JKS for Search Guard 6.3.0

I have installed Elasticsearch and
Search Guard 6.3.0 (community edition) in my laptop that runs Ubuntu 14.04. For
the Search Guard configuration I executed the demo installation script. I want to
push some data to elasticsearch from a spring boot application and I am facing some
certificate problems.

Is there a way to create the JKS certificates
(kirk.jks and truststore.jks) from the demo certificates provided with the demo
installation script?

Thanks in advance,

Vasileios

Usually, PEM certificates are the preferred way to configure Search Guard since JKS is a proprietary format. What kinds of problems do you have that forces you to use JKS over PEM?

You can use the keytool that ships with the JDK to import PEM to JKS. For an example you might want to refer to the sample PKI scripts that ship with Search Guard SSL:

We can also recommend the Keystore Explorer that comes with a GUI if you prefer that:

http://keystore-explorer.org/

···

On Tuesday, June 26, 2018 at 2:13:13 PM UTC+2, Vasileios Kokkinos wrote:

I have installed Elasticsearch and
Search Guard 6.3.0 (community edition) in my laptop that runs Ubuntu 14.04. For
the Search Guard configuration I executed the demo installation script. I want to
push some data to elasticsearch from a spring boot application and I am facing some
certificate problems.

Is there a way to create the JKS certificates
(kirk.jks and truststore.jks) from the demo certificates provided with the demo
installation script?

Thanks in advance,

Vasileios

Jochen thank you
for your reply,

Actually, I want to push some data to elasticsearch from
a spring boot application, using the TransportClient. After looking at https://search-guard.com/searchguard-elasicsearch-transport-clients/,
I saw that I have to include the “absolute/path/to/keystore” and the “absolute/path/to/truststore”,
i.e. the jks files are necessary.

In any case, I will take a look at the .sh file and the Keystore
Explorer that you mention and hopefully I will create a valid jks file
from the demo certificates.

Once again thank you,

Vasileios

···

On Wed, Jun 27, 2018 at 9:21 PM Jochen Kressin jkressin@floragunn.com wrote:

Usually, PEM certificates are the preferred way to configure Search Guard since JKS is a proprietary format. What kinds of problems do you have that forces you to use JKS over PEM?

You can use the keytool that ships with the JDK to import PEM to JKS. For an example you might want to refer to the sample PKI scripts that ship with Search Guard SSL:

https://github.com/floragunncom/search-guard-ssl/blob/es-6.3.0/example-pki-scripts/gen_node_cert.sh

We can also recommend the Keystore Explorer that comes with a GUI if you prefer that:

http://keystore-explorer.org/

On Tuesday, June 26, 2018 at 2:13:13 PM UTC+2, Vasileios Kokkinos wrote:

I have installed Elasticsearch and
Search Guard 6.3.0 (community edition) in my laptop that runs Ubuntu 14.04. For
the Search Guard configuration I executed the demo installation script. I want to
push some data to elasticsearch from a spring boot application and I am facing some
certificate problems.

Is there a way to create the JKS certificates
(kirk.jks and truststore.jks) from the demo certificates provided with the demo
installation script?

Thanks in advance,

Vasileios

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d92a03bf-6959-44b1-963f-8aa78dcbfc50%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Oh, I see. The blog post is a bit old, it was written for SG2 and SG5 when JKS was the preferred way of configuration. But you can also use PEM certificates for the Transport Client. Instead of using these constants here for JKS:

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH,"<absolute/path/to/keystore>")

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, “<absolute/path/to/truststore>”)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, “<keystore_pasword>”)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, “<truststore_password>”)

You can just use their PEM counterparts:

SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH

SEARCHGUARD_SSL_TRANSPORT_PEMKEY_PASSWORD

SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH

SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH

···

On Thursday, June 28, 2018 at 11:14:56 AM UTC+2, Vasileios Kokkinos wrote:

Jochen thank you
for your reply,

Actually, I want to push some data to elasticsearch from
a spring boot application, using the TransportClient. After looking at https://search-guard.com/searchguard-elasicsearch-transport-clients/,
I saw that I have to include the “absolute/path/to/keystore” and the “absolute/path/to/truststore”,
i.e. the jks files are necessary.

