Basic understanding of "SSL Only Mode"

Dear all,

I would like to get a basic understanding for the new “SSL Only Mode”.

Regarding the configuration steps is it still necessary to “initialize” Search Guard via sgadmin when TLS and “SSL Only Mode” configuration is in place?

Would the following procedure be enough?

  1. Disable shard allocation
  2. Stop all nodes
  3. Install the Search Guard plugin on all nodes
  4. Generate certificates
  5. Add the TLS and “SSL Only Mode” configuration to elasticsearch.yml
  6. Restart Elasticsearch
  7. Enable shard allocation
  8. Done?

Thanks in advance and kind regards,

Daniel

According to https://docs.search-guard.com/latest/search-guard-oem-ssl-only#ssl-only-mode sgadmin is not relevant if the "ssl only mode" is enabled.

Regarding your prodecure: What is the initial state of the cluster? No SG or Full SG installed?

···

Am 15.12.2018 um 11:31 schrieb ppan887@gmail.com:

Dear all,

I would like to get a basic understanding for the new "SSL Only Mode".

Regarding the configuration steps is it still necessary to "initialize" Search Guard via sgadmin when TLS and "SSL Only Mode" configuration is in place?

Would the following procedure be enough?
1. Disable shard allocation
2. Stop all nodes
3. Install the Search Guard plugin on all nodes
4. Generate certificates
5. Add the TLS and "SSL Only Mode" configuration to elasticsearch.yml
6. Restart Elasticsearch
7. Enable shard allocation
8. Done?

Thanks in advance and kind regards,
Daniel

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/a3c8f7a7-a51e-4775-839a-f9ed57d398cc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Currently SG is fully installed and initialized. Might this lead to problems when I try enabling "SSL Only Mode"?

what is your use case? why do you want to "downgrade"?

···

Am 15.12.2018 um 17:31 schrieb ppan887@gmail.com:

Currently SG is fully installed and initialized. Might this lead to problems when I try enabling "SSL Only Mode"?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/62623b77-cb06-4d41-929c-373d695be9e1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I’m pretty new to the ELK stack and it’s just an idea right now to keep the Elasticsearch backend and configuration as lean as possible and to simplify troubleshooting. Our frontend by the way is a Graylog cluster for centralized log management. At the same time I want to avoid MITM attacks and therefore use transport encryption. The actual access control should be secured by let’s say iptables.

Would there be a searchguard index if “SSL Only Mode” is enabled or asked differently could I simply delete the searchguard index after enabling?

···

Am Samstag, 15. Dezember 2018 18:07:40 UTC+1 schrieb Search Guard:

what is your use case? why do you want to “downgrade”?

Am 15.12.2018 um 17:31 schrieb ppa...@gmail.com:

Currently SG is fully installed and initialized. Might this lead to problems when I try enabling “SSL Only Mode”?


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/62623b77-cb06-4d41-929c-373d695be9e1%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

There is no searchguard index in SSL only mode and after enabling it you should really delete it.

···

Am 16.12.2018 um 08:05 schrieb ppan887@gmail.com:

I'm pretty new to the ELK stack and it's just an idea right now to keep the Elasticsearch backend and configuration as lean as possible and to simplify troubleshooting. Our frontend by the way is a Graylog cluster for centralized log management. At the same time I want to avoid MITM attacks and therefore use transport encryption. The actual access control should be secured by let's say iptables.

Would there be a searchguard index if "SSL Only Mode" is enabled or asked differently could I simply delete the searchguard index after enabling?

Am Samstag, 15. Dezember 2018 18:07:40 UTC+1 schrieb Search Guard:
what is your use case? why do you want to "downgrade"?

> Am 15.12.2018 um 17:31 schrieb ppa...@gmail.com:
>
> Currently SG is fully installed and initialized. Might this lead to problems when I try enabling "SSL Only Mode"?
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/62623b77-cb06-4d41-929c-373d695be9e1%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/fedc30a7-500a-4108-b2b3-0238f3bd786b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks for your feedback. I have successfully “downgraded” today and also deleted the searchguard index.

···

Am Montag, 17. Dezember 2018 07:46:13 UTC+1 schrieb Search Guard:

There is no searchguard index in SSL only mode and after enabling it you should really delete it.

Am 16.12.2018 um 08:05 schrieb ppa...@gmail.com:

I’m pretty new to the ELK stack and it’s just an idea right now to keep the Elasticsearch backend and configuration as lean as possible and to simplify troubleshooting. Our frontend by the way is a Graylog cluster for centralized log management. At the same time I want to avoid MITM attacks and therefore use transport encryption. The actual access control should be secured by let’s say iptables.

Would there be a searchguard index if “SSL Only Mode” is enabled or asked differently could I simply delete the searchguard index after enabling?

Am Samstag, 15. Dezember 2018 18:07:40 UTC+1 schrieb Search Guard:

what is your use case? why do you want to “downgrade”?

Am 15.12.2018 um 17:31 schrieb ppa...@gmail.com:

Currently SG is fully installed and initialized. Might this lead to problems when I try enabling “SSL Only Mode”?


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/62623b77-cb06-4d41-929c-373d695be9e1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/fedc30a7-500a-4108-b2b3-0238f3bd786b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.