Installing SG Plugin in ELK 7.17.3 on Windows, ELK nodes are not working after installing SG

@amalk12 Now you need to initialize the SG configuration. To achieve that you’ll have to use the sgctl.sh tool for the FLX version and sgadmin.sh for the legacy one.

Please follow the SG documentation to install and configure the SG plugin for Kibana.

Also, double-check the corresponding version of the Elasticsearch and Kibana plugins before the installation.

For the Kibana yml configuration, do we need to add HTTP configuration on the ELK node servers …? How would I know which version of the SG plugin I am using, is it the FLX version or an older one?

@amalk12 Please follow the link for the SG versions matrix.

Once you complete the plugin installation, you should configure your required authentication type.

All other Kibana configuration options are described in the official Kibana documentation.

What HTTP configuration do you refer to? Is it Kibana to Elasticsearch cluster connection or web browser to Kibana web UI?

The Kibana version I’m using is 53.0.0. I am looking at the SG document which talks about the HTTP configuration in the ELK yml files to connect to Kibana. So I wanted to know, is the HTTP connection needed to connect to the Kibana SG plugin?

Ok, will go through the docs.

Thanks

@AKCG12 Could you share the exact place in the SG documentation that you’re referring to?

There is no "elk yml". You have either elasticsearch.yml, kibana.yml or logstash.yml.
ELK refers to all three products (Elasticsearch Logstash Kibana).

Yes, I meant the elasticsearch.yml here. Currently I am trying to initialize the search-guard index using the sgadmin tool, and this is the error I am getting. I have generated an admin certificate.

@amalk12 According to your previous posts, your Elasticsearch is using the FLX plugin.
That would mean you’re using the Kibana legacy plugin (53.0.0) with Elasticsearch SG FLX, am I correct?

If you’re using SG FLX, you must use sgctl tool to upload the security plugin configuration.
To upload SG configuration you use an admin certificate instead of node certificates as per SG documentation.
Also, that admin certificate must be listed in elasticsearch.yml on each node.

I am using the ELK 53.4.0 version and not the FLX version. I am trying to run the sgadmin tool to initialize the SG index, without success.

I have 3 nodes; currently I am trying to run two nodes and form a cluster. One node is up and says it is waiting for the other node, while the other node says it is unable to connect and do a handshake with the node. Not sure what the issue would be here, is it an issue related to the root CA? I have the root CA placed in the config directory of the ELK.

Does the SG index need to be initialized before the cluster is formed?

@amalk12 The SG index is mandatory to enable security features in the Elasticsearch cluster.

As per my previous comment, you’ve executed sgadmin.bat with node certificate and key (node4.pem and node4.key).

As per the documentation, sgadmin.sh requires an admin certificate that is defined in elasticsearch.yml:

searchguard.authcz.admin_dn:

  - CN=LXX,OU=ID,O=HA,L=baa, C=com

Also, the error from your screenshot indicates that the SG plugin can’t read the ciphered key.
If you used a ciphered key with the sgadmin.bat script, then you must provide a key password:

 -keypass <password>                            Password of the key of
                                                admin certificate
                                                (optional)
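
Worked example, added here and not part of the thread or of Search Guard’s own tooling: a small POSIX shell pre-flight for the two things the post above calls out, whether the key handed to sgadmin is password-protected (so -keypass is required) and whether the certificate’s subject is actually one of the searchguard.authcz.admin_dn entries in elasticsearch.yml. The file names, the sample elasticsearch.yml and the DN values are assumptions for illustration; cert_subject assumes openssl on PATH and prints the subject in RFC 2253 order, which is the form the admin_dn entries are compared against.

```shell
#!/bin/sh
# Added example, not from the thread or from Search Guard: pre-flight checks
# for the certificate you hand to sgadmin/sgctl. All paths are placeholders.
#
#   sh sgadmin-preflight.sh admin.pem admin.key elasticsearch.yml

# Exit 0 if the PEM key is password-protected. Both the PKCS#8 header and the
# legacy "Proc-Type: 4,ENCRYPTED" marker are covered; a key written without a
# password by the TLS tool matches neither.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Canonicalise a DN string so that "L=baa, C=com" and "L=baa,C=com" compare
# equal (whitespace around '=' and ',' is the usual source of mismatches).
normalize_dn() {
    printf '%s' "$1" | sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
                           -e 's/[[:space:]]*=[[:space:]]*/=/g' \
                           -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print the entries of the searchguard.authcz.admin_dn list, one per line,
# surrounding double quotes stripped. Only the block-sequence form shown in
# the thread ("  - CN=...") is handled, not YAML flow style ("[ ... ]").
admin_dns() {
    awk '
        /^searchguard\.authcz\.admin_dn:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")
            sub(/^"/, ""); sub(/"$/, "")
            print; next
        }
        inlist && /^[^[:space:]#]/ { inlist = 0 }
    ' "$1"
}

# Exit 0 if DN $1 is listed under admin_dn in the elasticsearch.yml given as $2.
dn_is_admin() {
    want=$(normalize_dn "$1")
    hits=$(admin_dns "$2" | while IFS= read -r entry; do
        if [ "$(normalize_dn "$entry")" = "$want" ]; then echo hit; fi
    done)
    [ -n "$hits" ]
}

# Subject of a PEM certificate in RFC 2253 order, the form admin_dn is matched
# against (needs openssl on PATH).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

main() {
    cert=$1; key=$2; yml=$3
    if key_is_encrypted "$key"; then
        echo "key $key is encrypted: add -keypass <password> to the sgadmin command"
    else
        echo "key $key is not encrypted: no -keypass needed"
    fi
    subject=$(cert_subject "$cert") || return 1
    if dn_is_admin "$subject" "$yml"; then
        echo "OK: '$subject' is listed under searchguard.authcz.admin_dn in $yml"
    else
        echo "NOT an admin certificate: '$subject' is not under searchguard.authcz.admin_dn in $yml"
        echo "entries found:"; admin_dns "$yml" | sed 's/^/  - /'
        return 1
    fi
}

if [ $# -eq 3 ]; then main "$@"; fi
```

A node certificate such as node4.pem fails the second check by design: its subject is not in admin_dn, which is exactly why sgadmin rejects it even when the key and CA are fine.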

Hi Pablo,

I have only generated the node4.key and node4.pem certificate; there is no password generated. The admin certificate is defined in my elasticsearch.yml file on all 3 nodes (ELK servers).
Can you please let me know the correct command to initialize the SG index.

Hi Pablo,
this is my command to initialize the SG Index using the SG Admin command

.\sgadmin.bat -cd D:\ELK\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\plugins\search-guard-7\sgconfig -icl -key D:\ELK\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\config\node4.key -cert D:\ELK\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\config\node4.pem -cacert D:\ELK\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\config\HAL-CA.cer -nhnv -h xxxxxx.com

Here, where can I add the password …, and what will be the command to add the password for the node4.pem certificate?

I have the admin certificate created on the Kibana server and I am running this command from the ELK server.

Hi Pablo,
I was troubleshooting the certificate issue; I ran the tlsdiag tool to check the certs: ./sgtlsdiag.sh -ca D:\Newfolder\ELKCerts_New\ELKCerts_New\xx.ca.pem -crt D:\Newfolder\ELKCerts_New\ELKCerts_New\node4.pem

It looks like it is unable to recognize the root CA certificate, or is it fine?

Hi Pablo,

Can you please look at this and update me … thank you

@amalk12 Try the command below too and share the output.

openssl x509 -in node4.pem -noout -text

How did you generate this certificate? Have you tried SG TLS Tool?
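
Added example, not from the thread or from Search Guard: a shell check for the transport-layer trust problem described later in the thread, run outside the JVM. It answers the PEM-or-CER question by sniffing the file, converts a DER .cer to PEM, and runs openssl verify with the CA against the node certificate, which is the same path validation the other node performs during the transport handshake; a certificate_unknown alert from the peer means that validation failed on its side. The trust store used for that handshake is the one configured in elasticsearch.yml (searchguard.ssl.transport.pemtrustedcas_filepath or truststore_filepath), which is separate from the JVM’s cacerts. File names are placeholders and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from Search Guard: check the transport
# certificates outside the JVM before starting the nodes. Assumes openssl on
# PATH; file names are placeholders.
#
#   sh check-transport-certs.sh root-ca.cer node4.pem

# Detect the container format. Search Guard's pem*_filepath settings expect
# PEM; a .cer exported from a Windows CA is frequently binary DER instead.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der        # 0x30 = ASN.1 SEQUENCE, the first byte of any DER cert
    else
        echo unknown
    fi
}

# Print the path of a PEM copy of $1, converting DER to "$1.pem" when needed.
as_pem() {
    case "$(cert_format "$1")" in
        pem) printf '%s\n' "$1" ;;
        der) openssl x509 -inform DER -in "$1" -out "$1.pem" && printf '%s\n' "$1.pem" ;;
        *)   echo "$1: not a PEM or DER certificate" >&2; return 1 ;;
    esac
}

# Build and validate the chain node cert -> CA, as the peer node does during
# the transport handshake. Exit status is openssl's: 0 only when it chains.
verify_chain() {
    ca=$(as_pem "$1") || return 1
    crt=$(as_pem "$2") || return 1
    openssl verify -CAfile "$ca" "$crt"
}

# Subject, issuer and SANs of the node certificate. The issuer must equal the
# CA's subject; hostnames/IPs in the SAN only matter when hostname
# verification is on (the sgadmin call in the thread passes -nhnv to switch
# it off for sgadmin's own connection).
show_identity() {
    crt=$(as_pem "$1") || return 1
    openssl x509 -in "$crt" -noout -subject -issuer -nameopt RFC2253
    openssl x509 -in "$crt" -noout -text \
        | awk '/Subject Alternative Name/ { p = 2 } p > 0 { print; p-- }'
}

if [ $# -eq 2 ]; then
    echo "CA file $1 is $(cert_format "$1"), node certificate $2 is $(cert_format "$2")"
    show_identity "$2"
    verify_chain "$1" "$2"
fi
```

Run it once per node with the CA file that elasticsearch.yml points at; if verify_chain prints anything other than "node4.pem: OK", the peers will reject that certificate at the handshake no matter what is in the Java trust store.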

Yes, I have used the SG TLS Tool to generate the certificates. I have created CSRs to submit to my security team.

From where should I run this command: openssl x509 -in node4.pem -noout -text

Should I run it from the Search Guard tlsdiag tool?

The major issue is, I am unable to form a cluster of my ELK nodes. I start one node, it says waiting to form a cluster, and then I go and start a second node and I get the transport layer certificate issue. Handshake failure, unknown certificate or received fatal alert, received fatal alert: certificate_unknown javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

I think it clearly points out that there is an issue with the node connectivity within the cluster (I have 3 nodes). I have added the root CA to the Java trust store … what else can I do to resolve this issue… I am having a tough time resolving this issue.

I have attached the error screenshots.

Does the CA root certificate need to be a PEM file or a CER file? Will that have an issue?