In any case, I will take a look at the .sh file and the Keystore
Explorer that you mention and hopefully I will create a valid jks file
from the demo certificates.

Once again thank you,

Vasileios

On Wed, Jun 27, 2018 at 9:21 PM Jochen Kressin jkressin@floragunn.com wrote:

Usually, PEM certificates are the preferred way to configure Search Guard since JKS is a proprietary format. What kinds of problems do you have that forces you to use JKS over PEM?

You can use the keytool that ships with the JDK to import PEM to JKS. For an example you might want to refer to the sample PKI scripts that ship with Search Guard SSL:

https://github.com/floragunncom/search-guard-ssl/blob/es-6.3.0/example-pki-scripts/gen_node_cert.sh

We can also recommend the Keystore Explorer that comes with a GUI if you prefer that:

http://keystore-explorer.org/

On Tuesday, June 26, 2018 at 2:13:13 PM UTC+2, Vasileios Kokkinos wrote:

I have installed Elasticsearch and
Search Guard 6.3.0 (community edition) in my laptop that runs Ubuntu 14.04. For
the Search Guard configuration I executed the demo installation script. I want to
push some data to elasticsearch from a spring boot application and I am facing some
certificate problems.

Is there a way to create the JKS certificates
(kirk.jks and truststore.jks) from the demo certificates provided with the demo
installation script?

Thanks in advance,

Vasileios

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d92a03bf-6959-44b1-963f-8aa78dcbfc50%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Indeed that worked!

Thanks Jochen

···

On Fri, Jun 29, 2018 at 11:42 AM Jochen Kressin jkressin@floragunn.com wrote:

Oh, I see. The blog post is a bit old, it was written for SG2 and SG5 when JKS was the preferred way of configuration. But you can also use PEM certificates for the Transport Client. Instead of using these constants here for JKS:

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH,"<absolute/path/to/keystore>")

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, “<absolute/path/to/truststore>”)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, “<keystore_pasword>”)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, “<truststore_password>”)

You can just use their PEM counterparts:

SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH

SEARCHGUARD_SSL_TRANSPORT_PEMKEY_PASSWORD

SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH

SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH

On Thursday, June 28, 2018 at 11:14:56 AM UTC+2, Vasileios Kokkinos wrote:

Jochen thank you
for your reply,

Actually, I want to push some data to elasticsearch from
a spring boot application, using the TransportClient. After looking at https://search-guard.com/searchguard-elasicsearch-transport-clients/,
I saw that I have to include the “absolute/path/to/keystore” and the “absolute/path/to/truststore”,
i.e. the jks files are necessary.

In any case, I will take a look at the .sh file and the Keystore
Explorer that you mention and hopefully I will create a valid jks file
from the demo certificates.

Once again thank you,

Vasileios

On Wed, Jun 27, 2018 at 9:21 PM Jochen Kressin jkressin@floragunn.com wrote:

Usually, PEM certificates are the preferred way to configure Search Guard since JKS is a proprietary format. What kinds of problems do you have that forces you to use JKS over PEM?

You can use the keytool that ships with the JDK to import PEM to JKS. For an example you might want to refer to the sample PKI scripts that ship with Search Guard SSL:

https://github.com/floragunncom/search-guard-ssl/blob/es-6.3.0/example-pki-scripts/gen_node_cert.sh

We can also recommend the Keystore Explorer that comes with a GUI if you prefer that:

http://keystore-explorer.org/

On Tuesday, June 26, 2018 at 2:13:13 PM UTC+2, Vasileios Kokkinos wrote:

I have installed Elasticsearch and
Search Guard 6.3.0 (community edition) in my laptop that runs Ubuntu 14.04. For
the Search Guard configuration I executed the demo installation script. I want to
push some data to elasticsearch from a spring boot application and I am facing some
certificate problems.

Is there a way to create the JKS certificates
(kirk.jks and truststore.jks) from the demo certificates provided with the demo
installation script?

Thanks in advance,

Vasileios

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d92a03bf-6959-44b1-963f-8aa78dcbfc50%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f42c6e0e-566c-4152-8ea1-023a80e9c227%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.