Requirements of the Syslog transfer protocol (TLS/RFC5424)

System Administrator Guide for Virtual Storage Platform E Series

Version
93-07-0x
Part Number
MK-97HM85028-18

The Syslog transfer protocol (TLS/RFC5424) requires the following:

  • Syslog server that supports TLS (TLS 1.2 or later)
  • Syslog server certificate
    • In the extended profile fields of the X.509 certificate, use only the following items (specified in RFC5280):
      • BasicConstraints
      • KeyUsage
      • SubjectKeyIdentifier
      • SubjectAltName
    • The certificate chain must have 5 tiers or fewer.
  • Client certificates

    The following table lists and describes the certificates that can be uploaded to the SVP.

    Note:
    • Consult the Syslog server administrator for details about these certificates and appropriately manage the certificates.
    • Be careful about the expiration date of certificates. If a certificate is expired, you will not be able to connect to the Syslog server.
    • Ask the Syslog server administrator for the root certificate of the Syslog server. Also, convert the client certificate signed by the Certificate Authority (CA) of the Syslog server to PKCS#12 format.
    • Contact the Syslog server administrator for the password set for the PKCS#12-format client certificate.
    Certificate type: Syslog server root certificate
    Format: X.509
    Requirements:
    • Any items other than the following items (that are specified in RFC5280) must not be used for the extended profile fields in the X.509 certificate:
      • BasicConstraints
      • KeyUsage
      • SubjectKeyIdentifier

    Certificate type: Client certificate
    Format: PKCS#12
    Requirements:
    • If an intermediate certificate exists, you must prepare a signed public key certificate in a certificate chain that contains the intermediate certificate.
    • The number of tiers of the certificate chain for the certificate to be uploaded must be 5 tiers or fewer including the root CA certificate.
    • The public key of the certificate to be uploaded must be RSA.
    • The IP addresses or host names of GUM(CTL1) and GUM(CTL2) must be set for Common Name and Subject Alternative Name in the client certificate.

    If an intermediate certificate is provided by a certificate authority, set the intermediate certificate on the Syslog server.
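
    An added example, not part of the guide: a pre-upload check in Python (standard library only) of the extension allow-list, the RSA requirement and the 5-tier limit listed above. It assumes the certificates are available as a leaf-first PEM bundle that includes the root CA certificate (a PKCS#12 file has to be exported to PEM first). The function and constant names are hypothetical, and the code only reads certificate fields; it does not verify signatures or expiration dates.

```python
import base64, re

ROOT_ALLOWED = {"2.5.29.19", "2.5.29.15", "2.5.29.14"}  # BasicConstraints, KeyUsage, SubjectKeyIdentifier
SERVER_ALLOWED = ROOT_ALLOWED | {"2.5.29.17"}           # plus SubjectAltName
RSA_OID, MAX_TIERS = "1.2.840.113549.1.1.1", 5          # rsaEncryption; chain tier limit
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlvs(buf):
    """Split one nesting level of DER into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def oid(raw):
    """Decode the value bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_summary(der):
    """Return (public key algorithm OID, extension OIDs) of one certificate."""
    tbs = tlvs(tlvs(tlvs(der)[0][1])[0][1])    # fields of tbsCertificate
    fields = [f for f in tbs if f[0] != 0xA0]  # skip the optional [0] version
    key_alg = oid(tlvs(tlvs(fields[5][1])[0][1])[0][1])  # SPKI -> AlgorithmIdentifier -> OID
    exts = [e for tag, val in tbs if tag == 0xA3 for _, e in tlvs(tlvs(val)[0][1])]
    return key_alg, [oid(tlvs(e)[0][1]) for e in exts]

def check_pem(pem_text, allowed=None, require_rsa=False):
    """Check the first certificate of a leaf-first PEM bundle; return violations."""
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    if not ders:
        return ["no certificate found"]
    problems = [f"chain has {len(ders)} tiers, limit is {MAX_TIERS}"] if len(ders) > MAX_TIERS else []
    key_alg, ext_oids = cert_summary(ders[0])
    if require_rsa and key_alg != RSA_OID:
        problems.append(f"public key algorithm {key_alg} is not RSA")
    problems += [f"extension {o} is not permitted" for o in ext_oids
                 if allowed is not None and o not in allowed]
    return problems
```

    Call `check_pem(text, SERVER_ALLOWED)` for the Syslog server certificate, `check_pem(text, ROOT_ALLOWED)` for the root certificate, and `check_pem(text, require_rsa=True)` for the exported client certificate chain; an empty list means no violation was found.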