Certificate DN
瀏覽次數:45 次
跳到第一則未讀訊息
ihjaz Mohamed
2017年10月14日 下午4:25:282017/10/14
收件者:Search Guard Community Forum
Hi,
I don't understand what is happening here.
I have my admin certificate DN configured as follows.
searchguard.authcz.admin_dn:
- CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=USWhen I try to initialize the SG, I get the following exception.
[2017-10-15T01:36:02,763][ERROR][c.f.s.t.SearchGuardRequestHandler] Error authentication transport user ElasticsearchSecurityException[java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: ExecutionException[java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: Exception[no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com];
org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:298) ~[search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:168) [search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) [search-guard-ssl-5.5.1-23.jar:5.5.1-23]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) [search-guard-5-5.5.1-16.jar:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) [transport-netty4-client-5.5.1.jar:5.5.1]
:
:
:
Caused by: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[?:?]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[?:?]
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:272) ~[?:?]
... 43 moreIf I change the admin DN configuration as below in the reverse order it works.
searchguard.authcz.admin_dn:
- C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.comI don't understand what is happening here.
If I fetch if from certificate I get in the order with CN at the beginning.
# openssl x509 -in admin_cert.pem -noout -subject
subject= /CN=vf-zr125-sm100.dr.avaya.com/O=Avaya/C=USThen why is SG expecting the DN in the reverse order.
Also in the page here, the example show the admin certificate DN starting with CN.
Then why is it not working for me.
ihjaz Mohamed
2017年10月16日 凌晨4:56:472017/10/16
收件者:Search Guard Community Forum
Can someone here please help me with this.
I need to understand this SearchGuard behavior to get it up and running. Why is it not allowing the DN with CN first?
ihjaz Mohamed
2017年10月26日 上午9:30:152017/10/26
收件者:Search Guard Community Forum
Hi All,
Still waiting for some help here.
SG
2017年11月1日 下午4:35:322017/11/1
收件者:search...@googlegroups.com
https://www.google.de/search?q=%2Copenssl+reverse+order+dn&oq=%2Copenssl+reverse+order+dn
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f31ab63d-8708-4626-9f12-a1524f34a8a4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f31ab63d-8708-4626-9f12-a1524f34a8a4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
回覆所有人
回覆作者
轉寄
0 則新訊息