Closed Enaraque closed 2 months ago
@Enaraque, I was able to reproduce the issue by following the steps in our documentation. I will do some troubleshooting and get back to you as I make progress.
Full error log below:
[2024-07-29T14:27:53,444][ERROR][c.a.d.a.h.s.HTTPSamlAuthenticator] [node-1] Error creating HTTPSamlAuthenticator. SAML authentication will not work
java.lang.IllegalArgumentException: Illegal base64 character 2b
at java.base/java.util.Base64$Decoder.decode0(Base64.java:852) ~[?:?]
at java.base/java.util.Base64$Decoder.decode(Base64.java:570) ~[?:?]
at java.base/java.util.Base64$Decoder.decode(Base64.java:593) ~[?:?]
at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwkFromSettings(AuthTokenProcessorHandler.java:245) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:390) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:128) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:52) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:200) [opensearch-2.13.0.jar:2.13.0]
at org.opensearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:328) [opensearch-2.13.0.jar:2.13.0]
at org.opensearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:324) [opensearch-2.13.0.jar:2.13.0]
at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceivedDecorate(SecuritySSLRequestHandler.java:206) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.transport.SecurityRequestHandler.messageReceivedDecorate(SecurityRequestHandler.java:211) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:105) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.security.OpenSearchSecurityPlugin$6$1.messageReceived(OpenSearchSecurityPlugin.java:828) [opensearch-security-2.13.0.0.jar:2.13.0.0]
at org.opensearch.indexmanagement.rollup.interceptor.RollupInterceptor$interceptHandler$1.messageReceived(RollupInterceptor.kt:114) [opensearch-index-management-2.13.0.0.jar:2.13.0.0]
at org.opensearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) [opensearch-performance-analyzer-2.13.0.0.jar:2.13.0.0]
at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106) [opensearch-2.13.0.jar:2.13.0]
at org.opensearch.transport.TransportService$7.doRun(TransportService.java:1059) [opensearch-2.13.0.jar:2.13.0]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:913) [opensearch-2.13.0.jar:2.13.0]
at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-2.13.0.jar:2.13.0]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
... 28 more
Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: Illegal base64 character 2b
at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:154) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
... 28 more
Caused by: java.lang.IllegalArgumentException: Illegal base64 character 2b
at java.base/java.util.Base64$Decoder.decode0(Base64.java:852) ~[?:?]
at java.base/java.util.Base64$Decoder.decode(Base64.java:570) ~[?:?]
at java.base/java.util.Base64$Decoder.decode(Base64.java:593) ~[?:?]
at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwkFromSettings(AuthTokenProcessorHandler.java:245) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.<init>(AuthTokenProcessorHandler.java:113) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:148) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) ~[opensearch-security-2.13.0.0.jar:2.13.0.0]
... 28 more
The exchange_key line in my config.yml:
exchange_key: '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'
I've tried using the above key with all possible scalar types without success. It might not be possible to work around this bug.
This issue seems to be caused by the use of the following line of the opensearch security plugin:
I was able to reproduce the issue while setting this up in opensearch 2.13. I'm bringing up a 2.15 environment to test whether this has been fixed. We may need to report this as an issue to opensearch.
On @gdiazlo's suggestion, I tried using a 64-character random string as an exchange_key, making sure it didn't include any non-alphabetical characters. Doing so I could log in to the dashboard using my Okta account.
I'm leaving a copy of my config.yml for reference:
This has been solved and will be addressed in the documentation.
Description
While testing single sign-on with Okta and Azure, when I have to modify the /etc/wazuh-indexer/opensearch-security/config.yml file and include the certificate generated from Okta or Azure in the exchange_key: field, the {'statusCode':500, 'error': 'Internal Server Error', 'message': 'Internal Error'} error appears when trying to access the dashboard. Checking the logs of /var/log/wazuh-indexer/wazuh-cluster.log shows that there is the following error:
We have attempted to create a new certificate and encountered the same issue as above.
If we leave the exchange_key option empty or with a dummy string (like exchange_key: "hello" instead of a correct certificate) in the /etc/wazuh-indexer/opensearch-security/config.yml file and re-enter the dashboard, we can log in successfully, but we receive a permissions error once inside the dashboard (due to the wrong certificate, I guess).
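The trace above shows java.util.Base64 rejecting byte 0x2b ('+') inside createJwkFromSettings; '+' is legal in standard Base64 but not in the URL-safe alphabet, so the exchange_key is evidently decoded as URL-safe Base64 and a pasted certificate (which always contains '+' and '/') cannot pass. The following is an added example, not code from the thread or from the opensearch-security plugin: it reproduces that check in Python, generates a key the way the thread's workaround does (letters only), and a stronger URL-safe key. The 64-byte (HS512) target size is an assumption of this example, not a figure from the thread.

```python
import base64
import secrets
import string

# RFC 4648 section 5 "URL and filename safe" alphabet. Standard Base64's '+' and
# '/' are NOT in it; a PEM body always contains them, which is why the JDK's
# URL decoder fails with "Illegal base64 character 2b" ('+') on a pasted cert.
URLSAFE_ALPHABET = set(string.ascii_letters + string.digits + "-_")

# Assumption (not stated in the thread): the decoded bytes serve as an HMAC
# (HS512) signing secret, so 64 bytes (512 bits) is the size to aim for.
RECOMMENDED_BYTES = 64


def check_exchange_key(key: str) -> tuple[bool, str, int]:
    """Validate a config.yml exchange_key as a URL-safe Base64 decoder would.

    Returns (ok, detail, decoded_byte_length); detail mirrors the JDK wording
    so it can be matched against wazuh-cluster.log."""
    body = key.rstrip("=")          # trailing padding is allowed, not required
    if not body:
        return False, "exchange_key is empty", 0
    for ch in body:
        if ch not in URLSAFE_ALPHABET:
            return False, f"Illegal base64 character {ord(ch):x}", 0
    if len(body) % 4 == 1:          # a lone trailing sextet cannot form a byte
        return False, "Last unit does not have enough valid bits", 0
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    detail = f"decodes to {len(raw)} bytes"
    if len(raw) < RECOMMENDED_BYTES:
        detail += f" (below the {RECOMMENDED_BYTES}-byte HS512 key size)"
    return True, detail, len(raw)


def alphabetic_key(length: int = 64) -> str:
    """The thread's workaround: random ASCII letters only, valid in both
    Base64 alphabets. 64 letters decode to 48 bytes."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def urlsafe_key(nbytes: int = RECOMMENDED_BYTES) -> str:
    """A full-size key: nbytes of randomness, URL-safe encoded, no padding."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample resembling a PEM certificate body (not a real certificate).
PASTED_CERT_BODY = "MIIDpDCCAoygAwIBAgIGAX+QhGd3/wIDAQAB"

if __name__ == "__main__":
    for label, key in [("pasted cert", PASTED_CERT_BODY),
                       ("64 letters", alphabetic_key()),
                       ("token_urlsafe", urlsafe_key())]:
        ok, detail, _ = check_exchange_key(key)
        print(f"{label:14} {'OK ' if ok else 'ERR'} {detail}")
```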