LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

SSL communication between TheHive and Splunk #20

Closed bil15 closed 3 years ago

bil15 commented 3 years ago

Hey! I have some difficulties configuring SSL for my Splunk-TheHive communication using the app. My TheHive3 instance has SSL configured using an nginx reverse-proxy. So, I have files like this: /etc/nginx/snippets/thehive-self-signed.conf which contains:

/etc/ssl/certs/thehive-selfsigned.crt
/etc/ssl/private/thehive-selfsigned.key

/etc/nginx/snippets/thehive-ssl-params.conf which contains:

...
ssl_dhparam /etc/ssl/certs/thehive-dhparam.pem;

/etc/nginx/sites-enabled/thehive.conf which contains:

server {
    listen 9100 ssl http2 default_server;
    listen [::]:9100 ssl http2 default_server;
    include snippets/thehive-self-signed.conf;
    include snippets/thehive-ssl-params.conf;
    ....
    location / {
        add_header              Strict-Transport-Security "max-age=31536000; includeSubDomains";
        proxy_pass              http://127.0.0.1:9000/;
        proxy_http_version      1.1;
    }
}

I've tried to configure SSL communication by appending the content of the file /etc/ssl/certs/thehive-selfsigned.crt to "$APP_FOLDER$/bin/ta_thehive_cortex/aob_py3/certifi/cacert.pem" and "$APP_FOLDER$/bin/ta_thehive_cortex/aob_py2/certifi/cacert.pem" like this:

# TheHive cert
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Then I restarted my Splunk and got an error message while trying to list all alerts from TheHive in Splunk: image

Any ideas on how to fix it? Am I doing something wrong?

LetMeR00t commented 3 years ago

Hi @bil15, could you enable the DEBUG mode by setting DEBUG under Configuration/Logging? Then start the search again (the one with the 46 error), open the search.log and copy/paste the output here (please remove any sensitive information, if any) or send the file by mail to letmer00t@gmail.com. Thank you.

bil15 commented 3 years ago

@LetMeR00t

2021-03-30 13:41:45,820 DEBUG   common:26 - [S2] Logging mode set to DEBUG
2021-03-30 13:41:45,844 DEBUG   common:33 - [S5] KVStore, getting {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>'}
2021-03-30 13:41:45,844 DEBUG   common:48 - [S10] KVStore, adding key "<instance_id>" {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>'}
2021-03-30 13:41:45,844 DEBUG   common:33 - [S5] KVStore, getting {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>'}
2021-03-30 13:41:45,844 DEBUG   common:48 - [S10] KVStore, adding key "<instance-id>" {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>'}
2021-03-30 13:41:48,121 DEBUG   common:58 - [S15] Getting these additional parameters: {'cortex_max_jobs': '100', 'cortex_sort_jobs': '-createdAt', 'disabled': False, 'eai:acl': None, 'eai:appName': 'TA-thehive-cortex', 'eai:userName': 'nobody', 'thehive_max_alerts': '100', 'thehive_max_cases': '100', 'thehive_sort_alerts': '-date', 'thehive_sort_cases': '-startDate'}
2021-03-30 13:41:49,780 DEBUG   common:68 - [S20] Getting these usernames from account: {'<instance_id>': {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>', 'username': 'splunk_uds'}, '<instance_id>': {{'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>', 'username': 'splunk_uds'}}
2021-03-30 13:41:49,791 DEBUG   common:78 - [S25] Getting these passwords from storage passwords: {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': False, 'host': '<host_ip>', 'id': '<instance_id>', 'organisation': '-', 'port': 9100, 'protocol': 'https', 'proxies': '{}', 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>', 'username': 'splunk_uds', 'password': '<API_key>'}, '<instance_id>': {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': True, 'host': '<host_ip>', 'organisation': None, 'port': 9100, 'protocol': 'https', 'proxies': {}, 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>', 'username': 'splunk_uds', 'password': '<API_key>'}}
2021-03-30 13:41:49,791 DEBUG   thehive:32 - [TH6] Settings recovered
2021-03-30 13:41:49,791 DEBUG   common:119 - [S45] Getting this parameter : thehive_max_cases=100
2021-03-30 13:41:49,791 DEBUG   common:125 - [S50] Getting this parameter: thehive_sort_cases=-startDate
2021-03-30 13:41:49,791 DEBUG   common:131 - [S51] Getting this parameter: thehive_max_alerts=100
2021-03-30 13:41:49,791 DEBUG   common:137 - [S52] Getting this parameter: thehive_sort_alerts=-date
2021-03-30 13:41:49,791 DEBUG   common:103 - [S35] This instance ID (<instance_id>) returns: {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': True, 'host': '<host_ip>', 'organisation': None, 'port': 9100, 'protocol': 'https', 'proxies': {}, 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>', 'username': 'splunk_uds', 'password': '<API_key>'}
2021-03-30 13:41:49,791 DEBUG   common:89 - [S30] This instance ID (<instance_id>) returns: {'account_name': 'thehive3', 'authentication_type': 'api_key', 'cert': True, 'host': '<host_ip>', 'organisation': None, 'port': 9100, 'protocol': 'https', 'proxies': {}, 'type': 'TheHive3', '_user': 'nobody', '_key': '<key>', 'username': 'splunk_uds', 'password': '<API_key>'}
2021-03-30 13:41:49,792 DEBUG   common:111 - [S40] this instance id (<instance_id>) returns: authentication_type=api_key
2021-03-30 13:41:49,792 DEBUG   common:111 - [S40] this instance id (<instance_id>) returns: proxies={}
2021-03-30 13:41:49,792 DEBUG   common:111 - [S40] this instance id (<instance_id>) returns: cert=True
2021-03-30 13:41:49,792 DEBUG   common:111 - [S40] this instance id (<instance_id>) returns: organisation=None
2021-03-30 13:41:49,792 DEBUG   common:111 - [S40] this instance id (<instance_id>) returns: type=TheHive3
2021-03-30 13:41:49,792 DEBUG   thehive:55 - [TH16] TheHive instance will be initialized with an API Key (not a password)
2021-03-30 13:41:49,792 DEBUG   thehive:80 - [TH26] TheHive version is 3.x
2021-03-30 13:41:49,792 DEBUG   thehive:110 - [TH35] TheHive instance is initialized
2021-03-30 13:41:49,813 ERROR   thehive:124 - [TH46-GENERIC-ERROR] THE_HIVE_CONNECTION_ERROR - Error: Error: HTTPSConnectionPool(host='<host_ip>', port=9100): Max retries exceeded with url: /api/case/_search?range=all (Caused by SSLError(SSLCertVerificationError("hostname '<host_ip>' doesn't match 'TheHive'")))

Something like this; I've replaced all sensitive data with <...>.

LetMeR00t commented 3 years ago

Hum, are you using the IP from the instances list as host? Please use the hostname indicated in your certificate as the host and not the IP. Do you understand what I mean? Because you have an error saying that your IP doesn't match the hostname (so you should set the hostname directly and not the IP).
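The error in the log above is worth reading as two separate checks: appending the self-signed certificate to cacert.pem satisfies chain trust, but hostname verification is a second, independent step, and it compares the host the client was given against the certificate's subjectAltName (or, for a certificate with no SAN at all, against the CN). The following added example is not part of the add-on or of this thread; it re-implements that legacy matching logic (the urllib3-style match_hostname behaviour whose message format "hostname ... doesn't match ..." appears in the log) over hand-constructed certificate dicts in the shape returned by ssl.SSLSocket.getpeercert(), so it runs offline. The names CERT_CN_ONLY, CERT_WITH_SAN, the hostname thehive.example.internal and the IP 192.0.2.10 are constructed for the example.

```python
"""Why a CA-bundle change alone does not fix "hostname '<ip>' doesn't match 'TheHive'".

Two independent checks a TLS client performs on a server certificate:
  1. chain trust   - is the (self-signed) certificate in the CA bundle?
  2. hostname      - does the host we were told to reach appear in the cert?
Only the first is addressed by appending the cert to cacert.pem.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed: a self-signed cert carrying only a CN, as in the issue.
CERT_CN_ONLY = {
    "subject": ((("commonName", "TheHive"),),),
    "subjectAltName": (),
}

# Constructed: the same server re-issued with SAN entries for a DNS name and an IP.
CERT_WITH_SAN = {
    "subject": ((("commonName", "TheHive"),),),
    "subjectAltName": (("DNS", "thehive.example.internal"), ("IP Address", "192.0.2.10")),
}


def _to_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an ip_address object if `host` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; only a single leading '*.' wildcard is honoured."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def hostname_matches(cert: dict, host: str) -> Tuple[bool, str]:
    """Legacy match_hostname logic: SAN first, CN only when the cert has no SAN.

    Returns (ok, reason); the failure text mirrors the format seen in the log.
    """
    host_ip = _to_ip(host)
    names_seen = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            # DNS entries are only compared when the host is not an IP literal.
            if host_ip is None and _dns_match(value, host):
                return True, "matched SAN DNS"
            names_seen.append(value)
        elif kind == "IP Address":
            # IP literals are compared byte-wise against iPAddress entries.
            if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                return True, "matched SAN IP Address"
            names_seen.append(value)
    if not names_seen:
        # No SAN at all: fall back to the CN (the deprecated behaviour that makes
        # "use the CN as host" work for the self-signed cert in the issue).
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if _dns_match(value, host):
                        return True, "matched CN (legacy, certificate has no SAN)"
                    names_seen.append(value)
    if len(names_seen) > 1:
        joined = ", ".join(repr(n) for n in names_seen)
        return False, f"hostname {host!r} doesn't match either of {joined}"
    if len(names_seen) == 1:
        return False, f"hostname {host!r} doesn't match {names_seen[0]!r}"
    return False, "no appropriate subjectAltName or commonName in certificate"


def verify(cert: dict, host: str, issuer_in_ca_bundle: bool) -> str:
    """Run the two checks in the order a client does and report the first failure."""
    if not issuer_in_ca_bundle:
        return "CERTIFICATE_VERIFY_FAILED: self-signed certificate not in CA bundle"
    ok, reason = hostname_matches(cert, host)
    return "OK" if ok else f"SSLCertVerificationError: {reason}"


if __name__ == "__main__":
    # Constructed scenario: cert trusted via cacert.pem, but host configured as an IP.
    print(verify(CERT_CN_ONLY, "192.0.2.10", issuer_in_ca_bundle=True))
    # Same cert, host set to the CN exactly as the maintainer suggests.
    print(verify(CERT_CN_ONLY, "TheHive", issuer_in_ca_bundle=True))
    # Durable fix: a cert whose SAN lists both the DNS name and the IP.
    print(verify(CERT_WITH_SAN, "192.0.2.10", issuer_in_ca_bundle=True))
```

Running the script shows the first call failing with exactly the shape of message seen in the search.log, the second passing through the CN fallback, and the third passing regardless of whether the add-on is configured with the DNS name or the IP. Note that once a certificate carries any SAN entry the CN is ignored, so re-issuing the nginx certificate with a SAN that lists every name or address Splunk will use is the change that makes the configuration robust.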

bil15 commented 3 years ago

Yes, I understood. I'll try and report the results then.

bil15 commented 3 years ago

@LetMeR00t Got it! I've added a hostname to my nginx reverse-proxy and put it as the hostname in the app. Thanks a lot!

bil15 commented 3 years ago

@LetMeR00t I have a few more questions about the app usage; how could I reach you? These questions aren't worth separate issues :)

LetMeR00t commented 3 years ago

Hi, you can send an email to letmer00t@gmail.com. Thank you.