ELK Searchguard config issues

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip

elasticsearch.yml (4.3 KB)

···

While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

The error message is here:

Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

``

You are executing sgadmin_demo.sh but you changed the DNs of the certificates in elasticsearch.yml:

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

``

But you still use the demo certificates:

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

``

This, of course, will not work. What is it that you want to achieve?

···

On Saturday, July 28, 2018 at 11:39:53 AM UTC+2, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

···

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

···

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

···

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

···

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don’t want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:
  pemtrustedcas_filepath: /path/to/trusted_cas.pem

sg_config.yml (10.5 KB)

···

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

My point is our LDAP configuration do not use SSL/TLS. How can i disable it in elasticsearch.yml or at searchguard level.

···

On Thursday, 9 August 2018 04:10:55 UTC+1, harika gudumasu wrote:

Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don’t want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:
  pemtrustedcas_filepath: /path/to/trusted_cas.pem

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

You can find the connection settings for LDAP in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

If you do not want to use TLS for your LDAP connection then simply do not configure it.

···

On Friday, August 10, 2018 at 7:59:25 AM UTC+2, harika gudumasu wrote:

My point is our LDAP configuration do not use SSL/TLS. How can i disable it in elasticsearch.yml or at searchguard level.

On Thursday, 9 August 2018 04:10:55 UTC+1, harika gudumasu wrote:

Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don’t want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:
  pemtrustedcas_filepath: /path/to/trusted_cas.pem

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

···

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: MWBW_GMH_DEV

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: lonrs11800

node.master: true

node.data: true

Add custom attributes to the node:

node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data

Path to log files:

path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 11.195.97.46

network.bind_host: 11.195.97.46

transport.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is [“127.0.0.1”, “[::1]”]

discovery.zen.ping.unicast.hosts: [“lonrs11800”, “lonrs11819”]

Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

discovery.zen.minimum_master_nodes: 1

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

gateway.recover_after_nodes: 1

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

action.destructive_requires_name: true

cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.ssl.transport.enabled: false

######## End Search Guard Demo Configuration ########


when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

… 15 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:240) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

… 15 more

[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:240) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

On Friday, 10 August 2018 09:55:29 UTC+1, Jochen Kressin wrote:

You can find the connection settings for LDAP in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

If you do not want to use TLS for your LDAP connection then simply do not configure it.

On Friday, August 10, 2018 at 7:59:25 AM UTC+2, harika gudumasu wrote:

My point is our LDAP configuration do not use SSL/TLS. How can i disable it in elasticsearch.yml or at searchguard level.

On Thursday, 9 August 2018 04:10:55 UTC+1, harika gudumasu wrote:

Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don’t want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:
  pemtrustedcas_filepath: /path/to/trusted_cas.pem

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

So I’m still unsure about the question here. Let me try to rephrase: The only thing you want to do is to connect to your LDAP server without TLS, is this correct?

Like I wrote, in that case just do not enable LDAP TLS in sg_config.yml. This has nothing to do with any entry in elasticsearch.yml.

The error message you are seeing tells me that you tried to disable transport TLS (encryption for traffic between the nodes). This is not possible. Transport TLS is mandatory in Search Guard, and the config option you probably used is also not documented. So this line here:

searchguard.ssl.transport.enabled: false

``

needs to be removed.

···

On Monday, August 13, 2018 at 7:10:53 AM UTC+2, harika gudumasu wrote:

Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: MWBW_GMH_DEV

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: lonrs11800

node.master: true

node.data: true

Add custom attributes to the node:

node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data

Path to log files:

path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 11.195.97.46

network.bind_host: 11.195.97.46

transport.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is [“127.0.0.1”, “[::1]”]

discovery.zen.ping.unicast.hosts: [“lonrs11800”, “lonrs11819”]

Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

discovery.zen.minimum_master_nodes: 1

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

gateway.recover_after_nodes: 1

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

action.destructive_requires_name: true

cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.ssl.transport.enabled: false

######## End Search Guard Demo Configuration ########


when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

… 15 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:240) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

… 15 more

[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:240) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

On Friday, 10 August 2018 09:55:29 UTC+1, Jochen Kressin wrote:

You can find the connection settings for LDAP in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

If you do not want to use TLS for your LDAP connection then simply do not configure it.

On Friday, August 10, 2018 at 7:59:25 AM UTC+2, harika gudumasu wrote:

My point is our LDAP configuration do not use SSL/TLS. How can i disable it in elasticsearch.yml or at searchguard level.

On Thursday, 9 August 2018 04:10:55 UTC+1, harika gudumasu wrote:

Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don’t want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:
  pemtrustedcas_filepath: /path/to/trusted_cas.pem

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

Hi Jochen,

Sorry for not getting back to you.

Have few more questions.

Can i turn off both ssl and tls?

and configure only smtp with searchguard?

···

On Tuesday, 14 August 2018 20:26:11 UTC+1, Jochen Kressin wrote:

So I’m still unsure about the question here. Let me try to rephrase: The only thing you want to do is to connect to your LDAP server without TLS, is this correct?

Like I wrote, in that case just do not enable LDAP TLS in sg_config.yml. This has nothing to do with any entry in elasticsearch.yml.

The error message you are seeing tells me that you tried to disable transport TLS (encryption for traffic between the nodes). This is not possible. Transport TLS is mandatory in Search Guard, and the config option you probably used is also not documented. So this line here:

searchguard.ssl.transport.enabled: false

``

needs to be removed.

On Monday, August 13, 2018 at 7:10:53 AM UTC+2, harika gudumasu wrote:

Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: MWBW_GMH_DEV

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: lonrs11800

node.master: true

node.data: true

Add custom attributes to the node:

node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data

Path to log files:

path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 11.195.97.46

network.bind_host: 11.195.97.46

transport.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is [“127.0.0.1”, “[::1]”]

discovery.zen.ping.unicast.hosts: [“lonrs11800”, “lonrs11819”]

Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

discovery.zen.minimum_master_nodes: 1

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

gateway.recover_after_nodes: 1

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

action.destructive_requires_name: true

cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.ssl.transport.enabled: false

######## End Search Guard Demo Configuration ########


when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

… 15 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:240) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

… 15 more

[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:240) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]

at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]

… 6 more

On Friday, 10 August 2018 09:55:29 UTC+1, Jochen Kressin wrote:

You can find the connection settings for LDAP in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

If you do not want to use TLS for your LDAP connection then simply do not configure it.

On Friday, August 10, 2018 at 7:59:25 AM UTC+2, harika gudumasu wrote:

My point is our LDAP configuration do not use SSL/TLS. How can i disable it in elasticsearch.yml or at searchguard level.

On Thursday, 9 August 2018 04:10:55 UTC+1, harika gudumasu wrote:

Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don’t want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.pemtrustedcas_filepath: ...
searchguard.ssl.http.truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:
  pemtrustedcas_filepath: /path/to/trusted_cas.pem

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:

There are three chapters about LDAP integration in the docs:

Connecting to LDAP:

https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:

https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:

https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:

I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don’t have any certificates or TLS is not required for our project.

How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:

If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:

https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:

Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn’s and do not want to use “CN=kirk,OU=client,O=client,L=test,C=de”. Hence, i have updated below.

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem

searchguard.ssl.transport.pemkey_filepath: esnode-key.pem

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:

Hi Team,

Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip


While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one’s. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  • “CN=kirk,OU=client,O=client,L=test,C=de”

For internode communication (communication between nodes) you can not disable SSL/TLS. For the communication with your LDAP server TLS/SSL is not mandatory.
Regarding "and configure only smtp with searchguard?" i don't get this. SMTP (Simple Mail Transfer Protocol, which is for sending E-Mails) is not supported nor related to Search Guard.

···

Am 06.12.2018 um 11:45 schrieb harika gudumasu <harika.gudumasu@gmail.com>:

Hi Jochen,

Sorry for not getting back to you.

Have few more questions.

Can i turn off both ssl and tls?
and configure only smtp with searchguard?

On Tuesday, 14 August 2018 20:26:11 UTC+1, Jochen Kressin wrote:
So I'm still unsure about the question here. Let me try to rephrase: The only thing you want to do is to connect to your LDAP server without TLS, is this correct?

Like I wrote, in that case just do not enable LDAP TLS in sg_config.yml. This has nothing to do with any entry in elasticsearch.yml.

The error message you are seeing tells me that you tried to disable transport TLS (encryption for traffic between the nodes). This is not possible. Transport TLS is mandatory in Search Guard, and the config option you probably used is also not documented. So this line here:

searchguard.ssl.transport.enabled: false

needs to be removed.

On Monday, August 13, 2018 at 7:10:53 AM UTC+2, harika gudumasu wrote:
Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: MWBW_GMH_DEV
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: lonrs11800
node.master: true
node.data: true
#
# Add custom attributes to the node:
#
node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data
#
# Path to log files:
#
path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
bootstrap.system_call_filter: false
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 11.195.97.46
network.bind_host: 11.195.97.46
transport.host: localhost
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.zen.ping.unicast.hosts: ["lonrs11800", "lonrs11819"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
discovery.zen.minimum_master_nodes: 1
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
gateway.recover_after_nodes: 1
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
action.destructive_requires_name: true
cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net
searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net
searchguard.ssl.transport.enabled: false
######## End Search Guard Demo Configuration ########
----------------------------------------------------------------------------------------------------------------------

when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
        ... 15 more
Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to 'true'
        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
        ... 15 more
[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
        at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]
Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
        ... 6 more
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
        ... 6 more
Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to 'true'
        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
        ... 6 more

On Friday, 10 August 2018 09:55:29 UTC+1, Jochen Kressin wrote:
You can find the connection settings for LDAP in the docs:

Connecting to LDAP:
https://docs.search-guard.com/latest/active-directory-ldap-connection

If you do not want to use TLS for your LDAP connection then simply do not configure it.

On Friday, August 10, 2018 at 7:59:25 AM UTC+2, harika gudumasu wrote:
My point is our LDAP configuration do not use SSL/TLS. How can i disable it in elasticsearch.yml or at searchguard level.

On Thursday, 9 August 2018 04:10:55 UTC+1, harika gudumasu wrote:
Please find attached sgconfig.yml wherein i have provided all our ldap configuration level details.Coul dyou please verify it once. Now, i still have a doubt about tls certificates as don't want to use either ssl or tls.

How can i disable certificate validation the below part in the documentation section.

Certificate validation

By default Search Guard validates the TLS certificate of the LDAP server(s) against the Root CA configured in elasticsearch.yml, either as PEM certificate or a truststore:

searchguard.ssl.transport.
pemtrustedcas_filepath: ...
searchguard.ssl.http.
truststore_filepath: ...

If your server uses a certificate signed by a different CA, import this CA to your truststore or add it to your trusted CA file on each node.

You can also use a separate root CA in PEM format by setting one of the following configuration options:

config:

pemtrustedcas_filepath: /path/to/trusted_cas.pem

On Tuesday, 7 August 2018 20:14:55 UTC+1, Jochen Kressin wrote:
There are three chapters about LDAP integration in the docs:

Connecting to LDAP:
https://docs.search-guard.com/latest/active-directory-ldap-connection

LDAP authentication:
https://docs.search-guard.com/latest/active-directory-ldap-authentication

LDAP authorization:
https://docs.search-guard.com/latest/active-directory-ldap-authorisation

I think you should go through them, in this order, and configure LDAP accordingly.

On Tuesday, August 7, 2018 at 6:40:00 AM UTC+2, harika gudumasu wrote:
I have ELK up and running currently and i am able to see logs properly in Kibana. Now my requirement is to integrate it with LDAP. I have base DN and password for it.
I don't have any certificates or TLS is not required for our project.
How can i proceed further?

On Tuesday, 31 July 2018 10:36:22 UTC+1, Jochen Kressin wrote:
If you want to use your own certificates then you need to install and configure them. It is not sufficient to just change the DNs. You still have the demo certificates configure in elasticsearch.yml. You cannot remove the configuration but update it to use your own certificates. You need node certificates and at least one admin certificate.

TLS configuration:
https://docs.search-guard.com/latest/configuring-tls

Types of certificates.
https://docs.search-guard.com/latest/tls-in-production#types-of-certificates

On Tuesday, July 31, 2018 at 11:22:02 AM UTC+2, harika gudumasu wrote:
Hi Jochen,

Thanks for your reply. My intention is to use our own ldap dn's and do not want to use "CN=kirk,OU=client,O=client,L=test,C=de". Hence, i have updated below.
searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net
searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

Does that mean that i am not supposed to use demo certificates, can i remove all the below lines in my case?

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

On Saturday, 28 July 2018 10:39:53 UTC+1, harika gudumasu wrote:
Hi Team,
Please find the details as below:

ELK versions as below

drwxr-xr-x 9 bwadmind mwbwdev 4096 Apr 13 06:19 elasticsearch-6.2.2

drwxr-xr-x 7 bwadmind mwbwdev 4096 Apr 26 08:25 filebeat-6.2.2-linux-x86_64

drwxr-xr-x 13 bwadmind mwbwdev 4096 Jun 4 11:28 kibana-6.2.2-linux-x86_64

drwxr-xr-x 12 bwadmind mwbwdev 4096 Jun 2 00:38 logstash-6.2.2

Searchguard vesion and installable

https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-6/6.2.2-22.3/search-guard-6-6.2.2-22.3.zip
-------------------------------------------
While running sgadmin_demo.sh facing the below error. LDAP configuarions which i have provided it is not able to pick up. Instead it is taking the default one's. Could you please help.

(UAT) bwadmind@lonrs11800$ ./sgadmin_demo.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 ... done

Unable to check whether cluster is sane: Cannot authenticate null

Connected as CN=kirk,OU=client,O=client,L=test,C=de

ERR: CN=kirk,OU=client,O=client,L=test,C=de is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

  - "CN=kirk,OU=client,O=client,L=test,C=de"

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/93f01e71-f8a7-4c41-8c67-65d47b8f717a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi Jochen,

I have only one node.

Please find attached elasticsearch.yml file and sg_config.yml file. we don’t use any ldap cerficates but have our hosts,bind_dn etc which i have updated.

Still while trying to start elasticsearch facing below exceptions. Please help in getting them resolved.

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugi

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

Caused by: org.elasticsearch.ElasticsearchException: searchguard.ssl.transport.keystore_filepath or searchguard.ssl.transport.pemkey_filepath must be set if transport ssl is reqested.

elasticsearch.yml (3.29 KB)

sg_config.yml (2.44 KB)

···

On Thursday, 6 December 2018 12:20:58 UTC, Search Guard wrote:

For internode communication (communication between nodes) you can not disable SSL/TLS. For the communication with your LDAP server TLS/SSL is not mandatory.

Regarding “and configure only smtp with searchguard?” i don’t get this. SMTP (Simple Mail Transfer Protocol, which is for sending E-Mails) is not supported nor related to Search Guard.

Am 06.12.2018 um 11:45 schrieb harika gudumasu harika....@gmail.com:

Hi Jochen,

Sorry for not getting back to you.

Have few more questions.

Can i turn off both ssl and tls?

and configure only smtp with searchguard?

On Tuesday, 14 August 2018 20:26:11 UTC+1, Jochen Kressin wrote:

So I’m still unsure about the question here. Let me try to rephrase: The only thing you want to do is to connect to your LDAP server without TLS, is this correct?

Like I wrote, in that case just do not enable LDAP TLS in sg_config.yml. This has nothing to do with any entry in elasticsearch.yml.

The error message you are seeing tells me that you tried to disable transport TLS (encryption for traffic between the nodes). This is not possible. Transport TLS is mandatory in Search Guard, and the config option you probably used is also not documented. So this line here:

searchguard.ssl.transport.enabled: false

needs to be removed.

On Monday, August 13, 2018 at 7:10:53 AM UTC+2, harika gudumasu wrote:

Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: MWBW_GMH_DEV

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: lonrs11800

node.master: true

node.data: true

Add custom attributes to the node:

node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data

Path to log files:

path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 11.195.97.46

network.bind_host: 11.195.97.46

transport.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is [“127.0.0.1”, “[::1]”]

discovery.zen.ping.unicast.hosts: [“lonrs11800”, “lonrs11819”]

Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

discovery.zen.minimum_master_nodes: 1

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

gateway.recover_after_nodes: 1

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

action.destructive_requires_name: true

cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.ssl.transport.enabled: false

######## End Search Guard Demo Configuration ########


when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.reflect.InvocationTargetException

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 15 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 15 more

[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 6 more

Caused by: java.lang.reflect.InvocationTargetException

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

Even if you run only one node you have to configure the whole SSL/TLS stuff.

Thats because the node opens a port where transport clients (or other nodes) can connect to.

And maybe you want it for securing your http communication?

Luckily there are two things out there to make this easy:

https://search-guard.com/tls-certificate-generator/

Both tools generate certificates for you and a elasticsearch.yml snippet for copy and paste.

···

On Wednesday, 12 December 2018 06:26:51 UTC+1, harika gudumasu wrote:

Hi Jochen,

I have only one node.

Please find attached elasticsearch.yml file and sg_config.yml file. we don’t use any ldap cerficates but have our hosts,bind_dn etc which i have updated.

Still while trying to start elasticsearch facing below exceptions. Please help in getting them resolved.

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugi

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

Caused by: org.elasticsearch.ElasticsearchException: searchguard.ssl.transport.keystore_filepath or searchguard.ssl.transport.pemkey_filepath must be set if transport ssl is reqested.

On Thursday, 6 December 2018 12:20:58 UTC, Search Guard wrote:

For internode communication (communication between nodes) you can not disable SSL/TLS. For the communication with your LDAP server TLS/SSL is not mandatory.

Regarding “and configure only smtp with searchguard?” i don’t get this. SMTP (Simple Mail Transfer Protocol, which is for sending E-Mails) is not supported nor related to Search Guard.

Am 06.12.2018 um 11:45 schrieb harika gudumasu harika....@gmail.com:

Hi Jochen,

Sorry for not getting back to you.

Have few more questions.

Can i turn off both ssl and tls?

and configure only smtp with searchguard?

On Tuesday, 14 August 2018 20:26:11 UTC+1, Jochen Kressin wrote:

So I’m still unsure about the question here. Let me try to rephrase: The only thing you want to do is to connect to your LDAP server without TLS, is this correct?

Like I wrote, in that case just do not enable LDAP TLS in sg_config.yml. This has nothing to do with any entry in elasticsearch.yml.

The error message you are seeing tells me that you tried to disable transport TLS (encryption for traffic between the nodes). This is not possible. Transport TLS is mandatory in Search Guard, and the config option you probably used is also not documented. So this line here:

searchguard.ssl.transport.enabled: false

needs to be removed.

On Monday, August 13, 2018 at 7:10:53 AM UTC+2, harika gudumasu wrote:

Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: MWBW_GMH_DEV

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: lonrs11800

node.master: true

node.data: true

Add custom attributes to the node:

node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data

Path to log files:

path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 11.195.97.46

network.bind_host: 11.195.97.46

transport.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is [“127.0.0.1”, “[::1]”]

discovery.zen.ping.unicast.hosts: [“lonrs11800”, “lonrs11819”]

Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

discovery.zen.minimum_master_nodes: 1

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

gateway.recover_after_nodes: 1

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

action.destructive_requires_name: true

cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.ssl.transport.enabled: false

######## End Search Guard Demo Configuration ########


when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.reflect.InvocationTargetException

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 15 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 15 more

[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 6 more

Caused by: java.lang.reflect.InvocationTargetException

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.

I have configured tls certificates now and added the lines from elasticsearch.yml snippet file to my config file. Could you please check if my properties file looks fine.

Elasticsearch plugin descriptor file

This file must exist as ‘plugin-descriptor.properties’ inside a plugin.

···

example plugin for “foo”

foo.zip <-- zip file for the plugin, with this structure:

|____ .jar <-- classes, resources, dependencies

|____ .jar <-- any number of jars

|____ plugin-descriptor.properties <-- example contents below:

classname=foo.bar.BazPlugin

description=My cool plugin

version=6.0

elasticsearch.version=6.2.2

java.version=1.8

mandatory elements for all plugins:

‘description’: simple summary of the plugin

description=searchguard_plugin

‘version’: plugin’s version

version=6.2.2

‘name’: the plugin name

name=search-guard-6

‘java.version’: version of java the code is built against

use the system property java.specification.version

version string must be a sequence of nonnegative decimal integers

separated by “.”'s and may have leading zeros

java.version=1.8

‘classname’: the name of the class to load, fully-qualified.

classname=com.floragunn.searchguard.SearchGuardPlugin

‘elasticsearch.version’: version of elasticsearch compiled against

elasticsearch.version=6.2.2

optional elements for plugins:

‘has.native.controller’: whether or not the plugin has a native controller

has.native.controller=false

Facing below errors while starting elasticsearch.

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: duplicate plugin: - Plugin information:

Name: search-guard-6

Description: searchguard_plugin

Version: 6.2.2

Native Controller: false

Requires Keystore: false

Extended Plugins:

  • Classname: com.floragunn.searchguard.SearchGuardPlugin

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: duplicate plugin: - Plugin information:

Name: search-guard-6

Description: searchguard_plugin

Version: 6.2.2

Native Controller: false

Requires Keystore: false

Extended Plugins:

  • Classname: com.floragunn.searchguard.SearchGuardPlugin

at org.elasticsearch.plugins.PluginsService.getPluginBundles(PluginsService.java:355) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.getPluginBundles(PluginsService.java:328) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.plugins.PluginsService.(PluginsService.java:135) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.node.Node.(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]

at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]

On Wednesday, 12 December 2018 05:47:19 UTC, Search Guard wrote:

Even if you run only one node you have to configure the whole SSL/TLS stuff.

Thats because the node opens a port where transport clients (or other nodes) can connect to.

And maybe you want it for securing your http communication?

Luckily there are two things out there to make this easy:

https://search-guard.com/tls-certificate-generator/

https://docs.search-guard.com/latest/offline-tls-tool#tls-tool

Both tools generate certificates for you and a elasticsearch.yml snippet for copy and paste.

On Wednesday, 12 December 2018 06:26:51 UTC+1, harika gudumasu wrote:

Hi Jochen,

I have only one node.

Please find attached elasticsearch.yml file and sg_config.yml file. we don’t use any ldap cerficates but have our hosts,bind_dn etc which i have updated.

Still while trying to start elasticsearch facing below exceptions. Please help in getting them resolved.

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugi

… 6 more

Caused by: java.lang.reflect.InvocationTargetException

Caused by: org.elasticsearch.ElasticsearchException: searchguard.ssl.transport.keystore_filepath or searchguard.ssl.transport.pemkey_filepath must be set if transport ssl is reqested.

On Thursday, 6 December 2018 12:20:58 UTC, Search Guard wrote:

For internode communication (communication between nodes) you can not disable SSL/TLS. For the communication with your LDAP server TLS/SSL is not mandatory.

Regarding “and configure only smtp with searchguard?” i don’t get this. SMTP (Simple Mail Transfer Protocol, which is for sending E-Mails) is not supported nor related to Search Guard.

Am 06.12.2018 um 11:45 schrieb harika gudumasu harika....@gmail.com:

Hi Jochen,

Sorry for not getting back to you.

Have few more questions.

Can i turn off both ssl and tls?

and configure only smtp with searchguard?

On Tuesday, 14 August 2018 20:26:11 UTC+1, Jochen Kressin wrote:

So I’m still unsure about the question here. Let me try to rephrase: The only thing you want to do is to connect to your LDAP server without TLS, is this correct?

Like I wrote, in that case just do not enable LDAP TLS in sg_config.yml. This has nothing to do with any entry in elasticsearch.yml.

The error message you are seeing tells me that you tried to disable transport TLS (encryption for traffic between the nodes). This is not possible. Transport TLS is mandatory in Search Guard, and the config option you probably used is also not documented. So this line here:

searchguard.ssl.transport.enabled: false

needs to be removed.

On Monday, August 13, 2018 at 7:10:53 AM UTC+2, harika gudumasu wrote:

Please find elasticsearch.yml file as below.

(UAT) bwadmind@lonrs11800$ cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: MWBW_GMH_DEV

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: lonrs11800

node.master: true

node.data: true

Add custom attributes to the node:

node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /opt/app/tibco/install/elasticsearch-6.2.2/data

Path to log files:

path.logs: /opt/app/tibco/install/elasticsearch-6.2.2/logs

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 11.195.97.46

network.bind_host: 11.195.97.46

transport.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is [“127.0.0.1”, “[::1]”]

discovery.zen.ping.unicast.hosts: [“lonrs11800”, “lonrs11819”]

Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

discovery.zen.minimum_master_nodes: 1

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

gateway.recover_after_nodes: 1

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

action.destructive_requires_name: true

cluster.routing.allocation.enable: all

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.authcz.admin_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.nodes_dn: cn=app-mware_bwadmin,ou=application,ou=generic accounts,ou=user environment,dc=fm,dc=rbsgrp,dc=net

searchguard.ssl.transport.enabled: false

######## End Search Guard Demo Configuration ########


when i disable ssl and trying to start elasticsearch, facing below exceptions. Could you please help.

[2018-08-13T06:06:53,718][ERROR][o.e.b.Bootstrap ] Exception

java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.reflect.InvocationTargetException

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 15 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 15 more

[2018-08-13T06:06:53,726][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [lonrs11800] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.2.jar:6.2.2]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 6 more

Caused by: java.lang.reflect.InvocationTargetException

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
    ... 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:240) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.2.jar:6.2.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.