Upgrading TheHive 3.2.1_1 to 3.4

By Adrian | September 12, 2019

It's upgrading time!

It's been a while since I've visited TheHive, and version 3.4.0 has been released. The astute reader will notice that when I originally stood up my instance of TheHive I opted for version 3.3.1, and yes, that will be getting an upgrade, but the reason for this post is that this is a test run for the instance upgrade at work; that's what we're using there, so that's what I'm testing. The install is identical to the 3.3.1 guide I wrote.

So here we are pre-upgrade, with a grand total of 2 test cases.

[screenshot: pre-upgrade]

Backup

The first step is to perform a backup of the Elasticsearch indices, which requires some additional configuration. Create a backup folder location with the following command:

mkdir /opt/backup

# For some reason the 'other' group needed xx7 permission on the folder, and I'm sure there's a tighter way to control this.
# Tighter alternative: the directory only needs to be writable by the account the Elasticsearch service runs as
# (the elasticsearch user on package installs), so owning it by that user with mode 750 avoids a world-writable backup location.
chmod 777 /opt/backup

Edit the /etc/elasticsearch/elasticsearch.yml file and include the following line:

path.repo: ["/opt/backup"]

Now you will need to restart the Elasticsearch service so this change is in effect:

sudo service elasticsearch restart

To perform the backup we first need the index details. Get them with a web request to your Elasticsearch instance, which may or may not be the same box as TheHive. Note that the index in this case is the_hive_14; the number refers to the schema version.

curl 'localhost:9200/_cat/indices?v'

health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   the_hive_14 qf4EdQqgRDOTWVHKbpTo3A   5   1         39            0    110.2kb        110.2kb

To register a snapshot repository (the filesystem location the snapshots will be written to), use this command.

curl -XPUT 'http://localhost:9200/_snapshot/the_hive_backup' -d '{
    "type": "fs",
    "settings": {
        "location": "/opt/backup",
        "compress": true
    }
}'

# Output if successful:
{"acknowledged":true}

# One potential error scenario - Check the permissions on /opt/backup in this case
{"error":{"root_cause":[{"type":"exception","reason":"failed to create blob container"}],"type":"exception","reason":"failed to create blob container","caused_by":{"type":"access_denied_exception","reason":"/opt/backup/tests-q0DQmMtDQo-zC2GZAcqHlQ"}},"status":500}

And finally we can create a backup with this command (replace <INDEX> with the index identified earlier, in this case the_hive_14):

curl -XPUT 'http://localhost:9200/_snapshot/the_hive_backup/snapshot_1?wait_for_completion=true&pretty' -d '{
  "indices": "<INDEX>"
}'

# Output
{
  "snapshot" : {
    "snapshot" : "snapshot_1",
    "uuid" : "wOHULukYTia5lUny7Yyyug",
    "version_id" : 5061699,
    "version" : "5.6.16",
    "indices" : [
      "the_hive_14"
    ],
    "state" : "SUCCESS",
    "start_time" : "2019-09-12T09:16:11.456Z",
    "start_time_in_millis" : 1568279771456,
    "end_time" : "2019-09-12T09:16:12.087Z",
    "end_time_in_millis" : 1568279772087,
    "duration_in_millis" : 631,
    "failures" : [ ],
    "shards" : {
      "total" : 5,
      "failed" : 0,
      "successful" : 5
    }
  }
}
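The repository registration and snapshot calls above, wrapped in a script so that a missing acknowledgement or a PARTIAL/FAILED snapshot stops the upgrade instead of being noticed later. This is an added example, not code from the original post; it assumes Elasticsearch on localhost:9200, the repository name the_hive_backup and the path /opt/backup from the post (all overridable via the environment), and checks the response with plain tr and case patterns so no jq is needed.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot TheHive's index and
# refuse to continue unless Elasticsearch reports a fully successful snapshot.
set -u
ES="${ES:-http://localhost:9200}"
REPO="${REPO:-the_hive_backup}"
BACKUP_DIR="${BACKUP_DIR:-/opt/backup}"

# Return 0 only if the snapshot response JSON ($1) reports state SUCCESS,
# an empty "failures" list, zero failed shards and the expected index ($2).
# Whitespace is stripped first so the pretty-printed layout does not matter.
snapshot_ok() {
  _flat=$(printf '%s' "$1" | tr -d ' \t\r\n')
  case "$_flat" in *'"state":"SUCCESS"'*) ;; *) return 1 ;; esac
  case "$_flat" in *'"failures":[]'*) ;; *) return 1 ;; esac
  case "$_flat" in *'"failed":0'[,}]*) ;; *) return 1 ;; esac
  case "$_flat" in *"\"$2\""*) ;; *) return 1 ;; esac
  return 0
}

# Register the filesystem repository (idempotent) and require the acknowledgement.
# The Content-Type header is not needed on ES 5.x but is mandatory from ES 6 on.
register_repo() {
  curl -sS -XPUT "$ES/_snapshot/$REPO" -H 'Content-Type: application/json' \
    -d "{\"type\":\"fs\",\"settings\":{\"location\":\"$BACKUP_DIR\",\"compress\":true}}" \
    | grep -q '"acknowledged":true'
}

# Snapshot one index ($2) under the name $1, wait for completion, then verify it.
take_snapshot() {
  _resp=$(curl -sS -XPUT "$ES/_snapshot/$REPO/$1?wait_for_completion=true&pretty" \
    -H 'Content-Type: application/json' -d "{\"indices\":\"$2\"}")
  snapshot_ok "$_resp" "$2" || { printf 'snapshot %s failed:\n%s\n' "$1" "$_resp" >&2; return 1; }
}

# Usage: sh backup_thehive.sh run the_hive_14
if [ "${1:-}" = "run" ]; then
  register_repo || { echo "repository registration failed (check $BACKUP_DIR permissions)" >&2; exit 1; }
  take_snapshot "snapshot_$(date +%Y%m%d%H%M%S)" "${2:-the_hive_14}" || exit 1
  echo "snapshot of ${2:-the_hive_14} stored in $BACKUP_DIR"
fi
```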

Upgrade to 3.4.0

With the backup out of the way, we can go about upgrading TheHive to 3.4.0 now.

Stop the thehive service

service thehive stop

Import the PGP key for TheHive (optional, but do it)

sudo wget https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY
# Import the release key into the local keyring so the download can be verified
gpg --import PGP-PUBLIC-KEY

# Output
gpg: /home/thehive/.gnupg/trustdb.gpg: trustdb created
gpg: key 3D99BB18562CBC1C: public key "TheHive Project (TheHive release key) <support@thehive-project.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Download and Verify TheHive

cd /opt

sudo wget http://dl.bintray.com/thehive-project/binary/thehive-3.4.0-1.zip
sudo wget http://dl.bintray.com/thehive-project/binary/thehive-3.4.0-1.zip.asc

# Verify the signature file against the download to ensure integrity, because supply chain, that's why
gpg --verify thehive-3.4.0-1.zip.asc thehive-3.4.0-1.zip

# Output
gpg: Signature made Thu 05 Sep 2019 12:45:58 PM UTC
gpg:                using RSA key 3D99BB18562CBC1C
gpg: Good signature from "TheHive Project (TheHive release key) <support@thehive-project.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0CD5 AC59 DE5C 5A8E 0EE1  3849 3D99 BB18 562C BC1C
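The warning in the output above is the important part: "Good signature" with [unknown] trust only proves that the key you just imported made the signature, not that it is TheHive's key. The added script below (not code from the original post or from TheHive) runs the same verification through gpg's machine-readable status output and pins the signing key's fingerprint to the one printed above; the fingerprint is taken from the post's gpg output and should be confirmed out of band before you rely on it.

```shell
#!/bin/sh
# Added example (not from the original post): verify a release archive and
# require that the valid signature comes from one specific, pinned key.
# Fingerprint copied from the gpg output in the post, spaces removed.
EXPECTED_FPR="0CD5AC59DE5C5A8E0EE138493D99BB18562CBC1C"

# Print the fingerprint of the key that made a valid signature, taken from the
# VALIDSIG line of gpg --status-fd output passed as text in $1.
# Prints nothing when there is no VALIDSIG line (bad signature, missing key).
fpr_from_status() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 only if the status text ($1) carries a valid signature from the pinned key.
status_has_pinned_sig() {
  [ "$(fpr_from_status "$1")" = "$EXPECTED_FPR" ]
}

# Run gpg on a signature file ($1) and archive ($2). Fails on a bad signature,
# an unknown key, or a good signature made by any key other than the pinned one.
# --status-fd 1 puts the parseable status lines on stdout; human text stays on stderr.
verify_release() {
  _status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  status_has_pinned_sig "$_status"
}

# Usage: sh verify_thehive.sh thehive-3.4.0-1.zip.asc thehive-3.4.0-1.zip
if [ $# -eq 2 ]; then
  if verify_release "$1" "$2"; then
    echo "OK: $2 is signed by the pinned key $EXPECTED_FPR"
  else
    echo "REFUSING: $2 is not signed by the pinned TheHive release key" >&2
    exit 1
  fi
fi
```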

Extract TheHive files

sudo unzip thehive-3.4.0-1.zip

After extracting, you should have the following directory listing: [screenshot: multiple-instances-before]

Now we remove the thehive symbolic link and recreate it pointing at our new 3.4.0 instance.

sudo rm thehive
sudo ln -s thehive-3.4.0-1 thehive

The new file listing should look like this: [screenshot: multiple-instances-after]

Now we need to copy over the existing application.conf file and make one change to it. Pay particular attention to the port number change (from 9300 to 9200) and to the parameter change from host = to uri =, since 3.4 talks to Elasticsearch over the HTTP API on 9200 rather than the transport port on 9300.

sudo cp /opt/thehive-3.2.1-1/conf/application.conf /opt/thehive/conf/
sudo nano /opt/thehive/conf/application.conf

# Replace the line host = ["127.0.0.1:9300"] with the following:
uri = "http://127.0.0.1:9200"

Now start the thehive service and check that it comes up without errors.

sudo service thehive start
sudo service thehive status

Post upgrade steps

Once the service has restarted and had a few moments to settle, fire up your browser and navigate to TheHive URL. You get the database upgrade prompt; the upgrade could take some time depending on the number of cases you have. [screenshot: thehive-db-upgrade]

Afterwards, you are prompted to create an admin login and password. [screenshot: create-admin-account]

And once you log in again, you have a shiny upgraded version. [screenshot: post-upgrade]

To confirm the Elasticsearch side, run this command (note there are now 2 indices, the old the_hive_14 and the new the_hive_15):

curl 'localhost:9200/_cat/indices?v'

health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   the_hive_15 wnFAuxgST3uGxhys8XdIdw   5   1         42            0       86kb           86kb
yellow open   the_hive_14 qf4EdQqgRDOTWVHKbpTo3A   5   1         39            0    110.2kb        110.2kb

There is also an Elasticsearch component to the upgrade, but I need to test that out before I write it up.
