Cluster

Quote

Akka is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala

-- https://akka.io/

Akka is used to make several nodes of TheHive work together and offer a smooth user experience.

A good cluster setup requires at least 3 nodes of TheHive applications. For each node, Akka must be configured like this:

## Akka server
akka {
  cluster.enable = on
  actor {
    provider = cluster
  }
  remote.artery {
    canonical {
      hostname = "<HOSTNAME OR IP_ADDRESS>"
      port = 2551
    }
  }
  # seed node list contains at least one active node
  cluster.seed-nodes = [ "akka://[email protected]:2551", "akka://[email protected]:2551", "akka://[email protected]:2551" ]
}

with:

  • remote.artery.canonical.hostname containing the hostname or IP address of the node,
  • cluster.seed-nodes containing the list of Akka nodes, which must be the same on all nodes

Configuration of a Cluster with 3 nodes

Akka configuration for Node 1:

akka {
    cluster.enable = on
    actor {
      provider = cluster
    }
    remote.artery {
      canonical {
          hostname = "10.1.2.1"
          port = 2551
      }
    }
    # seed node list contains at least one active node
    cluster.seed-nodes = [ "akka://[email protected]:2551", "akka://[email protected]:2551", "akka://[email protected]:2551" ]
}

Akka configuration for Node 2:

akka {
    cluster.enable = on
    actor {
      provider = cluster
    }
    remote.artery {
      canonical {
          hostname = "10.1.2.2"
          port = 2551
      }
    }
    # seed node list contains at least one active node
    cluster.seed-nodes = [ "akka://[email protected]:2551", "akka://[email protected]:2551", "akka://[email protected]:2551" ]
}

Akka configuration for Node 3:

akka {
    cluster.enable = on
    actor {
      provider = cluster
    }
    remote.artery {
      canonical {
          hostname = "10.1.2.3"
          port = 2551
      }
    }
    # seed node list contains at least one active node
    cluster.seed-nodes = [ "akka://[email protected]:2551", "akka://[email protected]:2551", "akka://[email protected]:2551" ]
}

SSL/TLS

Akka supports SSL/TLS to encrypt communications between nodes. A typical configuration with SSL support looks like this:

## Akka server
akka {
  cluster.enable = on
  actor {
    provider = cluster
  }
  remote.artery {
    transport = tls-tcp
    canonical {
      hostname = "<HOSTNAME OR IP_ADDRESS>"
      port = 2551
    }

    ssl.config-ssl-engine {
      key-store = "<PATH TO KEYSTORE>"
      trust-store = "<PATH TO TRUSTSTORE>"

      key-store-password = "chamgeme"
      key-password = "chamgeme"
      trust-store-password = "chamgeme"

      protocol = "TLSv1.2"
    }
  }
  # seed node list contains at least one active node
  cluster.seed-nodes = [ "akka://[email protected]:2551", "akka://[email protected]:2551", "akka://[email protected]:2551" ]
}

Note

Note that akka.remote.artery.transport is now set to tls-tcp, and akka.remote.artery.ssl.config-ssl-engine needs to be configured.

Reference: https://doc.akka.io/docs/akka/current/remoting-artery.html#remote-security

About Certificates

Use your own internal PKI, or keytool commands to generate your certificates.

Reference: https://lightbend.github.io/ssl-config/CertificateGeneration.html#using-keytool

Your server certificates should contain the following KeyUsage and ExtendedKeyUsage extensions to make everything work properly:

  • KeyUsage extensions
    • nonRepudiation
    • dataEncipherment
    • digitalSignature
    • keyEncipherment
  • ExtendedKeyUsage extensions
    • serverAuth
    • clientAuth

Akka configuration with SSL for Node 1

## Akka server
akka {
  cluster.enable = on
  actor {
    provider = cluster
  }
  remote.artery {
    transport = tls-tcp
    canonical {
      hostname = "10.1.2.1"
      port = 2551
    }

    ssl.config-ssl-engine {
      key-store = "/etc/thehive/application.conf.d/certs/10.1.2.1.jks"
      trust-store = "/etc/thehive/application.conf.d/certs/internal_ca.jks"

      key-store-password = "chamgeme"
      key-password = "chamgeme"
      trust-store-password = "chamgeme"

      protocol = "TLSv1.2"
    }
  }
  # seed node list contains at least one active node
  cluster.seed-nodes = [ "akka://[email protected]:2551", "akka://[email protected]:2551", "akka://[email protected]:2551" ]
}

Apply the same principle for the other nodes, and restart all services.
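
A pre-restart consistency check for the per-node settings described on this page, as an added example (not part of TheHive or Akka): it compares each node's Akka block for identical seed-nodes, a unique canonical hostname, the tls-tcp transport and leftover placeholder passwords. The sample configurations are constructed, the actor system name `application` in the seed URIs is an assumption, and values are read with a simple regex rather than a full HOCON parser.

```python
import re

# Constructed sample input. The actor system name "application" in the seed
# URIs is an assumption; use the name your deployment actually runs under.
SEEDS = ", ".join(f'"akka://application@10.1.2.{i}:2551"' for i in (1, 2, 3))
TEMPLATE = '''akka {
  remote.artery {
    transport = %s
    canonical { hostname = "%s", port = 2551 }
    ssl.config-ssl-engine { key-store-password = "%s" }
  }
  cluster.seed-nodes = [ %s ]
}'''
SAMPLE = {
    "node1": TEMPLATE % ("tls-tcp", "10.1.2.1", "S3parate-secret", SEEDS),
    # copy-paste slips: hostname not updated, TLS transport dropped, placeholder password
    "node2": TEMPLATE % ("tcp", "10.1.2.1", "chamgeme", SEEDS),
    # seed list edited on one node only
    "node3": TEMPLATE % ("tls-tcp", "10.1.2.3", "S3parate-secret",
                         SEEDS.replace("10.1.2.2", "10.1.2.9")),
}

def setting(conf, key):
    """Value of `key = value` in a HOCON snippet (regex lookup, not a full HOCON parser)."""
    m = re.search(r'(?<![\w-])' + re.escape(key) + r'\s*=\s*"?([^"\s,}]+)', conf)
    return m.group(1) if m else None

def lint_cluster(configs):
    """configs maps node name -> config text; returns a list of findings."""
    findings, seen_hosts = [], {}
    seeds = {n: re.findall(r'"akka://[^@"]+@([^:"]+):\d+"', c) for n, c in configs.items()}
    reference = seeds[min(configs)]  # first node by name is the comparison baseline
    for name in sorted(configs):
        conf, host = configs[name], setting(configs[name], "hostname")
        if not seeds[name] or seeds[name] != reference:
            findings.append(f"{name}: seed-nodes missing or different from {min(configs)}")
        if host in seen_hosts:
            findings.append(f"{name}: canonical hostname {host} already used by {seen_hosts[host]}")
        seen_hosts.setdefault(host, name)
        if setting(conf, "transport") != "tls-tcp":
            findings.append(f"{name}: artery transport is not tls-tcp")
        for key in ("key-store-password", "key-password", "trust-store-password"):
            if setting(conf, key) == "chamgeme":
                findings.append(f"{name}: {key} still has the documentation placeholder")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_cluster(SAMPLE)))
```

To check a real deployment, replace SAMPLE with the contents of each node's configuration file, read before the services are restarted.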


Last update: June 14, 2021 13:39:13