Taken from EI-24037: BLS.exe protects the password with the PBKDF2 function (the PKCS #5 key derivation algorithm); the result is base64-encoded.
Additional articles that may help:
Applying Custom Signed Forcepoint DLP Endpoint Server Certificates (18188)
(Removed) Revert Custom Infrastructure Certificate to Default Forcepoint Self-Signed Certificate or Self-Signed w/ no Authority (12234)
If there is a need to revert the Infrastructure certificates to the original self-signed versions using a previous EIPBackup or by generating new certificates, see the following article:
Reverting Custom Signed Forcepoint Management Infrastructure Certificates to Self-Signed Certificates
For creating or importing a new certificate on a V-Series appliance see the link below.
The signed certificate and the HTTPD-SERVER.KEY generated earlier must be moved to \Websense\EIP Infra\apache\conf\keystore\httpd and the existing HTTPD-SERVER.CER and HTTPD-SERVER.KEY
*****************************************
Removed 7.8 - 8.0 outdated steps:
From step 10:
Version 7.8 to 8.0.0:
..\..\..\bin\openssl req -new -out httpd-server.csr -key httpd-server.key -sha256 -extensions v3_req -subj /CN=%COMPUTERNAME%.%USERDNSDOMAIN%
After step 17:
For version 7.8 to 8.0.0:
- Using a registry editor browse to the EIP Infra's registry hive.
- 64 bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra
- 32 bit: HKEY_LOCAL_MACHINE\SOFTWARE\Websense\EIP Infra
- Modify the APASSPHRASE value and enter the passphrase used for the HTTPD-SERVER.KEY.
- If you created a blank passphrase, type NULL for the APASSPHRASE.
- Close the registry editor.
- Start the "Websense TRITON Web Server" service.
- Open a web browser and verify the TRITON Manager is using your certificate.
*****************************************
In cases where this article was followed on 7.8 and 8.0, the Infrastructure and Data Security Web Server services failed to start after certificate installation with "Error 1067: The process terminated unexpectedly."
As a supplement to the article, the following steps are performed afterwards. (Note that these steps leave the server private key unencrypted on disk, which weakens security; the customer should be made aware of this before proceeding.)
- Remove the passphrase from the server private key (httpd-server.key); openssl prompts for the current passphrase:
openssl rsa -in httpd-server.key -out httpd-server.key.raw
copy httpd-server.key httpd-server.withpass
ren httpd-server.key httpd-server.key.bck
ren httpd-server.key.raw httpd-server.key
- Comment out the SSLPassPhraseDialog directive in HTTPD's SSL configuration file (C:\Program Files (x86)\Websense\Web Security\apache\conf\extra\httpd-ssl.conf) so that Apache no longer asks for a passphrase at startup
- Restart EIP's Web Server
Reference article 7999.
The issue is caused by the web server on these versions failing to read a passphrase-protected key. Because removing the passphrase removes that extra layer of protection on the file, customers on these versions are advised to either keep the original TRITON certificate or upgrade to 8.0.1 or later when possible. The sections above link to updated instructions for version 8.0.1.
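The supplement above, carried out as one script with the checks a practitioner would want before overwriting the live key. This is an added example, not a Forcepoint script: it assumes the EIP Infra install root and keystore paths shown in this article, the httpd-ssl.conf path listed in the supplement, a 64-bit install (Wow6432Node registry path), the "Websense TRITON Web Server" service display name, and an elevated PowerShell prompt. The openssl options used (-passin env:, -noout -modulus) are standard openssl options, not Forcepoint-specific.

```powershell
# Added example (not Forcepoint's own code): strips the passphrase from
# httpd-server.key for TRITON 7.8-8.0, with backups, verification and ACL
# hardening. Paths and service name below are assumptions; adjust to your host.
$ErrorActionPreference = 'Stop'
$root     = 'C:\Program Files (x86)\Websense\EIP Infra'                 # assumption
$openssl  = Join-Path $root 'apache\bin\openssl.exe'
$keystore = Join-Path $root 'apache\conf\keystore\httpd'
$key      = Join-Path $keystore 'httpd-server.key'
$cert     = Join-Path $keystore 'httpd-server.cer'
$sslConf  = 'C:\Program Files (x86)\Websense\Web Security\apache\conf\extra\httpd-ssl.conf'
$regPath  = 'HKLM:\SOFTWARE\Wow6432Node\Websense\EIP Infra'             # 32-bit: drop Wow6432Node
$svcName  = 'Websense TRITON Web Server'
$backup   = Join-Path $keystore ("backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
# The bundled openssl has no usable default config path on Windows.
$env:OPENSSL_CONF = Join-Path $root 'apache\conf\openssl.cnf'

# 0. Back up everything the procedure touches: key, cert, httpd-ssl.conf, registry hive.
New-Item -ItemType Directory -Path $backup | Out-Null
Copy-Item $key, $cert, $sslConf -Destination $backup
& reg.exe export 'HKLM\SOFTWARE\Wow6432Node\Websense\EIP Infra' (Join-Path $backup 'EIPInfra.reg') /y | Out-Null

# 1. Strip the passphrase. It is handed to openssl through an environment
#    variable (-passin env:NAME) so it never appears on a command line.
$secure = Read-Host -Prompt 'Passphrase of httpd-server.key' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:KEYPASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$raw = "$key.raw"
& $openssl rsa -in $key -out $raw -passin env:KEYPASS
Remove-Item Env:\KEYPASS
if ($LASTEXITCODE -ne 0) { throw 'openssl rsa failed (wrong passphrase?)' }

# 2. Sanity checks before swapping: the new file must really be unencrypted
#    (no "ENCRYPTED" header) and its modulus must match the certificate.
if (Select-String -Path $raw -Pattern 'ENCRYPTED' -Quiet) { throw 'key is still encrypted' }
$keyMod  = & $openssl rsa  -noout -modulus -in $raw
$certMod = & $openssl x509 -noout -modulus -in $cert
if ($keyMod -ne $certMod) { throw 'httpd-server.key.raw does not match httpd-server.cer' }

# 3. Swap the files as the article does; .bck keeps the encrypted original.
Rename-Item $key "$key.bck"
Rename-Item $raw $key

# 4. The key is now plaintext, so limit who can read it: SYSTEM, Administrators
#    and the service logon account only (assumption: account taken from the
#    service's StartName; LocalSystem is mapped to its icacls principal name).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$svcName'"
$svcAccount = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
& icacls.exe $key /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(R)' 'BUILTIN\Administrators:(F)' "$($svcAccount):(R)" | Out-Null

# 5. Comment out SSLPassPhraseDialog so httpd stops asking for a passphrase
#    (lines that are already commented start with # and are left alone).
(Get-Content $sslConf) -replace '^(\s*)(SSLPassPhraseDialog\b.*)$', '$1#$2' | Set-Content $sslConf

# 6. Record the empty passphrase in the registry and restart the web server.
Set-ItemProperty -Path $regPath -Name 'APASSPHRASE' -Value 'NULL'
Get-Service -DisplayName $svcName | Restart-Service
```

Step 2 is the part the manual procedure lacks: a key that was decrypted with the wrong input, or that never belonged to httpd-server.cer, is caught before the live key is renamed, and the original encrypted key stays in the backup directory and in httpd-server.key.bck for the revert procedure linked above.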
CHANGELOG:
Reviewed by Daniel Santiago 10/22/2015 - added note to step 5 on how to correctly use the -config switch for the openssl executable and showcased the commands by using the "code" button on the editor to avoid confusion, as the previous edit used bullet points and, when copy-pasting, if you weren't careful it could make it into the command itself
Reviewed by Daniel Santiago 11/26/2015 - Added Notes and Warnings for backing up registry and confirmed no internal information on public portion of KB
Reviewed by Gokulnath rangadurai 03/11/2016 - redo or revoke KB article. Customers can be suggested to follow the article http://www.websense.com/support/article/kbarticle/creating-stronger-certificates
and create triton certificates. Details mentioned in this KB article to be included in http://www.websense.com/support/article/kbarticle/creating-stronger-certificates
and create triton certificates to avoid confusion. This article can be replaced with use of KB:000005987
Reviewed by Daniel Santiago 02/03/2017 - Reviewed article and corrected details on cert creation/installation and applicable version info.
Note to previous reviewer, this article is for making Certificate Requests having them signed THEN installing the cert therefore revoking this article only HURTS the customer.
Edited by Colin Gordon 11/16/2017 - In my experience when trying to create the key with -nodes, openssl does not recognize this switch, at least when using openssl on Triton or an appliance. I have removed the special instruction for 7.8.4 and 8.0.0 from this step of the article and instead added an instruction for 7.8.4 and 8.0.0 to create a decrypted key from the encrypted key before installing the cert and key. I also modified the line in the installation instructions to specify that 7.8.4 and 8.0.0 will set the APASSPHRASE key to NULL since they will be using an unsecure key.
Edited by Sangeeth Narayanan 02/06/2020 - Added an example for how to add FQDN and FSM on the "openssl.cnf" file as well as a sample screen capture of a command output.
6/5/2020 - Added additional versions and internal article references. Clarified the language in some areas. Added a much needed recommendation to take an EIPBackup as well.
12/9/2020 - Fixed formatting for the above recommendation.
1/19/21 bkutsch - added internal info found in EI-24037 regarding BLS.exe documentation
2/22/2021 - Removed older products and versions. Updated title to use Forcepoint naming
5/5/2021 - bkutsch added additional info regarding Subject Alternative Names as requested in FB 008731
5/17/2021 - nnaziri - made following changes:
- Removed section "If you do know the password, set the password for the corresponding key you are reverting to. If you created an unencrypted key, review step 19."
- Rephrased to give clearer instructions in step 23 about password string match
- Added backup registry location in step HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra in step 15
- Removed “For version 8.0.1 to 8.5:” as this is no longer relevant
- Added formatting and spacing to make it easily and clearly readable
LH - Rewrote Step 8 as the config option does not actually exist. Made it so setting the environmental variable is required.
Originally:
- From a Command Prompt, navigate to the \Websense\EIP Infra\apache\conf\websense\ssl directory and set the openssl executable to use the EIP Infra's configuration file.
Note: The openssl executable provided in the apache\bin folder is not actually installed to the operating system. If the -config parameter is not used, it defaults to /usr/local/ssl/ (which does not exist on Windows) for its openssl.cnf path.
(Option 1) As a workaround, type in the full path to the location of the openssl.cnf file after the -config parameter:
..\..\..\bin\openssl.exe -config "C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf"
(Option 2) Changed OpenSSL environmental variable command prompt setting to use setx.
Originally: set OPENSSL_CONF="C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf"
https://phoenixnap.com/kb/windows-set-environment-variable