How to communicate with a cluster that has SSL set up

On Tuesday, July 3, 2018 at 5:44:44 PM UTC+2, Alexander Villamar wrote:

Hi, I am a complete newbie with searchguard. I used the online certificate generator to set up my single node cluster. I used the truststore and keystore files to do this. I see that within the client-certificates file there are files with CN=demouser which are used for a client. I have the cluster up and running. If I wanted to, per se, run the command curl -XGET "https://localhost:9200/_cat/indices?v" from the shell to retrieve the indices, how would I use the demouser files to do this? Is there something I have to set up in the elasticsearch.yml file? Thanks for helping a newbie out.

On Wednesday, July 4, 2018 at 4:00:53 PM UTC-4, Jochen Kressin wrote:

You don’t need a client certificate to communicate with a TLS-secured cluster. This is only necessary when you really want to use TLS client certificate authentication. I guess that you have installed the Search Guard default configuration, right? In this case HTTP Basic Authentication is active and uses the internal user database for authentication and authorization. So you just need to add a basic auth header to curl. Since you use self-signed certificates, you either need to provide the root CA for certificate validation to curl, or you tell curl to skip certificate validation. So the easiest (although not 100% secure since we skip cert validation) call is:

curl --insecure -u admin:admin -XGET "https://localhost:9200/_cat/indices?v"

On Thursday, July 5, 2018 at 5:02:05 PM UTC+2, Alexander Villamar wrote:

Thanks for the reply. I want to truly use TLS client certificate authentication and set up a working example. From the documentation I take it that I have to configure this in the sg_config.yml file. There is a lot there already by default so I am not too sure if any of the default configurations will interfere with this. Within the “authc” section I’m guessing I’ll have to work with the “clientcert_auth_domain”? Sorry for all the questions, I am an intern trying to learn this on the fly. Thanks.

On Thursday, July 5, 2018 at 11:07:12 AM UTC-4, Jochen Kressin wrote:

If you only want client certificate authentication, just remove everything in the authc section and follow this setup here:

https://docs.search-guard.com/latest/client-certificate-auth

But you can also combine authenticators. Say, use Basic Auth if client certificate auth did not succeed. In this case you would place the certificate authentication domain first in the auth chain by giving it an order of 0.

clientcert_auth_domain:
  enabled: true
  order: 0
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn
    challenge: false
  authentication_backend:
    type: noop

Then add a second one for Basic Auth and the internal user database with order 1:

basic_internal_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: internal

But the configuration really depends on the use case you want to implement.
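
Added example, not part of the original posts: shell helpers for the two kinds of call discussed in this thread, Basic Auth with the root CA supplied for validation instead of --insecure, and TLS client certificate authentication with the demouser files. The file names (root-ca.pem, demouser.crt.pem, demouser.key.pem), the host and the helper names are assumptions; substitute the PEM files your certificate generator produced.

```shell
#!/bin/sh
# Added example; file names, host and helper names are placeholders.
SG_URL="${SG_URL:-https://localhost:9200}"
SG_CA="${SG_CA:-root-ca.pem}"            # root CA that signed the node certificate
SG_CERT="${SG_CERT:-demouser.crt.pem}"   # client certificate (CN=demouser), PEM
SG_KEY="${SG_KEY:-demouser.key.pem}"     # private key for that certificate, PEM

# Stop before any network call if a required PEM file is missing.
require_files() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
}

# Basic auth with the server certificate validated against the root CA
# (replaces --insecure). Passing only the user name makes curl prompt for
# the password, which keeps it out of the shell history.
sg_get_basic() {    # usage: sg_get_basic <user> <path>
    require_files "$SG_CA" || return 2
    curl --silent --show-error --fail --cacert "$SG_CA" -u "$1" "$SG_URL$2"
}

# TLS client certificate authentication: no -u, the identity is the certificate.
sg_get_cert() {     # usage: sg_get_cert <path>
    require_files "$SG_CA" "$SG_CERT" "$SG_KEY" || return 2
    curl --silent --show-error --fail \
         --cacert "$SG_CA" --cert "$SG_CERT" --key "$SG_KEY" "$SG_URL$1"
}

# With username_attribute: cn the user name is taken from the CN of the
# certificate subject. Extract it from an RFC 2253 subject string
# (assumes the CN value contains no escaped commas).
cn_from_subject() { # usage: cn_from_subject 'CN=demouser,OU=client,O=client'
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *[Cc][Nn]=//p' | head -n 1
}

# Print the user name a PEM certificate file would authenticate as.
cert_username() {   # usage: cert_username <cert.pem>
    require_files "$1" || return 2
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    cn_from_subject "${subject#subject=}"
}
```

For example, `sg_get_cert '/_cat/indices?v'` repeats the request from the question using the demouser certificate, and `cert_username "$SG_CERT"` shows the name that certificate maps to.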


Thank you so much for your help Jochen, I appreciate it.
