On Wednesday, October 10, 2018 at 10:33:07 AM UTC-5, rud wrote:
Search Guard and Elasticsearch version 6.0
Installed and used enterprise modules, if any yes-ES 6.1 version
JVM version and operating system version centos 6.8
Search Guard configuration files
Elasticsearch log messages on debug level
Other installed Elasticsearch or Kibana plugins, if any yes-kibana
Hi Jochen,
My license is about to expire in a couple of days on Production and we are working on getting the renewed license. What would be the solution and procedure in case I receive my license keys after expiration?
Is it the same procedure to apply the renewed license before and after expiration? https://search-guard.com/faq/ says my cluster will still work.
Quick response would be appreciated.
Thanks
On Wednesday, September 12, 2018 at 9:30:50 PM UTC-5, rud wrote:
Can someone check this?
On Monday, September 10, 2018 at 5:02:57 PM UTC-5, rud wrote:
Another question (I am trying to understand NSS vs OpenSSL):
I got confused by reading the information on different websites; I would really appreciate it if you could share the information.
When I use curl with nssdb with certificates imported it uses (SSL_DIR=~/nss curl -vk --cert bdmsys:xxxx -XGET 'https://xxxxxxx/_cat/health')
###SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (more secure than TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
When I use curl with --cert ./bdmsys.cer --key ./bdmsysd.key (curl -vk --cert ./bdmsys.cer --key ./bdmsysd.key -XGET 'https://xxxxxx/_cat/health')
###SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
###User-Agent: curl/7.29.0
On Monday, September 10, 2018 at 3:44:57 PM UTC-5, rud wrote:
I got it. Thanks a Bunch.
Here, what is the difference, and where should we use both of them?
curl -vk --cert ./xxx.cer --key ./xxx.key -XGET 'https://xxxx1.bxxxm:xxx/_searchguard/api/configuration/config' (Here I don't see LDAP passwords in the configuration file)
/sgadmin.sh --diagnose -cacert xxxxx -cn xxxx -h xxx -p xxxx -cd ./sgconfig -cert xxxxx -key xxx -keypass xxx -r -nhnv (Here I see LDAP passwords in the configuration file)
On Tuesday, August 21, 2018 at 4:45:54 PM UTC-5, Jochen Kressin wrote:
You do not need to upload the license to all nodes. The license is stored in the Search Guard configuration index and is thus propagated to all nodes automatically.
On Tuesday, August 21, 2018 at 4:32:01 PM UTC-5, rud wrote:
Thank You, I can upload the license to individual hosts with sgadmin.sh.
Is there a way to apply the license at cluster level via sgadmin.sh?
On Tuesday, August 7, 2018 at 2:12:50 PM UTC-5, Jochen Kressin wrote:
You are using the wrong certificate for your curl call. You need to use an admin certificate, in your case this one here:
Since you used a node or client certificate you see this error message:
{"status":"FORBIDDEN","message":"No permission to access REST API: Role based access not enabled… SG admin permissions required but CN=bdsys,O=xxx,L=xxx,ST=xxx,C=US is not an admin"}
The internal Kibana server user is never used for anything other than the Kibana index maintenance. So it needs to be configured, but it’s not an account for direct use.
If you want to
On Monday, August 6, 2018 at 9:45:16 PM UTC+2, rud wrote:
Hi Jochen,
Thank You for the support. Here
1) Using the REST endpoint, I am trying to PUT the renewed license, as the license string is not visible in the sg_config.yml file.
PUT /_searchguard/api/license/
{
"sg_license":
}
Here I am using nss for SSL with curl | certificate database and imported certificates
SSL_DIR=~/nss curl -vk --cert bdsys --pass xxxx -sS -XGET 'https://xxxx:xxx/_searchguard/api/license/' (same for all the /_searchguard/api//)
{"status":"FORBIDDEN","message":"No permission to access REST API: Role based access not enabled… SG admin permissions required but CN=bdsys,O=xxx,L=xxx,ST=xxx,C=US is not an admin"}
How should I PUT the updated license with the REST endpoint with the admin certificate?
As I know, the "Kibana server user" is used for maintenance, managing the .kibana index.
We are not using any visualizations. When do I actually use the Kibana server user name for any operations in the process of SG license renewal?
Yes, it just updates the license. The Kibana config GUI uses the same endpoint under the hood.
On Wednesday, August 1, 2018 at 9:05:08 PM UTC+2, rud wrote:
Thank you, I can retrieve the license by connecting to any node in the cluster with the admin certificate, but we do not have the Search Guard configuration GUI for adding a license.
Does applying the new license with the REST API below leave the same existing access permissions?
PUT /_searchguard/api/license/
{
"sg_license":
}
We have the REST API only exposed to client nodes with "Cname",
kibana:
  multitenancy_enabled: true
  server_username: "db156"
On Wednesday, August 1, 2018 at 3:40:57 AM UTC-5, Jochen Kressin wrote:
-keypass /privdir/dbdm100/dbdmadmin.pass
Here you have to provide the actual password, not a file. If you are worried about having the password in the bash history you can also use the -prompt/--prompt-for-password switch which will turn on interactive mode.
On Wednesday, August 1, 2018 at 8:26:45 AM UTC+2, rud wrote:
I am trying to retrieve the current configuration with proper credentials. Am I missing something here?
01:20:20.597 [main] ERROR com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore - Your keystore or PEM does not contain a key. If you sepcified a key password try removing it. If you not sepcified a key password maybe you one because the key is password protected. Maybe you just confused keys and certificates.
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452)
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:105)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:103)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:128)
at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:251)
at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:823)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:403)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:120)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443)
… 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /privdir/dbdm100/dbdm-admin.key.pk8]; nested: IllegalArgumentException[File does not contain valid private key: /privdir/dbdm100/dbdm-admin.key.pk8]; nested: InvalidKeySpecException[Cannot retrieve the PKCS8EncodedKeySpec]; nested: BadPaddingException[Given final block not properly padded];
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:192)
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:182)
… 12 more
Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /privdir/dbdm100/dbdm-admin.key.pk8
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287)
… 15 more
Caused by: java.security.spec.InvalidKeySpecException: Cannot retrieve the PKCS8EncodedKeySpec
at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:255)
at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:965)
at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1013)
at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:993)
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)
… 18 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
at javax.crypto.Cipher.doFinal(Cipher.java:2165)
at javax.crypto.EncryptedPrivateKeyInfo.getKeySpec(EncryptedPrivateKeyInfo.java:250)
On Tuesday, July 31, 2018 at 9:40:43 AM UTC-5, Jochen Kressin wrote:
So if you don’t see the license in the config files I assume someone used Kibana or the REST API to upload it. The license you attached is definitely valid and active.
You can also use sgadmin with the -r/--retrieve switch to download the currently active configuration from the cluster. This will include the license string in sg_config.yml.
On Tuesday, July 31, 2018 at 3:32:21 PM UTC+2, Rudra wrote:
Yeah, Thanks.
I am trying to understand the current configuration and it will be renewed.
On Tuesday, July 31, 2018 at 4:28:55 AM UTC-5, Jochen Kressin wrote:
I do not fully understand. Your initial question was how to apply a Search Guard license which is described in the documentation link I posted. If you do not have a license yet you probably run Search Guard with the trial license. Or, someone has uploaded the license directly via the REST API or the Search Guard configuration GUI. In this case, the license will not show up in the sg_config.yml file of course.
The procedure is exactly the same, yes. Your production cluster will continue to work even if the current license has expired. You will see warning messages about the expired license in many places, but Search Guard will continue to function. We will never put a production system at risk just because a renewal process is taking slightly longer than expected!
On Thursday, October 11, 2018 at 6:32:52 PM UTC+2, rud wrote:
Can someone please respond?
Thank you. For how long will my cluster work with an expired license?
On Thursday, October 11, 2018 at 2:30:18 PM UTC-5, Jochen Kressin wrote:
The procedure is exactly the same, yes. Your production cluster will continue to work even if the current license has expired. You will see warning messages about the expired license in many places, but Search Guard will continue to function. We will never put a production system at risk just because a renewal process is taking slightly longer than expected!
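The -keypass failure earlier in this thread (a file path given where the password itself was expected, surfacing as BadPaddingException) can be checked before sgadmin.sh is run. The script below is an added example, not part of the thread or of Search Guard; it assumes openssl is installed and the key is PEM, and the function names and demo file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): test the value you are about to pass
# to sgadmin.sh -keypass against the encrypted PEM key, using only openssl.
# Function names and demo file names are hypothetical.

# key_is_encrypted KEYFILE
# True for an encrypted PKCS#8 PEM or a traditional encrypted PEM key.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# key_password_ok KEYFILE PASSWORD
# True if PASSWORD decrypts KEYFILE. The password is fed on stdin so it does
# not appear in the process list or as a command-line argument to openssl.
key_password_ok() {
    printf '%s\n' "$2" | openssl pkey -in "$1" -passin stdin -noout >/dev/null 2>&1
}

# diagnose_keypass KEYFILE VALUE
# VALUE is whatever was going to be passed to -keypass. Prints one of:
#   not-encrypted      the key has no password; drop -keypass
#   ok                 VALUE is the key password
#   path-not-password  VALUE names a file whose first line is the password
#   wrong-password     neither VALUE nor a file at VALUE decrypts the key
diagnose_keypass() {
    keyfile=$1
    value=$2
    if ! key_is_encrypted "$keyfile"; then
        echo not-encrypted
    elif key_password_ok "$keyfile" "$value"; then
        echo ok
    elif [ -f "$value" ] && key_password_ok "$keyfile" "$(head -n 1 "$value")"; then
        echo path-not-password
    else
        echo wrong-password
    fi
}

# make_demo_key DIR
# Constructed sample data: an RSA key, a password file, and the same key
# encrypted as PKCS#8 with that password.
make_demo_key() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/plain.key" 2>/dev/null
    printf '%s\n' 'demo-secret' > "$dir/admin.pass"
    openssl pkcs8 -topk8 -in "$dir/plain.key" -out "$dir/admin.key.pk8" \
        -passout "file:$dir/admin.pass"
}

# Stand-alone use: sh check_keypass.sh KEYFILE VALUE
if [ "$#" -eq 2 ]; then
    diagnose_keypass "$1" "$2"
fi
```

On OpenSSL 3.x a key encrypted with PBEWithMD5AndDES, the cipher visible in the trace in this thread, loads only with the legacy provider enabled, so a wrong-password result for such a key should be rechecked with `-provider legacy -provider default` added to the openssl call.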