TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Regression starting with 4.1.17 in the migration tool with certificate validation #2342

Closed andres-tw closed 2 years ago

andres-tw commented 2 years ago

Request Type

Bug

Work Environment

Question                      Answer
OS version (server)           Ubuntu
OS version (client)           
Virtualized Env.              True
Dedicated RAM                 8 GB
vCPU                          4
TheHive version / git hash    >= 4.1.17-1
Package Type                  Docker
Database                      Cassandra
Index type                    Elasticsearch
Attachments storage           S3
Browser type & version        If applicable

Problem Description

Starting with version 4.1.17, when running the migration tool in a Docker container, initialisation of the migration fails with "PKIX path building failed". Exactly the same configs work for starting the migration in 4.1.16-1.

Steps to Reproduce

  1. Working configs for Hive 4 & Hive 3.5.1
  2. docker pull thehiveproject/thehive4:4.1.17-1
  3. docker run -it --entrypoint /bin/bash -v "/opt/app/thehive/hive3.conf:/etc/thehive/hive3.conf:rw" -v "/opt/app/thehive/application.conf:/etc/thehive/application.conf:rw" -v "/opt/app/thehive/es.jks:/etc/thehive/es.jks:rw" --network host docker.tw.ee/tw-secops-thehive
  4. Run migration tool: ./bin/migrate -d --output /etc/thehive/application.conf --main-organisation ORG_NAME --input /etc/thehive/hive3.conf

Possible Solutions

Not a solution, but a workaround might be to enable index.search.elasticsearch.ssl.allow-self-signed-certificates for migration connections somehow.

Complementary information

Full stack trace:

[error] Migration failed
java.net.ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:179)
    at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:151)
    at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:577)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:570)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:549)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:490)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:615)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.setFailure0(DefaultPromise.java:608)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
[info] Stage: initialisation

cyberpescadito commented 2 years ago

Thanks for this report @andres-tw, this will be fixed in 4.1.19.

To-om commented 2 years ago

@andres-tw create a configuration file input.conf containing:

search.trustStore.path=/etc/thehive/es.jks
search.trustStore.type=JKS

Then add the parameter --input /path/to/input.conf to the migration tool.

andres-tw commented 2 years ago

@To-om Ah yes, sorry, I forgot to include the hive3 config. For all tests it has been configured as follows:

play.http.secret.key = "xxxx"

search {
  index = "the_hive"
  # NB! There is currently no way to disable hostname verification for TLS connections to Elastic
  uri = "https://instance:9200"
  nbreplicas = 1
  nbshards = 10
  user = "thehive"
  password = "xxxxx"
  # For SSL to work with ES, both trustStore and keyStore need to be defined
  search.trustStore {
    path = "/etc/thehive/es.jks"
    type = "JKS"
    password = "xxxx"
  }
  search.keyStore {
    path = "/etc/thehive/es.jks"
    type = "JKS"
    password = "xxxx"
  }
}

cluster {
  name = "xxxxx"
}

auth {
  provider = [local]
}

session {
  warning = 5m
  inactivity = 1h
}

# Max textual content length
play.http.parser.maxMemoryBuffer = 10M
# Max file size
play.http.parser.maxDiskBuffer = 1G

Tested now again, with only the trustStore configuration like in your example.

andres-tw commented 2 years ago

@To-om Anything else I can test, or are you working on it?

To-om commented 2 years ago

You can now configure the HTTP client by adding a wsConfig section in search. You can find the available settings in the documentation here and here. If you want to disable SSL certificate verification you can set:

search {
  index = "the_hive"
  uri = "https://instance:9200"
  wsConfig.ssl.loose.acceptAnyCertificate = true
}

andres-tw commented 2 years ago

So the new config option did not help. Fails with the same error message on both 4.19.1-1 and 5.0.2 docker images. Tried adding that config option both together with a truststore and without. I also tried configuring the trust store debugging, but that did not produce any extra logs to help me in debugging this further. Could it somehow be related to the fact that I'm trying to do the migration from a docker container?
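A stand-alone check that separates "es.jks does not contain the CA that issued the Elasticsearch certificate" from "the migration tool is not reading the trustStore setting", added here as an example and not part of this thread or of TheHive's code. It assumes the truststore path and URI from the hive3 config above and uses a placeholder password; it trusts only es.jks, so a PKIX failure here points at the truststore contents rather than at the tool.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic (not TheHive code): runs the same PKIX validation the JVM
// performed in the stack trace above, but with es.jks as the only trust anchors.
public class EsTrustCheck {
    public static void main(String[] args) throws Exception {
        String trustStorePath = args.length > 0 ? args[0] : "/etc/thehive/es.jks";
        char[] trustStorePassword = (args.length > 1 ? args[1] : "changeit").toCharArray(); // placeholder
        String esUri = args.length > 2 ? args[2] : "https://instance:9200";

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword);
        }
        // List the anchors so a missing intermediate or root CA is visible at a glance.
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("anchor " + alias + ": " + c.getSubjectX500Principal());
            }
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // trust ONLY es.jks, not the JVM's default cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(esUri).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        try {
            conn.connect();
            // An HTTP 401 is expected without ES credentials; the handshake succeeding is the point.
            System.out.println("handshake OK, HTTP " + conn.getResponseCode());
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("server chain: " + x.getSubjectX500Principal()
                        + " issued by " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Same exception class as in the issue: es.jks has no CA chaining to the ES certificate.
            System.out.println("PKIX/hostname failure against es.jks alone: " + e.getMessage());
        }
    }
}
```

If this reports "handshake OK" while the migration tool still fails, the truststore is fine and the problem is the tool not applying the configured trustStore; if it fails here too, compare the printed server chain issuer against the listed anchors.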

To-om commented 2 years ago

There is a typo in the last commit. The wsConfig is not searched in the correct section. You should adapt the configuration file and put it in search.trustStore like this:

search {
  index = "the_hive"
  uri = "https://instance:9200"
  trustStore.wsConfig.ssl.loose.acceptAnyCertificate = true
}

This will be fixed in the next release.