Manage LES
Manage Access to Credentials
Credential management is available to users that have the Log Exposure Administrator vRA custom user role. The tenant manager can assign this role either directly to users or via Custom Groups that carry the role. User roles are managed in the vRA Portal, which can be opened from the top right corner of the ESC Portal.
Users who have the role will see a Certificates menu on the top of the ESC Portal, where onboarding and credential management can be done. Access to the service is controlled using TLS certificates.
Onboarding/Offboarding
Upon first opening the Certificates menu on the top of the ESC Portal, the onboarding to the service is done automatically.
Currently there is no self-service offboarding process defined. If this is required, please contact the ESC support.
Certificate Creation
The certificates issued by the service are valid for 1 year and are signed by the Log Exposure Certificate Authority (CA), which in turn is signed by the Swisscom Datacenter CA.
New certificates can be created on the Certificates menu on the top of the ESC Portal by providing the following information:
Field | Mandatory | Description
---|---|---
Description | No | Free text description of the certificate
Email | Yes | The email to notify before certificate expiration
CSR | Yes | The user's certificate signing request
Consumer Group | Yes | The Kafka consumer group
The email is used by the service for certificate expiration notifications (see the Certificate Renewal section). Hence, it is recommended that this is a team mailbox or the email of a distribution list.
Certificate Signing Request
The user must provide a certificate signing request (CSR) with the following constraints:
- Subject: must only contain the common name (`CN`) in the format `logs-<tenant>-<your_free_text>`, e.g. `logs-orion-123-my-new-certificate`, where:
  - `<tenant>` is your tenant name, e.g. `orion-123`
  - `<your_free_text>` is a free text matching the regular expression `[a-z0-9-]*[a-z0-9]`, e.g. `my-new-certificate`
- Key Usage: if any is provided, the list must include TLS Web Client Authentication (`clientAuth`)
The examples below show how you can create a simple CSR using the openssl command:

```sh
# if you already have a private key saved in the private_key.pem file
openssl req -new -key private_key.pem -out csr.pem -subj "/CN=logs-orion-123-my-user-certificate"

# if you don't have a private key and you want to generate one in the private_key.pem file
openssl req -newkey rsa:3072 -keyout private_key.pem -out csr.pem -subj "/CN=logs-orion-123-my-user-certificate"
```
While the ESC Portal will directly accept the plain text CSR, the API requires it Base64-encoded. To obtain this, run:

```sh
openssl base64 -A -in csr.pem
```
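The following script is an added example and not part of the LES documentation: it checks a planned common name against the `logs-<tenant>-<your_free_text>` rule before calling openssl, generates the CSR with the required `clientAuth` extended key usage, verifies that the usage is really present, and produces the single-line Base64 form the API expects. It assumes openssl 1.1.1 or newer on the PATH; the tenant name `orion-123` is a constructed sample.

```sh
#!/bin/sh
# Added example, not part of the LES documentation: check a CSR subject against
# the LES naming rule, then build a CSR that carries the clientAuth key usage.
# Assumes openssl >= 1.1.1 on PATH; tenant "orion-123" is a constructed sample.

# validate_cn CN TENANT: succeeds only if CN is logs-<tenant>-<free_text>
# with <free_text> matching [a-z0-9-]*[a-z0-9] (non-empty, no trailing '-').
validate_cn() {
  cn="$1"; tenant="$2"
  prefix="logs-${tenant}-"
  case "$cn" in
    "$prefix"*) ;;          # CN starts with logs-<tenant>-
    *) return 1 ;;
  esac
  free="${cn#"$prefix"}"
  # LC_ALL=C keeps [a-z] strictly lowercase ASCII regardless of locale
  printf '%s\n' "$free" | LC_ALL=C grep -Eq '^[a-z0-9-]*[a-z0-9]$'
}

# make_csr CN TENANT KEYFILE CSRFILE: new 3072-bit RSA key + CSR whose subject
# is only the CN and whose extensions include extendedKeyUsage=clientAuth.
make_csr() {
  validate_cn "$1" "$2" || { echo "invalid CN: $1" >&2; return 1; }
  openssl req -newkey rsa:3072 -nodes -keyout "$3" -out "$4" \
    -subj "/CN=$1" -addext "extendedKeyUsage=clientAuth"
}

# csr_has_client_auth CSRFILE: succeeds if the CSR lists TLS Web Client Authentication
csr_has_client_auth() {
  openssl req -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# csr_base64 CSRFILE: single-line Base64 form expected by the LES API
csr_base64() {
  openssl base64 -A -in "$1"
}

# Demo, run only when openssl is available; files go to a temporary directory.
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_csr logs-orion-123-my-user-certificate orion-123 "$tmp/private_key.pem" "$tmp/csr.pem"
  csr_has_client_auth "$tmp/csr.pem" && echo "CSR carries clientAuth EKU"
  csr_base64 "$tmp/csr.pem"; echo
  rm -rf "$tmp"
fi
```

The private key is written unencrypted (`-nodes`) so the demo runs without prompts; for a real key, drop that flag or protect the file with a passphrase and restrictive permissions.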
Consumer Group
This field allows you to control the Kafka consumer topology.
- With different consumer groups, the consumers consume the same Kafka topic in parallel, each one receiving all the events.
- When one consumer group is shared between multiple certificates, the corresponding consumers compete for the same events in a topic and each event reaches only one of them.
Certificate Renewal
Starting 90 days before the expiration date (1 year after creation), an email notification will be sent weekly to the email address used during certificate creation.
An existing certificate cannot be renewed, instead a new one has to be created by following the instructions in the Certificate Creation section.
To stop the weekly expiration notification, delete the expiring certificate in the portal. If you can't see your existing certificate, please contact us to have the certificate removed and the notification stopped.
Service Monitoring
Health Events
The service produces health events as specified by the Health Exposure Service event schema with a frequency of 1 hour.