Search Guard SSL for Elasticsearch 2.1 released


in...@search-guard.com

Dec 12, 2015, 2:59:24 PM
to Search Guard

Elasticsearch SSL for free.

Search Guard SSL is a free and open source plugin for Elasticsearch which provides SSL for Elasticsearch. It does not provide authentication and authorization. 

https://github.com/floragunncom/search-guard-ssl

Prerequisites:

  • Java 7 or 8 (recommended)
  • Elasticsearch 2.1.0

Praveen Herur

Jan 6, 2016, 6:01:38 PM
to Search Guard
Hi,
 This is very useful! Can you clarify if this is backward compatible with an earlier version of Elasticsearch (1.7x)?

Thanks!

SG

Jan 13, 2016, 4:01:47 PM
to search...@googlegroups.com
not backward compatible, but you can use https://github.com/floragunncom/search-guard/

ca...@cn.ibm.com

Feb 2, 2016, 5:15:12 AM
to Search Guard
Hello,

I'm configuring search-guard-ssl for elasticsearch 2.1 but encountered some problems. Below is my configuration and the log information when starting elasticsearch. Could you please tell me what's wrong with my configuration? Thanks a lot!

My configuration by referring to the wiki:
1. generate the root ca by "./gen_root_ca.sh capassword_use_a_strong_one truststorepassword"
2. sign CSR's with the newly generated root CA above
openssl ca \
    -in ca/signing-ca.csr \
    -notext \
    -out signed-csr.pem \
    -config etc/signing-ca.conf \
    -extensions v3_req \
    -batch \
    -passin pass:capassword_use_a_strong_one \
    -extensions server_ext
3. distribute the truststore.jks (generated in step 1) to all elasticsearch nodes (I have only one elasticsearch node, named "elasticsearch-129") and put it into the config dir.
4. Generate for each node a separate keystore.
#Generate a new key
keytool -genkey \
        -alias     NODE_NAME \
        -keystore  NODE_NAME-keystore.jks \
        -keyalg    RSA \
        -keysize   2048 \
        -validity  712 \
        -keypass mykspassword \
        -storepass mykspassword \
        -dname "CN=127.0.0.1, OU=department, O=company, L=localityName, C=US"

#Generate a CSR (Certificate signing request)
keytool -certreq \
        -alias      elasticsearch-129 \
        -keystore   elasticsearch-129-keystore.jks \
        -file       elasticsearch-129.csr \
        -keyalg     rsa \
        -keypass mykspassword \
        -storepass mykspassword \
        -dname "CN=127.0.0.1, OU=department, O=company, L=localityName, C=US"
5. sign CSR generated above with the root ca generated in step 1.
6. import the signed CSR together with the root certificate chain into the keystore
cat ca/chain-ca.pem elasticsearch-129.pem | keytool \
    -importcert \
    -keystore elasticsearch-129-keystore.jks \
    -storepass mykspassword \
    -noprompt \
    -alias elasticsearch-129
7. distribute the elasticsearch-129-keystore.jks to elasticsearch node and put it into the config dir.

Above is all my configuration. The following is the start log and I've highlighted the error message.

./bin/elasticsearch
[2016-02-02 16:53:33,146][WARN ][bootstrap] unable to install syscall filter: prctl(PR_GET_NO_NEW_PRIVS): Invalid argument
[2016-02-02 16:53:33,359][INFO ][node] [elasticsearch-129] version[2.1.0], pid[26946], build[72cd1f1/2015-11-18T22:40:03Z]
[2016-02-02 16:53:33,359][INFO ][node ] [elasticsearch-129] initializing ...
[2016-02-02 16:53:33,582][INFO ][plugins] [elasticsearch-129] loaded [search-guard-ssl], sites []
[2016-02-02 16:53:33,604][INFO ][env] [elasticsearch-129] using [1] data paths, mounts [[/home/work (/dev/sda3)]], net usable_space [82.3gb], net total_space [116.1gb], spins? [possibly], types [ext3]
[2016-02-02 16:53:33,659][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL not available because of java.lang.UnsatisfiedLinkError: netty-tcnative (Not found in java.library.path)
[2016-02-02 16:53:33,679][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:JDK
[2016-02-02 16:53:33,679][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportServerProvider:JDK
[2016-02-02 16:53:33,679][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslHTTPProvider:null
[2016-02-02 16:53:34,273][WARN ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] AES 256 not supported, max key length for AES is 128. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2016-02-02 16:53:34,273][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] isOpenSSL:false
[2016-02-02 16:53:34,273][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] isJDKSSL:true
[2016-02-02 16:53:34,626][INFO ][transport] [elasticsearch-129] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2016-02-02 16:53:36,168][INFO ][node] [elasticsearch-129] initialized
[2016-02-02 16:53:36,168][INFO ][node] [elasticsearch-129] starting ...
[2016-02-02 16:53:36,231][INFO ][transport] [elasticsearch-129] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2016-02-02 16:53:36,239][INFO ][discovery] [elasticsearch-129] elasticsearch/TjQJb5iiQkGZcwW9lCjPWA
[2016-02-02 16:53:36,271][WARN ][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [elasticsearch-129] exception caught on transport layer [[id: 0xf49f9829]], closing connection
java.lang.IllegalArgumentException: File does not contain valid certificates: /tmp/sg_609338662165226698.pem

        at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:135)
        at com.floragunn.searchguard.ssl.SearchGuardKeyStore.createClientTransportSSLEngine(SearchGuardKeyStore.java:305)
        at com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport$ClientSSLHandler.connectRequested(SearchGuardSSLNettyTransport.java:120)
        at org.jboss.netty.channel.SimpleChannelHandler.handleDownstream(SimpleChannelHandler.java:272)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendDownstream(DefaultChannelPipeline.java:591)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendDownstream(DefaultChannelPipeline.java:582)
        at org.jboss.netty.channel.Channels.connect(Channels.java:634)
        at org.jboss.netty.channel.AbstractChannel.connect(AbstractChannel.java:216)
        at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:229)
        at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
        at org.elasticsearch.transport.netty.NettyTransport.connectToChannelsLight(NettyTransport.java:913)
        at org.elasticsearch.transport.netty.NettyTransport.connectToNode(NettyTransport.java:880)
        at org.elasticsearch.transport.netty.NettyTransport.connectToNodeLight(NettyTransport.java:852)
        at org.elasticsearch.transport.TransportService.connectToNodeLight(TransportService.java:250)
        at org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing$3.run(UnicastZenPing.java:395)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.lang.Thread.run(Thread.java:785)
Caused by: java.security.cert.CertificateException: found no certificates: /tmp/sg_609338662165226698.pem
        at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:83)
        at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:967)
        at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:133)
        ... 17 more

I'm new with SSL configuration. Thank you for your help.
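
The "found no certificates" exception in the log above is raised while a PEM file is being read, so a useful pre-flight check on the files from steps 1 to 7 is whether each PEM really frames a certificate and whether a `keytool -list` listing shows the expected entry type. The following is an added example, not part of the original post or of the Search Guard project; the sample file names, the alias `sample-ca` and the base64 body are constructed, and the check looks at PEM framing only, not X.509 validity.

```shell
#!/bin/sh
# Added example: sanity checks for PEM files and keytool listings.
# All sample data below is constructed; the base64 body is not a real certificate.

# Count complete "BEGIN CERTIFICATE" blocks in a PEM file (framing only).
pem_cert_count() {
  awk '
    { sub(/\r$/, "") }                                  # tolerate CRLF line endings
    $0 == "-----BEGIN CERTIFICATE-----" { inblk = 1; body = 0; next }
    $0 == "-----END CERTIFICATE-----"   { if (inblk && body > 0) n++; inblk = 0; next }
    inblk && $0 ~ "^[A-Za-z0-9+/=]+$"   { body++ }
    END { print n + 0 }
  ' "$1"
}

# Count entries of one type ("trustedCertEntry" or "PrivateKeyEntry")
# in `keytool -list` output read from stdin.
store_entry_count() {
  grep -c ", $1," || true
}

# Write constructed sample files into directory $1.
make_samples() {
  body="Q09OU1RSVUNURUQgU0FNUExF"
  printf '%s\n' "-----BEGIN CERTIFICATE-----" "$body" "-----END CERTIFICATE-----" > "$1/ca.pem"
  cat "$1/ca.pem" "$1/ca.pem" > "$1/chain.pem"          # two-certificate chain
  printf '%s\n' "-----BEGIN CERTIFICATE REQUEST-----" "$body" \
                "-----END CERTIFICATE REQUEST-----" > "$1/node.csr"   # a CSR, not a certificate
  : > "$1/empty.pem"
  cat > "$1/truststore.list" <<'EOF'
Keystore type: JKS
Your keystore contains 1 entry

sample-ca, Feb 2, 2016, trustedCertEntry,
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in ca.pem chain.pem node.csr empty.pem; do
  echo "$f: $(pem_cert_count "$demo_dir/$f") certificate(s)"
done
echo "trusted entries: $(store_entry_count trustedCertEntry < "$demo_dir/truststore.list")"
rm -rf "$demo_dir"
```

Against real stores, pipe `keytool -list -keystore truststore.jks -storepass truststorepassword` into `store_entry_count trustedCertEntry`, and the node keystore listing into `store_entry_count PrivateKeyEntry`.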

in...@search-guard.com

Feb 2, 2016, 12:56:21 PM
to Search Guard
you can ignore all messages but not the last (java.lang.IllegalArgumentException: File does not contain valid certificates: /tmp/sg_609338662165226698.pem)

can you please post your elasticsearch.yml file?

Ping GP Cao

Feb 2, 2016, 8:12:12 PM
to search...@googlegroups.com
Hello,
 
Please find the elasticsearch.yml in attachment. I'm not sure if the configuration is wrong.
 
elasticsearch.yml

Ping GP Cao

Feb 2, 2016, 10:59:52 PM
to search...@googlegroups.com
Hi,
 
I didn't deploy elasticsearch in any Servlet container, but referring to the wiki, I added a tomcat native jar file into the search-guard-ssl folder since using openssl to generate certificate.
 
Do I need to deploy elasticsearch in any container in order to enable SSL? Thanks a lot for your help(^_^)
 
 