Is X-Pack transport java client compatible with search-guard ssl?

Can I use X-Pack java client to create transport connection to search guard ssl?

I tried it with minimum configuration:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
    .put("cluster.name", "elasticsearch")
    .put("xpack.security.user", "admin:admin")
    ...
    .build())
  .addTransportAddress(new InetSocketTransportAddress("localhost", 9300));

but it didn't work.

I'm getting error when making a request:
> Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{XeBoeAgsR_2kcJT9KTnQ6g}{127.0.0.1}{127.0.0.1:9300}]]
> at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:314)
>         at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:228)

The version of ES and SG is 5.0 and I run it with default setting following this instruction: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

why you want do this?

It should be no problem to connect with the normal transport client,

see https://github.com/floragunncom/search-guard/blob/5.0.0/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java#L289

Nevertheless you need a ssl certificate to make the connection, username/password alone is not sufficient cause ssl for transport layer is mandatory with Search Guard.

More on that: https://floragunn.com/searchguard-elasicsearch-transport-clients/ and https://floragunn.com/transport-client-authentication-authorization/ and https://floragunn.com/search-guard-ssl-tls/

···

On Wednesday, 21 December 2016 00:07:24 UTC+1, Andi B wrote:

Can I use X-Pack java client to create transport connection to search guard ssl?

I tried it with minimum configuration:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
    .put("[cluster.name](http://cluster.name)", "elasticsearch")
    .put("xpack.security.user", "admin:admin")
    ...
    .build())
  .addTransportAddress(new InetSocketTransportAddress("localhost", 9300));

but it didn’t work.

I’m getting error when making a request:



Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{XeBoeAgsR_2kcJT9KTnQ6g}{127.0.0.1}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:314)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:228)

The version of ES and SG is 5.0 and I run it with default setting following this instruction: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

Thank you.

So I had made it working with this steps:

  1. Add dependency to search-guard-ssl plugin on maven pom.xml:

     <dependency>
         <groupId>com.floragunn</groupId>
         <artifactId>search-guard-ssl</artifactId>
         <version>5.0.0-17</version>
     </dependency>
    

``

  1. I found CN=localhost-keystore.jks and truststore.jks on elasticsearch-5.0.0-localhost’s config folder so I use those keystore & truststore on the code. I also found their password from config/elasticsearch.yml.

     Settings settings = Settings.builder()
         .put("cluster.name", "elasticsearch")
         .put("path.home", "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost")
         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/CN=localhost-keystore.jks")
         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/truststore.jks")
         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "7bf985c6005ec24dbe6f")
         .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "5ad771e520d2e1e19225")
         .build();
    
      TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
    
         .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("localhost"), 9300));
    
      ClusterHealthStatus status = client.admin().cluster().prepareHealth().get().getStatus();
    
      System.out.println("Cluster health status: " + status);
    

``

It’s interesting that I have to put “path.home” setting, otherwise I would get error “java.lang.IllegalStateException: path.home is not configured”.

Let me know if there are something missing or things that can be improved.

···

On Wednesday, December 21, 2016 at 6:24:55 AM UTC+7, Search Guard wrote:

why you want do this?

It should be no problem to connect with the normal transport client,

see https://github.com/floragunncom/search-guard/blob/5.0.0/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java#L289

Nevertheless you need a ssl certificate to make the connection, username/password alone is not sufficient cause ssl for transport layer is mandatory with Search Guard.

More on that: https://floragunn.com/searchguard-elasicsearch-transport-clients/ and https://floragunn.com/transport-client-authentication-authorization/ and https://floragunn.com/search-guard-ssl-tls/

On Wednesday, 21 December 2016 00:07:24 UTC+1, Andi B wrote:

Can I use X-Pack java client to create transport connection to search guard ssl?

I tried it with minimum configuration:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
    .put("[cluster.name](http://cluster.name)", "elasticsearch")
    .put("xpack.security.user", "admin:admin")
    ...
    .build())
  .addTransportAddress(new InetSocketTransportAddress("localhost", 9300));

but it didn’t work.

I’m getting error when making a request:



Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{XeBoeAgsR_2kcJT9KTnQ6g}{127.0.0.1}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:314)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:228)

The version of ES and SG is 5.0 and I run it with default setting following this instruction: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

The needs of setting “path.home” is bugging me, since I’m using transport client not node client, why is there a need to set the path.home?

Is there a way to disable the path.home validation?

···

On Wednesday, December 21, 2016 at 6:41:46 PM UTC+7, Andi B wrote:

Thank you.

So I had made it working with this steps:

  1. Add dependency to search-guard-ssl plugin on maven pom.xml:
    <dependency>
        <groupId>com.floragunn</groupId>
        <artifactId>search-guard-ssl</artifactId>
        <version>5.0.0-17</version>
    </dependency>

``

  1. I found CN=localhost-keystore.jks and truststore.jks on elasticsearch-5.0.0-localhost’s config folder so I use those keystore & truststore on the code. I also found their password from config/elasticsearch.yml.
    Settings settings = Settings.builder()
        .put("[cluster.name](http://cluster.name)", "elasticsearch")
        .put("path.home", "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/CN=localhost-keystore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/truststore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "7bf985c6005ec24dbe6f")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "5ad771e520d2e1e19225")
        .build();


     TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
        .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("localhost"), 9300));

     ClusterHealthStatus status = client.admin().cluster().prepareHealth().get().getStatus();
     System.out.println("Cluster health status: " + status);

``

It’s interesting that I have to put “path.home” setting, otherwise I would get error “java.lang.IllegalStateException: path.home is not configured”.

Let me know if there are something missing or things that can be improved.

On Wednesday, December 21, 2016 at 6:24:55 AM UTC+7, Search Guard wrote:

why you want do this?

It should be no problem to connect with the normal transport client,

see https://github.com/floragunncom/search-guard/blob/5.0.0/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java#L289

Nevertheless you need a ssl certificate to make the connection, username/password alone is not sufficient cause ssl for transport layer is mandatory with Search Guard.

More on that: https://floragunn.com/searchguard-elasicsearch-transport-clients/ and https://floragunn.com/transport-client-authentication-authorization/ and https://floragunn.com/search-guard-ssl-tls/

On Wednesday, 21 December 2016 00:07:24 UTC+1, Andi B wrote:

Can I use X-Pack java client to create transport connection to search guard ssl?

I tried it with minimum configuration:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
    .put("[cluster.name](http://cluster.name)", "elasticsearch")
    .put("xpack.security.user", "admin:admin")
    ...
    .build())
  .addTransportAddress(new InetSocketTransportAddress("localhost", 9300));

but it didn’t work.

I’m getting error when making a request:



Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{XeBoeAgsR_2kcJT9KTnQ6g}{127.0.0.1}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:314)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:228)

The version of ES and SG is 5.0 and I run it with default setting following this instruction: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

Hello Ben,
I’m trying to setup SSL using search guard in elastic search similar to what you have done. could you please help me in providing the documentation for this.

···

On Wednesday, December 21, 2016 at 6:48:04 AM UTC-6, Ben Kaffani wrote:

The needs of setting “path.home” is bugging me, since I’m using transport client not node client, why is there a need to set the path.home?

Is there a way to disable the path.home validation?

On Wednesday, December 21, 2016 at 6:41:46 PM UTC+7, Andi B wrote:

Thank you.

So I had made it working with this steps:

  1. Add dependency to search-guard-ssl plugin on maven pom.xml:
    <dependency>
        <groupId>com.floragunn</groupId>
        <artifactId>search-guard-ssl</artifactId>
        <version>5.0.0-17</version>
    </dependency>

``

  1. I found CN=localhost-keystore.jks and truststore.jks on elasticsearch-5.0.0-localhost’s config folder so I use those keystore & truststore on the code. I also found their password from config/elasticsearch.yml.
    Settings settings = Settings.builder()
        .put("[cluster.name](http://cluster.name)", "elasticsearch")
        .put("path.home", "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/CN=localhost-keystore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/truststore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "7bf985c6005ec24dbe6f")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "5ad771e520d2e1e19225")
        .build();


     TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
        .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("localhost"), 9300));

     ClusterHealthStatus status = client.admin().cluster().prepareHealth().get().getStatus();
     System.out.println("Cluster health status: " + status);

``

It’s interesting that I have to put “path.home” setting, otherwise I would get error “java.lang.IllegalStateException: path.home is not configured”.

Let me know if there are something missing or things that can be improved.

On Wednesday, December 21, 2016 at 6:24:55 AM UTC+7, Search Guard wrote:

why you want do this?

It should be no problem to connect with the normal transport client,

see https://github.com/floragunncom/search-guard/blob/5.0.0/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java#L289

Nevertheless you need a ssl certificate to make the connection, username/password alone is not sufficient cause ssl for transport layer is mandatory with Search Guard.

More on that: https://floragunn.com/searchguard-elasicsearch-transport-clients/ and https://floragunn.com/transport-client-authentication-authorization/ and https://floragunn.com/search-guard-ssl-tls/

On Wednesday, 21 December 2016 00:07:24 UTC+1, Andi B wrote:

Can I use X-Pack java client to create transport connection to search guard ssl?

I tried it with minimum configuration:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
    .put("[cluster.name](http://cluster.name)", "elasticsearch")
    .put("xpack.security.user", "admin:admin")
    ...
    .build())
  .addTransportAddress(new InetSocketTransportAddress("localhost", 9300));

but it didn’t work.

I’m getting error when making a request:



Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{XeBoeAgsR_2kcJT9KTnQ6g}{127.0.0.1}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:314)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:228)

The version of ES and SG is 5.0 and I run it with default setting following this instruction: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

There’s a two part article about transport clients on our blog:

https://floragunn.com/searchguard-elasicsearch-transport-clients/

https://floragunn.com/transport-client-authentication-authorization/

···

On Friday, April 21, 2017 at 1:11:12 AM UTC+2, kandyjava1@gmail.com wrote:

Hello Ben,
I’m trying to setup SSL using search guard in elastic search similar to what you have done. could you please help me in providing the documentation for this.

On Wednesday, December 21, 2016 at 6:48:04 AM UTC-6, Ben Kaffani wrote:

The needs of setting “path.home” is bugging me, since I’m using transport client not node client, why is there a need to set the path.home?

Is there a way to disable the path.home validation?

On Wednesday, December 21, 2016 at 6:41:46 PM UTC+7, Andi B wrote:

Thank you.

So I had made it working with this steps:

  1. Add dependency to search-guard-ssl plugin on maven pom.xml:
    <dependency>
        <groupId>com.floragunn</groupId>
        <artifactId>search-guard-ssl</artifactId>
        <version>5.0.0-17</version>
    </dependency>

``

  1. I found CN=localhost-keystore.jks and truststore.jks on elasticsearch-5.0.0-localhost’s config folder so I use those keystore & truststore on the code. I also found their password from config/elasticsearch.yml.
    Settings settings = Settings.builder()
        .put("[cluster.name](http://cluster.name)", "elasticsearch")
        .put("path.home", "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/CN=localhost-keystore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "/home/user/bin/elasticsearch-5.0.0-sg5/elasticsearch-5.0.0-localhost/config/truststore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "7bf985c6005ec24dbe6f")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "5ad771e520d2e1e19225")
        .build();


     TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
        .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("localhost"), 9300));

     ClusterHealthStatus status = client.admin().cluster().prepareHealth().get().getStatus();
     System.out.println("Cluster health status: " + status);

``

It’s interesting that I have to put “path.home” setting, otherwise I would get error “java.lang.IllegalStateException: path.home is not configured”.

Let me know if there are something missing or things that can be improved.

On Wednesday, December 21, 2016 at 6:24:55 AM UTC+7, Search Guard wrote:

why you want do this?

It should be no problem to connect with the normal transport client,

see https://github.com/floragunncom/search-guard/blob/5.0.0/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java#L289

Nevertheless you need a ssl certificate to make the connection, username/password alone is not sufficient cause ssl for transport layer is mandatory with Search Guard.

More on that: https://floragunn.com/searchguard-elasicsearch-transport-clients/ and https://floragunn.com/transport-client-authentication-authorization/ and https://floragunn.com/search-guard-ssl-tls/

On Wednesday, 21 December 2016 00:07:24 UTC+1, Andi B wrote:

Can I use X-Pack java client to create transport connection to search guard ssl?

I tried it with minimum configuration:

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
    .put("[cluster.name](http://cluster.name)", "elasticsearch")
    .put("xpack.security.user", "admin:admin")
    ...
    .build())
  .addTransportAddress(new InetSocketTransportAddress("localhost", 9300));

but it didn’t work.

I’m getting error when making a request:



Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{XeBoeAgsR_2kcJT9KTnQ6g}{127.0.0.1}{127.0.0.1:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:314)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:228)

The version of ES and SG is 5.0 and I run it with default setting following this instruction: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

Hi Jochen,

Would you mind adding an example e.g. the syslog-ng implementation?

Sure, can do, however, we will add a separate chapter to the docs about using transport clients, so I’d rather use the example there.

···

On Tuesday, May 9, 2017 at 10:35:57 AM UTC+2, Fabien Wernli wrote:

Hi Jochen,

Would you mind adding an example e.g. the syslog-ng implementation?