Is there any way to use a single PEM file for Elasticsearch instead of keystore and truststore files?


Udit Verma

Oct 31, 2017, 2:52:04 AM
to Search Guard Community Forum


* Search Guard and Elasticsearch version: 5.5.2

Here is what I tried in my elasticsearch.yml:
```
path:
  logs: /tmp
  conf: /usr/share/elasticsearch/config

cluster.name: ${CLUSTER_NAME}

node:
  name: ${NODE_NAME}
  master: ${NODE_MASTER}
  data: ${NODE_DATA}
  ingest: ${NODE_INGEST}

discovery.zen:
  minimum_master_nodes: ${MINIMUM_MASTER_NODES}
  ping.unicast.hosts: ${HOSTS}
network.host: ${NETWORK_HOST}

http:
  enabled: ${HTTP_ENABLE}
  compression: true
  cors:
    enabled: ${HTTP_CORS_ENABLE}
    allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}

searchguard:
    ssl.transport:
        enabled: true
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    ssl.http:
        enabled: ${HTTP_SSL}
        # clientauth_mode: REQUIRE
        clientauth_mode: OPTIONAL
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    authcz.admin_dn:
      - "CN=elastic ,OU=devops, C=COM"
```
kibana.yml
```
server.port: 5601
server.host: '0.0.0.0'
elasticsearch.url: 'http://elasticsearch:9200'
elasticsearch.username: "elastic"
elasticsearch.password: "changeme"
searchguard.cookie.password: "defaultcookie"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.requestHeadersWhitelist: [ "authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]
```

SG

Oct 31, 2017, 5:25:44 AM
to search...@googlegroups.com
Sorry, did not get you fully:
Do you mean a single pem file which contains the certificate and the key as well?
Currently this is not possible; you need to set pemtrustedcas_filepath, pemkey_filepath and pemcert_filepath.

In your example below, "searchguard.ssl.transport.pemtrustedcas_filepath" is missing.
And in kibana.yml you may want to use https://elasticsearch:9200 instead of http://elasticsearch:9200

Udit Verma

Oct 31, 2017, 5:57:12 AM
to Search Guard Community Forum

Yes I did add a key and cert separately,
```
searchguard:
    ssl.transport:
        pemkey_filepath: searchguard/ssl/elastic.key.
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
```

as a setting, still Elasticsearch wasn't able to start.
Do I need to add anything else..?

Jochen Kressin

Nov 1, 2017, 3:11:43 PM
to Search Guard Community Forum
As posted above, you need to set pemtrustedcas_filepath as well.
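A pre-start check for the point made in the replies above, as an added example that is not part of the thread or of Search Guard's own code: it reports which of the three PEM settings are missing from each SSL layer that is configured with PEM files. It assumes a simple nested-mapping `elasticsearch.yml` (the small parser ignores lists and comments), and `root-ca.pem` is a placeholder file name.

```python
import re

REQUIRED = ("pemkey_filepath", "pemcert_filepath", "pemtrustedcas_filepath")
LAYERS = ("searchguard.ssl.transport", "searchguard.ssl.http")

def flatten(text):
    """Flatten simple nested 'key: value' YAML mappings into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) of the mappings currently open
    for raw in text.splitlines():
        m = re.match(r"^( *)([^#\-\s][^:]*):\s*(.*)$", raw)
        if not m:
            continue  # blank line, comment or list item
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper indentation
        path = ".".join([k for _, k in stack] + [key])
        if value:
            flat[path] = value
        else:
            stack.append((indent, key))
    return flat

def missing_pem_settings(text):
    """Return the PEM settings missing from each layer that uses PEM files."""
    flat = flatten(text)
    missing = []
    for layer in LAYERS:
        present = [k for k in REQUIRED if f"{layer}.{k}" in flat]
        if present:  # layer is configured with PEM files, so all three are needed
            missing += [f"{layer}.{k}" for k in REQUIRED if k not in present]
    return missing

# Constructed sample: excerpt of the elasticsearch.yml from the first post.
POSTED = """\
searchguard:
    ssl.transport:
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
    ssl.http:
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
"""
# Same excerpt with a trusted-CA file added; "root-ca.pem" is a placeholder name.
TRUST = "        pemtrustedcas_filepath: searchguard/ssl/root-ca.pem\n"
FIXED = POSTED.replace("    ssl.http:", TRUST + "    ssl.http:") + TRUST

if __name__ == "__main__":
    print("posted:", missing_pem_settings(POSTED))
    print("fixed: ", missing_pem_settings(FIXED))
```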