Now that we have a working installation of Graylog (Part One), it is time to make some configuration changes to improve security by enabling SSL/TLS.
The first step is to generate a suitable certificate/key pair. This post will assume you have access to a CA in order to obtain the required signed certificates.
We will use OpenSSL on the Graylog server to create our private key and our certificate signing request or CSR.
First step is to create a request template, fire up your favourite text editor and create a file similar to below.
Note that you will need to change the values in the [req_distinguished_name] and [alt_names] sections to suit your own requirements.
Save the file as graylog.cnf
Create the private key, entering a secure password when prompted
openssl genrsa -aes128 -out graylog.key 4096
and create the CSR using the private key and the template.
openssl req -sha256 -key graylog.key -new -out graylog.csr -config graylog.cnf
Submit the graylog.csr file to your preferred CA ensuring you receive the certificate as a Base64 encoded PEM file.
Graylog needs the private key in PKCS8 format so we need to do a quick conversion.
openssl pkcs8 -in graylog.key -topk8 -out graylogPKCS8.key -passout pass:<Your private key password>
Now we need to create a new directory to house our PKCS8 private key and certificate.
sudo mkdir /etc/graylog/ssl
Copy the certificate and graylogPKCS8.key into this newly created folder.
To assist in securing these files we will change some permissions on the folder
sudo chgrp graylog /etc/graylog/ssl
sudo chmod 755 /etc/graylog/ssl
Now we will set the permissions on the files, first promoting ourselves to the root user
chmod 644 <Certificate file name>
chgrp graylog graylogPKCS8.key
chmod 640 graylogPKCS8.key
OK, now if we used an internal CA to sign our certificate we will need to make sure that our Graylog server trusts the CA. If you used a public CA you shouldn’t have to do this section.
Create a new directory for your root certificate in /usr/local/share/ca-certificates/
sudo mkdir /usr/local/share/ca-certificates/MyCA
sudo chmod 755 /usr/local/share/ca-certificates/MyCA
Copy the root certificate of your internal CA to this new folder in PEM format and then set appropriate permissions
sudo chmod 644 /usr/local/share/ca-certificates/MyCA/MyCARoot.cer
Now run the following to add the cert to your servers root CA list.
We also need to add the CA certificate to our Java keystore with the following command:
sudo keytool -keystore /etc/ssl/certs/java/cacerts -importcert -alias MyCA -file /usr/local/share/ca-certificates/MyCA/MyCARoot.cer
Alright, now that all our certificates are in place it is time to update our Graylog configuration file.
Using your preferred text editor, open the file /etc/graylog/server/server.conf
Look for the following lines and update:
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/ssl/<Certificate Name>
rest_tls_key_file = /etc/graylog/ssl/graylogPKCS8.key
rest_tls_key_password = <Password we used to create our private key>
web_enable_tls = true
web_tls_cert_file = /etc/graylog/ssl/<Certificate Name>
web_tls_key_file = /etc/graylog/ssl/graylogPKCS8.key
web_tls_key_password = <Password we used to create our private key>
The last change we need to make is to configure some SSL options for the JVM that runs the web server process to ensure it only accepts secure encryption algorithms.
Create a file in /etc/graylog/server called security.options and enter the following lines
jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, 3DES_EDE_CBC, EC keySize < 160, RSA keySize < 2048, DH keySize < 2048, DSA keySize < 2048, DHE keySize < 2048, ECDH keySize < 2048, ECDHE keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048
Now edit the file /etc/default/graylog-server.
Look for the GRAYLOG_SERVER_JAVA_OPTS section and add in the following options
It should look something like this:
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -Djdk.tls.ephemeralDHKeySize=2048 -Djava.security.properties=/etc/graylog/server/security.options -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"
Save and exit.
Now we are ready to restart Graylog with our new settings.
sudo systemctl restart graylog-server.service
After a short while we should be able to access our newly TLS secured Graylog server at https://<FQDN of Graylog Server>:9000
Check the system and graylog log files to assist in troubleshooting any startup issues.
sudo tail --f /var/log/syslog
sudo tail --f /var/log/graylog-server/server.log
In the next post in this series, we will configure Active Directory as an external authentication source.