How to use sgadmin? (ERR: Parsing failed. Reason: Specify at least -ks or -cert)

If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.

Elasticsearch version: 7.7.0

Server OS version: Windows 2019

Describe the issue: I don’t understand how we use sgadmin

Steps to reproduce:

  1. The GUI was enabled and some roles and users were created
  2. Now I need to use the internal database with sg_internal_users.yml
  3. Earlier I already added users such as admin, but I have already forgotten how to do it

Now I have generated a hash, added a new user to the config and want to import it.

If I run sgadmin.bat

it returns an error:
C:\Program Files\Elastic\Elasticsearch\7.7.0\plugins\search-guard-7\tools>sgadmin.bat
Search Guard Admin v7
ERR: Parsing failed. Reason: Specify at least -ks or -cert

What am I doing wrong?

Expected behavior:

Provide configuration:
elasticsearch/config/elasticsearch.yml

bootstrap.memory_lock: false
cluster.name: elasticsearch
http.port: 9200
node.data: true
node.ingest: true
node.master: true
node.name: ELK01
path.data: C:\ProgramData\Elastic\Elasticsearch\data
path.logs: C:\ProgramData\Elastic\Elasticsearch\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: basic
xpack.security.enabled: false
transport.host: localhost
network.host: 0.0.0.0

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: "esnode-key.pem"
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.enterprise_modules_enabled: false

#searchguard.ssl.transport.keystore_type: PFX
#searchguard.ssl.transport.keystore_filepath: Wildcard_2019_05.pfx
#searchguard.ssl.transport.keystore_password: "somee_P@ssw0rd!!"
#searchguard.ssl.transport.truststore_type: PFX
#searchguard.ssl.transport.truststore_filepath: Wildcard_2019_05.pfx
#searchguard.ssl.transport.truststore_password: "P@ssw0rd!!"

searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
xpack.ccr.enabled: false

elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml

_sg_meta:
  type: "config"
  config_version: 3
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      internal_authorization:
        http_enabled: true
        authorization_backend:
          type: internal
kibana/config/kibana.yml (if relevant)

Thank you!

Hi.

You need to specify at least -ks or -cert. Look at examples of sgadmin usage here https://docs.search-guard.com/latest/sgadmin-examples#sgadmin-examples

Thank you. But I tried :)

C:\ProgramData\Elastic\Elasticsearch\config\Wildcard_2019_05.pfx - is the certificate that Elastic is using

Here is what I got:

.\sgadmin.bat -cd "C:\Program Files\Elastic\Elasticsearch\7.7.0\plugins\search-guard-7\sgconfig" -ks "C:\ProgramData\Elastic\Elasticsearch\config\Wildcard_2019_05.pfx" -ts "C:\ProgramData\Elastic\Elasticsearch\config\Wildcard_2019_05.pfx" -tspass "somePassword" -kspass "somePassword" -nhnv -icl
Search Guard Admin v7
Will connect to localhost:9300 … done
16:21:05.026 [elasticsearch[client][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - Exception during establishing a SSL connection: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.ssl.Handshaker.checkThrown(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:1.8.0_251]
at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_251]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1324) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498) ~[netty-codec-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437) ~[netty-codec-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:615) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:578) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.45.Final.jar:4.1.45.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.45.Final.jar:4.1.45.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.45.Final.jar:4.1.45.Final]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_251]
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(Unknown Source) ~[?:1.8.0_251]
at sun.security.validator.Validator.getInstance(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.getValidator(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_251]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:1.8.0_251]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1494) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1508) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1392) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
… 20 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(Unknown Source) ~[?:1.8.0_251]
at java.security.cert.PKIXParameters.<init>(Unknown Source) ~[?:1.8.0_251]
at java.security.cert.PKIXBuilderParameters.<init>(Unknown Source) ~[?:1.8.0_251]
at sun.security.validator.PKIXValidator.<init>(Unknown Source) ~[?:1.8.0_251]
at sun.security.validator.Validator.getInstance(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.getValidator(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_251]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_251]
at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:1.8.0_251]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1494) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1508) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1392) ~[netty-handler-4.1.45.Final.jar:4.1.45.Final]
… 20 more
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{ZSr9m9P6Tai276MgS2GhdQ}{localhost}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:248)
at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:57)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:396)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:399)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:388)
at com.floragunn.searchguard.tools.SearchGuardAdmin.execute(SearchGuardAdmin.java:513)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:145)

This message means that the trust store you specified was:

  • empty,
  • not found, or
  • couldn’t be opened (due to access permissions for example).
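
As an added illustration that is not part of the thread and is not Search Guard code: a Python pre-flight check for the three causes listed above, applied to a PEM CA file such as the one passed with -cacert. It covers PEM files only, not PFX or JKS stores; the function names and result strings are this example's own, and "empty" here means that no complete CERTIFICATE block was found in the file.

```python
import base64
import os
import re
import sys

# PEM certificate blocks; key blocks ("PRIVATE KEY") are deliberately not matched.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_is_complete(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short form: one length byte
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_trust_file(path: str) -> str:
    """Classify a PEM CA file (-cacert / pemtrustedcas_filepath) before running sgadmin."""
    if not os.path.isfile(path):
        return "not found"
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("ascii", errors="replace")
    except OSError:                         # e.g. PermissionError from restrictive ACLs
        return "cannot be opened"
    usable = 0
    for body in PEM_CERT.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                  # corrupted base64 inside the block
            continue
        usable += der_is_complete(der)      # counts only untruncated blocks
    return f"ok: {usable} certificate(s)" if usable else "empty"


if __name__ == "__main__":
    # Usage: python check_trust.py <path-to-ca.pem> [...]; the script name is hypothetical.
    for p in sys.argv[1:]:
        print(f"{p}: {check_trust_file(p)}")
```

A file that holds only a private key, or a certificate block cut off during copy and paste, is reported as "empty" just like a zero-byte file.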

Please tell me why I need to specify a certificate at all? Why is this needed?

Well, you need to specify either a TLS certificate or a key store to prove your identity to SG. How does SG know it is you who wants to change the configuration and not a malicious user …

it works

.\sgadmin.bat -f "C:\Program Files\Elastic\Elasticsearch\7.7.0\plugins\search-guard-7\sgconfig\sg_internal_users.yml" -cacert "C:\ProgramData\Elastic\Elasticsearch\config\root-ca.pem" -cert "C:\ProgramData\Elastic\Elasticsearch\config\kirk.pem" -key "C:\ProgramData\Elastic\Elasticsearch\config\kirk-key.pem" -nhnv

thank you
