sgadmin error


Ohad Ben Porat

Jul 23, 2018, 8:20:09 AM
to search...@googlegroups.com
Hey Guys,

I am trying to install search guard with the following setup:
elasticsearch: 6.3.0
searchguard: 6.3.0-22.3
OS: Ubuntu
Java: openjdk version "1.8.0_171"

I have all the TLS files ready and after restarting elastic I get the following error: "Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin"

So, obviously, I tried to use the sgadmin but it throws the following:


WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: Cannot authenticate null
Connected as CN=admin.example.com,OU=RnD,O=Example,DC=example
ERR: CN=admin.example.com,OU=RnD,O=Example,DC=example is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
  - "CN=admin.example.com,OU=RnD,O=Example,DC=example"

My elasticsearch.yml includes the following (and as you can see it includes the exact same admin_dn they mention):

bootstrap.memory_lock: true
discovery.ec2.any_group: true
discovery.ec2.endpoint: ec2.us-east-1.amazonaws.com
discovery.ec2.host_type: private_ip
discovery.ec2.tag.es_cluster: demo
discovery.zen.hosts_provider: ec2
discovery.zen.minimum_master_nodes: 2
http.port: 9200
network.bind_host: 0.0.0.0
node.data: false
node.master: true
searchguard.authcz.admin_dn: "CN=admin.example.com,OU=RnD,O=Example,DC=example"
searchguard.cert.oid: 1.2.3.4.5.5
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: esnode_http.pem
searchguard.ssl.http.pemkey_filepath: esnode_http.key
searchguard.ssl.http.pemkey_password: abc123
searchguard.ssl.http.pemtrustedcas_filepath: my-elasticsearch-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode.key
searchguard.ssl.transport.pemkey_password: abc123
searchguard.ssl.transport.pemtrustedcas_filepath: my-elasticsearch-ca.pem
searchguard.ssl.transport.resolve_hostname: false
transport.tcp.port: 9300

Any suggestion / leads where and what to look for?

Thanks.

Eszter Csüllög

Jul 23, 2018, 8:28:16 AM
to search...@googlegroups.com
In the environmental variables you have to add JAVA_HOME with the path of your jdk or jre version. Like C:\Program Files\Java\jre1.8.0_181. After a restart it has to work! :)


Ohad Ben Porat

Jul 23, 2018, 8:53:46 AM
to Search Guard Community Forum
The default java chosen when JAVA_HOME isn't configured is the correct java on my machine, but I tried your suggestion anyway - no difference, still getting the same error.

Thanks.

Jochen Kressin

Jul 23, 2018, 3:49:44 PM
to Search Guard Community Forum
The searchguard.authcz.admin_dn expects an array, not a single value. So instead of:

searchguard.authcz.admin_dn: "CN=admin.armis.com,OU=RnD,O=Armis,DC=armis"

Try as outputted in the error message:

searchguard.authcz.admin_dn:
  - "CN=admin.armis.com,OU=RnD,O=Armis,DC=armis"
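
A check for the misconfiguration identified in the answer above, added here as an example (it is not Search Guard's code and not part of any post in this thread): it reports whether admin_dn in an elasticsearch.yml is written as a scalar or as a list, and whether the DN printed by sgadmin is among its entries. The comma-splitting of a scalar value is an assumption about how the setting is read, the function names are hypothetical, and the sample configs are constructed from the DN in the question.

```python
import re

KEY = "searchguard.authcz.admin_dn"
DN = "CN=admin.example.com,OU=RnD,O=Example,DC=example"  # DN sgadmin reported
# Constructed samples: the form from the question and the form from the answer.
SCALAR_YML = 'http.port: 9200\n%s: "%s"\ntransport.tcp.port: 9300\n' % (KEY, DN)
LIST_YML = 'http.port: 9200\n%s:\n  - "%s"\ntransport.tcp.port: 9300\n' % (KEY, DN)


def unquote(value):
    value = value.strip()
    quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
    return value[1:-1] if quoted else value


def admin_dn_entries(yml_text):
    """Return (form, entries); form is 'scalar', 'list' or 'missing'."""
    lines = yml_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^%s\s*:(.*)$" % re.escape(KEY), line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline.startswith("["):  # flow-style list on one line
            return "list", re.findall(r"[\"']([^\"']+)[\"']", inline)
        if inline:
            # Assumption: a single string is read as a comma-separated list,
            # so the DN falls apart into its RDNs and never matches as a whole.
            return "scalar", [p.strip() for p in unquote(inline).split(",")]
        entries = []
        for nxt in lines[i + 1:]:  # block-style list: "- value" lines
            item = re.match(r"^\s*-\s+(.+)$", nxt)
            if item:
                entries.append(unquote(item.group(1)))
            elif nxt.strip():
                break
        return "list", entries
    return "missing", []


def is_admin(cert_dn, yml_text):
    # Simplification: exact string comparison, no DN normalisation.
    return cert_dn in admin_dn_entries(yml_text)[1]


if __name__ == "__main__":
    for name, yml in (("scalar", SCALAR_YML), ("list", LIST_YML)):
        print(name, admin_dn_entries(yml), is_admin(DN, yml))
```
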

Ohad Ben Porat

Jul 24, 2018, 7:24:09 AM
to Search Guard Community Forum
Thanks, stupid mistake on my part.