Hi,
Thanks for the quick reply there. The /etc/sysconfig/graylog-server file is for additional Java opts, such as changing the Java heap size for the Graylog nodes, providing a non-default Java truststore, etc.
I actually do have a java truststore which has the defaults in it, alongside the CA that signed the certificate graylog is using, and I also added the certificate of the ldap connection, but that didn’t help.
/etc/sysconfig/graylog-server
# Path to JVM trust store with graylog cert
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/pki/java/graylog/graylog.jks"
I can’t find any mention of which java security file it loads by default. Below is the command that Graylog runs with:
graylog 800273 1.1 16.9 5457540 1344408 ? Sl Feb14 11:38 /usr/bin/java -Xms1536m -Xmx1536m -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/pki/java/graylog/graylog.jks -Djava.security.policy -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np
I’ve set up TLS encryption on Graylog, its API, and the web UI:
http_enable_tls = true
http_tls_cert_file = /etc/pki/tls/certs/graylog/graylog.crt
http_tls_key_file = /etc/pki/tls/certs/graylog/graylog.key
http_tls_key_password =
rest_enable_tls = true
rest_tls_cert_file = /etc/pki/tls/certs/graylog/graylog.crt
rest_tls_key_file = /etc/pki/tls/certs/graylog/graylog.key
rest_tls_key_password =
web_enable_tls = true
web_tls_cert_file = /etc/pki/tls/certs/graylog/graylog.crt
web_tls_key_file = /etc/pki/tls/certs/graylog/graylog.key
web_tls_key_password =
I’ve also added the CA that signed said cert to the Java trusted keystore. This was done before, so it’s not an issue with that. Everything that Graylog uses is in a specific directory owned by the graylog user and group to ensure it can be read.
On the Windows side, there’s a certificate on the host, port 636, which “openssl s_client” reports to be 1024 bits long, but my colleague says it’s 2048, so we’re unsure what’s happening here.
Since this is an internal Graylog used for monitoring Windows DNS debug logs, instead of spending a bunch of time troubleshooting the cause we’d rather just modify the Java security file to accept keys of 1024 bits or more; I just can’t find which one it actually uses.
These are the only ones “find / -name java.security” can find.
/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.security
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/lib/security/java.security
/usr/share/elasticsearch/jdk/conf/security/java.security
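An added example for the question above (written for this thread, not code from the original post, Graylog or OpenJDK): the file the JVM loads is `${java.home}/lib/security/java.security`, where `java.home` is whatever the java binary in Graylog's command line reports via `java -XshowSettings:properties -version` (on Java 8 that is the `jre/` directory, so for the OpenJDK path listed above it resolves to the `/usr/lib/jvm/.../jre/lib/security/java.security` file; the Elasticsearch copy belongs to Elasticsearch's bundled JDK and is not read by Graylog). The key-size floors live in the `jdk.certpath.disabledAlgorithms` (certificate chain validation) and `jdk.tls.disabledAlgorithms` (handshake) properties. Rather than editing the package-owned file, you can drop an override file in and pass `-Djava.security.properties=/path/to/override` in GRAYLOG_SERVER_JAVA_OPTS; this is honoured as long as `security.overridePropertiesFile=true` in java.security, and a value prefixed with `==` replaces the defaults wholesale instead of appending. Two caveats: on RHEL 8-family OpenJDK packages java.security sets `security.useSystemPropertiesFile=true`, so the system-wide crypto policy in `/etc/crypto-policies/back-ends/java.config` supplies these properties and must be checked too; and lowering a floor weakens validation for every TLS peer the JVM talks to, not only the LDAP server. The script parses a java.security-style fragment (the sample text is constructed, not copied from a host), reports whether a key of a given algorithm and size would be rejected, and emits the relaxed property line for an override file.

```python
"""Added example: read java.security-style disabledAlgorithms constraints,
test a key against them, and build an override line for
-Djava.security.properties=<file>.  Not Graylog or OpenJDK code."""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample in java.security syntax (not copied from a real host);
# it mirrors the shape of the OpenJDK 8 defaults: '#' comments and
# backslash line continuations.
SAMPLE_JAVA_SECURITY = """\
# Constructed sample in java.security syntax (not copied from a real host)
security.overridePropertiesFile=true
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 2048, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# "<Algorithm> keySize <op> <bits>"; other constraint forms (usage, jdkCA,
# denyAfter) are left alone and never match a key-size query.
CONSTRAINT_RE = re.compile(r"^(\w+)\s+keySize\s*(<=|<|>=|>|==|!=)\s*(\d+)$", re.I)
OPS = {"<": lambda k, n: k < n, "<=": lambda k, n: k <= n,
       ">": lambda k, n: k > n, ">=": lambda k, n: k >= n,
       "==": lambda k, n: k == n, "!=": lambda k, n: k != n}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, trailing
    '\\' joins the next line (its leading whitespace dropped), and the first
    '=' or ':' separates key from value."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        entry, pending = pending + line, ""
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", entry)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_constraints(value: str) -> List[str]:
    """Split a disabledAlgorithms value into its comma-separated entries."""
    return [c.strip() for c in value.split(",") if c.strip()]


def key_rejected(props: Dict[str, str], prop_name: str, alg: str, bits: int) -> bool:
    """True if a key of `alg`/`bits` is disabled by `prop_name`: either the
    bare algorithm name is listed, or a keySize constraint matches."""
    for entry in split_constraints(props.get(prop_name, "")):
        if entry.upper() == alg.upper():
            return True
        m = CONSTRAINT_RE.match(entry)
        if m and m.group(1).upper() == alg.upper() and OPS[m.group(2)](bits, int(m.group(3))):
            return True
    return False


def relax_key_size(props: Dict[str, str], prop_name: str, alg: str, new_min: int) -> str:
    """Property line for an override file: every entry kept, but the
    'alg keySize < N' floor lowered to new_min."""
    entries = []
    for entry in split_constraints(props.get(prop_name, "")):
        m = CONSTRAINT_RE.match(entry)
        if m and m.group(1).upper() == alg.upper() and m.group(2) == "<":
            entry = f"{m.group(1)} keySize < {new_min}"
        entries.append(entry)
    return f"{prop_name}={', '.join(entries)}"


def find_java_security(java_bin: str = "/usr/bin/java") -> Optional[Path]:
    """Ask the JVM Graylog runs for java.home and derive the java.security
    path from it (-XshowSettings prints to stderr). None if it cannot run."""
    try:
        out = subprocess.run([java_bin, "-XshowSettings:properties", "-version"],
                             capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    m = re.search(r"^\s*java\.home\s*=\s*(\S+)", out.stderr, re.MULTILINE)
    return Path(m.group(1)) / "lib" / "security" / "java.security" if m else None


if __name__ == "__main__":
    props = parse_properties(SAMPLE_JAVA_SECURITY)
    for prop in ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"):
        print(prop, "rejects RSA-1024:", key_rejected(props, prop, "RSA", 1024))
    # Write this line to a file and pass -Djava.security.properties=<file>.
    print(relax_key_size(props, "jdk.certpath.disabledAlgorithms", "RSA", 1024))
    print("java.security loaded by /usr/bin/java:", find_java_security())
```

To settle the 1024-vs-2048 disagreement before relaxing anything, read the key size straight off the presented certificate: `openssl s_client -connect <ldap-host>:636 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 'Public Key Algorithm'`; if the chain has an intermediate, check each certificate in the chain, since the certpath constraint applies to every link, not only the leaf.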