Basic SearchGuard 2 Install (Howto)

Hi Folks,

I am trying to install SG2 on a single node (Ubuntu 14.04) and having some difficulties. Here are the steps I went through:

1) tar -zxvf elasticsearch-2.2.0.tar.gz
2) cd elasticsearch-2.2.0
3) sudo bin/plugin install com.floragunn/search-guard-ssl/2.2.0.6
4) sudo bin/plugin install com.floragunn/search-guard-2/2.2.0.0-alpha2
5) chmod a+x plugins/search-guard-2/tools/sgadmin.sh
6) Open config/elasticsearch.yml and paste at the end:

security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
searchguard.authcz.impersonation_dn:
  "CN=spock,OU=client,O=client,L=Test,C=DE":
    - worf
  "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
    - user2
    - user1

7) Open a new terminal and launch ES
8) Back to original terminal run: plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/kirk-keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks -nhnv

After running this command, I get the below exceptions. The first is from the installation window where sgadmin was executed from. The second is the ES console.
I was trying to get the simplest deployment running with the keystores that are provided with the plugins.

What am I missing? Any feedback would be much welcome.
Max.

Connect to localhost:9300
[19:07:46,760][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.SearchGuardKeyStore - AES 256 not supported, max key length for AES is 128. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]
	at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
	at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
	at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
	at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:286)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:351)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:340)
	at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:840)
	at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:860)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:144)

2016-02-29 19:07:47,501][WARN ][transport.netty ] [Farallah] exception caught on transport layer [[id: 0xe5fc5915, /127.0.0.1:59581 => /127.0.0.1:9300]], closing connection
java.io.StreamCorruptedException: invalid internal transport message format, got (16,3,3,0)
	at org.elasticsearch.transport.netty.SizeHeaderFrameDecoder.decode(SizeHeaderFrameDecoder.java:64)
	at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
	at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
	at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
	at or

Hi Max,

First, make sure that the SSL part of SG is working correctly. In order to use strong encryption you need to either

- use OpenSSL
- install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files"

The easiest way is probably to install OpenSSL, given you are on Linux. The plugin should detect and use OpenSSL automatically. If you cannot use OpenSSL, you’ll need to download and install the JCE policy files.

We’re working on an updated version of the docs and should have them ready within the next week. It will also contain a quick start section!


--
Jochen Kressin
CTO
floragunn UG (haftungsbeschränkt)
Tempelhofer Ufer 16
10963 Berlin
+49 30 89379249

Managing Director: Claudia Kressin
Charlottenburg Local Court, HRB 147010
VAT ID: DE287373363

You have not configured SSL setup, so for example

searchguard.ssl.http.keystore_filepath:

is missing in elasticsearch.yml

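
Added example, not part of the original posts and not Search Guard code: the `got (16,3,3,0)` values in the node's log are the first bytes it received, and decoding them shows a TLS handshake arriving at a transport port that is still plaintext, which matches the missing `searchguard.ssl.*` settings pointed out above. It assumes the four values are printed in hex, as Elasticsearch 2.x does; the function names are hypothetical.

```python
import re

# Elasticsearch 2.x prints the first four bytes of a rejected transport frame in hex.
GOT_RE = re.compile(r"got \(([0-9a-f]{1,2}(?:,[0-9a-f]{1,2}){3})\)")
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HTTP_PREFIXES = (b"GET ", b"POST", b"PUT ", b"HEAD", b"DELE")

def classify_rejected_frame(log_line):
    """Return (kind, detail, version) for the bytes in a StreamCorruptedException line."""
    m = GOT_RE.search(log_line)
    if m is None:
        return None
    raw = bytes(int(x, 16) for x in m.group(1).split(","))
    # TLS record header: content type, major version, minor version, length...
    if raw[0] in TLS_TYPES and (raw[1], raw[2]) in TLS_VERSIONS:
        return ("tls", TLS_TYPES[raw[0]], TLS_VERSIONS[(raw[1], raw[2])])
    # An HTTP client pointed at the transport port is the other common mix-up.
    if raw in HTTP_PREFIXES:
        return ("http", raw.decode("ascii").strip(), None)
    return ("unknown", raw.hex(), None)

def has_ssl_settings(yml_text):
    """True if any uncommented key in elasticsearch.yml starts with searchguard.ssl."""
    return any(line.strip().startswith("searchguard.ssl.")
               for line in yml_text.splitlines())

def diagnose(log_line, yml_text):
    frame = classify_rejected_frame(log_line)
    if frame and frame[0] == "tls" and not has_ssl_settings(yml_text):
        return ("client sent a %s %s record, but the node has no searchguard.ssl.* "
                "settings and is listening in plaintext" % (frame[2], frame[1]))
    return "no TLS/plaintext mismatch detected"

# Sample input copied from the thread above (log line and start of the posted config).
SAMPLE_LOG = ("java.io.StreamCorruptedException: invalid internal transport "
              "message format, got (16,3,3,0)")
SAMPLE_YML = """security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
"""

if __name__ == "__main__":
    print(classify_rejected_frame(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG, SAMPLE_YML))
```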