OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

AWS Redis RBAC encryption-in-transit connection issue #2140

Closed ReadyElbow closed 2 years ago

ReadyElbow commented 2 years ago

Description

To implement greater security when connecting to dependencies, I have been trying to implement the Redis Role-based-access-control (RBAC) system and then supplying a set of user credentials to the OpenCTI Platform docker image.

When such authentication mechanisms are not implemented, OpenCTI connects to AWS Elasticache Redis with no issues and successfully boots up.

However, when implementing RBAC on AWS Elasticache Redis, AWS requires that encryption-in-transit is enabled. In this situation, OpenCTI Platform enters into a loop trying to authenticate to the Redis cluster with the new username and password that does work (tested locally from an EC2 instance).

I believe there could be an issue with the encryption-in-transit requirement and this is mentioned in Additional information.

Environment

  1. OS: Linux (Ubuntu / Amazon Linux 2, running on AWS ECS Fargate)
  2. OpenCTI version: Latest
  3. OpenCTI client: Backend
  4. Other environment details: Running in AWS

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create an AWS Elasticache Redis instance that has encryption in transit enabled, RBAC authentication
  2. Set the username and password environment variables
  3. Create the Docker container

Expected Output

OpenCTI Platform can use RBAC authentication to connect to AWS Elasticache Redis.

Actual Output

OpenCTI Platform generates no logs when testing its connection to Redis. It seemingly halts and tries to authenticate repeatedly.

On the Redis side, it generates the following engine log: { "CacheClusterId": "redis-cluster-001", "CacheNodeId": "0001", "LogLevel": "NOTICE", "Role": "M", "Time": "05 Jun 2022 14:09:46.417 UTC", "Message": "Error accepting a client connection: connection is closed." }

Additional information

I wonder if this issue is occurring because of the requirement for encryption in transit.

This Stack Overflow post (https://stackoverflow.com/questions/61373368/error-accessing-aws-elasticache-redis-in-cluster-mode-tls-enabled-from-django) discusses the same problem and refers to there being an issue with how the SSL configuration in the connection is set up (ssl_cert_reqs should be set to None, not false). Unsure if this is the case with OpenCTI Platform's implementation when connecting to Redis, but something to look into.
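The exchange the issue is about, as an added stand-alone pre-flight check that is not part of the original report or of OpenCTI: it speaks just enough RESP (the Redis wire protocol) from the standard library to open a TLS connection, AUTH with an ACL username/password and PING, and it reports the failure mode described above, where a client talking plaintext to a TLS-only endpoint sees the connection closed while the server logs "Error accepting a client connection". The host, username and password are constructed placeholders; the server certificate is verified against the system CA store, which matches an AWS ElastiCache endpoint.

```python
"""Pre-flight check for an ACL-protected, TLS-only Redis endpoint (added example,
not OpenCTI code). Uses only the standard library so it can run from any host or
container before OpenCTI is pointed at the cluster."""
import socket
import ssl
from typing import List, Tuple


def encode_command(args: List[str]) -> bytes:
    """Encode a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_reply(buf: bytes) -> Tuple[bool, str]:
    """Parse a simple-string (+...) or error (-...) RESP reply into (ok, text)."""
    line, _, _ = buf.partition(b"\r\n")
    if not line:
        # Redis never sends an empty reply; this means the peer closed the socket.
        raise ConnectionError("empty reply: server closed the connection")
    kind, text = chr(line[0]), line[1:].decode(errors="replace")
    if kind == "+":
        return True, text
    if kind == "-":
        return False, text
    raise ValueError(f"unexpected reply type {kind!r}")


def _read_line(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated RESP line (simple and error replies fit in one)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def check_redis(host: str, port: int, username: str, password: str,
                use_ssl: bool, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect, authenticate with an ACL user and PING. Returns (ok, detail)."""
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_ssl:
            # Default context verifies the server certificate and hostname; this is
            # the equivalent of a correct ssl_cert_reqs setting, not a disabled one.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(encode_command(["AUTH", username, password]))
        ok, text = parse_reply(_read_line(sock))
        if not ok:
            return False, f"AUTH rejected: {text}"
        sock.sendall(encode_command(["PING"]))
        ok, text = parse_reply(_read_line(sock))
        return ok and text == "PONG", text
    except (OSError, ValueError) as exc:
        # Plaintext AUTH sent to a TLS-only port lands here: the server drops the
        # connection during the handshake (its log shows "Error accepting a client
        # connection") and the client sees a reset, a timeout or an empty reply.
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    # Constructed values; replace with the real endpoint and ACL user.
    print(check_redis("redis-cluster.example.invalid", 6379,
                      "opencti", "s3cret-placeholder", use_ssl=True))
```

Running it with use_ssl=False against an ElastiCache cluster that enforces encryption in transit reproduces the silent-failure symptom from the report; with use_ssl=True and valid ACL credentials it returns (True, "PONG"), which is the state OpenCTI's own use_ssl option needs the endpoint to be in.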

richard-julien commented 2 years ago

Did you try to put the option use_ssl to true?

ReadyElbow commented 2 years ago

Hi @richard-julien ,

No I did not as there is no mention of that option in the Public Docs for Redis: https://www.notion.so/Configuration-a568604c46d84f39a8beae141505572a

Is the use_ssl option, present for the likes of MinIO and RabbitMQ, also available for Redis then?

SamuelHassine commented 2 years ago

Hello @ReadyElbow,

Indeed yes. I've updated the documentation.

Kind regards, Samuel

ReadyElbow commented 2 years ago

Understood, cheers both.

I'll give this a second test now then and get back to you. Hopefully, this resolves the issue.

ReadyElbow commented 2 years ago

Fixed straight away when setting the Redis ssl option to true. Closed

SamuelHassine commented 2 years ago

Nice to hear!