Registration service with host verification

Using SSL certificate verification during registration ensures that the connection is established between the right Wazuh agent and the right Wazuh manager.

Creating a Certificate Authority (CA)

The registration service with SSL verification requires the creation of a Certificate Authority (CA), which is used to sign the certificates of the Wazuh manager and the Wazuh agents. Each host receives a copy of this CA certificate in order to verify the remote certificate.

To generate the CA certificate and its private key, execute the following command:

# openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Manager"

Warning

The newly created rootCA.key file is the private key of the CA. It is needed to sign other certificates and it is critical to keep it secure. Never copy this file to other hosts.

Available options to verify the hosts

There are two options to register the Wazuh agent using host verification: verifying the Wazuh manager and verifying the Wazuh agent. Note that both can be used together in the registration process:

To verify the Wazuh manager using SSL, create an SSL certificate and sign it using the Certificate Authority (CA) created in the previous section. This allows the Wazuh agents to ensure that they are connected to the correct Wazuh manager during the registration process.

Creating and signing a certificate on the Wazuh manager

Follow these steps on the Wazuh manager's host:

  1. Create the configuration file req.conf, replacing <manager_IP> with the hostname or the IP address of the Wazuh server where the Wazuh agents are going to be registered. The configuration file could be as follows:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    [req_distinguished_name]
    C = US
    CN = <manager_IP>
    [req_ext]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = wazuh
    DNS.2 = wazuh.com
    

    Note

    The subjectAltName extension is optional, but it is necessary to allow the registration of Wazuh agents using a SAN certificate. In this example, the Wazuh server's DNS names are wazuh and wazuh.com.

  2. Issue and sign the certificate for the Wazuh manager:

    # openssl req -new -nodes -newkey rsa:4096 -keyout sslmanager.key -out sslmanager.csr -config req.conf
    # openssl x509 -req -days 365 -in sslmanager.csr -CA rootCA.pem -CAkey rootCA.key -out sslmanager.cert -CAcreateserial -extfile req.conf -extensions req_ext
    

    Note

    The -extfile and -extensions options are required to copy the subject and the extensions from sslmanager.csr to sslmanager.cert. This allows the registration of the Wazuh agents with a SAN certificate.

  3. Copy the certificate and the key to the /var/ossec/etc folder:

    # cp sslmanager.cert sslmanager.key /var/ossec/etc
    
  4. Restart the Wazuh manager:

    # systemctl restart wazuh-manager
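A check worth running on the manager between steps 2 and 3, before the signed certificate is copied into /var/ossec/etc. This is an added example and not part of the Wazuh documentation or the Wazuh code base: it verifies the two properties that the agent's -v option depends on, using openssl's own -verify_hostname and -verify_ip matching (assumed to be available in the installed OpenSSL, and assumed here to be close enough to what agent-auth checks; they may differ in edge cases).

```shell
#!/bin/sh
# Added example, not part of the Wazuh documentation: check a signed manager
# certificate on the manager host before it is copied to /var/ossec/etc.
# It covers the two properties the agent's -v option depends on: the
# certificate chains to rootCA.pem, and the name the agents will pass to
# agent-auth -m is covered by the certificate. Name matching uses openssl's
# own rules (-verify_hostname / -verify_ip), assumed available in the
# installed OpenSSL; they may differ in edge cases from agent-auth's checks.

# verify_manager_cert CA_FILE CERT_FILE MANAGER_NAME
# Exit status: 0 = chain and name OK, 1 = not signed by CA_FILE,
#              2 = MANAGER_NAME not covered by the certificate,
#              3 = a file is missing or unreadable.
verify_manager_cert() {
  ca=$1
  cert=$2
  name=$3
  [ -r "$ca" ] && [ -r "$cert" ] || return 3

  # 1. Chain validation: the same trust decision the agent makes with its
  #    copy of rootCA.pem. A certificate issued by another CA fails here.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1

  # 2. Name check. A dotted-decimal value is matched against iPAddress SANs
  #    only (openssl does not consult the CN for IP addresses), so a manager
  #    reached by IP needs an IP.1 = <manager_IP> entry under [alt_names].
  #    Anything else is matched against the DNS SANs (wazuh, wazuh.com in
  #    the req.conf above). IPv6 literals are not handled by this helper.
  case $name in
    *[!0-9.]*) nameopt=-verify_hostname ;;
    *)         nameopt=-verify_ip ;;
  esac
  openssl verify -CAfile "$ca" "$nameopt" "$name" "$cert" >/dev/null 2>&1 \
    || return 2
  return 0
}

# Usage on the manager, after step 2 and before step 3:
#   verify_manager_cert rootCA.pem sslmanager.cert <manager_IP> \
#     && cp sslmanager.cert sslmanager.key /var/ossec/etc
```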

Registering the Wazuh agent using the CA and enabling communication with the Wazuh manager

Copy the CA file (.pem) to the Wazuh agent's host. In this example, the CA file is rootCA.pem.


Open a terminal on the Linux/Unix Wazuh agent's host as the root user.

  1. Copy the CA (.pem file) previously created on the Wazuh manager to the /var/ossec/etc folder:

    # cp rootCA.pem /var/ossec/etc
    
  2. To register the Wazuh agent, run the agent-auth utility, providing the Wazuh manager's IP address and the location of the CA:

    # /var/ossec/bin/agent-auth -m <manager_IP> -v /var/ossec/etc/rootCA.pem
    

    If the new Wazuh agent's name is not provided, it is set automatically to the hostname. To specify the Wazuh agent's name, add -A <agent_name> to the command above.

    Note

    This method must include the -v option, which indicates the location of the CA. If this option is not included, a warning message is displayed and the connection is established without verifying the Wazuh manager.

  3. To enable communication with the Wazuh manager, edit the Wazuh agent's configuration file, located at /var/ossec/etc/ossec.conf.

    In the <client><server> section, replace MANAGER_IP with the Wazuh server's IP address or DNS name:

    <client>
      <server>
        <address>MANAGER_IP</address>
        ...
      </server>
    </client>
    
  4. Restart the Wazuh agent:

    # systemctl restart wazuh-agent

The Wazuh agent registration can be adjusted by using different agent-auth options.