
This is my first time working with Java Key Store and I am having a bit of difficulty. I have ServerA sending logs to ServerB. I am able to establish an insecure http communication that traffics the logs. However, when incorporating JKS to establish a secure communication using https, nothing seems to be received by ServerB. How can two servers communicate securely using JKS?

Below is how I am currently setting all of this up:

Creating a keystore in ServerA:

In ServerA, generate a self-signed certificate in the keystore

keytool -genkey \
        -alias jkstest \
        -keyalg RSA \
        -validity 365 \
        -keystore /apps/logstash/jkstest.jks \
        -keysize 2048

In ServerA, extract the certificate

keytool -export \
        -rfc -alias jkstest \
        -keystore /apps/logstash/jkstest.jks \
        -file /apps/logstash/jkstest.crt \
        -storepass somepass

From ServerA, copy the key store to ServerB

scp /apps/logstash/jkstest.jks username@serverb.com:/apps/logstash/jkstest.jks

I am using logstash to send logs from ServerA to ServerB. It is a pretty straightforward application to download and install. The crucial/important part is in the configuration where the JKS is used:

ServerA config.conf

input {
        file {
                path => "/var/log/apache2/error.log"
                start_position => beginning
        }
}
output {
        stdout { codec => rubydebug { metadata => true } }
        http {
                http_method => "post"
                codec => "json_lines"
                url => "https://serverb.com:5000/"
                ssl_certificate_validation => true
                cacert => "/apps/logstash/jkstest.crt"
        }
}

ServerB config.conf

input {
  http {
        port => 5000
        codec => json
        ssl => true
        keystore => "/apps/logstash/jkstest.jks"
        keystore_password => "hardt0gu355"
  }
}
output {
        stdout { codec => rubydebug { metadata => true } }
}

To start sending and receiving logs:

ServerA start logstash

bin/logstash agent -f config.conf -l logstash.log

ServerB start logstash

bin/logstash agent -f config.conf -l logstash.log
MaryCoding
  • Try with `ssl_certificate_validation => false`; since it's a self-signed certificate it probably can't be fully validated. – Redlab Jan 24 '17 at 16:08
  • It's been a long time since I did one of these, but since you are using a self-signed cert, you won't be able to import it as a 'trusted cert-chain', and chaining it to one of the pre-packaged trusted cert authorities. So, for the other server to trust, it probably has to be manually imported as a trusted cert on both ends? – djangofan Jan 31 '17 at 18:05
  • @djangofan I am not sure if I did something similar to that, but still nothing gets received in the other server. Can you test on your end to see if the way you did it still works? – MaryCoding Jan 31 '17 at 19:05
  • Maybe this provides another hint. I can't really add more to this: http://stackoverflow.com/questions/23227849/client-server-ssl-communication-self-signed-certificate – djangofan Feb 01 '17 at 01:57

2 Answers


Not 100% sure, but on server A you should configure a truststore with your generated certificate as a trusted certificate.

Not a cacert (unless you also have a certificate authority certificate, but yours seems self-signed).

Redlab
  • Good point. I created a `truststore` on `serverA`, using the certificate that I created in `ServerB` from its own `keystore`. However, no luck. Ran this on `serverA` to create the truststore: `keytool -importcert -file serverB.cer -alias mycert -keystore truststore.jks`. Are you able to replicate or get it to communicate over ssl? – MaryCoding Jan 24 '17 at 16:59
  • I had it working with beats (e.g. FileBeat) to LogStash, following https://www.elastic.co/guide/en/beats/filebeat/5.0/configuring-ssl-logstash.html – Redlab Jan 24 '17 at 17:03
  • Filebeat is the preferred solution. However, I am trying to get this to work from logstash to logstash instance. – MaryCoding Jan 24 '17 at 18:22

You have two approaches in your case:

When you have ssl_certificate_validation=true, you should provide a truststore on both sides, ServerA and ServerB. In your setup you provide only cacert on ServerA and keystore on ServerB. But you should have a keystore and a truststore defined on both servers.

So you can do the following:

1) Use the same keystore on both servers and the same truststore on both servers too. This is a very insecure approach.

2) Generate independent server and client keystores and then exchange their public keys (certs); see the example at http://ruchirawageesha.blogspot.com/2010/07/how-to-create-clientserver-keystores.html. In this case you can use cacert instead of truststore.

Or you can generate an independent CA and generate signed certificates (https://jamielinux.com/docs/openssl-certificate-authority/introduction.html). This is a much better approach, but maybe it will be a little overhead in your case.

Evgeny Kiselev
  • I followed the 2nd option but it still didn't work. The [output plugin](https://www.elastic.co/guide/en/logstash/2.2/plugins-outputs-http.html) has two flags `keystore` and `truststore`. I tested with both and nothing. – MaryCoding Feb 02 '17 at 14:51
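Option 2 of the answer above (separate keystores per server, each side trusting the other's exported certificate) written out as an added keytool script; this is example code, not from the question, the answers or Logstash. It assumes keytool is on PATH, and the hostname servera.com and the password in PASS are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Builds separate keystores for ServerA and ServerB and cross-imports their
# certificates into truststores. Assumptions: keytool is on PATH; the
# hostname servera.com and the password in PASS are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="${PASS:-changeit}"   # placeholder, pass a real secret via the environment

# Create a self-signed RSA key pair for one host and export its certificate.
# $1 = alias (also used as file name), $2 = hostname placed in CN and SAN
# (the SAN is what hostname verification checks on the client side).
make_identity() {
    keytool -genkeypair -storetype JKS -alias "$1" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=$2" -ext "SAN=dns:$2" \
        -keystore "$WORKDIR/$1.jks" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -rfc -alias "$1" -keystore "$WORKDIR/$1.jks" \
        -storepass "$PASS" -file "$WORKDIR/$1.crt"
}

# Import the peer's certificate into this side's truststore as a trusted entry.
# $1 = this side's alias, $2 = peer alias (its .crt must already exist)
trust_peer() {
    keytool -importcert -noprompt -storetype JKS -alias "$2" \
        -file "$WORKDIR/$2.crt" \
        -keystore "$WORKDIR/$1-truststore.jks" -storepass "$PASS"
}

# Exit status 0 when $1's truststore contains an entry for alias $2.
trusts() {
    keytool -list -alias "$2" -keystore "$WORKDIR/$1-truststore.jks" \
        -storepass "$PASS" >/dev/null 2>&1
}

# Each server keeps its own private key; each trusts only the other's cert.
setup_mutual_trust() {
    make_identity servera servera.com
    make_identity serverb serverb.com
    trust_peer servera serverb
    trust_peer serverb servera
}

if command -v keytool >/dev/null 2>&1; then
    setup_mutual_trust >/dev/null
    echo "keystores and truststores written to $WORKDIR"
else
    echo "keytool not found; nothing generated" >&2
fi
```

ServerA's http output can then point `cacert` at serverb.crt (or `truststore` at servera-truststore.jks), while ServerB's http input uses serverb.jks as its `keystore`.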