Missing documentation for Client Certificate Validation


Abhinay Thurlapati

Feb 25, 2017, 10:28:04 PM
to Search Guard
Hi,
I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the "http_authenticator.type" as "clientcert". There it is mentioned to click on TLS Client Certification for further details. However, I could see that it is redirecting to the HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks
Abhinay.

SG

Feb 26, 2017, 5:43:49 AM
to search...@googlegroups.com
see https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_config.yml


clientcert_auth_domain:
  enabled: true
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn #optional, if omitted DN becomes username
    challenge: false
  authentication_backend:
    type: noop

(order matters if you like to combine it with other authenticators)
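
What the `username_attribute: cn` setting above means for the resulting username, as an added illustration (not part of the original post and not Search Guard's own code). The function names and the second sample DN are made up for the example, and returning None when the attribute is missing is a choice made here.

```python
import re

# DN taken from the thread, plus a constructed DN that differs only outside the CN.
SAMPLE_DN = "CN=spock,OU=client,O=client,L=Test,C=DE"
OTHER_DN = "CN=spock,OU=other,O=example,C=DE"  # constructed


def split_unescaped(text, sep):
    # Split on sep, but keep backslash-escaped characters (e.g. "\,") in place.
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf, i = buf + text[i:i + 2], i + 2
        elif text[i] == sep:
            parts.append(buf)
            buf, i = "", i + 1
        else:
            buf, i = buf + text[i], i + 1
    parts.append(buf)
    return parts


def unescape(value):
    # RFC 4514 escapes: backslash + two hex digits is one UTF-8 byte,
    # backslash + any other character is that character itself.
    out, i, value = bytearray(), 0, value.lstrip()
    while i < len(value):
        if value[i] == "\\" and re.fullmatch("[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode()
            i += 2
        else:
            out += value[i].encode()
            i += 1
    return out.decode("utf-8")


def username_from_dn(dn, username_attribute=None):
    # No attribute configured: the whole DN is the username.
    if not username_attribute:
        return dn
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            key, sep, value = ava.partition("=")
            if sep and key.strip().lower() == username_attribute.lower():
                return unescape(value)
    return None  # attribute absent; how to treat that is left to the caller
```

Both sample DNs give `spock`, so with `username_attribute: cn` anything keyed on the username cannot tell them apart. Which issuers are trusted is then what separates the two certificates.
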

abhinay

Feb 26, 2017, 10:28:47 AM
to search...@googlegroups.com
Thanks for the early response.
I followed this approach. I am trying to connect to Elasticsearch using the Python requests module. I am sending the client's signed certificate and the corresponding key generated using the example scripts provided by Elasticsearch.
However, I am receiving the response "Authentication finally failed". Going through the source code, I think it's not matching any of the authentication mechanisms.

How do I fix this issue? Also, I would like to define roles for the client certificate. In that case, in the internal users YAML file, what could be the password of the hash?

Thanks
Abhinay

Me He

Mar 2, 2017, 9:38:22 AM
to Search Guard
Hi Abhinay,

I ran into the same problem. Not sure if my findings will help you since I am struggling at another point right now.

When trying to set up es with searchguard all from scratch without using the bundle and example scripts, I stumbled over something interesting in elasticsearch.yml.example:

# This is optional
# Only needed when impersonation is used
# Allow DNs (distinguished names) to impersonate as other users
#searchguard.authcz.impersonation_dn:
#  "CN=spock,OU=client,O=client,L=Test,C=DE":
#    - worf
#  "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
#    - user2
#    - user1

# Auditlog configuration:

At first glance I was not able to find any lines like the above in the yml files provided with the bundles I used.

best,
Meike

Me He

Mar 2, 2017, 9:43:19 AM
to Search Guard
ah.. impersonation is something else...

but it seems searchguard is not able to validate the certificates


abhinay

Mar 2, 2017, 10:02:56 AM
to search...@googlegroups.com
Forgot to add one point. This Search Guard is behind Apache. Could it be the case that Apache is not forwarding the client certificate to Search Guard?

Thanks
Abhinay


Me He

Mar 6, 2017, 7:24:32 AM
to Search Guard, abhinayt...@gmail.com
Hi,

If it is behind Apache, the client certificate may not be forwarded, that is true. I have no idea how to check/fix that.

I got my test instance with the bundle finally working.
I tried the wrong certificate, as it seems, or did not copy truststore.jks around properly.

best,
Meike

