Hi,
I am using Elasticsearch 6.3.0 with Search Guard 23.1 on Ubuntu 16.04.
I’m using the Java transport client to connect to Elasticsearch and can successfully connect passing only the certificates. There is no need to pass credentials like username and password.
This is the code:
```java
// Transport client settings: TLS on the transport layer, no username/password
Settings settings1 = Settings.builder()
        .put("path.home", "/")
        .put("searchguard.ssl.transport.enabled", true)
        .put("cluster.name", "searchguard_demo")
        .put("searchguard.ssl.transport.enforce_hostname_verification", "false")
        // Client certificate, its private key and the trusted root CA, all in PEM format
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/kirk.pem")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/kirk-key.pem")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/root-ca.pem")
        .build();
TransportClient client = new PreBuiltTransportClient(settings1, SearchGuardPlugin.class)
        .addTransportAddress(new TransportAddress(InetAddress.getByName("10.0.2.15"), 9300));
```
On the other hand, while using the high level REST Client, I have to pass credentials (username and password) along with certificates.
```java
String user = "admin";
String password = "admin";
String keystorePassword = "pass123";
// HTTP Basic credentials attached to the REST client
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));
// SSL context built from trust material only (no client key material is loaded here)
SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial(new File("/home/adgog/my_keystore.jks"), keystorePassword.toCharArray(), new TrustSelfSignedStrategy())
        .build();
RestHighLevelClient client1 = new RestHighLevelClient(
        RestClient.builder(new HttpHost("localhost", 9200, "https"))
                .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                        .setDefaultCredentialsProvider(credentialsProvider)
                        .setSSLContext(sslContext)));
```
Is there any way to connect using certificates only, similar to the transport client? Or is it necessary to pass username and password as well?