Using TransportClient with Search guard


Sameer Pokarna

May 15, 2018, 1:46:07 AM
to Search Guard Community Forum
Hi,

I have managed to get the node-to-node encryption between ElasticSearch nodes using the standard instructions given in the documentation.
Is it possible to use the same certificates to get a TransportClient to connect to ElasticSearch? I continue to get an error about "unknown_certificate". Does anyone have a good pointer to a set of instructions to get TransportClient to work?


Thanks and regards,
Sameer

======

* Search Guard 6.2.2-22
* Elasticsearch version 6.2.2
* JVM version and operating system version - RHEL 7.4
* Search Guard configuration


Fabien Wernli

May 15, 2018, 7:20:30 AM
to Search Guard Community Forum
You could look at the code I wrote implementing the SG client mode in elasticsearch destination for syslog-ng:

https://github.com/balabit/syslog-ng/pull/1223/files

Sameer Pokarna

May 16, 2018, 11:28:20 PM
to search...@googlegroups.com
Thanks Fabien for your pointer, I will look at ESTransportSearchGuardClient in this project and let you know.

Thanks and regards,
Sameer


On Tue, May 15, 2018 at 4:50 PM, Fabien Wernli <swis...@gmail.com> wrote:
You could look at the code I wrote implementing the SG client mode in elasticsearch destination for syslog-ng:

https://github.com/balabit/syslog-ng/pull/1223/files

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d80c9c2a-6a6b-4105-b7da-2d7d87e00a8a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Sameer Pokarna

May 17, 2018, 3:11:18 AM
to search...@googlegroups.com
Hi Fabien,

Looks like these are the options you are using to access ElasticSearch enabled using SG. Does this work with PEM formats as well, or only PKCS12?
Also, have you tried with native protocol, or with HTTP only? Is HTTP authentication required for TransportClient to work with SG, or can I have certificate based encryption only? If possible, I would like to avoid using authentication for now.

  java_keystore_filepath("")
  java_keystore_password("")
  java_truststore_filepath("")
  java_truststore_password("")
  java_ssl_insecure("false")
  http_auth_type("none")
  http_auth_type_basic_username("")
  http_auth_type_basic_password("")


Thanks and regards,
Sameer



Fabien Wernli

May 24, 2018, 6:43:12 AM
to Search Guard Community Forum
I think you're misunderstanding the transport mode.
ES used to offer 3 different communication means for a client to communicate with a cluster.
These are node, transport and http.

The first two are more or less the same, and mean that your client will be part of the cluster to some extent. They are both deprecated, as far as clients are concerned. I'd strongly advise you to use HTTP!


Sameer Pokarna

May 24, 2018, 10:25:34 AM
to search...@googlegroups.com
For now, I have to try out with Transport, since changing that in my current project is not an option. Eventually, we will move, but not for now.

Regards,
Sameer




Fabien Wernli

May 24, 2018, 11:16:09 AM
to Search Guard Community Forum
I think Java 8 supports PEM format, to answer your earlier question.