Upon starting the service and checking systemctl status for wazuh-indexer using opensearch, I see the warning messages here:
root@wazuh:/etc/wazuh-indexer/opensearch-security# systemctl restart wazuh-indexer && systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-06-18 17:31:35 UTC; 10ms ago
Docs: https://documentation.wazuh.com
Main PID: 64882 (java)
Tasks: 75 (limit: 16622)
Memory: 3.0G
CPU: 17.126s
CGroup: /system.slice/wazuh-indexer.service
└─64882 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms4462m -Xmx4462m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-6303272397374601508 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/wazuh-indexer -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log "-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m" -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy -XX:MaxDirectMemorySize=2340421632 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp "/usr/share/wazuh-indexer/lib/*" org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet
Jun 18 17:31:28 wazuh systemd[1]: Starting Wazuh-indexer...
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: A terminally deprecated method in java.lang.System has been called
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: System::setSecurityManager will be removed in a future release
Jun 18 17:31:30 wazuh systemd-entrypoint[64882]: WARNING: A terminally deprecated method in java.lang.System has been called
Jun 18 17:31:30 wazuh systemd-entrypoint[64882]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jun 18 17:31:30 wazuh systemd-entrypoint[64882]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Jun 18 17:31:30 wazuh systemd-entrypoint[64882]: WARNING: System::setSecurityManager will be removed in a future release
Jun 18 17:31:35 wazuh systemd[1]: Started Wazuh-indexer.
Possibly related logs in journalctl -xe show that the connection is refusing connections.
Jun 18 17:47:23 wazuh opensearch-dashboards[62438]: {"type":"log","@timestamp"
8,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
Warning messages appear and suggest reporting to maintainers.
Try using the logging with filebeat test output also (may be a TLS issue though)
Expected behavior
Service should start with no warnings. Connections to wazuh opensearch-dashboards should be accepted instead of rejected.
Additional Details
Perhaps related to #10494, but I do not see the same message in my logs about the Log4j CVE.
Host/Environment (please complete the following information):
root@wazuh:/etc/wazuh-indexer/opensearch-security# hostnamectl
Static hostname: wazuh
Icon name: computer-vm
Chassis: vm
Machine ID: af7a1ecb9c2740868c7f59fcad273b69
Boot ID: 5f3099d0aad1466dba76b9cd840cf20f
Virtualization: kvm
Operating System: Ubuntu 22.04.4 LTS
Kernel: Linux 5.15.0-112-generic
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC i440FX + PIIX, 1996
Plugins
root@wazuh:/usr/share/wazuh-indexer/plugins# ll
total 148
drwxr-x--- 21 wazuh-indexer wazuh-indexer 4096 Jun 14 22:46 ./
drwxr-x--- 9 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 ../
drwxr-x--- 2 wazuh-indexer wazuh-indexer 12288 Jun 18 00:00 opensearch-alerting/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-anomaly-detection/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-asynchronous-search/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-cross-cluster-replication/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-custom-codecs/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-geospatial/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-index-management/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-job-scheduler/
drwxr-x--- 3 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-knn/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 20480 Jun 18 00:00 opensearch-ml/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-neural-search/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-notifications/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-notifications-core/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-observability/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 12288 Jun 18 00:00 opensearch-performance-analyzer/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-reports-scheduler/
drwxr-x--- 3 wazuh-indexer wazuh-indexer 20480 Jun 18 00:00 opensearch-security/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 4096 Jun 18 00:00 opensearch-security-analytics/
drwxr-x--- 2 wazuh-indexer wazuh-indexer 20480 Jun 18 00:00 opensearch-sql/
Screenshots
n/a
Additional context
It could be a TLS issue because of these posts (stackoverflow) (opensearch) describing connection issues and the guide to set up TLS. However, the java terminally deprecated method log item in systemctl status is displaying the warning apart from any connection attempts to it.
I was trying to upgrade Wazuh server to 4.8 from 4.7. I have redone the certificates, updated the apt repos and upgraded the packages, and I am planning to delete everything and do a fresh install after a few more steps if there is nothing else to do before that.
OpenSearch makes pretty extensive use of the Java security manager. See #1687 for some discussion.
My takeaways from that issue are:
It's not great that the JDK devs have decided to deprecate the JSM without anything to replace it. (It does provide defense-in-depth advantages.)
While those warnings get emitted (with no way to suppress them) starting with JDK 17 (or 18? I think 17, though), they're just warning that eventually the JSM will be removed.
The JSM has not been removed in JDK21, which is the current long-term support version. So, while those warnings are annoying, they're just noise. If/when there's a LTS version that doesn't include security manager (hopefully a few years out), we'll need to figure out what that means for OpenSearch. (Do we abandon defense in depth? I hope not.)
[Triage - attendees 12345] @bradleybaasRB Thanks for creating this issue. Due to OpenSearch's dependency on the security manager, we cannot directly address this issue and are closing this out.
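The distinction drawn in the replies above (the `setSecurityManager` warnings are noise, while the refused connection to 127.0.0.1:9200 is a separate failure) can be applied mechanically when reading the journal. The shell functions below are an added example, not part of the issue or of OpenSearch or Wazuh; the function names are hypothetical and the sample lines are constructed from the output quoted in the report.

```shell
#!/usr/bin/env bash
# Added example: triage journal output from a wazuh-indexer host.
# JSM deprecation warnings are counted as noise; ECONNREFUSED lines are surfaced.

# The four warning shapes the JVM prints when System::setSecurityManager is called.
JSM_NOISE='WARNING: (A terminally deprecated method in java\.lang\.System has been called|System::setSecurityManager (has been called by |will be removed in a future release)|Please consider reporting this to the maintainers of org\.opensearch\.)'

# Sample journal lines, constructed from the output quoted in the issue
# (the dashboards JSON is shortened to the fields needed here).
sample_journal() {
cat <<'EOF'
Jun 18 17:31:28 wazuh systemd[1]: Starting Wazuh-indexer...
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: A terminally deprecated method in java.lang.System has been called
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jun 18 17:31:29 wazuh systemd-entrypoint[64882]: WARNING: System::setSecurityManager will be removed in a future release
Jun 18 17:31:35 wazuh systemd[1]: Started Wazuh-indexer.
Jun 18 17:47:23 wazuh opensearch-dashboards[62438]: {"type":"log","message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
EOF
}

# Drop JSM deprecation noise from stdin and keep every other line.
strip_jsm_noise() { grep -Ev "$JSM_NOISE" || true; }

# Print each unique IPv4 host:port that refused a connection.
refused_endpoints() {
  grep -oE 'ECONNREFUSED [0-9.]+:[0-9]+' | awk '{print $2}' | sort -u
}

# One-line summary: how much of the input is JSM noise, how many refused
# connections it contains, and which endpoints refused them.
triage_summary() {
  local input noise failures endpoints
  input=$(cat)
  noise=$(printf '%s\n' "$input" | grep -Ec "$JSM_NOISE" || true)
  failures=$(printf '%s\n' "$input" | grep -c 'ECONNREFUSED' || true)
  endpoints=$(printf '%s\n' "$input" | refused_endpoints | paste -sd, -)
  printf 'jsm_noise=%s connection_failures=%s endpoints=%s\n' \
    "$noise" "$failures" "$endpoints"
}

sample_journal | triage_summary
```

On a live host the same functions can read `journalctl -xe --no-pager` instead of the sample; any endpoint reported is the listener to check next.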
Related component
Indexing
To Reproduce
https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html