
WEC and HTTPS certificate authentication

HTTPS certificate authentication is the alternative to Kerberos for WEC. It expects the WEC server (TeskaLabs LogMan.io Collector) to provide an HTTPS server on port tcp/5986. This authentication can be operated without Active Directory.

WEC Collector configuration

The following options are used to set up HTTPS certificate authentication in LogMan.io Collector:

input:WEC:WECInput:
   listen: 5986 ssl
   output: ...

   cert: /mypath/cert.pem
   key:  /mypath/key.pem
   cafile: /mypath/ca.pem

The WEC collector listens on tcp/5986 using the HTTPS protocol.

TLS/SSL Certificate requirements:

  • The WEF certificate (client) MUST have the X509 v3 Extended Key Usage: TLS Web Client Authentication.
  • The WEC certificate (server) MUST have the X509 v3 Extended Key Usage: TLS Web Server Authentication.

Tip

You MAY use certificates provided by your CA, if applicable. Make sure that the certificates comply with the above criteria.

Tip

You can use the XCA tool to generate the CA, WEC server and WEF client certificates.

The URL for WEF is:

https://lmio-collector.domain.int:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=<Thumbprint of the issuing CA certificate>
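
The following added example, which is not LogMan.io code, derives the IssuerCA value for the URL above from the CA certificate in PEM form and checks a value entered on the WEF side against the collector's cafile. It assumes the thumbprint is the SHA-1 hash of the certificate's DER encoding, as Windows displays it; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprints(pem_text):
    """SHA-1 over the DER bytes of each certificate in a PEM file or bundle."""
    ders = [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate found")
    return [hashlib.sha1(der).hexdigest().upper() for der in ders]

def normalize_thumbprint(value):
    """Drop colons, spaces and invisible characters from a pasted thumbprint."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(cleaned) != 40:
        raise ValueError("a SHA-1 thumbprint is 40 hex digits, got %d" % len(cleaned))
    return cleaned

def subscription_manager_url(host, issuer_ca, port=5986, refresh=60):
    """Build the WEF URL in the format shown above."""
    return ("https://%s:%d/wsman/SubscriptionManager/WEC,Refresh=%d,IssuerCA=%s"
            % (host, port, refresh, normalize_thumbprint(issuer_ca)))

def issuer_matches(cafile_text, configured):
    """True if the IssuerCA value on the WEF side is a CA in the collector's cafile."""
    return normalize_thumbprint(configured) in thumbprints(cafile_text)

# Constructed placeholder bytes standing in for a DER certificate (not a real CA).
SAMPLE_DER = b"constructed-sample-der-bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    tp = thumbprints(SAMPLE_PEM)[0]
    print(subscription_manager_url("lmio-collector.domain.int", tp))
```

To use it with a real deployment, pass the contents of the file configured as `cafile` to `thumbprints()` instead of the sample.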

The certificate must be readable by the NT_AUTHORITY\NetworkService user; this can be set in the Certificate Manager / Security setting.