Ok I've been battling this for a while with no success - Any suggestions of where to go next would be very welcome!
We've decided to use basic authentication sent over https. I have imported our root CA certificate, and using a java tool called "SSLPoke" I can get a successful connection from the ES server, to the ZenOSS server using the options -Djavax.net.ssl.keyStore={/path/to/keystore.jks} -Djavax.net.ssl.keyStorePassword={keystore password}
So that seems to suggest that the keystore and certificate configuration is ok.
Our elasticsearch.yml file contains the following section which was added when Shield was configured:
shield.ssl.keystore.path: /path/to/keystore.jks
shield.ssl.keystore.password: **********
shield.transport.ssl: true
shield.http.ssl: true
shield.ssl.ciphers: [ "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" ]
shield.ssl.protocol: TLS
hostname_verification: false
And the following section added for Watcher:
watcher.shield.encrypt_sensitive_data: true
watcher.http.ssl.keystore.path: /path/to/keystore.jks
watcher.http.ssl.keystore.password: ********
And these lines added for troubleshooting
watcher.http.ssl.truststore.path: /path/to/keystore.jks
watcher.http.ssl.truststore.password: ********
shield.http.ssl.truststore.path: /path/to/keystore.jks
shield.http.ssl.truststore.password: ********
I am still getting the following error when a watch executes:
{
"id": "zenoss_webhook",
"type": "webhook",
"status": "failure",
"reason": "SSLHandshakeException[sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; nested: ValidatorException[PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; nested: SunCertPathBuilderException[unable to find valid certification path to requested target]; "
}
The action section of the watch looks like this:
"actions" : {
"zenoss_webhook" : {
"throttle_period" : "2m",
"webhook" : {
"scheme" : "https",
"host" : "zenoss-server.our.domain",
"port" : 443,
"method" : "post",
"path" : "/zport/dmd/evconsole_router",
"params" : { },
"headers" : {
"Content-Type" : "application/json"
},
"auth" : {
"basic" : {
"username" : "zenoss user name here",
"password" : "::es_encrypted::*********"
}
},
"body" : "{"action":"EventsRouter","method":"add_event","data": [{"summary":"{{ctx.payload.hits.hits.0._source.message}}","device":"{{ctx.payload.hits.hits.0._source.host}}","component":"","severity":"Critical","evclasskey":"","evclass":"/App"}],"type":"rpc","tid":1}"
}
}
}
We do have a platinum license so I think it may be time to raise a support ticket unless anyone can spot anything I've missed.