Third Parties
Please see the following information on certificates and signing requests before proceeding: https://forums.soltra.com/index.php?/topic/43-securing-soltra-edge-with-ssl/
Note: Only the information regarding CSRs (not the information regarding Two-Way SSL) will be necessary for this guide.
- You have an approved Certificate and Key pair, as directed by FLAREadmin
- You have already established and configured an installation of the Soltra Edge interface
Continue following the instructions below to configure the connection to the FLARE server using these certificates.
- Log in to the Soltra Edge GUI using your login credentials.
- Navigate to Admin > Sites.
- Click 'add', and fill out the appropriate information. 'Login' should be left blank, as you will be using Two-Way SSL to connect to FLAREsuite. The FLARE discovery URL endpoint should look something like `.../flare/taxii11/discovery`. Finish by pressing 'Add Site'.
Continue following the instructions below to enable SSL.
- Select the FLARE server site from the list of sites.
- Navigate to the 'Connection' tab.
- Towards the bottom of the UI, there will be a row for 'Two-Way'. Press the '+ Upload...' button.
- Copy and paste the contents of the .crt and .key files into their respective text input boxes (access the contents using `openssl x509 -in file.crt` and `openssl rsa -in file.key`).
- Press 'Enable Two-Way'.
- Navigate to 'Admin' > 'System'.
- Add 'FLAREgateway' (or the appropriate hostname of the gateway that you are connecting to and that is configured for the TAXII services, e.g. `FLAREgateway:8443/flare/taxii/poll`). This line might look something like `localhost,127.0.0.1,FLAREgateway`.
- Ensure that the `/etc/hosts` file on the Soltra VM is configured to resolve whichever host you're trying to connect to.
At this point, the connection to FLARE should be complete: a Discovery Request should send successfully, and a list of collections will populate automatically.
- Click the site that has been created for FLARE.
- For a feed that you wish to poll data from, press the '+' to the right of that feed.
- Choose an option from the given options. Periodic will occur every `x` number of minutes. Wall-Clock will similarly poll every `x` number of minutes. Manual will require a user to press the poll request button when they would like to poll.
- Once the feed has been configured, click on it.
- Click the 'Options' tab. Copy the subscription ID given by the FLAREsuite administrator, and paste into the Subscription ID field. Finish by pressing 'Update'.
- The feed should now be configured for polling, and any subsequent poll requests should return a 'Success', and log the number of content blocks received.
A manual poll initially covers the window from the 'Sync Start' timestamp to the current time's timestamp, grabbing all content that occurred within that segment, and polling then advances to the current time. Each subsequent poll will use the last time a manual poll was submitted as its beginning timestamp, and the current time as its ending timestamp.
Note: If a Soltra Edge client polls a feed that contains any duplicate STIX Observable IDs, it will return an error and be unsuccessful. Ensure that no duplicates exist for the feed that you are polling. This is typically left to O&M or systems administrators of the FLAREsuite environment.
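A check for the duplicate condition described in the note above, given as an added example that is not part of the original guide or of Soltra Edge or FLAREsuite. It assumes the feed's content blocks are STIX 1.x XML as carried over TAXII 1.1; the function names and the sample IDs are made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample content block (STIX 1.x XML); every ID here is made up.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" id="example:Package-1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:Observable-aaa"/>
    <cybox:Observable id="example:Observable-bbb"/>
    <cybox:Observable idref="example:Observable-aaa"/>
  </stix:Observables>
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-1">
      <indicator:Observable id="example:Observable-aaa"/>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def observable_ids(xml_text):
    """Return the id of every Observable element that defines one.

    Matching on the local name covers both cybox:Observable and
    indicator:Observable; idref-only elements are references, not
    definitions, so they are skipped.
    """
    # Standard-library parser: use it on exports from your own FLARE
    # environment, and a hardened XML parser for content from untrusted sources.
    root = ET.fromstring(xml_text)
    return [el.get("id") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Observable" and el.get("id")]


def duplicate_observable_ids(content_blocks):
    """Map each Observable id defined more than once in the feed to its count."""
    counts = Counter()
    for block in content_blocks:
        counts.update(observable_ids(block))
    return {oid: n for oid, n in counts.items() if n > 1}


if __name__ == "__main__":
    for oid, n in sorted(duplicate_observable_ids([SAMPLE_STIX]).items()):
        print(f"duplicate Observable id {oid!r} defined {n} times")
```

Pass every content block of the feed in one call, since an ID repeated across two blocks counts as a duplicate just as one repeated inside a single block does.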
For additional functionality, please consult the appropriate Soltra Edge documentation that matches the version you are using.