.
 
V-Series Appliance Manager
 
Note If you are a V-Series appliance-based customer, you will require assistance from Forcepoint Technical Support to complete this step.
 
Content Gateway Manager
  1. Back up the /opt/WCG/config/server.pem file.
  2. Copy the server.key and server.crt files to the /opt/WCG/config directory.
  3. Combine server.key and server.crt into a single file. From the command prompt, type:
    • cat server.key > server.pem
      cat server.crt >> server.pem
  4. Restart Content Gateway. From the SSH session prompt, type:
    • /opt/WCG/WCGAdmin restart
 
 
