Connect to Elasticsearch w/Search Guard using REST API by only passing certificates?

Search Guard
1

Hi,

I am using Elasticsearch 6.3.0 with Search Guard 23.1 on Ubuntu 16.04.

I’m using the Java transport client to connect to Elasticsearch and can successfully connect passing only the certificates. There is no need to pass credentials like username and password .

This is the code:

Settings settings1 = Settings.builder()
.put(“path.home”, “/”)
.put(“searchguard.ssl.transport.enabled”, true)
.put(“cluster.name”, “searchguard_demo”)
.put(“searchguard.ssl.transport.enforce_hostname_verification”, “false”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH,“/home/adgog/Documents/elasticsearch-6.3.0/config/kirk.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, “/home/adgog/Documents/elasticsearch-6.3.0/config/kirk-key.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, “/home/adgog/Documents/elasticsearch-6.3.0/config/root-ca.pem”)
.build();

TransportClient client = new PreBuiltTransportClient(settings1, SearchGuardPlugin.class)
.addTransportAddress(new TransportAddress(InetAddress.getByName(“10.0.2.15”), 9300));

``

On the other hand while using the high level REST Client I have to pass credentials (username and password ) along with certificates.

String user = “admin”;
String password = “admin”;
String keystorePassword= “pass123”;

CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(new File(“/home/adgog/my_keystore.jks”), keystorePassword.toCharArray(),
new TrustSelfSignedStrategy()).build();

RestHighLevelClient client1 = new RestHighLevelClient(RestClient.builder(new HttpHost(“localhost”, 9200, “https”)).setHttpClientConfigCallback(httpClientBuilder → httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext)));

``

Is there any way to connect using certificates only, similar to the transport client? Or is it necessary to pass username and password as well?

2

Yes, this is possible by using the client certificate authenticator:

This will pick up any client TLS certificate from the REST call. It will validate it against the configured root CA and use the DN of the certificate to assign SG roles.

···

On Thursday, September 27, 2018 at 10:24:37 AM UTC+2, Advait Gogate wrote:

Hi,

I am using Elasticsearch 6.3.0 with Search Guard 23.1 on Ubuntu 16.04.

I’m using the Java transport client to connect to Elasticsearch and can successfully connect passing only the certificates. There is no need to pass credentials like username and password .

This is the code:

Settings settings1 = Settings.builder()
.put(“path.home”, “/”)
.put(“searchguard.ssl.transport.enabled”, true)
.put(“cluster.name”, “searchguard_demo”)
.put(“searchguard.ssl.transport.enforce_hostname_verification”, “false”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH,“/home/adgog/Documents/elasticsearch-6.3.0/config/kirk.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, “/home/adgog/Documents/elasticsearch-6.3.0/config/kirk-key.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, “/home/adgog/Documents/elasticsearch-6.3.0/config/root-ca.pem”)
.build();

TransportClient client = new PreBuiltTransportClient(settings1, SearchGuardPlugin.class)
.addTransportAddress(new TransportAddress(InetAddress.getByName(“10.0.2.15”), 9300));

``

On the other hand while using the high level REST Client I have to pass credentials (username and password ) along with certificates.

String user = “admin”;
String password = “admin”;
String keystorePassword= “pass123”;

CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(new File(“/home/adgog/my_keystore.jks”), keystorePassword.toCharArray(),
new TrustSelfSignedStrategy()).build();

RestHighLevelClient client1 = new RestHighLevelClient(RestClient.builder(new HttpHost(“localhost”, 9200, “https”)).setHttpClientConfigCallback(httpClientBuilder → httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext)));

``

Is there any way to connect using certificates only, similar to the transport client? Or is it necessary to pass username and password as well?

3

Can I use .pem files instead of .jks files in the same way using highLevelRestClient?

···

On Thursday, September 27, 2018 at 1:54:37 PM UTC+5:30, Advait Gogate wrote:

Hi,

I am using Elasticsearch 6.3.0 with Search Guard 23.1 on Ubuntu 16.04.

I’m using the Java transport client to connect to Elasticsearch and can successfully connect passing only the certificates. There is no need to pass credentials like username and password .

This is the code:

Settings settings1 = Settings.builder()
.put(“path.home”, “/”)
.put(“searchguard.ssl.transport.enabled”, true)
.put(“cluster.name”, “searchguard_demo”)
.put(“searchguard.ssl.transport.enforce_hostname_verification”, “false”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH,“/home/adgog/Documents/elasticsearch-6.3.0/config/kirk.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, “/home/adgog/Documents/elasticsearch-6.3.0/config/kirk-key.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, “/home/adgog/Documents/elasticsearch-6.3.0/config/root-ca.pem”)
.build();

TransportClient client = new PreBuiltTransportClient(settings1, SearchGuardPlugin.class)
.addTransportAddress(new TransportAddress(InetAddress.getByName(“10.0.2.15”), 9300));

``

On the other hand while using the high level REST Client I have to pass credentials (username and password ) along with certificates.

String user = “admin”;
String password = “admin”;
String keystorePassword= “pass123”;

CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(new File(“/home/adgog/my_keystore.jks”), keystorePassword.toCharArray(),
new TrustSelfSignedStrategy()).build();

RestHighLevelClient client1 = new RestHighLevelClient(RestClient.builder(new HttpHost(“localhost”, 9200, “https”)).setHttpClientConfigCallback(httpClientBuilder → httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext)));

``

Is there any way to connect using certificates only, similar to the transport client? Or is it necessary to pass username and password as well?

4

see https://gist.github.com/floragunncom/e1807599f0fa9c9338ffcb0ac45b27d1

···

Am 25.01.2019 um 08:08 schrieb Kasinaat Selvi Sukesh <kasinaat007@gmail.com>:

Can I use .pem files instead of .jks files in the same way using highLevelRestClient?

On Thursday, September 27, 2018 at 1:54:37 PM UTC+5:30, Advait Gogate wrote:
Hi,

I am using Elasticsearch 6.3.0 with Search Guard 23.1 on Ubuntu 16.04.
I'm using the Java transport client to connect to Elasticsearch and can successfully connect passing only the certificates. There is no need to pass credentials like username and password .
This is the code:
Settings settings1 = Settings.builder()
            .put("path.home", "/")
            .put("searchguard.ssl.transport.enabled", true)
            .put("cluster.name", "searchguard_demo")
            .put("searchguard.ssl.transport.enforce_hostname_verification", "false")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH,"/home/adgog/Documents/elasticsearch-6.3.0/config/kirk.pem")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/kirk-key.pem")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/adgog/Documents/elasticsearch-6.3.0/config/root-ca.pem")
            .build();

TransportClient client = new PreBuiltTransportClient(settings1, SearchGuardPlugin.class)
          .addTransportAddress(new TransportAddress(InetAddress.getByName("10.0.2.15"), 9300));

On the other hand while using the high level REST Client I have to pass credentials (username and password ) along with certificates.

String user = "admin";
String password = "admin";
String keystorePassword= "pass123";

CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(new File("/home/adgog/my_keystore.jks"), keystorePassword.toCharArray(),
new TrustSelfSignedStrategy()).build();

RestHighLevelClient client1 = new RestHighLevelClient(RestClient.builder(new HttpHost("localhost", 9200, "https")).setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext)));

Is there any way to connect using certificates only, similar to the transport client? Or is it necessary to pass username and password as well?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d5caa5ad-5226-45e5-871e-03b9e1d78826%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.