Add SSL/TLS configuration options for Wazuh API #8015
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Updated opensearch_dashboards.yml to include SSL settings: key, cert, use_ca, ca, ssl_protocol, and ssl_ciphers. - Enhanced api-table.js to display CA certificate usage status in the API settings table. - Added new constants for SSL/TLS settings in constants.ts and updated settings-adapter.ts to handle optional fields. - Modified manage-hosts.ts to incorporate SSL/TLS settings in the host management process.
1 task
6 tasks
- Added functionality to resolve relative certificate paths based on the OpenSearch Dashboards configuration directory. - Implemented a method to create HTTPS agents with optional certificate verification based on provided host configurations. - Updated the ServerAPIClient constructor to accept a configuration directory for improved certificate handling.
- Removed outdated comments regarding SSL certificate handling to improve clarity. - Ensured consistency in the code by maintaining relevant comments while eliminating unnecessary ones. - Updated the WazuhCorePlugin to streamline the configuration directory usage for the ServerAPIClient.
- Implement SSL client certificate authentication for Wazuh API hosts - Add support for CA certificate validation (use_ca configuration) - Configure HTTPS agent with client certificates and CA when provided - Enable certificate verification when CA is configured (rejectUnauthorized: true) - Resolve certificate paths (absolute or relative to config directory) - Add proper error handling for missing certificate files This allows the dashboard to connect to Wazuh API servers configured with custom SSL certificates as specified in the Wazuh API configuration. Related to: #8002
- Removed unnecessary comment regarding certificate settings to enhance code clarity. - Maintained relevant code structure while improving readability.
- Add INFO level logs in server-api-client.ts to show when SSL certificates are configured for API hosts - Log shows client certificates and CA verification status - Improve visibility of SSL certificate configuration without requiring debug mode
- Remove trailing whitespace to comply with prettier rules
- Add type checking for key, cert, and ca fields - Validate that certificate paths are non-empty strings - Prevent processing of undefined, null, or empty string values - Improves robustness when certificate configuration is missing or incomplete
…ndling - Removed redundant comments regarding SSL certificate configuration checks. - Enhanced code clarity by streamlining the documentation within the ServerAPIClient class.
…uh API connections - Documented the addition of SSL certificate support, enabling the dashboard to use client certificates and CA certificate validation for Wazuh Manager APIs with custom SSL configurations.
…ons table - Documented the addition of a new column in the API Connections table that indicates whether CA certificate verification is enabled for each API host, enhancing clarity on SSL certificate configurations.
Desvelao
reviewed
Jan 13, 2026
Desvelao
reviewed
Jan 13, 2026
Desvelao
reviewed
Jan 13, 2026
- Add SSL certificate configuration support (key, cert, ca) in opensearch_dashboards.yml - Implement dynamic use_ca calculation based on opensearch.ssl.verificationMode - Add certificate loading and HTTPS agent configuration in server-api-client.ts - Remove redundant SSL configuration fields (use_ca, ssl_protocol, ssl_ciphers) from config - Add logging for SSL certificate configuration and loading - Update manage-hosts.ts to calculate use_ca dynamically - Update constants.ts and settings-adapter.ts to remove deprecated fields - Update plugin.ts to pass initializerContext to ManageHosts Related to: #8015
- Rename use_ca to verify_ca in IAPIHostRegistry interface - Rename calculateUseCa() to calculateVerifyCa() method - Update all references from use_ca to verify_ca in server-api-client.ts - Improve SSL certificate logging (info level first time, debug afterwards) - Respect verify_ca value when loading CA certificates - Only load CA certificate if verify_ca is true The name 'verify_ca' is more descriptive and clearly indicates that it controls CA certificate verification. Related to: #8015
…tion - Refactor API connection logic to separate cluster_info from allow_run_as and verify_ca. - Update ApiTable component to reflect changes in data structure for SSL verification. - Simplify calculateVerifyCa method to focus solely on certificate paths. - Remove unused OpenSearch verification mode logic from ManageHosts class. - Enhance clarity in comments regarding SSL certificate verification. These changes improve the organization of API connection data and streamline the verification process for SSL certificates.
… support - Revised the description of SSL certificate support for Wazuh API connections to clarify the automatic calculation of the `verify_ca` value based on certificate paths. - Updated the "Use ca" column to "Verify CA" in the API Connections table, emphasizing the automatic determination of CA certificate verification status based on configuration.
…rification - Changed opensearch.ssl.verificationMode from 'none' to 'certificate' to enhance security by requiring SSL certificate validation for connections.
- Removed a comment that was no longer relevant regarding the use of CA certificates based on the `verify_ca` value.
- Added `verify_ca`, `ca`, `cert`, and `key` fields to mock registry data in ManageHosts tests. - Updated assertions to reflect the new structure of cluster_info and ensure proper handling of SSL certificate configurations.
…tests - Eliminated `ca`, `cert`, and `key` fields from the ManageHosts service and associated tests to streamline the data structure. - Updated mock registry data and assertions to reflect the removal of these fields, ensuring consistency in the handling of SSL certificate configurations.
- Removed `ca`, `cert`, and `key` fields from the ManageHosts service implementation to simplify the data structure. - Updated the ManageHosts tests to reflect these changes, ensuring consistency in the handling of SSL configurations.
Desvelao
reviewed
Jan 15, 2026
Comment on lines
+48
to
+58
| const fieldSetting = options[key] as TPluginSetting; | ||
| const fieldSchema = schemaMapper(fieldSetting); | ||
| if ( | ||
| optionalFields.includes(key) || | ||
| fieldSetting.defaultValue === '' || | ||
| fieldSetting.defaultValue === undefined | ||
| ) { | ||
| mappedSchema[key] = schema.maybe(fieldSchema); | ||
| } else { | ||
| mappedSchema[key] = fieldSchema; | ||
| } |
Contributor
Author
There was a problem hiding this comment.
It’s required because key/cert/ca are optional. We must accept hosts without TLS or with partial TLS config, and also allow empty/undefined defaults without failing schema validation.
Desvelao
reviewed
Jan 15, 2026
Comment on lines
212
to
234
| const registryData = updatedRegistry[id] || {}; | ||
| const { allow_run_as, verify_ca, ca, cert, key, ...cluster_info } = | ||
| registryData; | ||
| return { | ||
| ...host, | ||
| allow_run_as, | ||
| verify_ca, | ||
| cluster_info, | ||
| }; | ||
| }); | ||
| } | ||
|
|
||
| return hosts.map(host => { | ||
| const { id } = host; | ||
|
|
||
| return { ...host, cluster_info: registry[id] || {} }; | ||
| const registryData = registry[id] || {}; | ||
| const { allow_run_as, verify_ca, ca, cert, key, ...cluster_info } = | ||
| registryData; | ||
| return { | ||
| ...host, | ||
| allow_run_as, | ||
| verify_ca, | ||
| cluster_info, | ||
| }; |
Member
There was a problem hiding this comment.
suggestion: consider defining a function that enhances the host data instead of duplicating the code.
Desvelao
reviewed
Jan 15, 2026
Comment on lines
356
to
370
| (async () => { | ||
| try { | ||
| return [ | ||
| host.id, | ||
| await this.getRegistryDataByHost(host, { throwError: false }), | ||
| ]; | ||
| } catch (error) { | ||
| this.logger.warn( | ||
| `Failed to get registry data for host [${ | ||
| host.id | ||
| }] during startup: ${error.message || error}`, | ||
| ); | ||
| return [host.id, null]; | ||
| } | ||
| })(), |
Desvelao
reviewed
Jan 15, 2026
| headers: { | ||
| 'content-type': 'application/json', | ||
| Authorization: 'Bearer ' + token, | ||
| ...(token ? { Authorization: 'Bearer ' + token } : {}), |
Member
|
question: the verify CA in the UI is enabled despite the configuration points to non-existent files. Is this ok? 
|
Member
|
Test 
|
Member
Member
|
Add docs for the configuration. Note Update in this commit dc84ebb |
Member
|
🟡 In a meeting with @felipegonzalezmv , we saw in the first requests used by the api-compatibility-connection check it could not use the CA cert despite it is configured. Note Update: This was change in this commit e5e3817 |
…s and ServerAPIClient - Added resolveVerifyCa method in ManageHosts to determine the verify_ca value from the cache or host config. - Updated ServerAPIClient to utilize resolveVerifyCa for fetching verify_ca, improving clarity and consistency in SSL certificate verification logic. - Adjusted HTTPS agent configuration to enforce rejectUnauthorized based on verify_ca status, enhancing security for HTTPS connections.
…erverAPIClient - Introduced a cache for HTTPS agents in ServerAPIClient to optimize SSL certificate handling. - Added methods to resolve configuration paths and build signatures for HTTPS agents based on certificate files.
- Introduced a new function, enhanceHostWithRegistry, to encapsulate the logic for enriching host data with registry information.
- Replaced Promise.allSettled with Promise.all for improved performance in fetching registry data for hosts. - Simplified the logic for handling registry data retrieval, enhancing code clarity and efficiency.
…ration documentation
Contributor
|
Contributor
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR implements SSL certificate support for Wazuh API connections in the dashboard. Previously, even though the Wazuh API could be configured in
/var/ossec/api/configuration/api.yamlto use custom certificates, the Wazuh dashboard did not make use of them. This implementation allows the dashboard to connect to Wazuh API servers using SSL client certificates and CA certificate validation, matching the configuration in the Wazuh server API.The implementation includes:
This allows the dashboard to securely connect to Wazuh API servers configured with custom SSL certificates as specified in the Wazuh API configuration file.
Issues Resolved
#8002
Evidence
The API table now correctly displays a checkmark icon (✓) with a tooltip indicating "The Wazuh API is configured to use CA certificate" when
key, cert ,caare setting.Api table
Configuration Example:
The configuration in
opensearch_dashboards.ymlshould match the certificate setup on the Wazuh Manager:Important Notes:
dashboard-client.crt) must be signed by the same rootCA used by the Wazuh Managermanager-rootCA.pem) must be the same one configured in the Wazuh Manager'sapi.yamluse_ca: true, certificate verification is enabled (rejectUnauthorized: true)urlfield (e.g.,wazuh.manager.local) in its Subject Alternative Names (SAN). If the hostname is not included, certificate verification will fail with "Hostname/IP does not match certificate's altnames"UI Display:
verify_ca: true(all certificates configured) → Shows ✓ icon with tooltip "CA certificate verification is enabled."verify_ca: false(partial certificate configuration) → Shows "-" with tooltip "CA certificate verification is disabled. Either certificate paths are not configured."verify_ca: null(no certificates configured) → Shows "-" with tooltip "CA certificate verification status is unknown."Test
Prerequisites:
opensearch_dashboards.ymlconfiguration fileNote
Deploy dev environment with a real manager
./dev.sh up --server-local 5.0.0Test Steps:
Generate certificates on the Wazuh Manager:
Follow the step-by-step guide from the Wazuh documentation to generate certificates on the manager:
req.conf), ensure you include all DNS names and hostnames that will be used to connect to the manager. For example, if connecting viawazuh.manager.local, add it to the Subject Alternative Names:/var/ossec/api/configuration/api.yaml:Generate client certificate for the Dashboard:
Copy the rootCA and rootCA key from the manager to the dashboard (e.g.,
/home/node/kbn/certs/manager-rootCA.pemand/home/node/kbn/certs/manager-rootCA-key.pem)Generate a client certificate for the dashboard using the same rootCA:
Configure API host in
opensearch_dashboards.yml:opensearch_dashboards.ymlwazuh_core.hostssectioncafield inapi.yamlpoints to the same rootCA file (rootCA.pem) that was used to sign both the server certificate and will be used to sign the dashboard client certificateRestart Dashboard And Manager :
Verify connection:
Expected Results:
Expected Logs
When the dashboard starts and SSL certificates are configured for a host, you should see an info log indicating the SSL configuration:
This log appears when the HTTPS agent is created for each configured host. It confirms that:
use_ca: true)Successful API connection:
When the API connection check succeeds, you should see in the healthcheck logs:
This indicates that the SSL connection was established successfully using the configured certificates and the API is responding correctly.
When certificate files are not found, you'll see warnings:
If there's an error reading certificates:
Check List
yarn test:jest