Connect to Elasticsearch w/Search Guard using REST API by only passing certificates?


Advait Gogate

Sep 27, 2018, 4:24:37 AM
to Search Guard Community Forum
Hi,

I am using Elasticsearch 6.3.0 with Search Guard 23.1 on Ubuntu 16.04.
I'm using the Java transport client to connect to Elasticsearch and can successfully connect passing only the certificates. There is no need to pass credentials like username and password.
This is the code:
Settings settings1 = Settings.builder()
        .put("path.home", "/")
        .put("searchguard.ssl.transport.enabled", true)
        .put("cluster.name", "searchguard_demo")
        .put("searchguard.ssl.transport.enforce_hostname_verification", "false")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/kirk.pem")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/kirk-key.pem")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/root-ca.pem")
        .build();

TransportClient client = new PreBuiltTransportClient(settings1, SearchGuardPlugin.class)
        .addTransportAddress(new TransportAddress(InetAddress.getByName("10.0.2.15"), 9300));


On the other hand, while using the high level REST Client I have to pass credentials (username and password) along with certificates.

String user = "admin";
String password = "admin";
String keystorePassword = "pass123";

CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));

SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial(new File("/home/adgog/my_keystore.jks"), keystorePassword.toCharArray(), new TrustSelfSignedStrategy())
        .build();

RestHighLevelClient client1 = new RestHighLevelClient(
        RestClient.builder(new HttpHost("localhost", 9200, "https"))
                .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                        .setDefaultCredentialsProvider(credentialsProvider)
                        .setSSLContext(sslContext)));


Is there any way to connect using certificates only, similar to the transport client? Or is it necessary to pass username and password as well?



Jochen Kressin

Sep 27, 2018, 6:15:33 AM
to Search Guard Community Forum
Yes, this is possible by using the client certificate authenticator:


This will pick up any client TLS certificate from the REST call. It will validate it against the configured root CA and use the DN of the certificate to assign SG roles.
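
An added example, not part of the original thread and not Search Guard's own code: a high level REST client that presents a client certificate and sends no username or password, then asks Search Guard which user and roles it derived from the certificate DN. It assumes the 6.3.x REST client from the question, a cluster where the client certificate authenticator is enabled and the HTTP layer requests client certificates (`searchguard.ssl.http.clientauth_mode`), and hypothetical keystore paths and environment variable names.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestHighLevelClient;

public class CertOnlyRestClient {

    // Read a secret from the environment so no password lives in source code.
    static char[] env(String name) {
        String value = System.getenv(name);
        if (value == null) throw new IllegalStateException(name + " is not set");
        return value.toCharArray();
    }

    // Key material = the certificate this client presents to the node.
    // Trust material = the CA(s) used to verify the node's certificate.
    // No TrustSelfSignedStrategy: only the configured CA is trusted.
    static SSLContext buildSslContext(File keystore, char[] keystorePass,
                                      File truststore, char[] truststorePass) throws Exception {
        return SSLContexts.custom()
                .loadKeyMaterial(keystore, keystorePass, keystorePass)
                .loadTrustMaterial(truststore, truststorePass)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and variable names; replace with your own.
        SSLContext sslContext = buildSslContext(
                new File("/path/to/client-keystore.jks"), env("KEYSTORE_PASSWORD"),
                new File("/path/to/truststore.jks"), env("TRUSTSTORE_PASSWORD"));

        // No CredentialsProvider is set: the TLS client certificate is the only credential.
        try (RestHighLevelClient client = new RestHighLevelClient(
                RestClient.builder(new HttpHost("localhost", 9200, "https"))
                        .setHttpClientConfigCallback(b -> b.setSSLContext(sslContext)))) {
            // Shows the user name and roles Search Guard resolved for this certificate.
            Response response = client.getLowLevelClient()
                    .performRequest("GET", "/_searchguard/authinfo");
            System.out.println(response.getStatusLine());
            System.out.println(EntityUtils.toString(response.getEntity()));
        }
    }
}
```

If the response shows an unexpected user or no roles, check the role mapping for the certificate's DN before granting the certificate wider use.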

Kasinaat Selvi Sukesh

Jan 25, 2019, 2:08:02 AM
to Search Guard Community Forum
Can I use .pem files instead of .jks files in the same way using highLevelRestClient?

SG

Feb 3, 2019, 11:17:51 AM
to search...@googlegroups.com
see https://gist.github.com/floragunncom/e1807599f0fa9c9338ffcb0ac45b27d1
