On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Thursday, June 28, 2018 at 7:18:24 PM UTC+2, InternalUserPWDchange wrote:

Hi,

1. Generated password using ./hash.sh.

2. Changed username and password (generated by step 1) in sg_internal_users.yml file.

3. run a command ./sgadmin.sh -other parameters -

Output :

ERR: CN=domainname.com is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

Please let me know.

Thanks

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Friday, June 29, 2018 at 3:14:16 AM UTC-5, Jochen Kressin wrote:

Well, I think the error message is rather clear:

"Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

"

The certificate you use is not registered in elasticsearch.yml as admin certificate. Please check the respective entry as stated in the error message. If this does not solve the problem we need

"When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any"

In this case especially the elasticsearch.yml is relevant.

On Thursday, June 28, 2018 at 7:18:24 PM UTC+2, InternalUserPWDchange wrote:

Hi,

1. Generated password using ./hash.sh.

2. Changed username and password (generated by step 1) in sg_internal_users.yml file.

3. run a command ./sgadmin.sh -other parameters -

Output :

ERR: CN=domainname.com is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

Please let me know.

Thanks

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Friday, June 29, 2018 at 6:06:15 PM UTC+2, InternalUserPWDchange wrote:

It is no different in elasticsearch.yml.

elasticsearch.yml :

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.transport.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.transport.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.http.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.http.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

#searchguard.enable_snapshot_restore_privilege: true

#searchguard.check_snapshot_restore_write_privileges: true

searchguard.restapi.roles_enabled: [“sg_all_access”]

searchguard.enterprise_modules_enabled: false

Elasticsearch version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS (running on one node)

Java -version : 1.8.0_171

• changes are in sg_internal_users.yml file only, others are SearchGuard default config files.

sg_internal_user config file :

This is the internal user database

The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

#password is: password

#admin:

companyusername:

readonly: true

hash: hashpassword

roles:

- admin

attributes:

#no dots allowed in attribute names

attribute1: value1

attribute2: value2

attribute3: value3

#password is: logstashpassword

logstash:

hash: hashpassword

roles:

- logstash

Thank you for your help.

On Friday, June 29, 2018 at 3:14:16 AM UTC-5, Jochen Kressin wrote:

Well, I think the error message is rather clear:

"Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

"

The certificate you use is not registered in elasticsearch.yml as admin certificate. Please check the respective entry as stated in the error message. If this does not solve the problem we need

"When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any"

In this case especially the elasticsearch.yml is relevant.

On Thursday, June 28, 2018 at 7:18:24 PM UTC+2, InternalUserPWDchange wrote:

Hi,

1. Generated password using ./hash.sh.

2. Changed username and password (generated by step 1) in sg_internal_users.yml file.

3. run a command ./sgadmin.sh -other parameters -

Output :

ERR: CN=domainname.com is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

Please let me know.

Thanks

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Sunday, July 1, 2018 at 6:02:56 AM UTC-5, Jochen Kressin wrote:

So have you actually tried to configure SG as stated in the error message?

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

From your post I see you have a different setting here:

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

``

If you are unsure check the DN of your admin certificate manually, you can find instructions about that here:

https://docs.search-guard.com/latest/troubleshooting-tls

Also, since I see this is an LetsEncrypt certificate: Are you trying to use this (one) certificate for REST, node and as admin certificate? This will not work, the admin certificate needs to be a different one than the node certificate. In other words, for a minimal SG setup you need at least two certificate: A node certificate and an admin certificate.

On Friday, June 29, 2018 at 6:06:15 PM UTC+2, InternalUserPWDchange wrote:

It is no different in elasticsearch.yml.

elasticsearch.yml :

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.transport.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.transport.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.http.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.http.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

#searchguard.enable_snapshot_restore_privilege: true

#searchguard.check_snapshot_restore_write_privileges: true

searchguard.restapi.roles_enabled: [“sg_all_access”]

searchguard.enterprise_modules_enabled: false

Elasticsearch version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS (running on one node)

Java -version : 1.8.0_171

• changes are in sg_internal_users.yml file only, others are SearchGuard default config files.

sg_internal_user config file :

This is the internal user database

The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

#password is: password

#admin:

companyusername:

readonly: true

hash: hashpassword

roles:

- admin

attributes:

#no dots allowed in attribute names

attribute1: value1

attribute2: value2

attribute3: value3

#password is: logstashpassword

logstash:

hash: hashpassword

roles:

- logstash

Thank you for your help.

On Friday, June 29, 2018 at 3:14:16 AM UTC-5, Jochen Kressin wrote:

Well, I think the error message is rather clear:

"Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

"

The certificate you use is not registered in elasticsearch.yml as admin certificate. Please check the respective entry as stated in the error message. If this does not solve the problem we need

"When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any"

In this case especially the elasticsearch.yml is relevant.

On Thursday, June 28, 2018 at 7:18:24 PM UTC+2, InternalUserPWDchange wrote:

Hi,

1. Generated password using ./hash.sh.

2. Changed username and password (generated by step 1) in sg_internal_users.yml file.

3. run a command ./sgadmin.sh -other parameters -

Output :

ERR: CN=domainname.com is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

Please let me know.

Thanks

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Monday, July 2, 2018 at 6:47:48 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have a different certificate for node!

On Sunday, July 1, 2018 at 6:02:56 AM UTC-5, Jochen Kressin wrote:

So have you actually tried to configure SG as stated in the error message?

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

From your post I see you have a different setting here:

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

``

If you are unsure check the DN of your admin certificate manually, you can find instructions about that here:

https://docs.search-guard.com/latest/troubleshooting-tls

Also, since I see this is an LetsEncrypt certificate: Are you trying to use this (one) certificate for REST, node and as admin certificate? This will not work, the admin certificate needs to be a different one than the node certificate. In other words, for a minimal SG setup you need at least two certificate: A node certificate and an admin certificate.

On Friday, June 29, 2018 at 6:06:15 PM UTC+2, InternalUserPWDchange wrote:

It is no different in elasticsearch.yml.

elasticsearch.yml :

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.transport.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.transport.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.http.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.http.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

#searchguard.enable_snapshot_restore_privilege: true

#searchguard.check_snapshot_restore_write_privileges: true

searchguard.restapi.roles_enabled: [“sg_all_access”]

searchguard.enterprise_modules_enabled: false

Elasticsearch version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS (running on one node)

Java -version : 1.8.0_171

• changes are in sg_internal_users.yml file only, others are SearchGuard default config files.

sg_internal_user config file :

This is the internal user database

The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

#password is: password

#admin:

companyusername:

readonly: true

hash: hashpassword

roles:

- admin

attributes:

#no dots allowed in attribute names

attribute1: value1

attribute2: value2

attribute3: value3

#password is: logstashpassword

logstash:

hash: hashpassword

roles:

- logstash

Thank you for your help.

On Friday, June 29, 2018 at 3:14:16 AM UTC-5, Jochen Kressin wrote:

Well, I think the error message is rather clear:

"Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

"

The certificate you use is not registered in elasticsearch.yml as admin certificate. Please check the respective entry as stated in the error message. If this does not solve the problem we need

"When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any"

In this case especially the elasticsearch.yml is relevant.

On Thursday, June 28, 2018 at 7:18:24 PM UTC+2, InternalUserPWDchange wrote:

Hi,

1. Generated password using ./hash.sh.

2. Changed username and password (generated by step 1) in sg_internal_users.yml file.

3. run a command ./sgadmin.sh -other parameters -

Output :

ERR: CN=domainname.com is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

Please let me know.

Thanks

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

On Monday, July 2, 2018 at 12:12:03 PM UTC-5, Jochen Kressin wrote:

So have you actually tried to configure SG as stated in the error message?

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

On Monday, July 2, 2018 at 6:47:48 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have a different certificate for node!

On Sunday, July 1, 2018 at 6:02:56 AM UTC-5, Jochen Kressin wrote:

So have you actually tried to configure SG as stated in the error message?

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

From your post I see you have a different setting here:

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

``

If you are unsure check the DN of your admin certificate manually, you can find instructions about that here:

https://docs.search-guard.com/latest/troubleshooting-tls

Also, since I see this is an LetsEncrypt certificate: Are you trying to use this (one) certificate for REST, node and as admin certificate? This will not work, the admin certificate needs to be a different one than the node certificate. In other words, for a minimal SG setup you need at least two certificate: A node certificate and an admin certificate.

On Friday, June 29, 2018 at 6:06:15 PM UTC+2, InternalUserPWDchange wrote:

It is no different in elasticsearch.yml.

elasticsearch.yml :

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.transport.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.transport.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: ./certs/fullchain.pem

searchguard.ssl.http.pemkey_filepath: ./certs/privkey.pem

searchguard.ssl.http.pemtrustedcas_filepath: ./certs/chain.pem

searchguard.authcz.admin_dn:

• “CN=domainname.com,O=Let’s Encrypt, C=US”

#searchguard.enable_snapshot_restore_privilege: true

#searchguard.check_snapshot_restore_write_privileges: true

searchguard.restapi.roles_enabled: [“sg_all_access”]

searchguard.enterprise_modules_enabled: false

Elasticsearch version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS (running on one node)

Java -version : 1.8.0_171

• changes are in sg_internal_users.yml file only, others are SearchGuard default config files.

sg_internal_user config file :

This is the internal user database

The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

#password is: password

#admin:

companyusername:

readonly: true

hash: hashpassword

roles:

- admin

attributes:

#no dots allowed in attribute names

attribute1: value1

attribute2: value2

attribute3: value3

#password is: logstashpassword

logstash:

hash: hashpassword

roles:

- logstash

Thank you for your help.

On Friday, June 29, 2018 at 3:14:16 AM UTC-5, Jochen Kressin wrote:

Well, I think the error message is rather clear:

"Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

"

The certificate you use is not registered in elasticsearch.yml as admin certificate. Please check the respective entry as stated in the error message. If this does not solve the problem we need

"When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any"

In this case especially the elasticsearch.yml is relevant.

On Thursday, June 28, 2018 at 7:18:24 PM UTC+2, InternalUserPWDchange wrote:

Hi,

1. Generated password using ./hash.sh.

2. Changed username and password (generated by step 1) in sg_internal_users.yml file.

3. run a command ./sgadmin.sh -other parameters -

Output :

ERR: CN=domainname.com is not an admin user

Seems you use a client certificate but this one is not registered as admin_dn

Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:

• “CN=domainname.com”

Please let me know.

Thanks

On Wednesday, June 27, 2018 at 1:14:50 PM UTC-5, Jochen Kressin wrote:

Sorry, that is not nearly enough information for us to help you. Please describe how you tried to change users and passwords and also what the output of sgadmin was when trying to apply the changes.

On Tuesday, June 26, 2018 at 7:14:06 PM UTC+2, InternalUserPWDchange wrote:

Hi,

I have changed default username and passwords but it does not make any difference. I can still log in to Kibana using old username and passwords.

Please let me know how to make it work.

ES version : 6.2.2 , SearchGuard : 6.2.2-22.3

Installed on AWS

Thanks.

When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any