PKCS8 Fix Attempt #1

2025-12-29 04:13:13 +01:00 · 2018-10-09 10:32:08 -04:00
parent 774b0a91ba
commit 0be926715d
6 changed files with 49 additions and 7 deletions
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -844,7 +844,7 @@ output.logstash:
  ssl.certificate: "/usr/share/filebeat/filebeat.crt"

  # Client Certificate Key
-  ssl.key: "/usr/share/filebeat/filebeat.key"
+  ssl.key: "/usr/share/filebeat/filebeat.p8"

  # Optional passphrase for decrypting the Certificate Key.
  #ssl.key_passphrase: ''
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -60,5 +60,5 @@ so-filebeat:
      - /nsm/bro/spool/manager:/nsm/bro/spool:ro
      - /opt/so/log/suricata:/suricata:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
-      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+      - /opt/so/conf/filebeat/etc/pki/filebeat.p8:/usr/share/filebeat/filebeat.p8:ro
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -212,6 +212,33 @@ enable_standard_beats_5044_{{ip}}:

 {% endfor %}

+# Allow Analysts
+{% for ip in pillar.get('analyst')  %}
+
+enable_standard_analyst_80_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 80
+    - position: 1
+    - save: True
+
+enable_standard_analyst_443_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 443
+    - position: 1
+    - save: True
+
+{% endfor %}
+
 # Rules for storage nodes connecting to master


--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -9,7 +9,7 @@ input {
    ssl => true
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
-    ssl_key => "/usr/share/logstash/filebeat.key"
+    ssl_key => "/usr/share/logstash/filebeat.p8"
    tags => [ "beat" ]
  }
-}
+}
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -131,5 +131,5 @@ so-logstash:
      - /opt/so/log/logstash:/var/log/logstash:rw
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
-      - /etc/pki/filebeat.key:/usr/share/logstash/filebeat.key:ro
+      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.p8:ro
      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -31,6 +31,13 @@ m2cryptopkgs:
        bits: 4096
        backup: True

+# Convert the key to pkcs#8 so logstash will work correctly.
+filebeatpkcs:
+  cmd.run:
+    - name: /usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8
+    - onchanges:
+      - file: /etc/pki/filebeat.key
+
 # Create Symlinks to the keys so I can distribute it to all the things
 filebeatdir:
  file.directory:
@@ -39,8 +46,8 @@ filebeatdir:

 fbkeylink:
  file.symlink:
-    - name: /opt/so/saltstack/salt/filebeat/files/filebeat.key
-    - target: /etc/pki/filebeat.key
+    - name: /opt/so/saltstack/salt/filebeat/files/filebeat.p8
+    - target: /etc/pki/filebeat.p8

 fbcrtlink:
  file.symlink:
@@ -83,4 +90,12 @@ fbcertdir:
        bits: 4096
        backup: True

+# Convert the key to pkcs#8 so logstash will work correctly.
+filebeatpkcs:
+  cmd.run:
+    - name: /usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8
+    - onchanges:
+      - file: /opt/so/conf/filebeat/etc/pki/filebeat.p8
+
+
 {% endif %}