Requirements of the Syslog protocol (TLS1.2/RFC5424)

System Administrator Guide for VSP 5000 Series

Version
90-09-2x
Audience
anonymous
Part Number
MK-98RD9009-16

The Syslog protocol (TLS1.2/RFC5424) requires the following:

  • A Syslog server that supports TLS1.2 and whose operation has been confirmed.
  • The Syslog server supports communication using the TLS security settings that are configured according to the procedure in Setting SSL/TLS communications using the Tool Panel.
  • Server certificate that has been set on the Syslog server

    A server certificate that meets the following requirements can be used:

    Requirements for the server certificate of the Syslog server:
    • If the public key of the certificate is RSA, the key length must be 2048 bits or more.
    • If the public key of the certificate is ECDSA, the public key parameter must be any of the following:
      • ECDSA_P256 (secp256r1)
      • ECDSA_P384 (secp384r1)
      • ECDSA_P521 (secp521r1)
    • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
    • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
      • subjectAltName
      • CRLDistributionPoint
      • AuthorityInfoAccess
      • BasicConstraints
      • KeyUsage
      • SubjectKeyIdentifier

      The IP address of the Syslog server must be entered in subjectAltName or CommonName. A domain name cannot be specified.

    • When you perform a certificate revocation check by using CRL, set the URI of the CRL repository in cRLDistributionPoint (CRL distribution point) of the intermediate certificate and the server certificate that have been set on the connected server. The CRL repository must be on a network that the SVP can access so that the SVP can communicate with it. If the SVP cannot communicate with the CRL repository, communication with the Syslog server fails.
    • When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder in authorityInfoAccess (Authority Information Access) of the intermediate certificate and the server certificate that have been set on the connected server. The OCSP responder must be on a network that the SVP can access so that the SVP can communicate with it. If the SVP cannot communicate with the OCSP responder, communication with the Syslog server fails.
    • Check the number of tiers in the certificate chain to be used. The maximum supported is 20 tiers; use a certificate whose certificate chain has no more than 20 tiers.
  • Root certificate of the Syslog server

    A root certificate that meets the following requirements can be uploaded to the SVP.

    Certificate format:
    • X509 DER format
    • X509 PEM format

    Root certificate requirements:
    • If the public key of the certificate to be uploaded to the SVP is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
    • If the public key of the certificate to be uploaded to the SVP is ECDSA, the public key parameter must be any of the following:
      • ECDSA_P256 (secp256r1)
      • ECDSA_P384 (secp384r1)
      • ECDSA_P521 (secp521r1)
    • The signature hash algorithm of the certificate to be uploaded to the SVP must be SHA-256, SHA-384, or SHA-512.
  • Client certificate

    A client certificate that meets the following requirements can be uploaded to the SVP.

    Certificate format: PKCS#12 format
    TLS security settings: The server supports communication using the TLS security settings that are set in Setting SSL/TLS communications using the Tool Panel.

    Client certificate requirements:
    • If the public key of the certificate to be uploaded to the SVP is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
    • If the public key of the certificate to be uploaded to the SVP is ECDSA, the public key parameter must be any of the following:
      • ECDSA_P256 (secp256r1)
      • ECDSA_P384 (secp384r1)
      • ECDSA_P521 (secp521r1)
    • The signature hash algorithm of the certificate to be uploaded to the SVP must be SHA-256, SHA-384, or SHA-512.
    • If an intermediate certificate exists, you must prepare a signed public key certificate in a certificate chain that contains the intermediate certificate.
    • The number of tiers of the certificate chain for the certificate to be uploaded must be 20 tiers or less including the root CA certificate.

Convert the client certificate signed by a CA (Certificate Authority) on the Syslog server to the PKCS#12 format. For more information, see Obtaining a client certificate for the Syslog protocol.

If you do not know the password of the client certificate in the PKCS#12 format, contact the Syslog server administrator.
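The following script is an added example (it is not part of the VSP manual or the product) that pre-checks a PEM certificate against the server certificate requirements above: signature hash, RSA key length or ECDSA curve, the server IP address in subjectAltName or CommonName, and the 20-tier chain limit. It assumes the openssl CLI (1.1.1 or later) is on PATH; the function names, the optional minimum RSA length argument and the 192.0.2.x demo addresses are this example's own.

```shell
#!/bin/sh
# Added example, not from the VSP manual: pre-check a PEM certificate (optionally
# with its chain appended) against the requirements listed above, using the
# openssl CLI (assumed to be 1.1.1 or later and on PATH).
# usage: check_syslog_cert <cert.pem> <syslog-server-ip> [min-rsa-bits, default 2048]
check_syslog_cert() {
  cert=$1; ip=$2; min_rsa=${3:-2048}
  txt=$(openssl x509 -in "$cert" -noout -text) || return 1

  # Signature hash must be SHA-256, SHA-384 or SHA-512.
  sig=$(printf '%s\n' "$txt" | grep -m1 'Signature Algorithm:' | sed 's/.*: *//')
  case "$sig" in
    *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) ;;
    *) echo "FAIL: signature hash '$sig' is not SHA-256/384/512"; return 1 ;;
  esac

  # RSA keys need at least min_rsa bits; ECDSA keys must use P-256, P-384 or P-521.
  alg=$(printf '%s\n' "$txt" | grep -m1 'Public Key Algorithm:' | sed 's/.*: *//')
  case "$alg" in
    rsaEncryption)
      bits=$(printf '%s\n' "$txt" | grep -m1 'Public-Key: (' | sed 's/.*(\([0-9]*\) bit.*/\1/')
      [ "${bits:-0}" -ge "$min_rsa" ] || { echo "FAIL: RSA key is $bits bits (< $min_rsa)"; return 1; } ;;
    id-ecPublicKey)
      curve=$(printf '%s\n' "$txt" | grep -m1 'ASN1 OID:' | sed 's/.*: *//')
      case "$curve" in
        prime256v1|secp384r1|secp521r1) ;;  # prime256v1 is OpenSSL's name for secp256r1
        *) echo "FAIL: ECDSA curve '$curve' is not P-256/P-384/P-521"; return 1 ;;
      esac ;;
    *) echo "FAIL: public key algorithm '$alg' is neither RSA nor ECDSA"; return 1 ;;
  esac

  # The server IP address must appear in subjectAltName or CommonName (no domain names).
  printf '%s\n' "$txt" | grep -Eq "IP Address:$ip(,|$)|CN ?= ?$ip(,|$)" \
    || { echo "FAIL: $ip is not in subjectAltName or CommonName"; return 1; }

  # A chain file must not exceed 20 tiers.
  tiers=$(grep -c 'BEGIN CERTIFICATE' "$cert" || true)
  [ "$tiers" -le 20 ] || { echo "FAIL: chain has $tiers tiers (> 20)"; return 1; }
  echo "OK: $cert meets the Syslog server certificate requirements"
}

# Constructed demo data: self-signed ECDSA certificates on a chosen curve.
# usage: make_demo_cert <openssl-curve-name> <ip> <out.pem>
make_demo_cert() {
  openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$1" -nodes -sha384 -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=IP:$2" -keyout "${3%.pem}.key" -out "$3" 2>/dev/null
}
```

Run `check_syslog_cert server.pem 192.0.2.10` against the certificate (with its chain) you intend to install; the same key and hash checks apply to the root and client certificates, with the configured Minimum Key Length passed as the third argument.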
CAUTION:
  • The certificates have expiration dates. If a certificate expires, you will not be able to connect to the Syslog server. Make sure to update the certificate before the expiration date.
  • For more information about the certificate management, contact the Syslog server administrator.