
Add demo certificates installer #548

Closed
wants to merge 16 commits into from

Conversation

QU3B1M
Member

@QU3B1M QU3B1M commented Nov 12, 2024

Description

Add install-demo-certificates.sh, which generates and configures the demo certificates for the current wazuh-indexer installation.
It is being used at the post-install packaging step.

Related Issues

Resolves #183

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@QU3B1M QU3B1M requested a review from a team as a code owner November 12, 2024 18:58
@QU3B1M QU3B1M self-assigned this Nov 12, 2024
@QU3B1M
Member Author

QU3B1M commented Nov 13, 2024

The package correctly deploys the demo certificates when it is installed

  • installation
    bash 01_download_and_install_package.sh -id 11804424623 -n wazuh-indexer_5.0.0-0_arm64_594f7b55-bd947b4-b41f2b0.deb
    Fetching artifacts list...
    Checking wazuh-indexer_5.0.0-0_arm64_594f7b55-bd947b4-b41f2b0.deb package is generated for workflow run 11804424623
    Wazuh indexer artifact detected. Artifact ID: 2178407428
    Downloading wazuh-indexer package from GitHub artifactory...
    (It could take a couple of minutes)
    Package downloaded successfully
    Decompressing wazuh-indexer package...
    Archive:  ./package.zip
      inflating: wazuh-indexer_5.0.0-0_arm64_594f7b55-bd947b4-b41f2b0.deb  
    Package decompressed
    Installing wazuh-indexer package...
    Package installed successfully.
  • Certificates deployed
    ls -ll /etc/wazuh-indexer/certs/
    total 20
    -r-------- 1 wazuh-indexer wazuh-indexer 1704 Nov 12 09:17 admin-key.pem
    -r-------- 1 wazuh-indexer wazuh-indexer 1119 Nov 12 09:17 admin.pem
    -r-------- 1 wazuh-indexer wazuh-indexer 1704 Nov 12 09:17 indexer-key.pem
    -r-------- 1 wazuh-indexer wazuh-indexer 1245 Nov 12 09:17 indexer.pem
    -r-------- 1 wazuh-indexer wazuh-indexer 1204 Nov 12 09:17 root-ca.pem
  • Cluster can be initialized with these certificates
    /usr/share/wazuh-indexer/bin/indexer-security-init.sh
    **************************************************************************
    ** This tool will be deprecated in the next major release of OpenSearch **
    ** https://github.com/opensearch-project/security/issues/1755           **
    **************************************************************************
    Security Admin v7
    Will connect to 127.0.0.1:9200 ... done
    Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
    OpenSearch Version: 2.17.1
    Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
    Clustername: wazuh-cluster
    Clusterstate: GREEN
    Number of nodes: 1
    Number of data nodes: 1
    .opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
    Populate config from /etc/wazuh-indexer/opensearch-security/
    Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml 
       SUCC: Configuration for 'config' created or updated
    Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml 
       SUCC: Configuration for 'roles' created or updated
    Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml 
       SUCC: Configuration for 'rolesmapping' created or updated
    Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml 
       SUCC: Configuration for 'internalusers' created or updated
    Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml 
       SUCC: Configuration for 'actiongroups' created or updated
    Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml 
       SUCC: Configuration for 'tenants' created or updated
    Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml 
       SUCC: Configuration for 'nodesdn' created or updated
    Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml 
       SUCC: Configuration for 'whitelist' created or updated
    Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml 
       SUCC: Configuration for 'audit' created or updated
    Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml 
       SUCC: Configuration for 'allowlist' created or updated
    SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null
    Done with success
    curl -k -u admin:admin https://127.0.0.1:9200
    {
      "name" : "node-1",
      "cluster_name" : "wazuh-cluster",
      "cluster_uuid" : "ErnMVT-NS5abL0Lw9vqWJA",
      "version" : {
        "distribution" : "opensearch",
        "number" : "2.17.1",
        "build_type" : "deb",
        "build_hash" : "594f7b5536897dc3935f71f433401e8d0429f930",
        "build_date" : "2024-11-12T19:44:59.743089103Z",
        "build_snapshot" : false,
        "lucene_version" : "9.11.1",
        "minimum_wire_compatibility_version" : "7.10.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }

@f-galland
Member

Package installation works in .deb:

root@node-2:/vagrant/scripts# GITHUB_TOKEN=***** bash 01_download_and_install_package.sh -id 11806038378 -n wazuh-indexer_5.0.0-0_amd64_769ce7a7-bd947b4-b41f2b0.deb
Fetching artifacts list...
Checking wazuh-indexer_5.0.0-0_amd64_769ce7a7-bd947b4-b41f2b0.deb package is generated for workflow run 11806038378
Wazuh indexer artifact detected. Artifact ID: 2178870411
Downloading wazuh-indexer package from GitHub artifactory...
(It could take a couple of minutes)
Package downloaded successfully
Decompressing wazuh-indexer package...
Archive:  ./package.zip
  inflating: wazuh-indexer_5.0.0-0_amd64_769ce7a7-bd947b4-b41f2b0.deb  
Package decompressed
Installing wazuh-indexer package...
Package installed successfully.
root@node-2:/vagrant/scripts# ls /etc/wazuh-indexer/certs/
admin-key.pem  admin.pem  indexer-key.pem  indexer.pem  root-ca.pem

@f-galland
Member

f-galland commented Nov 13, 2024

Works on .rpm as well:

[root@node-1 scripts]# GITHUB_TOKEN=**** bash 01_download_and_install_package.sh -id 11819424324 -n wazuh-indexer_5.0.0-0_x86_64_5ae8cc66-bd947b4-b41f2b0.rpm
Fetching artifacts list...
Checking wazuh-indexer_5.0.0-0_x86_64_5ae8cc66-bd947b4-b41f2b0.rpm package is generated for workflow run 11819424324
Wazuh indexer artifact detected. Artifact ID: 2182430868
Downloading wazuh-indexer package from GitHub artifactory...
(It could take a couple of minutes)
Package downloaded successfully
Decompressing wazuh-indexer package...
Archive:  ./package.zip
  inflating: wazuh-indexer_5.0.0-0_x86_64_5ae8cc66-bd947b4-b41f2b0.rpm  
Package decompressed
Installing wazuh-indexer package...
Package installed successfully.
[root@node-1 scripts]# ls /etc/wazuh-indexer/certs/
admin-key.pem  admin.pem  indexer-key.pem  indexer.pem  root-ca.pem

Member

@f-galland f-galland left a comment

LGTM!

Member

@AlexRuiz7 AlexRuiz7 left a comment

LGTM!

Have we tried to form up a cluster?

Member

@AlexRuiz7 AlexRuiz7 left a comment

A cluster cannot be formed using the current solution, so it's a partial solution.

I'd rather have the certificates pre-generated and hosted in our repository if that allows us to form up clusters without having to generate custom certificates.

@f-galland
Member

Hard-coded certs were added as an option, enabled by the USE_DEMO_CERTS boolean flag:

root@node-2:/vagrant/scripts# USE_DEMO_CERTS="true" dpkg -i wazuh-indexer_5.0.0-0_amd64_8ff89d65-e3248bb-b41f2b0.deb 
Selecting previously unselected package wazuh-indexer.
(Reading database ... 76250 files and directories currently installed.)
Preparing to unpack wazuh-indexer_5.0.0-0_amd64_8ff89d65-e3248bb-b41f2b0.deb ...
Running Wazuh Indexer Pre-Installation Script
Unpacking wazuh-indexer (5.0.0-0) ...
Setting up wazuh-indexer (5.0.0-0) ...
Running Wazuh Indexer Post-Installation Script
No certificates detected in /etc/wazuh-indexer, installing demo certificates...
### If you are using a custom certificates path, ignore this message.
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service

root@node-2:/vagrant/scripts# systemctl daemon-reload && systemctl start wazuh-indexer

root@node-2:/vagrant/scripts# systemctl status wazuh-indexer
● wazuh-indexer.service - wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-11-20 10:47:45 UTC; 5s ago
       Docs: https://documentation.wazuh.com
   Main PID: 5701 (java)
      Tasks: 65 (limit: 4557)
     Memory: 1.3G
        CPU: 23.526s
     CGroup: /system.slice/wazuh-indexer.service
             └─5701 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch>

Nov 20 10:47:37 node-2 systemd-entrypoint[5701]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opense>
Nov 20 10:47:37 node-2 systemd-entrypoint[5701]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Nov 20 10:47:37 node-2 systemd-entrypoint[5701]: WARNING: System::setSecurityManager will be removed in a future release
Nov 20 10:47:37 node-2 systemd-entrypoint[5701]: Nov 20, 2024 10:47:37 AM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Nov 20 10:47:37 node-2 systemd-entrypoint[5701]: WARNING: COMPAT locale provider will be removed in a future release
Nov 20 10:47:38 node-2 systemd-entrypoint[5701]: WARNING: A terminally deprecated method in java.lang.System has been called
Nov 20 10:47:38 node-2 systemd-entrypoint[5701]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensear>
Nov 20 10:47:38 node-2 systemd-entrypoint[5701]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Nov 20 10:47:38 node-2 systemd-entrypoint[5701]: WARNING: System::setSecurityManager will be removed in a future release
Nov 20 10:47:45 node-2 systemd[1]: Started wazuh-indexer.

root@node-2:/vagrant/scripts# curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin:admin https://localhost:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "80_cgZXaRt2tqsOq31ZCtg",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.17.1",
    "build_type" : "deb",
    "build_hash" : "8ff89d653ea6271fa31d5743618b77587c3ba510",
    "build_date" : "2024-11-20T10:20:12.060264055Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

root@node-2:/vagrant/scripts# curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin:admin https://wazuh.indexer:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "80_cgZXaRt2tqsOq31ZCtg",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.17.1",
    "build_type" : "deb",
    "build_hash" : "8ff89d653ea6271fa31d5743618b77587c3ba510",
    "build_date" : "2024-11-20T10:20:12.060264055Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
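The post-install output above shows the gating the installer performs: demo certificates are only written when the configuration directory holds none and the operator opted in with USE_DEMO_CERTS, and the resulting files are owner-read-only and owned by the service account. The routine below is an added illustration of that flow, not the PR's own install-demo-certificates.sh or any other wazuh-indexer code. The function names, the demo-source directory parameter and the status strings it prints are assumptions made for the example; the five file names and the 0400 mode come from the listing in the PR.

```shell
#!/usr/bin/env bash
# Added example, not the wazuh-indexer project's script: a post-install style
# routine that installs demo certificates only when none are present and the
# installer opted in (USE_DEMO_CERTS=true), then locks the files down to 0400
# owned by the service account. The demo-source directory and the service user
# are parameters (assumed), so the routine can be exercised in a scratch directory.

# The five files the PR's listing of /etc/wazuh-indexer/certs/ shows.
DEMO_CERT_FILES="admin-key.pem admin.pem indexer-key.pem indexer.pem root-ca.pem"

# certs_present DIR -> 0 if DIR already holds at least one *.pem file.
certs_present() {
    local dir="$1" f
    for f in "$dir"/*.pem; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# install_demo_certs CONF_DIR DEMO_SRC_DIR [SERVICE_USER]
# Prints one of: skipped-existing, skipped-optout, installed.
# Prints missing-demo-file:<name> and returns 1 if the demo bundle is incomplete.
install_demo_certs() {
    local conf_dir="$1" demo_src="$2" svc_user="${3:-wazuh-indexer}"
    local certs_dir="$conf_dir/certs" f

    # Never overwrite certificates an operator already deployed.
    if certs_present "$certs_dir"; then
        echo "skipped-existing"
        return 0
    fi
    # Opt-in only: the flag must be the literal string "true".
    if [ "${USE_DEMO_CERTS:-false}" != "true" ]; then
        echo "skipped-optout"
        return 0
    fi
    # Refuse a partial bundle rather than leave the node half-configured.
    for f in $DEMO_CERT_FILES; do
        if [ ! -f "$demo_src/$f" ]; then
            echo "missing-demo-file:$f"
            return 1
        fi
    done
    mkdir -p "$certs_dir"
    for f in $DEMO_CERT_FILES; do
        # cp honours the umask, so tighten the mode explicitly afterwards.
        cp "$demo_src/$f" "$certs_dir/$f"
        chmod 0400 "$certs_dir/$f"
    done
    # chown needs root, and the service account may not exist on a dev box.
    if [ "$(id -u)" -eq 0 ] && id "$svc_user" >/dev/null 2>&1; then
        chown -R "$svc_user:$svc_user" "$certs_dir"
    fi
    echo "installed"
}

# check_cert_modes CERTS_DIR -> 0 if every expected file exists with mode 0400.
# Useful as a post-install sanity check before starting the service.
check_cert_modes() {
    local dir="$1" f mode
    for f in $DEMO_CERT_FILES; do
        [ -f "$dir/$f" ] || return 1
        mode=$(stat -c '%a' "$dir/$f" 2>/dev/null || stat -f '%Lp' "$dir/$f")
        [ "$mode" = "400" ] || return 1
    done
    return 0
}
```

Run as root with a real bundle directory, e.g. `USE_DEMO_CERTS=true install_demo_certs /etc/wazuh-indexer /usr/share/wazuh-indexer/demo-certs`, and follow with `check_cert_modes /etc/wazuh-indexer/certs` before `systemctl start`. The "skipped-existing" branch is what makes the flag safe to leave on for reinstalls: a node that already has operator-issued certificates keeps them.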

@f-galland
Member

Works under rpm as well:

[root@alma9 ~]# USE_DEMO_CERTS="true" rpm -i ./wazuh-indexer_5.0.0-0_x86_64_8ff89d65-e3248bb-b41f2b0.rpm 
No certificates detected in /etc/wazuh-indexer, installing demo certificates...
### If you are using a custom certificates path, ignore this message.
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service

[root@alma9 ~]# systemctl daemon-reload

[root@alma9 ~]# systemctl start wazuh-indexer

[root@alma9 ~]# curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin:admin https://localhost:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "g-MZ0mwbR6OE2n5ifqtxvQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.17.1",
    "build_type" : "rpm",
    "build_hash" : "8ff89d653ea6271fa31d5743618b77587c3ba510",
    "build_date" : "2024-11-20T10:18:15.841796027Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}


[root@alma9 ~]# curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin:admin https://wazuh.indexer:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "g-MZ0mwbR6OE2n5ifqtxvQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.17.1",
    "build_type" : "rpm",
    "build_hash" : "8ff89d653ea6271fa31d5743618b77587c3ba510",
    "build_date" : "2024-11-20T10:18:15.841796027Z",
    "build_snapshot" : false,
    "lucene_version" : "9.11.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

@AlexRuiz7
Member

Migrate to the new master branch.

@AlexRuiz7 AlexRuiz7 closed this Nov 21, 2024
@f-galland
Member

Migrated to #566

@AlexRuiz7 AlexRuiz7 deleted the ci/183-add-demo-certificates branch November 26, 2024 11:45
Successfully merging this pull request may close these issues.

[CI] Add demo certificates to the packages