Closed awmol closed 1 week ago
Hi @awmol could you please provide the /etc/wazuh-indexer/opensearch-security/config.yml
file obfuscating all sensitive information?
It would also be useful to know if you have any backup of the mentioned file to compare both of them.
I don't want to steal this issue, but I am having this issue, and on the Wazuh Indexer, during reboot:
```
[2024-09-11T10:37:40,728][ERROR][c.a.d.a.h.s.HTTPSamlAuthenticator] [wazuh-index] Error creating HTTPSamlAuthenticator. SAML authentication will not work
java.lang.IllegalArgumentException: Illegal base64 character 20
at java.base/java.util.Base64$Decoder.decode0(Base64.java:852) ~[?:?]
at java.base/java.util.Base64$Decoder.decode(Base64.java:570) ~[?:?]
at java.base/java.util.Base64$Decoder.decode(Base64.java:593) ~[?:?]
at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwkFromSettings(AuthTokenProcessorHandler.java:245) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.
[2024-09-11T10:37:40,736][WARN ][o.o.s.s.ReflectionHelper ] [wazuh-index] Unable to enable 'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to java.lang.reflect.InvocationTargetException
[2024-09-11T10:37:40,739][ERROR][o.o.s.s.DynamicConfigModelV7] [wazuh-index] Unable to initialize auth domain saml_auth_domain=AuthcDomain [http_enabled=true, order=1, http_authenticator=HttpAuthenticator [challenge=true, type=saml, config={idp={configuration details, authentication_backend=AuthcBackend [type=noop, config={}], description=null] due to OpenSearchException[java.lang.reflect.InvocationTargetException]; nested: InvocationTargetException; nested: RuntimeException[java.lang.IllegalArgumentException: Illegal base64 character 20]; nested: IllegalArgumentException[Illegal base64 character 20];
org.opensearch.OpenSearchException: java.lang.reflect.InvocationTargetException
at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:73) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.securityconf.DynamicConfigModelV7.lambda$newInstance$1(DynamicConfigModelV7.java:426) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319) ~[?:?]
at org.opensearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:424) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:323) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.securityconf.DynamicConfigModelV7.
```
Key point being: Unable to enable 'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to java.lang.reflect.InvocationTargetException
Oh yeah, I should add, this comes from the "wazuh-cluster.log" file, which lives on the Wazuh Indexer node.
config.yml.txt config.yml.original.txt
Had to change the file type to .txt, and obfuscated the FQDNs and the key even though they are not really sensitive. Not sure what you mean by a backup; the original config.yml before I edited it? That should just be the out-of-the-box config.yml, I guess; I've uploaded that one as well. I did not get an option to overwrite config.yml when upgrading the indexer to 4.9.0-2, and there is no config.yml.dpkg-dist.
I'm also noticing errors similar to zeeddD1abl0's, but with "Illegal base64 character 2f" instead of "character 20" in the indexer log files. I have validated the x509 certificate string and it is valid base64, so something else is going on.
0x2f in ASCII is a forward slash; 0x20 in ASCII is a space.
I just noticed that in https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/google.html for 4.9 it says:
> Generate a 64-character long random key using the following command: `openssl rand -hex 32`. The output will be used as the `exchange_key` in the `/etc/wazuh-indexer/opensearch-security/config.yml` file.
But in 4.8 it says to use the x509 certificate from the metadata file. By generating a random key instead, everything works fine again. Not sure what that exchange_key is actually used for.
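Added example, not from the Wazuh documentation, the OpenSearch security plugin or anyone in this thread: a small POSIX shell check that tells you whether a candidate `exchange_key` will survive the decoding step the stack traces above fail in, before you put it in config.yml. The assumption behind it is inferred from the two bytes reported in this thread: every Base64 decoder rejects a space (0x20), but the standard Base64 alphabet includes `/`, so a decoder that rejects 0x2f is Java's URL-safe one (`Base64.getUrlDecoder()`), whose alphabet is `A-Z a-z 0-9 - _`. A PEM certificate body contains `+`, `/` and line breaks, so it fails that check; the 64 hex characters from `openssl rand -hex 32` pass. The function names and the sample strings are constructed for this example.

```shell
#!/bin/sh
# Added example; not code from Wazuh or OpenSearch. Assumption (inferred from
# the "Illegal base64 character 20/2f" log lines): exchange_key is run through
# Java's URL-safe Base64 decoder, so only A-Z a-z 0-9 '-' '_' (and '=' padding)
# are legal. '+', '/', spaces and newlines are not.

# check_exchange_key VALUE
# Returns 0 if VALUE uses only the URL-safe alphabet and has a length a Base64
# decoder accepts; otherwise prints the first illegal byte in hex (the same
# form the Java exception uses) and returns 1.
check_exchange_key() {
    key=$1
    # Delete every allowed character; whatever survives is illegal.
    bad=$(printf '%s' "$key" | LC_ALL=C tr -d 'A-Za-z0-9_=-')
    if [ -n "$bad" ]; then
        first=$(printf '%s' "$bad" | od -An -tx1 -N1 | tr -d ' \n')
        printf 'rejected: illegal base64 character %s\n' "$first"
        return 1
    fi
    # A length of 4n+1 leaves a single 6-bit unit, which no decoder accepts
    # (missing '=' padding on 4n+2 / 4n+3 is tolerated by Java, so not checked).
    len=$(printf '%s' "$key" | wc -c | tr -d ' ')
    if [ $((len % 4)) -eq 1 ]; then
        printf 'rejected: length %s leaves a dangling 6-bit unit\n' "$len"
        return 1
    fi
    printf 'ok: %s characters\n' "$len"
    return 0
}

# generate_exchange_key
# The key the 4.9 docs describe: 32 random bytes rendered as 64 hex characters.
# Hex digits are a subset of both Base64 alphabets, so the result always passes.
generate_exchange_key() {
    openssl rand -hex 32
}

# Constructed samples: a key of the shape `openssl rand -hex 32` produces, and
# two fragments of the kind you get by pasting a PEM certificate (an internal
# space, and a '/').
SAMPLE_HEX_KEY='3f1c9d7b2a6e4c0f8b5d1e7a9c3b2f6e4d8a0c1b7e5f3a9d2c6b4e8f0a1d3c5b'
SAMPLE_PEM_WITH_SPACE='MIIDdzCCAlgAwIBAgIEbX sZ'
SAMPLE_PEM_WITH_SLASH='MIIDdzCCAl/gAwIBAgIEbXsZ'

# Run with --demo to see the three samples and a freshly generated key checked.
if [ "${1:-}" = "--demo" ]; then
    check_exchange_key "$SAMPLE_HEX_KEY"
    check_exchange_key "$SAMPLE_PEM_WITH_SPACE" || true
    check_exchange_key "$SAMPLE_PEM_WITH_SLASH" || true
    check_exchange_key "$(generate_exchange_key)"
fi
```

The value that passes goes under `exchange_key` in the saml authenticator section of `/etc/wazuh-indexer/opensearch-security/config.yml`. The method name in the trace (`createJwkFromSettings`) shows the value is turned into a JWK, i.e. a signing key, which is one more reason to prefer a random value over a certificate copied from public IdP metadata.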
After upgrading from 4.8.2 to 4.9.0-2 on Debian 12, the Google SAML integration stops working with "internal server error" and "Failed to get saml header".
Steps to reproduce the behavior:
Wazuh dashboard logs show:
```
2024-09-10T11:05:18.878159+02:00 wazuhdash01 opensearch-dashboards[2079]: {"type":"log","@timestamp":"2024-09-10T09:05:18Z","tags":["error","plugins","securityDashboards"],"pid":2079,"message":"Failed to get saml header: Authentication Exception :: {\"path\":\"/_plugins/_security/authinfo\",\"query\":{},\"statusCode\":401,\"response\":\"Authentication finally failed\"}"}
2024-09-10T11:05:18.881592+02:00 wazuhdash01 opensearch-dashboards[2079]: {"type":"error","@timestamp":"2024-09-10T09:05:18Z","tags":[],"pid":2079,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:127:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:83:19)\n at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:79:17)\n at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:175:34)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at handler (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:140:50)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://wazuhdash.domain.com/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
```
Tried to redo everything at https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/google.html again, but it makes no difference.
There were no issues at all with the SAML integration when using Wazuh 4.8.2.
Expected behavior: a redirect to the SAML IdP to get a ticket to POST to the ACS URL, but it never gets that far.
OpenSearch Version: using Wazuh 4.9.0-2 indexers
Dashboards Version: 4.9.0-2
Plugins: out of the box
Host/Environment (please complete the following information):