Running sgadmin.sh for first time


Ajay B

Jul 13, 2016, 4:32:56 PM
to Search Guard
Hi

I am trying to set up searchguard with ES 2.3.3. As per the documentation I am able to create the certificates with the provided example.sh script, but I am unable to execute sgadmin.sh. It gives me the following error (I tried with localhost for the IP and the icl option as well, without success):


 plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/node-0-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks  -nhnv
Connect to 10.236.133.186:9300
ERR: Cannot connect to elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{10.236.133.186}{10.236.133.186:9300}]]
        at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
        at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
....

Whereas the cluster is up and running:

root@node-0:/usr/local/elasticsearch# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "ESTEST-ANS",
  "status" : "green",
  "timed_out" : false,
...

I had modified the root-ca.conf and signing-ca.conf with my info as below:

0.domainComponent       = "dbplat.altus.bblabs.net"
organizationName        = "ESDBA."
organizationalUnitName  = "ESDBA. Root CA"
commonName              = "ESDBA. Root CA"

Executing the script example.sh with this info generated the required files, and I am using the highlighted files in the sgadmin command. Are these the correct files to use for sgadmin? If not, which script generates the files sgadmin needs for the initial admin user configuration? (I do not have a separate certificate to use.)


-rw-r--r-- 1 root root 1143 Jul 13 19:07 node-0.csr
-rw-r--r-- 1 root root 4319 Jul 13 19:07 node-0-keystore.jks
-rw-r--r-- 1 root root 5076 Jul 13 19:07 node-0-keystore.p12
-rw-r--r-- 1 root root 1436 Jul 13 19:07 node-0-signed.pem
...
-rw-r--r-- 1 root root 4254 Jul 13 19:07 spock-keystore.jks
-rw-r--r-- 1 root root 5002 Jul 13 19:07 spock-keystore.p12
-rw-r--r-- 1 root root 1346 Jul 13 19:07 spock-signed.pem
-rw-r--r-- 1 root root 1032 Jul 13 19:07 truststore.jks

Does the following entry in elasticsearch.yml file need to be made before ES startup and running sgadmin or after running sgadmin ?

searchguard.authcz.admin_dn:
  - cn=admin,ou=Test,ou=ou,dc=company,dc=com

With bundled download it executes properly, but from the scripts/files it is using, it is not clear at which step files needed to run sgadmin
were created as the files are already existing in bundled distribution and example.sh contents are not identical between bundled
release and separately downloaded scripts from master.zip from GIT.

Am I missing some step ?

Thanks in advance for clarification.

Ajay


SG

Jul 14, 2016, 3:44:07 PM
to search...@googlegroups.com
plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/<here the admin client cert needs to be used> -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

<here the admin client cert needs to be used>: this needs to be a certificate generated with "gen_client_node_cert.sh", and the DN must match the one configured in "searchguard.authcz.admin_dn"
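Added example (not part of the original posts and not Search Guard's own code): a check that the subject DN of the admin client certificate is listed under searchguard.authcz.admin_dn, as the reply above requires. The keytool output and its DN are constructed samples, the function names are hypothetical, and the comparison rule (whole DN, case-insensitive, surrounding spaces ignored) is an assumption.

```python
import re

KEY = "searchguard.authcz.admin_dn:"

def parse_dn(dn):
    """Split a DN on unescaped commas into normalized (type, value) pairs."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    # Assumption: types and values compare case-insensitively, spaces trimmed.
    return [tuple(p.strip().lower() for p in r.partition("=")[::2]) for r in rdns]

def admin_dns(yml_text):
    """List entries under searchguard.authcz.admin_dn (flat YAML list only)."""
    dns, in_block = [], False
    for line in yml_text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if line.startswith(KEY):
            in_block = True
        elif in_block and item.startswith("- "):
            dns.append(item[2:].strip().strip("\"'"))
        else:
            in_block = False
    return dns

def owner_dn(keytool_output):
    """Extract the subject DN from `keytool -list -v` output ("Owner:" line)."""
    m = re.search(r"^Owner:\s*(.+)$", keytool_output, re.M)
    return m.group(1).strip() if m else None

def is_admin(keytool_output, yml_text):
    """True if the keystore's subject DN equals one configured admin DN."""
    owner = owner_dn(keytool_output)
    return owner is not None and any(
        parse_dn(owner) == parse_dn(dn) for dn in admin_dns(yml_text))

# Constructed sample: the subject DN below is invented for illustration.
SAMPLE_KEYTOOL = "Alias name: esdba\nOwner: CN=ESDBA, OU=client, O=client, L=Test, C=DE\n"
THREAD_YML = "searchguard.authcz.admin_dn:\n  - CN=ESDBA\n"  # entry as posted
FULL_YML = "searchguard.authcz.admin_dn:\n  - cn=esdba,ou=client,o=client,l=test,c=de\n"

if __name__ == "__main__":
    print(is_admin(SAMPLE_KEYTOOL, THREAD_YML), is_admin(SAMPLE_KEYTOOL, FULL_YML))
```

To run it against a real keystore, pass the text printed by `keytool -list -v -keystore <keystore>` and the contents of elasticsearch.yml to `is_admin`.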

Ajay B

Jul 15, 2016, 2:17:34 PM
to Search Guard
Now I get error listed at the end of this mail:

Here are my steps to generate certs:
./gen_root_ca.sh  "capass" "changeit"
./gen_node_cert.sh 0  changeit "capass"
./gen_client_node_cert.sh  ESDBA  changeit capass

Generated files copied to sgconfig directory, contents are:

elasticsearch.yml.example
ESDBA-keystore.jks
sg_action_groups.yml
sg_config.yml
sg_internal_users.yml
sg_roles_mapping.yml
sg_roles.yml
truststore.jks

Root and signing conf file entries as follows:
[ ca_dn ]

0.domainComponent       = "dbplat.altus.bblabs.net"
organizationName        = "ESDBA."

Elasticsearch.yml has the entry:
searchguard.authcz.admin_dn:
  - CN=ESDBA



Executing command like below produces this error:

 plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -cn ESDBA -h 10.236.133.186 -ks plugins/search-guard-2/sgconfig/ESDBA-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks  -nhnv
Connect to 10.236.133.186:9300
[18:05:53,054][ERROR] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Hermes] SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)

Any incorrect or incomplete entry ?

Thanks




Clifford

Jul 21, 2016, 4:49:19 AM
to Search Guard
I also failed many times. At last I input almost all of the params (indispensably kspass and tspass), and it worked.

On Saturday, July 16, 2016 at 2:17:34 AM UTC+8, Ajay B wrote: