tools/sgadmin.sh - Error "no valid cipher suites for transport protocol"

Eliran Boraks

Feb 17, 2017, 3:10:55 PM
to Search Guard
I am trying to set up sgadmin, following this article: https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md

When running the sgadmin tool I am getting the following. I do have the Java Cryptography Extension installed.

$ ./sgadmin.sh -ts truststore.jks -tspass changeit -ks kirk-keystore.jks -kspass changeit -cd ../sgconfig -icl -nhnv
Will connect to localhost:9300 ... done
ERR: An unexpected ElasticsearchSecurityException occured: no valid cipher suites for transport protocol
Trace:
ElasticsearchSecurityException[no valid cipher suites for transport protocol]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:155)
at com.floragunn.searchguard.ssl.SearchGuardSSLModule.<init>(SearchGuardSSLModule.java:40)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.nodeModules(SearchGuardSSLPlugin.java:128)
at org.elasticsearch.plugins.PluginsService.nodeModules(PluginsService.java:263)
at org.elasticsearch.client.transport.TransportClient$Builder.build(TransportClient.java:141)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:315)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:101)


Here is the system setup:
ls -l /elasticsearch-2.4.3/plugins/search-guard-2/tools
-rw-rw-r--. 1  214 Feb  3 12:50 hash.bat
-rw-rw-r--. 1  197 Feb  3 12:50 hash.sh
-rw-rw-r--. 1 4423 Feb 17 12:56 kirk-keystore.jks
-rw-rw-r--. 1 222 Feb  3 12:50 sgadmin.bat
-rwxrwxrwx. 1 218 Feb  3 12:50 sgadmin.sh
-rw-rw-r--. 1 1096 Feb 17 12:56 truststore.jks

$ java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr4-20170127_01(SR4))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170117_333500 (JIT enabled, AOT enabled)
J9VM - R28_20170117_0200_B333500
JIT  - tr.r14.java.green_20170115_130932
GC   - R28_20170117_0200_B333500_CMPRSS
J9CL - 20170117_333500)
JCL - 20170125_01 based on Oracle jdk8u121-b13

elasticsearch.yml:
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.authcz.admin_dn: CN=kirk,OU=client,O=client,L=test, C=DE
"elasticsearch.yml" 135L, 4552C

Output of ES:
[2017-02-17 19:56:02,420][INFO ][node                     ] [Nekra] version[2.4.3], pid[1430], build[d38a34e/2016-12-07T16:28:56Z]
[2017-02-17 19:56:02,421][INFO ][node                     ] [Nekra] initializing ...
[2017-02-17 19:56:03,226][INFO ][com.floragunn.searchguard.ssl.SearchGuardSSLPlugin] Search Guard 2 plugin also available
[2017-02-17 19:56:03,245][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Clustername: elasticsearch
[2017-02-17 19:56:03,245][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Node [null] is a transportClient: false/tribeNode: false/tribeNodeClient: false
[2017-02-17 19:56:03,246][INFO ][plugins                  ] [Nekra] modules [reindex, lang-expression, lang-groovy], plugins [search-guard-ssl, search-guard-2], sites []
[2017-02-17 19:56:03,278][INFO ][env                      ] [Nekra] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [5.6gb], net total_space [9.9gb], spins? [unknown], types [rootfs]
[2017-02-17 19:56:03,278][INFO ][env                      ] [Nekra] heap size [1.9gb], compressed ordinary object pointers [true]
[2017-02-17 19:56:03,278][WARN ][env                      ] [Nekra] max file descriptors [4096] for elasticsearch process likely too low, consider increasing to at least [65536]
[2017-02-17 19:56:03,335][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
[2017-02-17 19:56:03,780][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] Config directory is /opt/elastic/ElasticSearch/elasticsearch-2.4.3/config/, from there the key- and truststore files are resolved relatively
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers []
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-02-17 19:56:03,826][INFO ][com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-02-17 19:56:04,137][INFO ][com.floragunn.searchguard.configuration.ConfigurationModule] FLS/DLS valve not bound (noop)
[2017-02-17 19:56:04,139][INFO ][com.floragunn.searchguard.auditlog.AuditLogModule] Auditlog not available
[2017-02-17 19:56:04,304][INFO ][transport                ] [Nekra] Using [com.floragunn.searchguard.transport.SearchGuardTransportService] as transport service, overridden by [search-guard2]
[2017-02-17 19:56:04,304][INFO ][transport                ] [Nekra] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2017-02-17 19:56:07,110][INFO ][node                     ] [Nekra] initialized
[2017-02-17 19:56:07,110][INFO ][node                     ] [Nekra] starting ...
[2017-02-17 19:56:07,292][INFO ][com.floragunn.searchguard.transport.SearchGuardTransportService] [Nekra] publish_address {10.240.0.24:9300}, bound_addresses {[::]:9300}
[2017-02-17 19:56:07,296][INFO ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Nekra] Check if searchguard index exists ...
[2017-02-17 19:56:07,302][DEBUG][action.admin.indices.exists.indices] [Nekra] no known master node, scheduling a retry
[2017-02-17 19:56:07,308][INFO ][discovery                ] [Nekra] elasticsearch/pRteXY99TWyxyGZtUAkBJQ
[2017-02-17 19:56:10,444][INFO ][cluster.service          ] [Nekra] new_master {Nekra}{pRteXY99TWyxyGZtUAkBJQ}{10.240.0.24}{10.240.0.24:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2017-02-17 19:56:10,508][INFO ][http                     ] [Nekra] publish_address {10.240.0.24:9200}, bound_addresses {[::]:9200}
[2017-02-17 19:56:10,508][INFO ][node                     ] [Nekra] started
[2017-02-17 19:56:10,527][INFO ][gateway                  ] [Nekra] recovered [0] indices into cluster_state
[2017-02-17 19:56:10,528][INFO ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Nekra] searchguard index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster

Search Guard

Feb 19, 2017, 11:56:03 AM
to Search Guard
IBM J9 VM is not supported, pls. use OpenJDK or OracleJVM.
If you would like to run it anyway, try Search Guard v11 with Search Guard SSL v20; this might work, but no guarantee.

Eliran Boraks

Feb 20, 2017, 8:49:07 AM
to search...@googlegroups.com
That is interesting because I did download Oracle's Java and I set it to JAVA_HOME. I can't change the underlying Java since I don't have root.

Does that mean that 'sgadmin.sh' isn't using JAVA_HOME?

Eliran

SG

Feb 20, 2017, 8:52:39 AM
to search...@googlegroups.com
you can look into sgadmin.sh to see how it works

Eliran Boraks

Feb 20, 2017, 10:17:18 AM
to search...@googlegroups.com
I fixed it by adding the following: 

$JAVA_HOME/bin/java

Thanks

SG

Feb 20, 2017, 11:01:27 AM
to search...@googlegroups.com
thx, also fixed in master: https://github.com/floragunncom/search-guard/commit/a776ab93d6a18afcf0c5c73afddb51177c2f2125
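
The fix discussed in this thread, as an added example that is not Search Guard's sgadmin.sh or the linked commit: a launcher helper that prefers `$JAVA_HOME/bin/java` over whichever `java` is first on PATH and refuses to continue on IBM J9. The function names `resolve_java`, `is_ibm_j9` and `check_jvm` are hypothetical.

```shell
#!/bin/sh
# Added example (not Search Guard's own script): choose the JVM explicitly
# instead of relying on whichever `java` happens to be first on PATH.

# Print the java binary a launcher should use.
# Prefers $JAVA_HOME/bin/java, falls back to PATH, returns 1 if neither exists.
resolve_java() {
    if [ -n "${JAVA_HOME:-}" ] && [ -x "$JAVA_HOME/bin/java" ]; then
        printf '%s\n' "$JAVA_HOME/bin/java"
        return 0
    fi
    if command -v java >/dev/null 2>&1; then
        command -v java
        return 0
    fi
    return 1
}

# Return 0 when `java -version` text (passed as $1) identifies IBM J9,
# the JVM the thread reports as unsupported.
is_ibm_j9() {
    case "$1" in
        *"IBM J9 VM"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the JVM, reject IBM J9, and print the binary to exec.
# Exit codes (chosen for this example): 2 = no java found, 3 = IBM J9.
check_jvm() {
    java_bin=$(resolve_java) || { echo "no java found" >&2; return 2; }
    # `java -version` writes to stderr, so capture both streams.
    version_text=$("$java_bin" -version 2>&1)
    if is_ibm_j9 "$version_text"; then
        echo "unsupported JVM at $java_bin (IBM J9)" >&2
        return 3
    fi
    printf '%s\n' "$java_bin"
}

# Usage inside a launcher script:
#   JAVA_BIN=$(check_jvm) || exit $?
#   exec "$JAVA_BIN" "$@"
```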