Wazuh SOAR communication API call error (cert issue)


HA

Mar 28, 2023, 5:29:16 AM
to Wazuh mailing list
Hello,

I need to configure Wazuh to make an API call to my SOAR solution (N8N) when the Alert module is triggered (Threshold over specific value).
On Wazuh I can see the following error message:
Error: Failed running action: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The SOAR solution's cert is not trusted (self-signed).
How can I add the certificate on Wazuh to avoid this error?

In general, how do I add a cert and CA cert to Wazuh?

Regards,

HA

Miguel Keane

Mar 28, 2023, 9:06:52 AM
to Wazuh mailing list
Hi HA, 

in regards to your question, you could try the following steps: 

  1. Generate your certificates, you can use your own CA file. Here is the documentation on the topic: https://documentation.wazuh.com/current/user-manual/certificates.html
       Make sure to follow the steps carefully and use the following command: bash wazuh-certs-tool.sh -A /path/to/root-ca.pem /path/to/root-ca.key
  2. Replace the certificates where appropriate. You can go to our Installation guide and check all folders necessary to change.
        Wazuh Server: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#deploying-certificates
        Wazuh Indexer: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#deploying-certificates
        Wazuh Dashboard: https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html#deploying-certificates
  3. Now, for the Wazuh API, you can securely change the certificates using the following guide: https://documentation.wazuh.com/current/user-manual/api/securing-api.html#recommended-changes-to-secure-the-wazuh-api
       Basically, you would need to add the certificates here: /var/ossec/api/configuration/ssl/server.key & /var/ossec/api/configuration/ssl/server.crt and restart the Wazuh Manager.

If these steps do not work, you can attempt to use the following instructions:

  1. Export the CA certificate.
  2. Copy the certificate to the Wazuh manager.
  3. Add the certificate to the Java truststore used by Wazuh by running the following command: keytool -import -alias <alias> -file <certificate_file> -keystore <truststore_file> -storepass <truststore_password>
  4. Restart the Wazuh manager.

Let me know if you manage to solve your issue. 

Best regards, 
Miguel Keane

HA

Mar 30, 2023, 2:34:16 AM
to Wazuh mailing list
Hi,

First, thanks for your help.
I don't want to replace the Wazuh cert in my case. When Wazuh performs the API call (using HTTPS) to the SOAR (N8N), the SOAR presents its self-signed certificate, which is not trusted by Wazuh, so the communication fails...

Regards,

HA

Paul Werther

Oct 11, 2024, 5:27:43 AM
to Wazuh | Mailing List
Hey,

Found the solution: the problem is that the wazuh-indexer uses a custom Java keystore (/usr/share/wazuh-indexer/jdk/lib/security/cacerts) in order to verify the SSL certificates. You can easily import your own CA certificate with:

# cacerts is the keystore file itself, so change into the directory that holds it
cd /usr/share/wazuh-indexer/jdk/lib/security
keytool -importcert -file /path/to/ca/ca.cer -alias YOURCA -keystore cacerts

Cheers.
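
An added example, not part of the thread or of Wazuh's own tooling: the keytool import described in the last reply, extended to refuse the import unless the certificate's SHA-256 fingerprint matches a value obtained out of band, and to back up the truststore first. The function names and the KEYSTORE override are assumptions; the cacerts path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example. Assumes openssl and keytool are on PATH and the CA file is PEM.
KEYSTORE="${KEYSTORE:-/usr/share/wazuh-indexer/jdk/lib/security/cacerts}"

# Normalize a fingerprint: drop colons and whitespace, lower-case the hex digits,
# so "AB:CD" (openssl/keytool style) and "abcd" compare equal.
fp_normalize() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only when both fingerprints are non-empty and identical once normalized.
fp_match() {
    a=$(fp_normalize "$1")
    b=$(fp_normalize "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of a PEM certificate (empty output on any error).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# import_ca <ca_file> <alias> <expected_sha256>
# Returns 1 without touching the keystore when the fingerprint cannot be read
# or does not match; returns 2 when the backup or the import itself fails.
import_ca() {
    ca_file=$1
    ca_alias=$2
    expected=$3
    actual=$(cert_fingerprint "$ca_file")
    if ! fp_match "$actual" "$expected"; then
        echo "fingerprint check failed for $ca_file, not importing" >&2
        return 1
    fi
    # Keep a timestamped copy so the change can be rolled back.
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)" || return 2
    # keytool prompts for the keystore password; -noprompt only skips the trust question.
    keytool -importcert -noprompt -file "$ca_file" -alias "$ca_alias" \
        -keystore "$KEYSTORE" || return 2
    # Show the stored entry so its fingerprint can be compared once more.
    keytool -list -alias "$ca_alias" -keystore "$KEYSTORE"
}

# Usage (placeholder values):
#   import_ca /path/to/ca/ca.cer YOURCA '<sha256 fingerprint from the SOAR admin>'
```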