Client Certificate configuration on search Guard

Search Guard
1

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: Search Guard: 6.2.4-13/Eleastic Search:elasticsearch-6.2.4

  • Installed and used enterprise modules, if any No

  • JVM version and operating system version: jdk1.8.0_66/Windows 2008

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Need help to configure Client Certificate on Windows 2008 server.

It is a standalone configuration with Elasticsearch, Kibana and Search Guard are on same box.

I have followed the documentation and configured Community Edition with Demo Certificate need help on how to configure a Go daddy certificate [DER] as Client Certificate

Please find the Eleastic.yml settings and help me with changes.

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.clientauth_mode: OPTIONAL

searchguard.ssl.transport.pemcert_filepath: xxx_2017.pem

security.manager.enabled: false

searchguard.nodes_dn:

  • ‘CN = *.xyz.com,O = xyz INC.,L = xxx,S = xxx,C = xx’

Regards

Raghuram

2

To add further

searchguard.ssl.transport.pemcert_filepath: xxx_2017.pem

I used Keytools to convert CER certificate to PEM however, I need help on theses errors

failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Caused by: org.elasticsearch.ElasticsearchException: Empty file path for searchguard.ssl.transport.pemkey_filepath

ElasticSearch.log (11.6 KB)

···

On Monday, July 16, 2018 at 4:42:38 PM UTC+5:30, Raghuram P wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: Search Guard: 6.2.4-13/Eleastic Search:elasticsearch-6.2.4
  • Installed and used enterprise modules, if any No
  • JVM version and operating system version: jdk1.8.0_66/Windows 2008
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Need help to configure Client Certificate on Windows 2008 server.

It is a standalone configuration with Elasticsearch, Kibana and Search Guard are on same box.

I have followed the documentation and configured Community Edition with Demo Certificate need help on how to configure a Go daddy certificate [DER] as Client Certificate

Please find the Eleastic.yml settings and help me with changes.

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.clientauth_mode: OPTIONAL

searchguard.ssl.transport.pemcert_filepath: xxx_2017.pem

security.manager.enabled: false

searchguard.nodes_dn:

  • ‘CN = *.xyz.com,O = xyz INC.,L = xxx,S = xxx,C = xx’

Regards

Raghuram

3

Your TLS confguration is incomplete. For transport and ssl you need:

  • trusted root CA

  • PEM certificate

  • PEM key

  • Optional: PEM key password, if key has a password.

In your transport configuration you are lacking:

searchguard.ssl.transport.pemkey_filepath

searchguard.ssl.transport.pemtrustedcas_filepath

as the error message implies. The https configuration is also incomplete. Have a look at the docs and at the config the demo installer produces:

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

``

This is the minimal configuration you need.

···

On Monday, July 16, 2018 at 2:07:57 PM UTC+2, Raghuram P wrote:

To add further

searchguard.ssl.transport.pemcert_filepath: xxx_2017.pem

I used Keytools to convert CER certificate to PEM however, I need help on theses errors

failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

Caused by: org.elasticsearch.ElasticsearchException: Empty file path for searchguard.ssl.transport.pemkey_filepath

On Monday, July 16, 2018 at 4:42:38 PM UTC+5:30, Raghuram P wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: Search Guard: 6.2.4-13/Eleastic Search:elasticsearch-6.2.4
  • Installed and used enterprise modules, if any No
  • JVM version and operating system version: jdk1.8.0_66/Windows 2008
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Need help to configure Client Certificate on Windows 2008 server.

It is a standalone configuration with Elasticsearch, Kibana and Search Guard are on same box.

I have followed the documentation and configured Community Edition with Demo Certificate need help on how to configure a Go daddy certificate [DER] as Client Certificate

Please find the Eleastic.yml settings and help me with changes.

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.clientauth_mode: OPTIONAL

searchguard.ssl.transport.pemcert_filepath: xxx_2017.pem

security.manager.enabled: false

searchguard.nodes_dn:

  • ‘CN = *.xyz.com,O = xyz INC.,L = xxx,S = xxx,C = xx’

Regards

Raghuram

4

In this case, we have Go daddy certificate and server certificate and server key. How can we generate the admin certificate and key?

5

Thats just another regular certificate. But make sure that the DN is distinguishable from your node certificates.

But in general we recommend to use self signed certificates for the transport protocol which is typically not exposed to the outside. For HTTPS you can easily use your go daddy certificates.