Certificate DN
45 views
Skip to first unread message
ihjaz Mohamed
Oct 14, 2017, 4:25:28 PM10/14/17
to Search Guard Community Forum
Hi,
I don't understand what is happening here.
I have my admin certificate DN configured as follows.
searchguard.authcz.admin_dn:
- CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=USWhen I try to initialize the SG, I get the following exception.
[2017-10-15T01:36:02,763][ERROR][c.f.s.t.SearchGuardRequestHandler] Error authentication transport user ElasticsearchSecurityException[java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: ExecutionException[java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: Exception[no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com];
org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:298) ~[search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:168) [search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) [search-guard-ssl-5.5.1-23.jar:5.5.1-23]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) [search-guard-5-5.5.1-16.jar:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) [transport-netty4-client-5.5.1.jar:5.5.1]
:
:
:
Caused by: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[?:?]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[?:?]
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:272) ~[?:?]
... 43 moreIf I change the admin DN configuration as below in the reverse order it works.
searchguard.authcz.admin_dn:
- C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.comI don't understand what is happening here.
If I fetch if from certificate I get in the order with CN at the beginning.
# openssl x509 -in admin_cert.pem -noout -subject
subject= /CN=vf-zr125-sm100.dr.avaya.com/O=Avaya/C=USThen why is SG expecting the DN in the reverse order.
Also in the page here, the example show the admin certificate DN starting with CN.
Then why is it not working for me.
ihjaz Mohamed
Oct 16, 2017, 4:56:47 AM10/16/17
to Search Guard Community Forum
Can someone here please help me with this.
I need to understand this SearchGuard behavior to get it up and running. Why is it not allowing the DN with CN first?
ihjaz Mohamed
Oct 26, 2017, 9:30:15 AM10/26/17
to Search Guard Community Forum
Hi All,
Still waiting for some help here.
SG
Nov 1, 2017, 4:35:32 PM11/1/17
to search...@googlegroups.com
https://www.google.de/search?q=%2Copenssl+reverse+order+dn&oq=%2Copenssl+reverse+order+dn
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f31ab63d-8708-4626-9f12-a1524f34a8a4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f31ab63d-8708-4626-9f12-a1524f34a8a4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages