OpenSearch securityadmin tool deprecation might be affecting SSO integration #23360

Open
wputnam-bonx opened this issue May 9, 2024 · 1 comment

Comments

@wputnam-bonx

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.7.4-1 | wazuh-dashboard | Wazuh All-in-One Deployment | AMI (AWS Marketplace) | Linux 4.14.336-257.568.amzn2.x86_64 x86_64 |

I'm trying to get Google SSO working with my Wazuh instance according to the official guide.
When trying to run the securityadmin tool script, this becomes my output:

[wazuh-user@wazuh-server ~]$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && sudo bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
which: no java in (/sbin:/bin:/usr/sbin:/usr/bin)
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use
[wazuh-user@wazuh-server ~]$

and that's it. No other command output, which I thought might be due to the fact that OpenSearch is really trying to deprecate that script. Even stripping all the arguments returns the same exact output.

Continuing with the rest of the guide as-is and restarting both wazuh-indexer and wazuh-dashboard returns a 500 error in my browser whenever I try to access the website. I've already checked my settings in Google Admin, and all variables were changed properly according to the guide. My output from sudo systemctl -l status wazuh-dashboard after attempting to access from a browser (with cleared cookies) returns this:

[wazuh-user@wazuh-server ~]$ sudo systemctl -l status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2024-05-09 09:35:03 UTC; 23min ago
 Main PID: 4443 (node)
   CGroup: /system.slice/wazuh-dashboard.service
           └─4443 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: {"type":"log","@timestamp":"2024-05-09T09:35:36Z","tags":["error","plugins","securityDashboards"],"pid":4443,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: {"type":"error","@timestamp":"2024-05-09T09:35:36Z","tags":[],"pid":4443,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:143:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:97:19)\n    at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:92:17)\n    at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:164:34)\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n    at handler (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:124:50)\n    at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://<REDACTED DOMAIN NAME>/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: {"type":"response","@timestamp":"2024-05-09T09:35:36Z","tags":[],"pid":4443,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"<REDACTED DOMAIN NAME>","sec-fetch-site":"same-origin","accept-encoding":"gzip, deflate, br","connection":"keep-alive","sec-fetch-mode":"navigate","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15","referer":"https://<REDACTED DOMAIN NAME>/auth/saml/captureUrlFragment?nextUrl=%2F","sec-fetch-dest":"document","accept-language":"en-US,en;q=0.9"},"remoteAddress":"<REDACTED IP ADDRESS>","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15","referer":"https://<REDACTED DOMAIN NAME>/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":500,"responseTime":62,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 500 62ms - 9.0B"}
May 09 09:35:36 wazuh-server opensearch-dashboards[4443]: {"type":"response","@timestamp":"2024-05-09T09:35:36Z","tags":[],"pid":4443,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"<REDACTED DOMAIN NAME>","sec-fetch-site":"same-origin","accept-encoding":"gzip, deflate, br","connection":"keep-alive","sec-fetch-mode":"no-cors","accept":"*/*","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15","referer":"https://<REDACTED DOMAIN NAME>/auth/saml/login?nextUrl=%2F&redirectHash=false","sec-fetch-dest":"image","accept-language":"en-US,en;q=0.9"},"remoteAddress":"<REDACTED IP ADDRESS>","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15","referer":"https://<REDACTED DOMAIN NAME>/auth/saml/login?nextUrl=%2F&redirectHash=false"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}
May 09 09:56:57 wazuh-server opensearch-dashboards[4443]: {"type":"response","@timestamp":"2024-05-09T09:56:57Z","tags":[],"pid":4443,"method":"get","statusCode":401,"req":{"url":"/ws/v4/","method":"get","headers":{"host":"api.gateio.ws:443","user-agent":"Go-http-client/1.1","connection":"Upgrade","sec-websocket-key":"BcUrxCda9moelrt3mMBJ+Q==","sec-websocket-version":"13","upgrade":"websocket"},"remoteAddress":"94.102.56.8","userAgent":"Go-http-client/1.1"},"res":{"statusCode":401,"responseTime":6,"contentLength":9},"message":"GET /ws/v4/ 401 6ms - 9.0B"}
[wazuh-user@wazuh-server ~]$ 

Would appreciate the assistance if anyone can offer it.

@wputnam-bonx
Author

I did some more digging and was able to solve my immediate issue.

The JAVA_HOME path was properly being set, but it was not being passed to the BIN_PATH variable in the securityadmin script. Hardcoding this value in after the last if/else statement caused the script to work.
After the service restart, I was able to access Wazuh through the Google SSO.

Not sure if this is a Wazuh issue or an OpenSearch issue, but I hope that this discovery helps someone else out using the AMI-based deployment.
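An added example, not part of the original issue and not code from Wazuh or OpenSearch: one way to reproduce the symptom in the first output, where `JAVA_HOME` is exported in the calling shell but the launcher reports it as unset. It assumes the cause is an environment reset between the calling shell and the privileged child (sudo's `env_reset` behaviour), simulated here with `env -i`; `RESOLVER`, `resolve_java` and `run_child` are hypothetical names, and the lookup logic is a constructed stand-in modelled on the warning text, not the contents of securityadmin.sh.

```shell
#!/bin/sh
# Constructed stand-in for a launcher's Java lookup (assumption: it prefers
# OPENSEARCH_JAVA_HOME, then JAVA_HOME, then whatever "java" is on PATH).
RESOLVER='
resolve_java() {
    if [ -n "${OPENSEARCH_JAVA_HOME:-}" ]; then
        printf "%s" "$OPENSEARCH_JAVA_HOME/bin/java"
    elif [ -n "${JAVA_HOME:-}" ]; then
        printf "%s" "$JAVA_HOME/bin/java"
    else
        command -v java 2>/dev/null || true
    fi
}'

JDK=/usr/share/wazuh-indexer/jdk   # JDK path taken from the issue

# run_child MODE: run the resolver in a child process and print what it finds.
#   scrubbed - the child starts with a reset environment, as a privilege
#              wrapper that drops caller variables would start it
#   explicit - same reset, but JAVA_HOME is set as part of the child's command
# PATH=/nonexistent mirrors the "which: no java" line: no java on PATH.
run_child() {
    case "$1" in
        scrubbed)
            env -i PATH=/nonexistent /bin/sh -c "$RESOLVER; resolve_java" ;;
        explicit)
            env -i PATH=/nonexistent JAVA_HOME="$JDK" \
                /bin/sh -c "$RESOLVER; resolve_java" ;;
        *)
            echo "usage: run_child scrubbed|explicit" >&2
            return 2 ;;
    esac
}

# The export succeeds in the calling shell in both cases; only the way the
# child is started differs.
export JAVA_HOME="$JDK"
echo "calling shell JAVA_HOME: $JAVA_HOME"
echo "scrubbed child resolves: '$(run_child scrubbed)'"
echo "explicit child resolves: '$(run_child explicit)'"
```

On a host where sudo resets the environment, the `explicit` case corresponds to setting the variable inside the privileged command, for example by prefixing the script invocation with `sudo env JAVA_HOME=/usr/share/wazuh-indexer/jdk/` instead of exporting it beforehand.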
