TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Start Failure : Configuring index [search] with remote SSL ElasticSearch cluster #1996

Closed chberti closed 3 years ago

chberti commented 3 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | CentOS |
| OS version (client) | 7.6 |
| Virtualized Env. | True |
| Dedicated RAM | 4 GB |
| vCPU | 4 |
| TheHive version / git hash | 4.1.2 |
| Package Type | RPM |
| Database | Cassandra |
| Index type | Elasticsearch |
| Attachments storage | Local |
| Browser type & version | x |

Problem Description

Hi there,

I'm currently trying to migrate from a local Elasticsearch instance (used for indexing) to a real cluster which is secured (HTTPS enabled, etc.).

I followed the following use case, which is the same as mine: http://docs.thehive-project.org/thehive/installation-and-configuration/configuration/database/ , panel "Cluster with Cassandra and Elasticsearch".

My configuration looks like the following:

Index configuration

```
index {
  search {
    backend : elasticsearch
    hostname : ["node01:9200","node02:9200","node03:9200"]
    index-name : thehive
    elasticsearch {
      http {
        auth {
          type: basic
          basic {
            username: my_superuser
            password: "my_superuserpassword"
          }
        }
      }
      ssl {
        enable: true
        disable-hostname-verification: "true"
        allow-self-signed-certificates: "true"
        truststore {
          location: /my/truststore.jks
          password: "my_truststore_password"
        }
      }
    }
  }
}
```

Steps to Reproduce

  1. TheHive 4.1.2 running properly with a local Cassandra database and a local Elasticsearch node (full node).
  2. Shutting down the local Elasticsearch node.
  3. Adding a remote, secured Elasticsearch cluster (which works perfectly fine) in place of localhost.
  4. TheHive fails to start (it cannot instantiate ElasticSearchIndex) and will retry.

Complementary information

```
[info] o.j.d.Backend [|] Configuring index [search]
[warn] o.j.d.e.r.RestElasticSearchClient [6] Unable to determine Elasticsearch server version. Default to SEVEN
org.apache.http.ConnectionClosedException: Connection is closed.
[insert stacktrace here]
at org.janusgraph.diskstorage.es.ElasticSearchIndex.<init>(ElasticSearchIndex.java:32)
```

From the TheHive instance, `curl "https://node01/_cluster/health" -k -u mysuperuser` works fine; I can do anything I want from the TheHive server to any Elasticsearch node via curl commands.

chberti commented 3 years ago

Found it!

  1. The use case "Cluster with Cassandra & Elasticsearch" (http://docs.thehive-project.org/thehive/installation-and-configuration/configuration/database/) contains a mistake: it's `ssl.enabled` instead of `ssl.enable`.

  2. My truststore was messed up (I recreated it properly with keytool).

Have a nice week-end.

Charles BERTI
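The two pitfalls in this thread (the `ssl.enable`/`ssl.enabled` key typo, and the relaxed `disable-hostname-verification` / `allow-self-signed-certificates` settings in the posted configuration) are easy to catch before starting TheHive. The following lint is an added example, not code from TheHive or JanusGraph: it parses the brace-and-colon subset of HOCON that `application.conf` uses (one key per line, no includes or substitutions, which is an assumption) into dotted paths, then checks the `index.search.elasticsearch` block. The key names are the ones from the issue and the documentation it cites; the sample configuration is the one posted above, embedded here as a constructed string.

```python
"""Lint the index.search block of a TheHive application.conf for the SSL pitfalls
discussed in this issue (added example; not part of TheHive or JanusGraph)."""
import re

# Constructed sample: the configuration posted in the issue, including the typo.
SAMPLE_CONFIG = """
index {
  search {
    backend : elasticsearch
    hostname : ["node01:9200","node02:9200","node03:9200"]
    index-name : thehive
    elasticsearch {
      http {
        auth {
          type: basic
          basic {
            username: my_superuser
            password: "my_superuserpassword"
          }
        }
      }
      ssl {
        enable: true
        disable-hostname-verification: "true"
        allow-self-signed-certificates: "true"
        truststore {
          location: /my/truststore.jks
          password: "my_truststore_password"
        }
      }
    }
  }
}
"""

# The same configuration with the key fixed and the TLS relaxations switched off.
FIXED_CONFIG = SAMPLE_CONFIG.replace("enable: true", "enabled: true").replace(': "true"', ': "false"')

_OPEN = re.compile(r"^([\w.-]+)\s*[:=]?\s*\{$")   # `key {` or `key : {`
_KV = re.compile(r"^([\w.-]+)\s*[:=]\s*(.+)$")    # `key : value` / `key = value`


def parse_hocon_subset(text):
    """Return {dotted.path: value} for the brace/colon subset of HOCON.
    Assumption: one key per line; no includes, substitutions or inline objects."""
    flat, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = _KV.match(line)
        if m:
            # Quotes are stripped so "true" and true compare the same way.
            flat[".".join(stack + [m.group(1)])] = m.group(2).strip().strip('"')
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    if stack:
        raise ValueError("unbalanced opening brace(s)")
    return flat


ES = "index.search.elasticsearch."
SSL = ES + "ssl."


def lint_search_index(flat):
    """Return (severity, code, message) findings for the index.search block."""
    findings = []
    tls_on = flat.get(SSL + "enabled", "false").lower() == "true"
    # The key JanusGraph reads is ssl.enabled; ssl.enable is silently ignored.
    if SSL + "enable" in flat and SSL + "enabled" not in flat:
        findings.append(("error", "ssl.enable",
                         "ssl.enable is not the key JanusGraph reads; use ssl.enabled, "
                         "otherwise the whole ssl block has no effect"))
    # Basic-auth credentials must never travel without TLS.
    if flat.get(ES + "http.auth.type") == "basic" and not tls_on:
        findings.append(("error", "http.auth",
                         "basic auth is configured but TLS is not enabled; "
                         "credentials would be sent in clear text"))
    # Both relaxations defeat certificate validation; keep them off in production.
    for key in ("disable-hostname-verification", "allow-self-signed-certificates"):
        if flat.get(SSL + key, "false").lower() == "true":
            findings.append(("warning", key,
                             f"{key} is true; a certificate that fails validation "
                             "is accepted, which allows a man-in-the-middle"))
    return findings


def lint_text(text):
    """Convenience wrapper: parse a config string and lint it."""
    return lint_search_index(parse_hocon_subset(text))


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} configuration ==")
        for severity, code, message in lint_text(cfg) or [("ok", "-", "no findings")]:
            print(f"{severity:8} {code:32} {message}")
```

Running the script prints four findings for the posted configuration and none for the corrected one; with a real `application.conf` the truststore still has to be checked separately (for example with `keytool -list -keystore /my/truststore.jks`), since the lint only looks at the configuration text.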