Is there any way to use single pem file for elastic search instead of keystore and trustore files.

  • Search Guard and Elasticsearch version: 5.5.2

here is what I tried in my elasticsearch.yml

path:
  logs: /tmp
  conf: /usr/share/elasticsearch/config

cluster.name: ${CLUSTER_NAME}

node:
  name: ${NODE_NAME}
  master: ${NODE_MASTER}
  data: ${NODE_DATA}
  ingest: ${NODE_INGEST}

discovery.zen:
  minimum_master_nodes: ${MINIMUM_MASTER_NODES}
  ping.unicast.hosts: ${HOSTS}
network.host: ${NETWORK_HOST}

http:
  enabled: ${HTTP_ENABLE}
  compression: true
  cors:
    enabled: ${HTTP_CORS_ENABLE}
    allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}

searchguard:
    ssl.transport:
        enabled: true
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    ssl.http:
        enabled: ${HTTP_SSL}
        # clientauth_mode: REQUIRE
        clientauth_mode: OPTIONAL
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    authcz.admin_dn:
      - "CN=elastic ,OU=devops, C=COM"

kibana.yml

server.port: 5601
server.host: ‘0.0.0.0’
elasticsearch.url: ‘http://elasticsearch:9200
elasticsearch.username: “elastic”
elasticsearch.password: “changeme”
searchguard.cookie.password: “defaultcookie”
elasticsearch.ssl.verificationMode: “certificate”
elasticsearch.requestHeadersWhitelist: [ “authorization”, “x-forwarded-for”, “x-forwarded-by”, “x-proxy-user”, “x-proxy-roles” ]```

Sorry, did not get you fully:
Do you mean a single pem file which contains the certificate and the key as well?
Currently this is not possible, you need to set pemtrustedcas_filepath, pemkey_filepath and pemcert_filepath

In you example below the is "searchguard.ssl.transport.pemtrustedcas_filepath" missing.
An in kibana yml you may want to use https://elasticsearch:9200 instead of http://elasticsearch:9200

···

Am 31.10.2017 um 07:52 schrieb Udit Verma <udit.verma@srijan.net>:

* Search Guard and Elasticsearch version: 5.5.2

here is what I tried in my elasticsearch.yml

path:
  logs: /tmp
  conf: /usr/share/elasticsearch/config

cluster.name: ${CLUSTER_NAME}

node:
  name: ${NODE_NAME}
  master: ${NODE_MASTER}
  data: ${NODE_DATA}
  ingest: ${NODE_INGEST}

discovery.zen:
  minimum_master_nodes: ${MINIMUM_MASTER_NODES}
  ping.unicast.hosts: ${HOSTS}
network.host: ${NETWORK_HOST}

http:
  enabled: ${HTTP_ENABLE}
  compression: true
  cors:
    enabled: ${HTTP_CORS_ENABLE}
    allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}

searchguard:
    ssl.transport:
        enabled: true
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    ssl.http:
        enabled: ${HTTP_SSL}
        # clientauth_mode: REQUIRE
        clientauth_mode: OPTIONAL
        enable_openssl_if_available: true
        pemkey_filepath: searchguard/ssl/elastic.key.pem
        pemcert_filepath: searchguard/ssl/elastic.crtfull.pem
        enforce_hostname_verification: false
    authcz.admin_dn:
      - "CN=elastic ,OU=devops, C=COM"

kibana.yml
```
server.port: 5601
server.host: '0.0.0.0'
elasticsearch.url: 'http://elasticsearch:9200'
elasticsearch.username: "elastic"
elasticsearch.password: "changeme"
searchguard.cookie.password: "defaultcookie"
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.requestHeadersWhitelist: [ "authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]```

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1e8187fc-0728-4fd3-a262-66ac80ee259a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yes I did add a key and cert separately,
searchguard:
ssl.transport:
pemkey_filepath: searchguard/ssl/elastic.key.
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem

``

as a setting, still Elasticsearch wasn’t able to start.
Do I need to add anything else…?

As posted above, you need to set pemtrustedcas_filepath as well.

···

On Tuesday, October 31, 2017 at 10:57:12 AM UTC+1, Udit Verma wrote:

Yes I did add a key and cert separately,
searchguard:
ssl.transport:
pemkey_filepath: searchguard/ssl/elastic.key.
pemcert_filepath: searchguard/ssl/elastic.crtfull.pem

``

as a setting, still Elasticsearch wasn’t able to start.
Do I need to add anything else…?