What is this previously copied java keystore they speak of in the Graylog docs?

1. Describe your incident:

Attempting to learn how to set up cert of our graylog.

2. Describe your environment:

Context is the Graylog HTTPS documentation

4. How can the community help?

Please clarify :smiley:

The first would be to create a self-signed certificate, add that to the previously copied java keystore and use this keystore with your Graylog java options

In my experience so far, there is no previously copied java keystore so I don't know where this is coming from and what it means. Graylog has java options? :sweat_smile:

@dscryber - Can you get the Doc Dudes to take a look at this for clarification?


Hey @log

Yeah the docs are kind of… yeah HAHA

Basically JAVA has a default keystore called "cacerts".

Find your version of java.

root@ansible:/usr/local/bin# sudo update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
  0            /usr/lib/jvm/java-17-openjdk-amd64/bin/java      1711      auto mode
* 1            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      manual mode
  2            /usr/lib/jvm/java-17-openjdk-amd64/bin/java      1711      manual mode
  3            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode

Press <enter> to keep the current choice[*], or type selection number: 
There are 3 choices for the alternative java (providing /usr/bin/java).

Then find the full path.

root@ansible:/usr/local/bin#  locate cacerts
/etc/default/cacerts
/etc/ssl/certs/java/cacerts
/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts
/usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts
/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
/usr/share/elasticsearch/jdk/lib/security/cacerts

Now copy

root# cp /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/keystore.jks

When using a "NEW" keystore make sure graylog is configured like so

-Djavax.net.ssl.trustStore=/etc/graylog/keystore.jks
-Djavax.net.ssl.trustStorePassword=secret or changeit

hope that helps


Will do. Thanks for the heads up, @tmacgbay

Thanks that moved me forward.

I set this in my /etc/sysconfig/graylog-server:


GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/graylog/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit"

Now I have copied the keystore to /etc/graylog/keystore.jks and imported the X509 cert that I have issued with my CA.
So I print the keystore contents and there it is, I see it.

I have also set this in server conf:

http_enable_tls = true
http_tls_cert_file = /tmp/timberjack.pem

But I don't like really know why I would tell it to do that since the key is in the keystore?

Restarted the graylog-server service.

/var/log/graylog-server/server.log

2023-02-02T17:29:04.416-05:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: null
        at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:255) ~[graylog.jar:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
        at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
        at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:233) ~[graylog.jar:?]
        at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:102) ~[graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:477) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.doRun(CmdLineTool.java:282) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:260) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:45) [graylog.jar:?]

But my private key is a .key and it's not X509… it's an RSA key so I can't import that, so how can I roll along further at this point?

Hey @log

Here are my notes on using HTTPS.

mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/
openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
openssl req -config openssl-graylog.cnf -out graylog.csr -new -newkey rsa:2048 -nodes -keyout graylog.key
openssl req -x509 -sha512 -nodes -days 1095 -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog.key -out graylog.crt
openssl req -config openssl-graylog.cnf -out graylog.csr -key graylog.key -new
openssl x509 -x509toreq -in graylog.crt -out graylog.csr -signkey graylog.key
openssl pkcs12 -export -in graylog.crt -inkey graylog.key -out keystore.pfx
openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

keytool -import -trustcacerts -file graylog.crt -alias graylog.domain.com -keystore graylog_keystore.jks -storepass secret

Check Certificates

keytool -list -v -keystore graylog_keystore.jks -alias graylog.domain.com

keytool -importkeystore -srckeystore graylog_keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/graylog/graylog-key.jks
keytool -importcert -keystore graylog.jks -storepass changeit (secret) -alias graylog.domain.com  -file cert.pem

Graylog configuration file

http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain.com:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/graylog/graylog-certificate.pem
http_tls_key_file = /etc/graylog/graylog-key.pem
http_tls_key_password = secret

Here was a good post to get started with, this helped me understand what I needed to do.
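
A pre-flight check for the `http_tls_*` settings discussed in this thread, as an added example that is not part of any post and not Graylog's own code. It reproduces the "missing HTTP private key" condition from the log above and flags a `BEGIN RSA PRIVATE KEY` (PKCS#1) file, which is what the `openssl pkcs8 -topk8` step converts. The function names and sample files are constructed, and it assumes Graylog expects the key as PKCS#8 PEM.

```shell
#!/bin/sh
# Added example. conf_get, check_graylog_tls and make_samples are hypothetical names.

# Print the trimmed value of "key = value" (last occurrence) from config file $2.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Echo one verdict word for the HTTP TLS settings in config file $1.
check_graylog_tls() {
    conf=$1
    [ "$(conf_get http_enable_tls "$conf")" = "true" ] || { echo tls-disabled; return 0; }
    cert=$(conf_get http_tls_cert_file "$conf")
    key=$(conf_get http_tls_key_file "$conf")
    [ -n "$cert" ] && [ -r "$cert" ] || { echo cert-missing; return 1; }
    # Same condition as "Unreadable or missing HTTP private key: null"
    [ -n "$key" ] && [ -r "$key" ] || { echo key-missing; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || { echo cert-not-pem; return 1; }
    if grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$key"; then
        echo key-not-pkcs8; return 1    # PKCS#1 key: convert with openssl pkcs8 -topk8
    fi
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        [ -n "$(conf_get http_tls_key_password "$conf")" ] || { echo key-password-missing; return 1; }
    elif ! grep -q -e '-----BEGIN PRIVATE KEY-----' "$key"; then
        echo key-not-pem; return 1
    fi
    echo ok
}

# Write constructed sample files (header-only stand-ins, not real keys) into dir $1.
make_samples() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$d/rsa.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' > "$d/pkcs8.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'constructed' > "$d/enc.pem"
    # Mirrors the thread: TLS enabled, certificate set, no http_tls_key_file.
    printf '%s\n' 'http_enable_tls = true' "http_tls_cert_file = $d/cert.pem" > "$d/nokey.conf"
    { cat "$d/nokey.conf"; echo "http_tls_key_file = $d/rsa.key"; } > "$d/rsa.conf"
    { cat "$d/nokey.conf"; echo "http_tls_key_file = $d/pkcs8.pem"; } > "$d/ok.conf"
    { cat "$d/nokey.conf"; echo "http_tls_key_file = $d/enc.pem"; } > "$d/enc.conf"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for c in nokey rsa enc ok; do
    printf '%s: %s\n' "$c" "$(check_graylog_tls "$tmp/$c.conf")"
done
```

Run it as the account the graylog-server service runs under, because the `-r` tests check readability for the current user. The JVM trust store (`-Djavax.net.ssl.trustStore`) is not examined here; it governs which certificates Graylog trusts on outbound connections, not which key the web interface serves.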
