Closed ReadyElbow closed 2 years ago
Did you try setting the option use_ssl to true?
Hi @richard-julien ,
No I did not as there is no mention of that option in the Public Docs for Redis: https://www.notion.so/Configuration-a568604c46d84f39a8beae141505572a
Is the use_ssl option, present for the likes of MinIO and RabbitMQ, also available for Redis then?
Hello @ReadyElbow,
Indeed yes. I've updated the documentation.
Kind regards, Samuel
Understood, cheers both.
I'll give this a second test now then and get back to you. Hopefully, this resolves the issue.
Fixed straight away when setting the Redis ssl option to true. Closed
Nice to hear!
Description
To implement greater security when connecting to dependencies, I have been trying to implement the Redis role-based access control (RBAC) system and then supply a set of user credentials to the OpenCTI Platform docker image.
When such authentication mechanisms are not implemented, OpenCTI connects to AWS Elasticache Redis with no issues and successfully boots up.
However, when implementing RBAC on AWS Elasticache Redis, AWS requires that encryption-in-transit is enabled. In this situation, OpenCTI Platform enters into a loop trying to authenticate to the Redis cluster with the new username and password, which do work (tested locally from an EC2 instance).
I believe there could be an issue with the encryption-in-transit requirement and this is mentioned in Additional information.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
OpenCTI Platform can use RBAC authentication to connect to AWS Elasticache Redis.
Actual Output
OpenCTI Platform generates no logs when testing its connection to Redis. It seemingly halts and tries to authenticate repeatedly.
On the Redis side, it generates the following engine log:
{ "CacheClusterId": "redis-cluster-001", "CacheNodeId": "0001", "LogLevel": "NOTICE", "Role": "M", "Time": "05 Jun 2022 14:09:46.417 UTC", "Message": "Error accepting a client connection: connection is closed." }
Additional information
I wonder if this issue is occurring because of the requirement for encryption in transit.
This Stack Overflow post (https://stackoverflow.com/questions/61373368/error-accessing-aws-elasticache-redis-in-cluster-mode-tls-enabled-from-django) discusses the same problem and refers to there being an issue with how the ssl configuration in the connection is set up (ssl_cert_reqs should be set to None, not False). Unsure if this is the case with OpenCTI Platform's implementation when connecting to Redis, but something to look into.
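The misconfiguration behind this issue (RBAC credentials supplied to an ElastiCache cluster that requires encryption in transit, while the client's TLS option is left off) can be caught before the platform ever starts its reconnect loop. The following is an added example and not OpenCTI's own code: it builds an ioredis-style options object from REDIS__* settings and flags the weak combination beside the corrected one. The environment variable names (REDIS__HOSTNAME, REDIS__PORT, REDIS__USERNAME, REDIS__PASSWORD, REDIS__USE_SSL) are assumed to mirror the use_ssl option discussed in the thread, and the sample engine log line is the one quoted in this issue.

```javascript
// Added example (not OpenCTI's code). Assumed config keys: REDIS__HOSTNAME,
// REDIS__PORT, REDIS__USERNAME, REDIS__PASSWORD, REDIS__USE_SSL.
// The returned object is shaped for ioredis, which takes `username`,
// `password` and a `tls` options object (TLS is on when `tls` is present).

function parseBool(value, fallback = false) {
  if (value === undefined || value === null || value === '') return fallback;
  return ['1', 'true', 'yes', 'on'].includes(String(value).trim().toLowerCase());
}

// Translate REDIS__* settings into client options.
function buildRedisOptions(env) {
  const options = {
    host: env.REDIS__HOSTNAME || 'localhost',
    port: Number(env.REDIS__PORT || 6379),
  };
  if (env.REDIS__USERNAME) options.username = env.REDIS__USERNAME;
  if (env.REDIS__PASSWORD) options.password = env.REDIS__PASSWORD;
  if (parseBool(env.REDIS__USE_SSL)) {
    // Certificate verification stays on (Node's default); only SNI is set.
    options.tls = { servername: options.host };
  }
  return options;
}

// Return a list of misconfigurations; an empty list means the options are sane.
function validateRedisOptions(options) {
  const findings = [];
  const hasCredentials = Boolean(options.username || options.password);
  if (hasCredentials && !options.tls) {
    // ElastiCache enforces in-transit encryption when RBAC is enabled: the
    // server closes the plaintext connection and the client keeps retrying.
    findings.push('RBAC credentials configured but TLS disabled; enable use_ssl');
  }
  if (options.username && !options.password) {
    findings.push('username configured without a password');
  }
  if (options.tls && options.tls.rejectUnauthorized === false) {
    findings.push('certificate verification disabled; any server certificate is accepted');
  }
  return findings;
}

// Classify a Redis/ElastiCache engine log line (JSON object per line).
function classifyEngineLog(line) {
  let entry;
  try {
    entry = JSON.parse(line);
  } catch (e) {
    return 'unparseable';
  }
  const message = String(entry.Message || '');
  if (/Error accepting a client connection/.test(message)) {
    return 'connection-rejected'; // matches the symptom reported in this issue
  }
  return 'other';
}

// Constructed sample input: the engine log line quoted in the issue.
const SAMPLE_ENGINE_LOG =
  '{ "CacheClusterId": "redis-cluster-001", "CacheNodeId": "0001", "LogLevel": "NOTICE", ' +
  '"Role": "M", "Time": "05 Jun 2022 14:09:46.417 UTC", ' +
  '"Message": "Error accepting a client connection: connection is closed." }';

if (typeof require !== 'undefined' && require.main === module) {
  const base = {
    REDIS__HOSTNAME: 'redis-cluster.example.internal', // constructed hostname
    REDIS__USERNAME: 'opencti',
    REDIS__PASSWORD: 'example-password',
  };
  const weak = buildRedisOptions({ ...base, REDIS__USE_SSL: 'false' });
  const fixed = buildRedisOptions({ ...base, REDIS__USE_SSL: 'true' });
  console.log('weak config findings:', validateRedisOptions(weak));
  console.log('fixed config findings:', validateRedisOptions(fixed));
  console.log('engine log:', classifyEngineLog(SAMPLE_ENGINE_LOG));
}
```

Run it with a Node interpreter; the weak configuration yields one finding and the corrected one none, while the quoted engine log is classified as a rejected connection, which is the pairing that points at the TLS setting rather than at the credentials themselves.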