
Error with Single Sign-On on TheHive with X.509 Certificates #600

Closed
@EricPE69

Request Type

Bug /

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | SLES 12 SP2 |
| OS version (client) | Windows 7 |
| TheHive version / git hash | 3.0.9 |
| Package Type | Binary |
| Browser type & version | Chrome 66, IE11 |

Problem Description

I configured TheHive as described in the documentation, and when I try to log on over SSL I get the logon screen, and in the log there are errors about certificate/PKI:
```
[warn] application - /applis/xagcla/pur/xagcla02/par/application.conf: 50: auth.type is deprecated, use auth.provider instead
[error] s.TheHiveAuthSrv - Authentication module pki not found
[info] play.api.Play - Application started (Prod)
[info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
[info] p.c.s.AkkaHttpServer - Listening for HTTPS on /0.0.0.0:9443
[warn] application - /applis/xagcla/pur/xagcla02/par/application.conf: 5: play.crypto.secret is deprecated, use play.http.secret.key instead
[warn] application - /applis/xagcla/pur/xagcla02/par/application.conf: 5: play.crypto.secret is deprecated, use play.http.secret.key instead
[error] o.e.c.Authenticated - Authentication failure:
session: AuthenticationError User session not found
pki: AuthenticationError Certificate doesn't contain user information
key: AuthenticationError Authentication header not found
basic: AuthenticationError Authentication header not found
init: AuthenticationError Use of initial user is forbidden because users exist in database
[info] o.e.ErrorHandler - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:220)
    at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:304)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
```

Steps to Reproduce

Config in application.conf:
```
https.port: 9443
play.server.https.keyStore {
  path: "/applis/yyyyy.jks"
  type: "JKS"
  password: "xxxxxxx"
}
play.server.https.trustStore {
  path: "/applis/yyyyy.jks"
  type: "JKS"
  password: "xxxxxxx"
}

auth.method.pki = true # enable PKI authentication method
auth.pki.certificateField = uid
auth {
  # "type" parameter contains the authentication provider(s). It can be multi-valued, which is useful
  # for migration.
  # The available auth types are:
  # - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No
  # configuration are required.
  # - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in
  # the "ad" section below.
  # - ldap : use LDAP to authenticate users. The associated configuration shall be done in the
  # "ldap" section below.
  type = [pki,local]
```
