LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] App issues on SHCluster #23

Closed Ugalder closed 3 years ago

Ugalder commented 3 years ago

Request Type

Bug deploying app on SHCLUSTER

Work Environment

| Question | Answer |
| --- | --- |
| OS version (server) | CentOS 7 |
| TheHive version / git hash | 3.4.0-1 |

Problem Description

After I installed the app on my deploy master, I set up the configuration and the app ran smoothly. After I sent this app to the SHs, I noticed two things:

First: when I try to see the account profile under Settings -> Configuration, the screen says "loading" and stays there forever.

Second: when the deploy master sends the app to all the SHs in the cluster, it sends it without the local directory where the passwords.conf and ta_thehive_cortex_account.conf live. I guess this is why it doesn't load the account info on the configuration tab.


Steps to Reproduce

  1. Install App TheHive/Cortex 2.1.0 on Deploy Master Splunk
  2. Set the configuration on deploy master
  3. Send the configured app to the SHs in the SH cluster through the deploy master
  4. Account stuck on loading
  5. No instance to show
  6. Panels without info

Possible Solutions

- I tried moving the local files to default and then resending to the SHs via the deploy master, and it doesn't work at all.

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

-

LetMeR00t commented 3 years ago

Hi @Ugalder, I also work in an environment where I have a SHCluster. I've noticed that, at least in my case, you can't push the credentials like that. In fact, each instance has its own storage/passwords and it appears not to be synchronised/mutualised between SHs.

The fact that you have a loading page forever may be because the local/passwords.conf file has been pushed (under default/passwords.conf on each SH) and the SH cannot decrypt the password because it is not this instance that encrypted it (but the deployer).

As a reminder, each time a configuration is pushed, the data under local/ is merged with default/ and everything appears under default/*.

Could you check in the browser (via CTRL+SHIFT+I) that the request associated with loading the list of accounts is in error 500 and provide the error code?

From memory, it is absolutely not necessary to deploy a local/passwords.conf like that; rather, deploy the app and then, on each instance, configure the credentials.

I had an article on the Internet mentioning that it was necessary to delete passwords.conf-type files due to decryption problems, but I can't find it anymore...
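A small check for the situation described above, added here as an example and not part of the TA-thehive-cortex add-on or this thread: it scans an app's default/passwords.conf on a search head for Splunk-encrypted values (the `$7$` / legacy `$1$` prefix), which after a deployer push can only have come from the deployer's splunk.secret and so will fail to decrypt locally. The stanza names in the sample are constructed to resemble the add-on's account credentials and are an assumption.

```python
"""Flag credentials that a deployer push has merged into an app's default/.

Added example, not the add-on's own code. A deployer push merges local/ into
default/, so a passwords.conf configured on the deployer lands in
default/passwords.conf on every search head, encrypted with the deployer's
splunk.secret. A search head cannot decrypt those values, which is what the
account page stuck on "loading" indicates.
"""
import re
from pathlib import Path

# Splunk stores encrypted secrets with a "$7$" (or legacy "$1$") prefix.
ENCRYPTED_VALUE = re.compile(r"^\s*password\s*=\s*\$(?:1|7)\$", re.IGNORECASE)


def encrypted_stanzas(conf_text: str) -> list[str]:
    """Return the stanza names in a passwords.conf body that carry an encrypted password."""
    stanza = None
    hits = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            stanza = stripped[1:-1]
        elif stanza is not None and ENCRYPTED_VALUE.match(line):
            hits.append(stanza)
    return hits


def find_pushed_credentials(app_dir: str) -> list[str]:
    """List encrypted credentials under <app>/default/, where this host cannot decrypt them."""
    conf = Path(app_dir) / "default" / "passwords.conf"
    if not conf.is_file():
        return []
    return encrypted_stanzas(conf.read_text(encoding="utf-8", errors="replace"))


# Constructed sample of what default/passwords.conf looks like after a deployer push.
# Stanza naming is an assumption modelled on Splunk's REST credential format.
SAMPLE_PASSWORDS_CONF = """\
[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:thehive_prod``splunk_cred_sep``1:]
password = $7$EXAMPLE_CIPHERTEXT_FROM_DEPLOYER==

[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:cortex_prod``splunk_cred_sep``1:]
password = $7$ANOTHER_EXAMPLE_CIPHERTEXT==
"""

if __name__ == "__main__":
    for name in encrypted_stanzas(SAMPLE_PASSWORDS_CONF):
        print(f"credential pushed from deployer, re-enter it on this search head: {name}")
```

Run it against `$SPLUNK_HOME/etc/apps/TA-thehive-cortex` on a search head after a push; any hit means the credential must be re-entered on that instance rather than pushed from the deployer.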

remg427 commented 3 years ago

Hi. Maybe you need to add a file under /default, server.conf, with a stanza [shclustering] where you list the files that have to be replicated. You don't need to specify passwords.conf, I think, because access is via API call, which occurs at SHC level, not at node level.

LetMeR00t commented 3 years ago

Hi, could you check if this can be related to https://community.splunk.com/t5/Deployment-Architecture/Getting-decryption-failed-errors-on-indexers/m-p/508697 ? The article is the link with "gnzlabs", but it seems not to be working anymore, unfortunately... I think that your issue is related to the "passwords.conf" that must be generated by the SH itself and not by the deployer.

LetMeR00t commented 3 years ago

Hi @Ugalder, could we have an update on this? Thank you.

Ugalder commented 3 years ago

Hi @LetMeR00t, sorry for not giving feedback, but it actually works as you said: I sent the app without configuration to all the SHs in the cluster, then configured it on one of the SHs, and it works smoothly!!

Thank you @remg427 and @LetMeR00t