Multiple problems with Graylog

Hello @fffhurst

What do you mean by server function? If you're referring to a TLS connection, then yes.

In order to provide your full cluster with all required certificates, we’ll need to make all of the following keypairs and certificates. For each certificate you’ll need to gather the relevant hostnames, DNS aliases and IP addresses, because we want the certificates to work for all of these.

Do you have a cluster of servers?

If you don't have a cluster of servers and only one node, you will need to create certificates for Graylog, then send them over to be signed by your MS AD CS. Once the certificates are signed, make sure you put the correct ones in your keystore on Graylog. I'm not sure about your environment, but you can also just create self-signed certs or use Let's Encrypt. It's possible and easy to just use the Java default keystore called "cacerts". As for your INPUTs using certificates, you will need two files, graylog.pem and graylog-key.pem, and those two would also be on your remote device. When you do that, make sure they're secure since these are certificate keys.

I believe the easiest way to accomplish this is to create your certificates on Graylog.
Here are a couple of examples that I used not only for HTTPS but also for INPUT connections.

Here is an example of what I did.

1. Create a file named openssl-graylog.cnf with the following content:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
# Details about the subject of the certificate (also the issuer, since it is self-signed)
[req_distinguished_name]
C = US
ST = some_state
L = some_city
O = domain
OU = admin
# The CN should match the name listed in alt_names below
CN = graylog.domain-labs.net
[v3_req]
# digitalSignature is required for ECDHE-RSA cipher suites, keyEncipherment for plain RSA key exchange
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 10.10.10.10
DNS.1 = graylog.domain-labs.net

2. I executed the following commands to create the certs for Graylog TLS.

mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/

# Self-signed path: private key (traditional/PKCS#5 PEM) plus a certificate carrying the SANs from the config
openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
# Graylog reads PKCS#8 keys; make an unencrypted and an encrypted copy (the password goes into http_tls_key_password)
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

# If the signed certificate came back from AD CS as a PKCS#12 file (keystore.pfx), split it into PEM certificate and key instead
openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

# If it is a Java keystore (keystore.jks) instead, convert it to PKCS#12 first, then split it the same way
keytool -list -v -keystore keystore.jks -alias graylog.example.com
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

# Trust store: start from a copy of the JVM's cacerts (default store password "changeit") and add the Graylog certificate to it
cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/ssl/certs/graylog/graylog.jks
keytool -importcert -keystore /etc/ssl/certs/graylog/graylog.jks -storepass changeit -alias graylog.domain-labs.net -file cert.pem

Make sure Graylog is aware of the new keystore.

-Djavax.net.ssl.trustStore=/path/to/keystore.jks
-Djavax.net.ssl.trustStorePassword=secret

If you receive an error stating "no keystore found" or something similar to that, you can use the default Java store and place those certificates there. Make sure to comment out the lines above so Graylog doesn't get confused about which keystore to use.

3. Default Java keystore, with the following commands. The Java path may vary by OS and version of Java.

keytool -import -trustcacerts -file cert.pem -alias graylog.domain-labs.net -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/security/cacerts

4. Copy the certificates into the Graylog directory. Since Graylog owns it, this makes it easy for Graylog to access them when using TCP/TLS INPUTs.

cp cert.pem graylog-certificate.pem graylog-key.pem /etc/graylog/

5. Configure the Graylog config file.

http_publish_uri = https://graylog.domain-labs.net:9000/
http_enable_tls = true
# Password of the encrypted PKCS#8 key below
http_tls_key_password = secret
# I used the directory where I created the certs and ran chown -R graylog:graylog on it.
http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem

As for my INPUTs…

For Elasticsearch, it's been a while, but something like this.

cp admin-key.pem admin.pem root-ca-key.pem root-ca.pem /etc/elasticsearch/

Elasticsearch YAML file.

opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/admin.pem
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/admin-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/root-ca.pem
# false: node certificates are not checked against the node hostnames on the transport layer
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/admin.pem
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/admin-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
# Must match the subject DN of admin.pem exactly
opendistro_security.authcz.admin_dn:
  - 'CN=elastic-stack.domain-labs.net,OU=admin,O=google,L=some_city,ST=some_state,C=us'

For MongoDb, I haven’t done it yet, but if you get it working I would like to know.

Hope that helps

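The certificate procedure in the reply above, as an added, self-contained example that is not part of the original post or of Graylog itself: it writes the same style of openssl config, generates the self-signed certificate and an encrypted PKCS#8 key, and then runs the checks a practitioner wants before restarting graylog-server (the SAN contains the hostname and IP, the cert is a serverAuth cert, the key actually belongs to the cert, and the key is in the PKCS#8 form Graylog reads). Assumptions: openssl is on PATH, WORK is a scratch directory (a temp dir by default), and the hostname, IP and key password are the values used in the thread; the keytool/cacerts steps are left out on purpose.

```shell
#!/bin/sh
# Added example, not from the original post: build a Graylog-style server key and
# certificate with SANs, convert the key to the encrypted PKCS#8 form Graylog reads,
# and verify the files before pointing http_tls_key_file / http_tls_cert_file at them.
# Assumptions: openssl on PATH; WORK is a scratch directory (default: a temp dir);
# hostname, IP and key password are the values used in the thread above.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="graylog.domain-labs.net"
IP="10.10.10.10"
KEYPASS="secret"   # becomes http_tls_key_password; prefer -passout file:... in production so it is not visible in ps

write_openssl_config() {
  cat > "$WORK/openssl-graylog.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = some_state
L = some_city
O = domain
OU = admin
CN = $HOST
[v3_req]
# digitalSignature for ECDHE-RSA suites, keyEncipherment for plain RSA key exchange
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $IP
DNS.1 = $HOST
EOF
}

# Generates cert.pem (self-signed, 365 days) and graylog-key.pem (encrypted PKCS#8).
make_certs() {
  write_openssl_config
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
    -config "$WORK/openssl-graylog.cnf" \
    -keyout "$WORK/pkcs5-plain.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/pkcs5-plain.pem" \
    -out "$WORK/graylog-key.pem" -passout "pass:$KEYPASS"
  chmod 600 "$WORK/pkcs5-plain.pem" "$WORK/graylog-key.pem"   # then chown graylog:graylog on the real host
}

# --- checks to run before restarting graylog-server ---

# The name Graylog is reached by must be in the SAN; modern clients ignore the CN.
cert_has_san() {  # $1 = cert file, $2 = "DNS:name" or "IP Address:x.x.x.x"
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# The certificate is usable for serverAuth, which http_enable_tls and TLS inputs need.
cert_is_server_cert() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# graylog-key.pem must be the key for cert.pem: compare the public key derived from each.
key_matches_cert() {  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -passin "pass:$KEYPASS" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Graylog expects PKCS#8; an encrypted one carries this header and needs http_tls_key_password.
key_is_encrypted_pkcs8() {
  grep -q "BEGIN ENCRYPTED PRIVATE KEY" "$1"
}

# Returns 0 if every check passes, non-zero otherwise.
verify_tls_files() {  # $1 = cert file, $2 = key file
  cert_has_san "$1" "DNS:$HOST" &&
  cert_has_san "$1" "IP Address:$IP" &&
  cert_is_server_cert "$1" &&
  key_matches_cert "$2" "$1" &&
  key_is_encrypted_pkcs8 "$2"
}

make_certs
if verify_tls_files "$WORK/cert.pem" "$WORK/graylog-key.pem"; then
  echo "OK: $WORK/cert.pem and $WORK/graylog-key.pem are ready for http_tls_cert_file / http_tls_key_file"
else
  echo "FAIL: do not restart graylog-server with these files" >&2
  exit 1
fi
```

The same verify_tls_files checks apply unchanged to a certificate and key pulled out of a keystore.pfx or keystore.jks with the pkcs12/pkcs8 commands from the reply; pointing Graylog at a key whose public key does not match the cert, or at the unencrypted pkcs5-plain.pem while http_tls_key_password is set, are the two mistakes these checks catch.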