Hello Nicolas,
Thank you very much for sharing detailed steps!
I felt like I replied yesterday, but somehow could not find that thread. Don’t understand what went wrong! Apologies if my post is a duplicate.
Anyway, I need some more clarification on the following:
If I run the password tool on any indexer, will the changes get replicated to all nodes? After the passwords get generated, we get this message - WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
There are 6 new passwords. admin & kibanaserver passwords are to be configured in the manager & dashboard respectively? What about the remaining users’ passwords, i.e. kibanaro, logstash, readall & snapshotrestore?
After running the tool on any manager, it will generate passwords for two users - wazuh & wazuh-wui. This wazuh-wui password is to be updated in the dashboard’s wazuh.yml? So this will be the only clear-text password.
Which one is the Dashboard GUI login password here? Is it the one which got generated on indexer for admin user which is to be updated on manager (filebeat)?
Is there any way wherein I can bypass the password generation tool and do everything manually? I will understand better with that approach, I guess!
Is it possible to view already configured passwords?
Am I allowed to set my own password instead of the one generated by the script?
Regards,
swapnils
Thank you Nicolas! That helps a lot. :)
However, getting following error:
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p 123.Xyzab
Security Admin v7
ERR: Parsing failed. Reason: Missing argument for option: cacert
usage: securityadmin.sh [-arc] [-backup <folder>] [-cacert <file>] [-cd
<directory>] [-cert <file>] [-cn <clustername>] [-dci] [-dg] [-dra]
[-ec <cipers>] [-ep <protocols>] [-er <number of replicas>] [-era]
[-esa] [-f <file>] [-ff] [-h <host>] [-i <indexname>] [-icl] [-key
<file>] [-keypass <password>] [-ks <file>] [-ksalias <alias>]
[-kspass <password>] [-kst <type>] [-migrate <folder>] [-mo
<folder>] [-nhnv] [-noopenssl] [-nrhn] [-p <port>] [-prompt] [-r]
[-rev] [-rl] [-si] [-sniff] [-t <file-type>] [-ts <file>] [-tsalias
<alias>] [-tspass <password>] [-tst <type>] [-us <number of
replicas>] [-vc <version>] [-w]
...
...
...
25/11/2022 17:58:08 ERROR: The backup could not be created
Also tried with following command -
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -f file-name
cat file-name
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
indexer_username: 'admin'
indexer_password: 'pq@Abc1xy'
Getting same error as well. (Password is altered)
Followed this article.
Regards,
swapnils
Hello Nicolas,
Here is the truncated verbose output :
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -v -f adm-pwd
29/11/2022 15:10:03 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
mkdir: cannot create directory ‘/usr/share/wazuh-indexer/backup’: File exists
Security Admin v7
ERR: Parsing failed. Reason: Missing argument for option: cacert
usage: securityadmin.sh [-arc] [-backup <folder>] [-cacert <file>] [-cd
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 177: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
cp: cannot stat ‘/usr/share/wazuh-indexer/backup/*’: No such file or directory
Security Admin v7
ERR: Parsing failed. Reason: Missing argument for option: cacert
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 549: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
29/11/2022 15:10:05 INFO: The password for user admin is XXXXXXXX
29/11/2022 15:10:05 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
Does that mean password got changed?
cat adm-pwd
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
indexer_username: 'admin'
indexer_password: 'XXXXXXXXX'
Also checked the File -
grep ^plugins.security.ssl.transport.pemtrustedcas /etc/wazuh-indexer/opensearch.yml
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
Thank you!
swapnils
Hello Nicolas,
All the commands were run with the root user.
# ll /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh
-rwxr----- 1 wazuh-indexer wazuh-indexer 37937 Nov 11 19:00 /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh
# ll /etc/wazuh-indexer/certs/root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1184 Aug 26 12:53 /etc/wazuh-indexer/certs/root-ca.pem
# whoami
root
Following command also gives me same error -
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -v -u admin -p XXXXXXXX
Security Admin v7
ERR: Parsing failed. Reason: Missing argument for option: cacert
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 177: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
30/11/2022 08:56:10 INFO: Generating password hash
cp: cannot stat ‘/usr/share/wazuh-indexer/backup/*’: No such file or directory
Security Admin v7
ERR: Parsing failed. Reason: Missing argument for option: cacert
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 549: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
30/11/2022 08:56:11 WARNING: Password changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
Do I need to give read permission to others? Or what else needs to be done?
Regards,
swapnils
Hello Nicolas/Team,
I updated the password under filebeat of all managers, generated earlier with the command /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -v -u admin -p XXXXXXXX. Restarted the filebeat service and tried logging in to the dashboard GUI, but it took the old password itself.
How to make it work? Please help!
Thanks,
swapnils
Hello Nicolas,
I figured out the issue. The certificate error was getting popped up because of the following entries -
[root@indexer1 ~]# grep "plugins.security.ssl.transport.pemtrustedcas_filepath: " /etc/wazuh-indexer/opensearch.yml
#plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca1.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca2.pem
I tweaked the password script a little, as: grep "^plugins.security.ssl.transport.pemtrustedcas_filepath: " /etc/wazuh-indexer/opensearch.yml
This worked for me. This change can be considered for incorporation in the Wazuh script available online (to have an exact match).
For remaining users/accounts, I shall work and let you know if assistance is needed.
Appreciate your help!
Regards,
swapnils
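
The difference the anchored grep in the last post makes, as an added example that is not part of the thread and not code from wazuh-passwords-tool.sh: the setting name and certificate paths come from the thread, while the function names and the sample file are constructed for illustration. It also goes one step further than the post by refusing to continue unless exactly one active setting is found.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the Wazuh script.
KEY_RE='plugins\.security\.ssl\.transport\.pemtrustedcas_filepath'

# Constructed opensearch.yml fragment mirroring the two lines quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
network.host: "0.0.0.0"
#plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca1.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca2.pem
EOF
}

# Unanchored match: the commented-out line is returned as well, so the
# caller receives two values where it expects a single file path.
lookup_unanchored() {
    grep "${KEY_RE}: " "$1" | sed -E "s/.*${KEY_RE}:[[:space:]]*//"
}

# Anchored match: only uncommented settings count, and anything other than
# exactly one active value is treated as an error instead of being passed on.
lookup_active() {
    local matches count
    matches=$(grep -E "^[[:space:]]*${KEY_RE}:" "$1" \
        | sed -E "s/^[[:space:]]*${KEY_RE}:[[:space:]]*//; s/[[:space:]]+\$//")
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one active trusted-CA setting, found ${count}" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
echo "unanchored: $(lookup_unanchored "$SAMPLE" | wc -l | tr -d ' ') value(s)"
echo "anchored:   $(lookup_active "$SAMPLE")"
```
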