TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Fail to connect to Cassandra using SSL #1286

Open prats84 opened 4 years ago

prats84 commented 4 years ago

Request Type

BUG

Work Environment

Question                    Answer
OS version (server)         Ubuntu
OS version (client)         n/a
TheHive version / git hash  4 RC1
Package Type                DEB
Browser type & version      n/a

Problem Description

Hello, need some help with Cassandra/CQL config for TheHive 4. I want to implement SSL with CQL. When I try to connect to my cluster, I get the below error. The hostname I have specified is 2x.x.x.9:9142 in the config, but when it finds other nodes it adds them with port 9042 instead of 9142.

Steps to Reproduce

  1. Setup the Cassandra service with 6-8 nodes
  2. Enable ssl

Complementary information

Error:

com.datastax.driver.core.exceptions.ConnectionException: [/2x.x.x.13:9042] Pool was closed during initialization
    at com.datastax.driver.core.HostConnectionPool$2.onSuccess(HostConnectionPool.java:173)
    at com.datastax.driver.core.HostConnectionPool$2.onSuccess(HostConnectionPool.java:158)
    at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1021)
    at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
    at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:1137)
    at com.google.common.util.concurrent.AbstractFuture.complete(AbstractFuture.java:957)
    at com.google.common.util.concurrent.AbstractFuture.set(AbstractFuture.java:726)
    at com.google.common.util.concurrent.CollectionFuture$CollectionFutureRunningState.handleAllCompleted(CollectionFuture.java:71)
    at com.google.common.util.concurrent.AggregateFuture$RunningState.processCompleted(AggregateFuture.java:261)
    at com.google.common.util.concurrent.AggregateFuture$RunningState.decrementCountAndMaybeComplete(AggregateFuture.java:248)
[info] c.d.d.c.ClockFactory - Using native clock to generate timestamps.
[info] c.d.d.c.p.DCAwareRoundRobinPolicy - Using provided data-center name 'data-1' for DCAwareRoundRobinPolicy
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.16:9042 added
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.13:9042 added
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.14:9042 added
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.9:9142 added

Snippet from application.conf:

db.janusgraph {
  storage {
    backend: cql
    port: 9142
    hostname: ["2x.xxx.xx.9"]
    username: "cassandra"
    password: "<REDACTED>"
    cql {
      cluster-name: "cassandra-cluster"
      keyspace: thehive
      local-datacenter: data-1
      read-consistency-level: ONE
      write-consistency-level: ONE
      replication-factor: 1
      port: 9142
      ssl {
        enabled: true
        truststore {
          location: "/home/thehive/cassandra_truststore.jks"
          password: "<REDACTED>"
        }
      }
    }
  }
}

mcm commented 4 years ago

I’m having this same issue. Can’t speak for @prats84 but in my case, the Cassandra cluster is Amazon MCS, unsure if that makes a difference.

Happy to provide anything that would be helpful for troubleshooting.

prats84 commented 4 years ago

I have tried with both Amazon MCS and a separate 3-5 node cluster with SSL enabled on port 9142. The logs above are for the separate cluster, and if required I can add the logs for Amazon MCS as well.

jefflouisma commented 4 years ago

I'm having a similar issue; however, I get blocked before even connecting to AWS Keyspaces (MCS), which requires client authentication on TLS 1.2.

I'm using RC3

db.janusgraph {
  storage {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
    port: 9142
    hostname: ["cassandra.us-west-2.amazonaws.com"]
    # Cassandra authentication (if configured)
    username: "[AWS KEYSPACE USERNAME]"
    password: "[AWS KEYSPACE PASSWORD]"
    cql {
      cluster-name: "Amazon Keyspace"
      keyspace: thehive
      ssl.client-authentication-enabled = "true"
      ssl.enabled = "true"
      ssl.truststore.location = "/opt/thp_data/files/thp_truststore"
      ssl.truststore.password = "password"
    }
  }
}

I can see the AWS root CA in the truststore using keytool, and permissions are 777 for testing. I've also connected to the Keyspaces instance using cqlsh. Let me know if you'd like me to file a separate bug.

Below is an export of the log:

Caused by: java.lang.IllegalArgumentException: Could not instantiate implementation: org.janusgraph.diskstorage.cql.CQLStoreManager
    at org.janusgraph.util.system.ConfigurationUtil.instantiate(ConfigurationUtil.java:64)
    at org.janusgraph.diskstorage.Backend.getImplementationClass(Backend.java:440)
    at org.janusgraph.diskstorage.Backend.getStorageManager(Backend.java:411)
    at org.janusgraph.graphdb.configuration.builder.GraphDatabaseConfigurationBuilder.build(GraphDatabaseConfigurationBuilder.java:50)
    at org.janusgraph.core.JanusGraphFactory.open(JanusGraphFactory.java:161)
    at org.janusgraph.core.JanusGraphFactory.open(JanusGraphFactory.java:132)
    at org.janusgraph.core.JanusGraphFactory.open(JanusGraphFactory.java:112)
    at org.thp.scalligraph.janus.JanusDatabase$.openDatabase(JanusDatabase.scala:48)
    at org.thp.scalligraph.janus.JanusDatabase.<init>(JanusDatabase.scala:69)
    at org.thp.scalligraph.janus.JanusDatabase$$FastClassByGuice$$113881e3.newInstance(<generated>)
    at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
    at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1050)
    ... 20 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.janusgraph.util.system.ConfigurationUtil.instantiate(ConfigurationUtil.java:58)
    ... 51 common frames omitted
Caused by: java.lang.IllegalArgumentException: Invalid configuration value for [root.storage.cql.ssl.keystore.location]: 
    at com.google.common.base.Preconditions.checkArgument(Preconditions.java:164)
    at org.janusgraph.diskstorage.configuration.ConfigOption.verify(ConfigOption.java:240)
    at org.janusgraph.diskstorage.configuration.ConfigOption.get(ConfigOption.java:232)
    at org.janusgraph.diskstorage.configuration.BasicConfiguration.get(BasicConfiguration.java:69)
    at org.janusgraph.diskstorage.configuration.Configuration.get(Configuration.java:35)
    at org.janusgraph.diskstorage.cql.CQLStoreManager.initializeCluster(CQLStoreManager.java:268)
    at org.janusgraph.diskstorage.cql.CQLStoreManager.<init>(CQLStoreManager.java:181)
    ... 56 common frames omitted

rogierm commented 3 years ago

janusgraph does not seem to support Amazon Keyspaces MCS: https://stackoverflow.com/questions/62220244/run-janusgraph-with-aws-keyspace-storage-backend https://stackoverflow.com/questions/61298977/janusgraph-access-amazon-managed-cassandra-from-ec2

I assume that until that is possible, MCS is not supported by JanusGraph and therefore not possible to use with TheHive 4.

Not sure why the driver fails back to port 9042 after setting up the connection over TLS on port 9142. I experienced the same issue when testing with Amazon Keyspaces.

marcoordonez0703 commented 3 years ago

Hello everyone. I am working on setting up the same configuration with TheHive 4 and AWS Keyspaces and came across this issue. Was this ever fixed? I am trying to determine if it is worth my time going down this same path when you still cannot reliably connect TH4 with Keyspaces securely via TLS. Thanks in advance!

spencerprovost commented 3 years ago

Running into the same issues, I would also love to use AWS Keyspaces!!

To-om commented 3 years ago

When Cassandra is in a cluster, the default port (9042) cannot be changed. This is a limitation of the current version of JanusGraph (https://lists.lfaidata.foundation/g/janusgraph-users/topic/83600047).
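
Two pre-flight checks that reproduce the diagnostics from this thread, added here as an example and not part of TheHive or JanusGraph: one scans the driver log for peers added on a port other than the configured TLS port (the symptom in the first report and the cause To-om describes), the other lints the flat `ssl.*` keys of the second snippet so that client authentication without a keystore location is caught before startup, as in the `root.storage.cql.ssl.keystore.location` error above. The sample log lines are constructed from the masked lines in the issue; the key names checked are only those the thread itself shows.

```python
import re

# Constructed sample: the masked "New Cassandra host" lines from the first report.
SAMPLE_LOG = """\
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.16:9042 added
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.13:9042 added
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.14:9042 added
[info] c.d.d.c.Cluster - New Cassandra host /2x.xxx.xx.9:9142 added
"""

HOST_ADDED = re.compile(r"New Cassandra host /(?P<host>[^:\s]+):(?P<port>\d+) added")


def hosts_on_unexpected_port(log_text, expected_port):
    """Return (host, port) pairs the driver added on a port other than expected_port.

    Only the contact point is reached on the configured TLS port; peers learned from
    cluster metadata come back on the driver default 9042, and their pools then fail
    with 'Pool was closed during initialization' as shown in the first report.
    """
    mismatched = []
    for m in HOST_ADDED.finditer(log_text):
        port = int(m.group("port"))
        if port != expected_port:
            mismatched.append((m.group("host"), port))
    return mismatched


def check_cql_ssl(cfg):
    """Lint a dict of flat dotted storage.cql keys (e.g. {"ssl.enabled": "true"}).

    Returns a list of human-readable problems; an empty list means the ssl block is
    internally consistent. Values are compared as strings because the snippet quotes them.
    """
    def truthy(key):
        return str(cfg.get(key, "false")).lower() == "true"

    problems = []
    if truthy("ssl.enabled"):
        if not cfg.get("ssl.truststore.location"):
            problems.append("ssl.enabled is true but ssl.truststore.location is empty")
        # This is the JanusGraph rejection seen in the thread: client auth with no keystore.
        if truthy("ssl.client-authentication-enabled") and not cfg.get("ssl.keystore.location"):
            problems.append("client authentication enabled but ssl.keystore.location is empty")
    elif truthy("ssl.client-authentication-enabled"):
        problems.append("ssl.client-authentication-enabled set while ssl.enabled is false")
    return problems
```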

tl-Bruno-Braga commented 3 years ago

@To-om, is there any update on this? I have seen several posts about connecting TheHive to Keyspaces. Is this possible? Thanks in advance.