Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Management API CA file field to opensearch.yml #171

Open
Tracked by #180
f-galland opened this issue Dec 6, 2024 · 2 comments · May be fixed by #179
Open
Tracked by #180

Add Management API CA file field to opensearch.yml #171

f-galland opened this issue Dec 6, 2024 · 2 comments · May be fixed by #179
Assignees
@mcasas993
Labels
level/task Task issue mvp Minimum Viable Product type/enhancement Enhancement issue

Comments

@f-galland
Copy link
Member

Description

In order for the command-manager plugin to connect to the Wazuh Server's management API using self-signed certificates, a CAcert needs to be loaded into the plugin's trust chain.
We need to expose this as a setting in the configuration file.
@wazuhci wazuhci moved this to In progress in Release 5.0.0 Dec 6, 2024
@wazuhci wazuhci moved this from In progress to Backlog in Release 5.0.0 Dec 6, 2024
@f-galland f-galland self-assigned this Dec 6, 2024
@f-galland
Copy link
Member Author

A sample of a class reading a config file from a plugin:
https://github.com/opensearch-project/reporting/blob/2.18.0.0/src/main/kotlin/org/opensearch/reportsscheduler/settings/PluginSettings.kt

A sample class loading a custom trust chain:
https://github.com/apache/httpcomponents-client/blob/master/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java

@mcasas993 mcasas993 assigned mcasas993 and unassigned f-galland Dec 9, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 5.0.0 Dec 9, 2024
@mcasas993 mcasas993 linked a pull request Dec 10, 2024 that will close this issue
Open
@mcasas993 mcasas993 linked a pull request Dec 10, 2024 that will close this issue
Connect to the Wazuh Server's management API using self-signed certificates #179
Open
@AlexRuiz7 AlexRuiz7 added level/task Task issue type/enhancement Enhancement issue mvp Minimum Viable Product labels Dec 10, 2024
This was referenced Dec 10, 2024
Open
Open
@mcasas993
Copy link
Member

Relevant discovery in the process:

How to put configuration attributes in opensearch.yml.

The process is simple and similar to putting configurations in keystore. Depending on the type of attribute, if it is a secure configuration or not, it will automatically be saved in the keystore or in the opensearch.yml file.

Example of declaration of secure setting:

 public static final Setting<SecureString> M_API_AUTH_USERNAME =
            SecureSetting.secureString("m_api.auth.username", null);

Example of declaration of not secure setting:

public static final Setting<String> WAZUH_INDEXER_CA_CERT_PATH =
        Setting.simpleString("ssl.http.pemtrustedcas_filepath", Setting.Property.NodeScope);

Validate configuration values.

We do not yet validate the contents of the attributes in the settings, but we will probably want to do so in the future. We can see a good example of how to create and validate settings here.

Access to files with AccessController.doPrivileged

To use the AccesController we have to configure a policy file inside plugins/command-manager/src/main/plugin-metadata/

Inside this file, if we want to manage the access to a file we cannot put a “*”, we have to put a concrete directory or an absolute path to a file.

Example.
grant { permission java.io.FilePermission "/home/user/Documents/wazuh-certificates/root-ca.pem", "read";}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mcasas993 mcasas993

Labels
level/task Task issue mvp Minimum Viable Product type/enhancement Enhancement issue
Projects
Release 5.0.0
Status: In progress
Milestone
No milestone
3 participants
@AlexRuiz7 @mcasas993 @f-galland