JKS for Search Guard 6.3.0

Vasileios Kokkinos

Jun 26, 2018, 8:13:13 AM
to Search Guard Community Forum

I have installed Elasticsearch and Search Guard 6.3.0 (community edition) on my laptop that runs Ubuntu 14.04. For the Search Guard configuration I executed the demo installation script. I want to push some data to Elasticsearch from a Spring Boot application and I am facing some certificate problems.

 

Is there a way to create the JKS certificates (kirk.jks and truststore.jks) from the demo certificates provided with the demo installation script?

 

Thanks in advance,

Vasileios 

Jochen Kressin

Jun 27, 2018, 2:21:25 PM
to Search Guard Community Forum
Usually, PEM certificates are the preferred way to configure Search Guard since JKS is a proprietary format. What kinds of problems do you have that force you to use JKS over PEM?

You can use the keytool that ships with the JDK to import PEM to JKS. For an example you might want to refer to the sample PKI scripts that ship with Search Guard SSL:


We can also recommend the Keystore Explorer that comes with a GUI if you prefer that: http://keystore-explorer.org/
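
The keytool route mentioned in this reply, as an added example that is not part of the original thread or of the Search Guard scripts: the PEM certificate and key are packed into PKCS#12 with openssl, imported into a JKS keystore, and a truststore is built from the CA certificate. The file names kirk.pem, kirk-key.pem and root-ca.pem, the aliases and the STORE_PASS variable are assumptions; the password is read from the environment so it does not show up in the process list.

```shell
# Added example: build kirk.jks / truststore.jks from PEM files with openssl + keytool.
# Assumed inputs (not named in the thread): kirk.pem, kirk-key.pem, root-ca.pem.
# STORE_PASS must be exported by the caller; keytool wants at least 6 characters.

# pem_to_keystore CERT_PEM KEY_PEM CA_PEM ALIAS OUT_JKS
pem_to_keystore() {
  cert="$1"; key="$2"; ca="$3"; alias="$4"; out="$5"
  p12=$(mktemp) || return 1
  # Step 1: bundle certificate, private key and issuing CA into PKCS#12.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
    -name "$alias" -out "$p12" -passout env:STORE_PASS || { rm -f "$p12"; return 1; }
  # Step 2: convert PKCS#12 to JKS; the key password ends up equal to STORE_PASS.
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STORE_PASS \
    -destkeystore "$out" -deststoretype JKS -deststorepass:env STORE_PASS
  rc=$?
  rm -f "$p12"                 # the intermediate file contains the private key
  [ "$rc" -eq 0 ] && chmod 600 "$out"
}

# ca_to_truststore CA_PEM ALIAS OUT_JKS
ca_to_truststore() {
  # Certificates only, no private key: this is what the client trusts.
  keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
    -keystore "$3" -storetype JKS -storepass:env STORE_PASS
}

# entry_type JKS ALIAS -> prints PrivateKeyEntry or trustedCertEntry
entry_type() {
  keytool -list -keystore "$1" -storetype JKS -storepass:env STORE_PASS \
    -alias "$2" 2>/dev/null | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Usage with the assumed demo file names:
#   export STORE_PASS=changeit
#   pem_to_keystore kirk.pem kirk-key.pem root-ca.pem kirk kirk.jks
#   ca_to_truststore root-ca.pem root-ca truststore.jks
#   entry_type kirk.jks kirk            # expect PrivateKeyEntry
#   entry_type truststore.jks root-ca   # expect trustedCertEntry
```

A keystore that reports trustedCertEntry for the client alias has lost its private key and cannot be used for client authentication.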

Vasileios Kokkinos

Jun 28, 2018, 5:14:56 AM
to search...@googlegroups.com

Jochen, thank you for your reply,

 

Actually, I want to push some data to Elasticsearch from a Spring Boot application, using the TransportClient. After looking at https://search-guard.com/searchguard-elasicsearch-transport-clients/, I saw that I have to include the "absolute/path/to/keystore" and the "absolute/path/to/truststore", i.e. the JKS files are necessary.

 

In any case, I will take a look at the .sh file and the Keystore Explorer that you mention and hopefully I will create a valid JKS file from the demo certificates.

 

Once again thank you,

Vasileios

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d92a03bf-6959-44b1-963f-8aa78dcbfc50%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jochen Kressin

Jun 29, 2018, 4:42:56 AM
to Search Guard Community Forum
Oh, I see. The blog post is a bit old, it was written for SG2 and SG5 when JKS was the preferred way of configuration. But you can also use PEM certificates for the Transport Client. Instead of using these constants here for JKS:
  
  ...
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "<absolute/path/to/keystore>")
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "<absolute/path/to/truststore>")
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "<keystore_password>")
  .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "<truststore_password>")
  ...

You can just use their PEM counterparts:

SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH
SEARCHGUARD_SSL_TRANSPORT_PEMKEY_PASSWORD
SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH
SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH




Vasileios Kokkinos

Jun 29, 2018, 6:25:58 AM
to search...@googlegroups.com
Indeed that worked!

Thanks Jochen
