Error with Single Sign-On on TheHive with X.509 Certificates #600

Closed
EricPE69 opened this issue Jun 5, 2018 · 9 comments
@EricPE69

EricPE69 commented Jun 5, 2018

Error with Single Sign-On on TheHive with X.509 Certificates

Request Type

Bug /

Work Environment

Question Answer
OS version (server) SLES 12 SP2
OS version (client) Windows 7
TheHive version / git hash 3.0.9
Package Type Binary
Browser type & version Chrome 66, IE11

Problem Description

I configured TheHive as described in the documentation, and when I try to log on by SSL I get the logon screen and in the log there are errors about certificate/pki:
[warn] application - /applis/xagcla/pur/xagcla02/par/application.conf: 50: auth.type is deprecated, use auth.provider instead
[error] s.TheHiveAuthSrv - Authentication module pki not found
[info] play.api.Play - Application started (Prod)
[info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
[info] p.c.s.AkkaHttpServer - Listening for HTTPS on /0.0.0.0:9443
[warn] application - /applis/xagcla/pur/xagcla02/par/application.conf: 5: play.crypto.secret is deprecated, use play.http.secret.key instead
[warn] application - /applis/xagcla/pur/xagcla02/par/application.conf: 5: play.crypto.secret is deprecated, use play.http.secret.key instead
[error] o.e.c.Authenticated - Authentication failure:
session: AuthenticationError User session not found
pki: AuthenticationError Certificate doesn't contain user information
key: AuthenticationError Authentication header not found
basic: AuthenticationError Authentication header not found
init: AuthenticationError Use of initial user is forbidden because users exist in database
[info] o.e.ErrorHandler - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:220)
at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:304)
at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)

Steps to Reproduce

Config in application.conf:
https.port: 9443
play.server.https.keyStore {
path: "/applis/yyyyy.jks"
type: "JKS"
password: "xxxxxxx"
}
play.server.https.trustStore {
path: "/applis/yyyyy.jks"
type: "JKS"
password: "xxxxxxx"
}

auth.method.pki = true # enable PKI authentication method
auth.pki.certificateField = uid
auth {
# "type" parameter contains the authentication provider(s). It can be multi-valued, which is useful
# for migration.
# The available auth types are:
# - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No
# configuration are required.
# - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in
# the "ad" section below.
# - ldap : use LDAP to authenticate users. The associated configuration shall be done in the
# "ldap" section below.
type = [pki,local]

@To-om To-om self-assigned this Jun 5, 2018
@To-om
Contributor

To-om commented Jun 5, 2018

According to the log messages, your browser doesn't use a client certificate to connect to TheHive.
Are you sure that the certificate authority of the certificate installed in your browser is in the truststore (/applis/yyyyy.jks)?

@EricPE69
Author

EricPE69 commented Jun 5, 2018

I think so.
In the JKS I have all the qualification CAs of my company and I have a certificate which corresponds. They are not new.
The CA (with keytool):
Entry type: trustedCertEntry
Owner: EMAILADDRESS=aaaaa, CN=CA pppppp Qualification, OU=0002 13000548100010, O=pppppp, C=FR
Issuer: CN="RCA pppppp Qualification ", OU=0002 13000548100010, O=pppppp , C=FR
Serial number: 123
Valid from: Thu Oct 09 18:16:51 CEST 2014 until: Wed Oct 09 18:16:51 CEST 2024

The certificate, issued by:
CN = CA pppppp Qualification
OU = 0002 13000548100010

How can I set debug flags?

@To-om
Contributor

To-om commented Jun 5, 2018

If you run the command openssl s_client -connect <THE_HIVE_IP_ADDRESS>:9443 you should see a section "Acceptable client certificate CA names".
If the client certificate is not requested, you will see "No client certificate CA names sent".

@EricPE69
Author

EricPE69 commented Jun 5, 2018

This is what's happening:

subject=/C=FR/O=ddddddd/OU=0002 13000548100010/CN=sl00z2
issuer=/C=FR/O=ddddddd/OU=0002 13000548100010/CN=AC ddddddd Qualification Applications/emailAddress=xxxxxxxxxxxxxxxxxxxxxxxxxxxx

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2210 bytes and written 419 bytes

I use the same JKS for:

  • the server certificate and its private key
  • the certificates of 12 different CAs

Can that raise a problem?
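An added example, not TheHive's own code, that scripts the two checks this thread turns on: whether the openssl s_client output advertises acceptable client CA names at all and lists the issuer of the client certificate, and whether the certificate subject carries the attribute named by auth.pki.certificateField. The two s_client samples are constructed from the output above in OpenSSL 1.0 slash-separated DN form; function names and the second sample's CA list are assumptions.

```python
# Constructed samples in the shape of OpenSSL 1.0-style `openssl s_client` output.
# First: a server that never requests a client certificate (the case on this page).
S_CLIENT_NO_REQUEST = """\
subject=/C=FR/O=ddddddd/OU=0002 13000548100010/CN=sl00z2
issuer=/C=FR/O=ddddddd/OU=0002 13000548100010/CN=AC ddddddd Qualification Applications
No client certificate CA names sent
Peer signing digest: SHA512
"""
# Second (constructed): a server that requests one and advertises two acceptable CAs.
S_CLIENT_REQUEST = """\
subject=/C=FR/O=ddddddd/OU=0002 13000548100010/CN=sl00z2
issuer=/C=FR/O=ddddddd/OU=0002 13000548100010/CN=AC ddddddd Qualification Applications
Acceptable client certificate CA names
/C=FR/O=ddddddd/OU=0002 13000548100010/CN=AC ddddddd Qualification Applications
/C=FR/O=pppppp/OU=0002 13000548100010/CN=RCA pppppp Qualification
---
Peer signing digest: SHA512
"""

def parse_dn(dn):
    """Parse a '/C=FR/O=x/CN=y' DN into a dict with lower-cased attribute names."""
    out = {}
    for part in dn.strip().strip("/").split("/"):
        key, _, value = part.partition("=")
        out.setdefault(key.strip().lower(), value.strip())
    return out

def acceptable_client_cas(output):
    """CA DNs the server lists in its CertificateRequest; [] when it never asks."""
    lines = output.splitlines()
    if "Acceptable client certificate CA names" not in lines:
        return []  # the 'No client certificate CA names sent' case
    cas = []
    for line in lines[lines.index("Acceptable client certificate CA names") + 1:]:
        if line.startswith("---"):
            break
        cas.append(parse_dn(line))
    return cas

def issuer_accepted(output, issuer_dn):
    """True when the client certificate's issuer CA is among the advertised CAs."""
    return parse_dn(issuer_dn) in acceptable_client_cas(output)

def user_from_subject(subject_dn, certificate_field="uid"):
    """Mirror auth.pki.certificateField: the login name is that subject attribute."""
    attrs = parse_dn(subject_dn)
    if certificate_field.lower() not in attrs:
        raise ValueError("Certificate doesn't contain user information")
    return attrs[certificate_field.lower()]
```

Run against the first sample, the issuer check fails for every CA, which is the symptom the thread describes; the subject check fails separately because the subject above has a CN but no uid.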

@To-om To-om added the bug label Jun 8, 2018
@To-om
Contributor

To-om commented Jun 8, 2018

I confirm the bug. I'm trying to find a solution.

@billmurrin

I also noticed when testing that, when visiting the site, I am never prompted for the client-side certificate.

The docs also do not mention what auth.type should be in the configuration in order to use PKI, is it still local?

@To-om
Contributor

To-om commented Jun 9, 2018

@billmurrin
auth.method defines how TheHive checks if a user is authenticated (using session cookie, API key, pki, ...).
auth.provider (previously auth.type) defines how TheHive validates user credentials (local, ldap, ad, ...).

@To-om To-om modified the milestones: next release, 3.1.0 (Cerana 1) Jun 11, 2018
@To-om
Contributor

To-om commented Jun 11, 2018

The issue has been fixed by the commit TheHive-Project/elastic4play@5471549, which will be included in the next release.

@To-om To-om closed this as completed Jun 11, 2018
@EricPE69
Author

EricPE69 commented Jun 11, 2018 via email
