Certificate question

Hello everyone,

I have a question regarding the SSL certificates. A little background on my setup: one elasticsearch server with logstash. Logstash has beats inputs configured over SSL. So I already have client/server certificates. Can I somehow reuse these server certificates?

My question is when is this “oid” entry needed when configuring certificates for search guard. When I read the certificate section in search-guard-ssl-docs it's not there, but in search-guard-docs it is required for server certificate. This is what I don't understand. Isn’t there only one server certificate? Or are there two certificates, one for inter-node layer and one for external communication? Aha, maybe now I get it. I just needed to ask a question about it. :)

Do I really need to configure ssl on the elasticsearch cluster interfaces, since I only have one node? Should I do it nonetheless?

Thanks for your time and kind regards,

Uros

Hi,

Thanks for the hint regarding the docs, we’re trying to make things more clear in future. But basically, the docs are correct in the sense that if you just use Search Guard SSL (without Search Guard), you do not need the oid in the certificate. If you use Search Guard, the oid is mandatory to identify requests between nodes. BTW, the oid value will be configurable in future thanks to this community contribution: https://github.com/floragunncom/search-guard/pull/168

To give you some background: Search Guard basically checks for each incoming request if the request is allowed or not. If for example a user does not have privileges for a particular type of request, say deleting documents, the request is declined. These privilege checks are different for a regular user/client request, or for an “internal” request from a (trusted) node in the cluster. Thus, Search Guard needs to reliably identify if the request comes from a trusted node or not. This is what the oid is for. Plus, it also makes sure that you cannot simply join a cluster with a client certificate (without the oid).

Since Search Guard SSL doesn’t do privilege checks at all, but “only” TLS, the distinction between client- and server certs is not necessary here.

Depending on your setup, you can choose to run SG with one certificate for the transport layer, and one certificate for the REST layer. However, it’s also perfectly fine to use the same cert for both transport- and REST-layer.


On Wednesday, 13 July 2016 16:34:59 UTC+2, Uros Meglic wrote:

Hello everyone,

I have a question regarding the SSL certificates. A little background on my setup: one elasticsearch server with logstash. Logstash has beats inputs configured over SSL. So I already have client/server certificates. Can I somehow reuse these server certificates?

My question is when is this “oid” entry needed when configuring certificates for search guard. When I read the certificate section in search-guard-ssl-docs it's not there, but in search-guard-docs it is required for server certificate. This is what I don't understand. Isn’t there only one server certificate? Or are there two certificates, one for inter-node layer and one for external communication? Aha, maybe now I get it. I just needed to ask a question about it. :)

Do I really need to configure ssl on the elasticsearch cluster interfaces, since I only have one node? Should I do it nonetheless?

Thanks for your time and kind regards,

Uros

So what’s the gist of this? Do I need the following line in my elasticsearch.yml file, with SG+SSL and SG configured?

searchguard.cert.oid: '1.2.3.4.5.5'


On Wednesday, July 13, 2016 at 11:05:58 AM UTC-4, in...@search-guard.com wrote:

Hi,

Thanks for the hint regarding the docs, we’re trying to make things more clear in future. But basically, the docs are correct in the sense that if you just use Search Guard SSL (without Search Guard), you do not need the oid in the certificate. If you use Search Guard, the oid is mandatory to identify requests between nodes. BTW, the oid value will be configurable in future thanks to this community contribution: https://github.com/floragunncom/search-guard/pull/168

To give you some background: Search Guard basically checks for each incoming request if the request is allowed or not. If for example a user does not have privileges for a particular type of request, say deleting documents, the request is declined. These privilege checks are different for a regular user/client request, or for an “internal” request from a (trusted) node in the cluster. Thus, Search Guard needs to reliably identify if the request comes from a trusted node or not. This is what the oid is for. Plus, it also makes sure that you cannot simply join a cluster with a client certificate (without the oid).

Since Search Guard SSL doesn’t do privilege checks at all, but “only” TLS, the distinction between client- and server certs is not necessary here.

Depending on your setup, you can choose to run SG with one certificate for the transport layer, and one certificate for the REST layer. However, it’s also perfectly fine to use the same cert for both transport- and REST-layer.


No need to add this, because ‘1.2.3.4.5.5’ is the default value of this setting. Changing the OID value is only necessary in very specific scenarios, for example, when you already have an existing PKI infrastructure in place and cannot choose the settings of your certificates freely. The configuration key is listed in the docs under “Expert settings”, as well as ‘searchguard.config_index_name’. Usually, you can leave those settings alone.


On Thursday, 3 November 2016 23:42:21 UTC+2, ZillaYT wrote:

So what’s the gist of this? Do I need the following line in my elasticsearch.yml file, with SG+SSL and SG configured?

searchguard.cert.oid: '1.2.3.4.5.5'

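
What the oid distinction discussed in this thread looks like on the certificate side, as an added example that is not part of the original posts and is not Search Guard's own code. It assumes the OID is carried as a registeredID entry in the certificate's subjectAltName (the thread does not say where it goes), and the sample inputs are constructed extension blocks, not full certificates.

```python
SAN_OID = bytes.fromhex("551d11")   # 2.5.29.17, subjectAltName
NODE_OID = "1.2.3.4.5.5"            # default searchguard.cert.oid named in the thread

def tlvs(buf):                      # yield (tag, value) for each top-level DER element
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                # long-form length: low 7 bits = count of length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def decode_oid(b):
    vals, v = [], 0
    for byte in b:                  # base-128 arcs, high bit marks continuation
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            vals.append(v)
            v = 0
    first = min(vals[0] // 40, 2)   # first two arcs share the first value
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def san_registered_ids(der):        # registeredID OIDs from any subjectAltName in der
    found = []
    for tag, val in tlvs(der):
        if not tag & 0x20:          # primitive element, nothing nested
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and kids and kids[0] == (0x06, SAN_OID):
            names = next(tlvs(kids[-1][1]))[1]   # OCTET STRING -> GeneralNames
            found += [decode_oid(v) for t, v in tlvs(names) if t == 0x88]
        else:
            found += san_registered_ids(val)
    return found

def is_node_cert(der, oid=NODE_OID):
    return oid in san_registered_ids(der)

def _der(tag, *parts):              # builder for the constructed samples (lengths < 128)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_extensions(with_oid):    # constructed input; hostname is a placeholder
    rid = [_der(0x88, bytes.fromhex("2a03040505"))] if with_oid else []
    names = [_der(0x82, b"node1.example.com")] + rid
    san = _der(0x30, _der(0x06, SAN_OID), _der(0x04, _der(0x30, *names)))
    return _der(0xA3, _der(0x30, san))   # [3] Extensions, as in a v3 certificate
```

For a real certificate, pass its DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert()` from the Python standard library.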