How to Configure Searchguard on Elasticsearch Cluster with multiple nodes

Hi,

I am trying to configure the Searchguard plugin for our 4-node Elasticsearch cluster.

Basically my goal is to forward logs to Elasticsearch through HTTPS from all the sources like Kubernetes, Nginx and Jenkins machines, and also to access Elasticsearch from Kibana with HTTPS.

How many certificates are needed, and what kind of certificates are needed?

We have our own SSL tool to generate certificates. I have created 2 DNS names, one for the nodes and another one for the admin (elastic-server.example.com and elastic-client.example.com).

Using our SSL tool I created a total of 4 keys and 2 root certs (elastic-server.example.com.key, elastic-server.example.com.pem, rootca.pem and elastic-client.example.com.key, elastic-client.example.com.pem, rootca-client.pem).

elasticsearch.yml:

searchguard.ssl.transport.pemcert_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.pem
searchguard.ssl.transport.pemkey_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.key
searchguard.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/ssl/rootca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.pem
searchguard.ssl.http.pemkey_filepath: /etc/elasticsearch/ssl/elastic-server.example.com.key
searchguard.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/ssl/rootca.pem
searchguard.nodes_dn:
- CN=elastic1-0.example.com,OU=Corp,O=example EX\, Inc.,DC= example,DC=net
- CN= elastic1-1.example.com,OU=Corp,O=example EX\, Inc.,DC= example,DC=net
- CN= elastic1-2.example.com,OU=Corp,O=example EX\, Inc.,DC= example,DC=net
- CN= elastic1-3.example.com,OU=Corp,O=example EX\, Inc.,DC= example,DC=net
searchguard.authcz.admin_dn:
- CN=elastic-client.example.com,OU=Corp,O= example EX\, Inc.,DC= example,DC=net

I am not able to connect to the Elastic cluster from outside through HTTPS, and I am also getting the error below.

./sgadmin.sh -cd …/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/ssl/root-client.pem -cert /etc/elasticsearch/ssl/elastic-client.example.com.pem -key /etc/elasticsearch/ssl/elastic-client.example.com.key

WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Unable to check whether cluster is sane: Cannot authenticate null
Connected as CN=elastic-client.example.com,OU=IT,O=example,L=ss,ST=wa,C=US
ERR: CN=elastic-client.example.com,OU=IT,O=Example,L=ss,ST=WA,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
- "CN=elastic-client.example.com,OU=IT,O=example,L=ss,ST=wa,C=US"

The Elasticsearch service is running on all the nodes. Could someone please tell me whether I am following the correct procedure or not? Thanks.

Could someone please give me some idea of what kind of certificates need to be generated for the Elastic cluster, both to access the cluster from outside through HTTPS and for node-to-node communication through HTTPS.

I have installed Elastic and Kibana version 6.5.4.
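The "is not an admin user" error in the post above is a DN mismatch: sgadmin printed the subject DN it found in the client certificate, and that string is not one of the searchguard.authcz.admin_dn entries in the posted elasticsearch.yml. The following Python script is an added illustration (not code from the post or from Search Guard): it parses both DNs RFC 2253 style (honouring the `\,` inside "example EX\, Inc."), reports RDN by RDN where they diverge, and renders the admin_dn entry in the form the error message asks for. The sample DNs are copied from the post; the exact-string comparison is an assumption.

```python
"""Diagnose Search Guard's 'is not an admin user' error: compare the subject DN that sgadmin
reported for the client certificate with the searchguard.authcz.admin_dn entries in use."""
import re

# Constructed sample input, copied from the post: the DN sgadmin printed after
# "Connected as", and the admin_dn entry from the elasticsearch.yml shown above.
CERT_DN = "CN=elastic-client.example.com,OU=IT,O=example,L=ss,ST=wa,C=US"
ADMIN_DN = ["CN=elastic-client.example.com,OU=Corp,O= example EX\\, Inc.,DC= example,DC=net"]

# RFC 2253: a comma preceded by a backslash is part of the value, not an RDN separator.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Split a DN string into (attribute type, value) pairs, unescaping '\\,' in values.
    Value whitespace is kept on purpose: a stray space after '=' is a real mismatch."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def explain_mismatch(cert_dn, configured_dns):
    """Return [] when cert_dn is listed verbatim in configured_dns (exact-string match is an
    assumption here; it is the form the sgadmin error message asks for). Otherwise return one
    note per differing RDN so the operator can see which part of the entry is wrong."""
    if cert_dn in configured_dns:
        return []
    want = parse_dn(cert_dn)
    notes = []
    for entry in configured_dns:
        have = parse_dn(entry)
        for i, ((wt, wv), (ht, hv)) in enumerate(zip(want, have)):
            if (wt, wv) != (ht, hv):
                hint = " (whitespace only)" if (ht, hv.strip()) == (wt, wv) else ""
                notes.append(f"{entry!r}: RDN {i} is {ht}={hv!r}, certificate has {wt}={wv!r}{hint}")
        if len(want) != len(have):
            notes.append(f"{entry!r}: {len(have)} RDNs configured, certificate has {len(want)}")
    return notes


def yaml_admin_dn(cert_dn):
    """Render the admin_dn block for elasticsearch.yml. Single quotes are used because a
    double-quoted YAML scalar would treat '\\,' as an (invalid) escape sequence."""
    return "searchguard.authcz.admin_dn:\n  - '" + cert_dn.replace("'", "''") + "'"


if __name__ == "__main__":
    for note in explain_mismatch(CERT_DN, ADMIN_DN) or ["DN matches an admin_dn entry"]:
        print(note)
    print(yaml_admin_dn(CERT_DN))
```

Run it against the "Connected as" DN and the nodes_dn list as well: the same RDN-by-RDN report shows whether a node certificate's subject will be accepted for transport-layer node authentication.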

That's all pretty well documented here: Security for Elasticsearch | Search Guard Documentation

You can also have a look at our blog posts: Official Search Guard blog - news about security for Elasticsearch, or at this article:

https://gryzli.info/2018/12/01/elasticsearchelk-stack-security-howto/

For generating certificates see Offline TLS Tool | Security for Elasticsearch | Search Guard

On 07.02.2019 at 01:22 Krishna G <krishna85.g@gmail.com> wrote:

