Issue in Search Guard LDAP Connectivity

Hi Team,

I am getting an exception when I run sgconfig.yml.

“java.lang.IOException:keystore was tampered with ,or password was incorrect”

caused by java.security.unrecoverablekeyException:Password verification Failed.

I am using

Search Guard version is 6.0.0 and Elasticsearch 6.0.0

JVM version is 1.7 and operating system is Unix.

Kibana version is 6.0.0.

Configuration file is:

sgconfig.yml

    searchguard:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
            remoteIpHeader: 'x-forwarded-for'
            proxiesHeader: 'x-forwarded-by'
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 4
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          ldap:
            http_enabled: false
            transport_enabled: false
            order: 5
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: ldap
              config:
                enable_ssl: false
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                hosts:
                bind_dn: CN=c-ajitC,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai abc House,DC=ad,DC=abc,DC=com
                password: Abc1234
                userbase: 'dc=ad,dc=abc,dc=com'
                usersearch: '(sAMAccountName={0})'
                username_attribute: null
        authz:
          roles_from_myldap:
            http_enabled: false
            transport_enabled: false
            authorization_backend:
              type: ldap
              config:
                enable_ssl: false
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                hosts:
                bind_dn: CN=c-AkhilT,OU=Technology,OU=Corporate Technology,OU=Corporate Group,OU=Mumbai abc House,DC=ad,DC=abc,DC=com
                password: Abc@1234
                userbase: 'dc=ad,dc=abc,dc=com'
                rolesearch: '(member={0})'
                userroleattribute: null
                userrolename: disabled
                rolename: cn
                resolve_nested_roles: true
                usersearch: '(uid={0})'

This does not seem related to sg_config or LDAP, since you are not using TLS here at all. I suspect that the TLS configuration in elasticsearch.yml is not correct. Can you please post it here?

Also - you are saying you are using ES 6.0.0. There is no official SG release for that ES version, so you probably run a beta that may contain bugs. For a list of versions see here:


Hi @Jochen Kressin,

I am using TLS, but I don’t have much idea about Search Guard because I am new to Search Guard.

My elasticsearch.yml is:

    http.port: 9400
    transport.tcp.port: 9302
    bootstrap.system_call_filter: false
    searchguard.ssl.transport.keystore_filepath: keystore.jks
    searchguard.ssl.transport.keystore_password: changeit
    searchguard.ssl.http.truststore_filepath: truststore.jks
    searchguard.ssl.transport.truststore_filepath: truststore.jks
    searchguard.ssl.transport.pemcert_filepath: esnode.pem
    searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.pemcert_filepath: esnode.pem
    searchguard.ssl.http.pemkey_filepath: esnode-key.pem
    searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
    searchguard.allow_unsafe_democertificates: true
    searchguard.allow_default_init_sgindex: true
    searchguard.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test,C=de
    cluster.name: searchguard_demo
    network.host: MUMCHELK01
    node.max_local_storage_nodes: 1
    searchguard.restapi.roles_enabled: ["sg_all_access","sg_kibana_user"]
    searchguard.audit.type: internal_elasticsearch


Your TLS configuration in elasticsearch.yml does not make sense. You would either use PEM certificates OR truststore files to configure TLS, but never both.

How do you want to provide the TLS certificates? As PEM or as truststore files? From your config I would assume you used the demo installer script? Is that correct?

If this is the case, just remove all keystore/truststore settings from the configuration and only use PEM certificates.
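A small check for the mix-up described in the reply above, as an added example that is not part of the original thread or of Search Guard's own tooling: it scans flat elasticsearch.yml text and reports each layer (transport, http) that sets PEM and keystore/truststore options together. The function names are hypothetical; the sample input is the TLS portion of the elasticsearch.yml posted in this thread.

```python
import re

# Matches Search Guard TLS settings such as searchguard.ssl.transport.pemcert_filepath
TLS_KEY = re.compile(r"^(searchguard\.ssl\.(transport|http)\.(\w+))\s*:")

def tls_formats(config_text):
    """Group the TLS file settings of each layer by certificate format."""
    found = {}
    for raw in config_text.splitlines():
        m = TLS_KEY.match(raw.strip())      # commented-out lines start with '#' and never match
        if not m:
            continue
        full_key, layer, suffix = m.groups()
        if suffix.startswith("pem"):
            kind = "pem"
        elif suffix.startswith(("keystore", "truststore")):
            kind = "store"
        else:
            continue                        # e.g. enabled, enforce_hostname_verification
        found.setdefault(layer, {"pem": [], "store": []})[kind].append(full_key)
    return found

def mixed_layers(config_text):
    """Layers that configure PEM files and keystore/truststore files together."""
    return {layer: kinds for layer, kinds in tls_formats(config_text).items()
            if kinds["pem"] and kinds["store"]}

def store_keys_to_remove(config_text):
    """Keystore/truststore settings to delete when keeping only the PEM settings."""
    return sorted(k for kinds in mixed_layers(config_text).values() for k in kinds["store"])

# TLS lines copied from the elasticsearch.yml posted in this thread
SAMPLE = """\
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
"""

if __name__ == "__main__":
    for layer in sorted(mixed_layers(SAMPLE)):
        print(f"{layer}: PEM and keystore/truststore settings are both present")
    for key in store_keys_to_remove(SAMPLE):
        print(f"remove: {key}")
```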


Hi Jochen Kressin,

I removed keystore/truststore, then I am getting an exception:

[2018-09-07T17:22:46,381][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] Unable to connect to ldapserver ad.example.com:389 due to java.io.IOException: Keystore was tampered with, or password was incorrect. Try next.

[2018-09-07T17:34:26,471][WARN ][c.f.d.a.l.b.LDAPAuthorizationBackend] Unable to connect to ldapserver ad.example.com:389 due to java.io.IOException: Keystore was tampered with, or password was incorrect. Try next.

[2018-09-07T17:34:26,473][WARN ][c.f.s.a.BackendRegistry ] Authentication finally failed for s-WalletA
