[graylog2] Re: SSL JVM
Hi,

as long as you don't add your self-signed certificate to the trusted certificates of your web browsers as well, that "insecure" notification will remain. Please consult the documentation of your web browser for this.

Cheers,
Jochen

On Wednesday, 15 February 2017 17:04:02 UTC+1, CTuser wrote:
> Hi Jochen,
>
> I've written it as follows:
>
> GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server
> -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
> -XX:-OmitStackTraceInFastThrow
> -Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks"
>
> I restarted the machine and it doesn't work.
> I still see the "connection is not secure" message.

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/1b79b825-a539-4d6b-9b1c-9e87df8abdff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
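Added example (not part of the thread and not Graylog's own tooling): a shell check that the `-Djavax.net.ssl.trustStore` option from the message above is present in `GRAYLOG_SERVER_JAVA_OPTS` and points at a readable store. The function names are hypothetical; the paths and the default password `changeit` are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the paths and the default
# password "changeit" are the ones quoted in the thread.

# Print the path passed to -Djavax.net.ssl.trustStore in an option string
# (a JAVA_OPTS value or a java command line). Status 1 if the option is absent.
truststore_path() (
    set -f          # no globbing while the string is split into words
    found=
    for opt in $1; do
        case $opt in
            # trustStorePassword= does not match; a later -D overrides an earlier one
            -Djavax.net.ssl.trustStore=*) found=${opt#*=} ;;
        esac
    done
    [ -n "$found" ] && printf '%s\n' "$found"
)

# Check the trust store named in a sysconfig-style file.
# Status: 0 ok, 1 option not in GRAYLOG_SERVER_JAVA_OPTS, 2 store not readable.
check_truststore_config() (
    conf=$1 pass=${2:-changeit}
    case $conf in */*) ;; *) conf=./$conf ;; esac   # keep "." from searching PATH
    # Evaluate the file the way a shell does, so a quoted value that spans
    # several lines is read whole. Only do this with a file you trust.
    opts=$(unset GRAYLOG_SERVER_JAVA_OPTS
           . "$conf" >/dev/null 2>&1
           printf '%s' "$GRAYLOG_SERVER_JAVA_OPTS")
    store=$(truststore_path "$opts") || {
        echo "no -Djavax.net.ssl.trustStore in GRAYLOG_SERVER_JAVA_OPTS"; exit 1; }
    [ -r "$store" ] || { echo "trust store $store is not readable"; exit 2; }
    echo "trust store: $store"
    # keytool ships with the JRE; list the trusted entries when it is installed.
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$store" -storepass "$pass" 2>/dev/null |
            grep trustedCertEntry || true
    fi
)

# Usage: sh check.sh /etc/sysconfig/graylog-server [store-password]
if [ "$#" -gt 0 ]; then
    check_truststore_config "$@"
fi
```

A zero exit status covers only the server side; the browser warning discussed in the reply is decided by the browser's own certificate store.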
[graylog2] Re: SSL JVM
Hi Jochen,

I've written it as follows:

GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks"

I restarted the machine and it doesn't work.
I still see the "connection is not secure" message.
[graylog2] Re: SSL JVM
Hi,

you can add JVM settings to the GRAYLOG_SERVER_JAVA_OPTS variable.

Cheers,
Jochen

On Wednesday, 15 February 2017 13:03:45 UTC+1, CTuser wrote:
> Hi Jochen,
>
> here is the output of the JVM settings (/etc/sysconfig/graylog-server):
>
> # Path to the java executable.
> JAVA=/usr/bin/java
>
> # Default Java options for heap and garbage collection.
> GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server
> -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
> -XX:-OmitStackTraceInFastThrow"
>
> # Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
> GRAYLOG_SERVER_ARGS=""
>
> # Program that will be used to wrap the graylog-server command. Useful to
> # support programs like authbind.
> GRAYLOG_COMMAND_WRAPPER=""
>
> Where should I locate the following line?
> -Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks
[graylog2] Re: SSL JVM
Hi Jochen,

here is the output of the JVM settings (/etc/sysconfig/graylog-server):

# Path to the java executable.
JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"

# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""

# Program that will be used to wrap the graylog-server command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""

Where should I locate the following line?
-Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks
[graylog2] Re: SSL JVM
Hi,

please refer to http://docs.graylog.org/en/2.2/pages/configuration/file_location.html for the specific location of the file for the JVM settings.

Cheers,
Jochen

On Wednesday, 15 February 2017 11:15:01 UTC+1, CTuser wrote:
> Hi Jochen,
>
> I already followed the "Adding a self-signed certificate to the JVM trust
> store" section.
> I also verified that the self-signed certificate has been added
> successfully to the key store.
> I don't know how to cause the JVM to pick up the new trust store.
> According to the guide it has to be started with the JVM parameter
> -Djavax.net.ssl.trustStore=/path/to/cacerts.jks
> //it tells me nothing
>
> Please assist.
[graylog2] Re: SSL JVM
Hi Jochen,

I already followed the "Adding a self-signed certificate to the JVM trust store" section.
I also verified that the self-signed certificate has been added successfully to the key store.
I don't know how to cause the JVM to pick up the new trust store.
According to the guide it has to be started with the JVM parameter
-Djavax.net.ssl.trustStore=/path/to/cacerts.jks
//it tells me nothing

Please assist.
[graylog2] Re: SSL JVM
Hi,

the necessary steps are described in the documentation at http://docs.graylog.org/en/2.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store .

Cheers,
Jochen

On Wednesday, 15 February 2017 09:14:03 UTC+1, CTuser wrote:
> Hi,
>
> I created a self-signed certificate and currently the connection via https
> is not secure because I didn't do the JVM step.
>
> Please explain what I should do in the following step:
>
> " In order for the JVM to pick up the new trust store, it has to be
> started with the JVM parameter
> -Djavax.net.ssl.trustStore=/path/to/cacerts.jks. If you’ve been using
> another password to encrypt the JVM trust store than the default changeit,
> you additionally have to set the JVM parameter
> -Djavax.net.ssl.trustStorePassword=secret.
>
> Most start and init scripts for Graylog provide a JAVA_OPTS variable
> which can be used to pass the javax.net.ssl.trustStore and (optionally)
> javax.net.ssl.trustStorePassword system properties. "
>
> Graylog version: 2.1.2
>
> OS: CentOS 7
>
> Thanks.