Discussion:
[graylog2] SSL JVM
CTuser
2017-02-15 08:14:03 UTC
Hi,

I created a self-signed certificate, and currently the connection via HTTPS is
not secure because I didn't do the JVM step.

Please explain what I should do in the following step:

" In order for the JVM to pick up the new trust store, it has to be started
with the JVM parameter -Djavax.net.ssl.trustStore=/path/to/cacerts.jks. If
you've been using a password other than the default changeit to encrypt the
JVM trust store, you additionally have to set the JVM parameter
-Djavax.net.ssl.trustStorePassword=secret.

Most start and init scripts for Graylog provide a JAVA_OPTS variable which
can be used to pass the javax.net.ssl.trustStore and (optionally)
javax.net.ssl.trustStorePassword system properties. "


Graylog version: 2.1.2

OS: CentOS 7


Thanks.
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/652a3449-08c1-4508-8024-3a7897df84d2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Jochen Schalanda
2017-02-15 09:10:48 UTC
Hi,

the necessary steps are described in the documentation at
http://docs.graylog.org/en/2.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store

Cheers,
Jochen
CTuser
2017-02-15 10:15:01 UTC
Hi Jochen,

I already followed the "Adding a self-signed certificate to the JVM trust
store" section.
I also verified that the self-signed certificate has been added
successfully to the key store.
I don't know how to cause the JVM to pick up the new trust store.
According to the guide it has to be started with the JVM parameter
-Djavax.net.ssl.trustStore=/path/to/cacerts.jks
That tells me nothing.

Please assist.
Jochen Schalanda
2017-02-15 10:34:07 UTC
Hi,

please refer to http://docs.graylog.org/en/2.2/pages/configuration/file_location.html
for the specific location of the file for the JVM settings.

Cheers,
Jochen
CTuser
2017-02-15 12:03:45 UTC
Hi Jochen,

here is the output of the JVM settings (/etc/sysconfig/graylog-server):
--------------------------------------------------------
# Path to the java executable.
JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server
-XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
-XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
-XX:-OmitStackTraceInFastThrow"


# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""

# Program that will be used to wrap the graylog-server command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""

--------------------------------------------------------

Where should I locate the following line?
-Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks
Jochen Schalanda
2017-02-15 14:18:05 UTC
Hi,

you can add JVM settings to the GRAYLOG_SERVER_JAVA_OPTS variable.

Cheers,
Jochen
CTuser
2017-02-15 16:04:02 UTC
Hi Jochen,

I've written it as follows:

GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server
-XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
-XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
-XX:-OmitStackTraceInFastThrow
-Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks"

I restarted the machine and it doesn't work.
I still see the "connection is not secure" message.
Jochen Schalanda
2017-02-15 16:23:38 UTC
Hi,

as long as you don't add your self-signed certificate to the trusted
certificates of your web browsers as well, that "insecure" notification
will remain.

Please consult the documentation of your web browser for this.

Cheers,
Jochen
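The whole procedure the thread walks through, as an added worked example that is not part of the thread and not Graylog's own tooling: import the self-signed certificate into a copy of the stock JVM cacerts, put -Djavax.net.ssl.trustStore into GRAYLOG_SERVER_JAVA_OPTS in /etc/sysconfig/graylog-server (idempotently, and coping with the value being wrapped over several lines as in the pasted file), confirm the flag is really on the running JVM's command line, and then check trust from the client side, which is a separate matter from the JVM store as Jochen's last reply says. The store path /etc/graylog/cacerts.jks is the one from the thread; /etc/graylog/server.crt, the alias graylog-self-signed, the graylog system user and the JDK 8 cacerts location are assumptions. Because the store is a copy of the stock cacerts, its password stays changeit and the trustStorePassword option is not needed; if you do set one, remember it is readable in the sysconfig file and in /proc/<pid>/cmdline.

```shell
#!/bin/sh
# Added example (not from the thread or the Graylog project). Assumed paths:
# /etc/graylog/cacerts.jks (from the thread), /etc/graylog/server.crt, the
# alias "graylog-self-signed", the "graylog" user and the JDK 8 stock cacerts.
SYSCONFIG=/etc/sysconfig/graylog-server

# Step 1 (docs): copy the stock JVM cacerts and import the self-signed cert.
# The copy keeps the default "changeit" password, so no trustStorePassword.
import_self_signed() {        # import_self_signed SRC_CACERTS DEST_JKS CERT_PEM
    cp -L "$1" "$2"           # -L: the stock cacerts is often a symlink
    keytool -importcert -noprompt -trustcacerts -alias graylog-self-signed \
        -file "$3" -keystore "$2" -storepass changeit
    chown root:graylog "$2" && chmod 640 "$2"   # JVM must read it, nobody else needs to
    keytool -list -keystore "$2" -storepass changeit -alias graylog-self-signed
}

# Step 2 (thread): put the JVM option inside the quoted GRAYLOG_SERVER_JAVA_OPTS
# value, even when that value spans several lines. Idempotent: any earlier
# trustStore/trustStorePassword option is stripped first. The path must not
# contain '&' or '\' (awk sub() treats them specially).
set_truststore_opt() {        # set_truststore_opt FILE JKS_PATH [STORE_PASSWORD]
    file=$1
    opt="-Djavax.net.ssl.trustStore=$2"
    [ -n "${3:-}" ] && opt="$opt -Djavax.net.ssl.trustStorePassword=$3"
    tmp=$(mktemp)
    sed -E 's/[[:space:]]*-Djavax\.net\.ssl\.trustStore(Password)?=[^[:space:]"]*//g' "$file" |
    awk -v opt="$opt" '
        /^GRAYLOG_SERVER_JAVA_OPTS="/ { inval = 1 }            # assignment starts here
        inval && /"[[:space:]]*$/ {                             # line carrying the closing quote
            sub(/"[[:space:]]*$/, " " opt "\""); inval = 0; done = 1
        }
        { print }
        END { if (!done) print "GRAYLOG_SERVER_JAVA_OPTS=\"" opt "\"" }   # variable absent: add it
    ' > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place, keeping owner and mode
    rm -f "$tmp"
    [ -n "${3:-}" ] && chmod 640 "$file"   # a password in JAVA_OPTS is readable by whoever reads the file
    return 0
}

# Read back the configured store path (empty if none).
truststore_path_of() {        # truststore_path_of FILE
    sed -nE 's/.*-Djavax\.net\.ssl\.trustStore=([^[:space:]"]*).*/\1/p' "$1" | head -n 1
}

# Step 3 (check): the flag must be on the live JVM's command line, not only in
# the file. If this prints nothing after a restart, the file was not re-read.
running_jvm_truststore() {    # prints the -Djavax.net.ssl.trustStore=... of the graylog-server JVM
    pid=$(systemctl show -p MainPID graylog-server | cut -d= -f2)
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "graylog-server not running" >&2; return 1; }
    tr '\0' '\n' < "/proc/$pid/cmdline" | grep '^-Djavax\.net\.ssl\.trustStore='
}

# Step 4 (client side, Jochen's last reply): the JVM store only governs TLS
# connections the Graylog JVM makes itself. Browsers and curl keep their own
# trust list, so hand the certificate to the client explicitly and verify.
verify_from_client() {        # verify_from_client HOST PORT CERT_PEM
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null |
        grep 'Verify return code'          # "0 (ok)" once the cert is trusted
    curl -sS --cacert "$3" -o /dev/null -w '%{http_code}\n' "https://$1:$2/"
}

# Constructed sample of the sysconfig file as pasted in the thread (the quoted
# value wrapped over four lines), for trying the edit offline.
write_sample_sysconfig() {    # write_sample_sysconfig FILE
    cat > "$1" <<'EOF'
# Path to the java executable.
JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server
-XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
-XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
-XX:-OmitStackTraceInFastThrow"

# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""
EOF
}

# Usage on the server, as root, followed by `systemctl restart graylog-server`:
#   import_self_signed /usr/lib/jvm/jre/lib/security/cacerts /etc/graylog/cacerts.jks /etc/graylog/server.crt
#   set_truststore_opt "$SYSCONFIG" /etc/graylog/cacerts.jks
#   running_jvm_truststore
#   verify_from_client graylog.example.org 443 /etc/graylog/server.crt   # hostname is an assumption
```

The edit appends the option just before the closing quote of the existing assignment rather than adding a second `GRAYLOG_SERVER_JAVA_OPTS=` line, because the file is read as an environment file, not sourced by a shell, so a later line would silently replace the heap and GC settings instead of extending them.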