Missing documentation for Client Certificate Validation

Hi,
I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the “http_authenticator.type” as “clientcert”. There it is mentioned to click on TLS Client Certification for further details. However I could see, it is redirecting to HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks

Abhinay.

see https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_config.yml

```yaml
clientcert_auth_domain:
  enabled: true
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn #optional, if omitted DN becomes username
    challenge: false
  authentication_backend:
    type: noop
```

(order matters if you like to combine it with other authenticators)


On 26.02.2017 at 04:28, Abhinay Thurlapati <abhinaythurlapati@gmail.com> wrote:

Hi,
I would like to validate the requests via client certificate. Following the documentation, I understood that I need to specify the "http_authenticator.type" as "clientcert". There it is mentioned to click on TLS Client Certification for further details. However I could see, it is redirecting to HTTP Basic Authentication page.

Please provide the configuration details I need to follow in order to validate the client certificates.

Thanks
Abhinay.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4d226de6-b524-42cd-95bb-fbb85238a2ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
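An added illustration (not Search Guard's own code and not part of the original reply) of the rule in the config comment above: with `username_attribute: cn` the certificate's CN becomes the username, and with the setting omitted the full DN does. The function names are hypothetical, and falling back to the DN when the attribute is absent is an assumption of this sketch.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped or quoted."""
    parts, buf, escaped, quoted = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Strip surrounding quotes and resolve \\X and ASCII \\HH escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2
                  else m.group(1), value)

def username_from_dn(subject_dn, username_attribute=None):
    """Username for a certificate subject DN under the rule in the config comment."""
    if not username_attribute:          # attribute omitted: DN becomes username
        return subject_dn
    wanted = username_attribute.lower()
    for rdn in split_unescaped(subject_dn, ","):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, _, value = ava.partition("=")
            if attr.strip().lower() == wanted:
                return unescape(value)
    return subject_dn                   # assumption: fall back to the full DN

if __name__ == "__main__":
    dn = "CN=spock,OU=client,O=client,L=Test,C=DE"   # subject DN quoted in this thread
    print(username_from_dn(dn, "cn"))
    print(username_from_dn(dn))
```

Running it against the subject of the certificate actually sent shows which name string the user and role entries would have to match.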

Thanks for the early response.

I followed this approach. I am trying to connect to elastic search using the python requests module. I am sending the client's signed certificate and the corresponding key generated using the example scripts provided by the elastic search.

However, I am receiving the response “Authentication finally failed”. Going through the source code, I think it’s not matching with any of the authentication mechanisms.

How do I fix this issue? Also, I would like to define roles for the client certificate. In that case, in the internal users yaml file, what could be the password of the hash?

Thanks

Abhinay


On 26-Feb-2017 4:13 PM, “SG” info@search-guard.com wrote:

see https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_config.yml

```yaml
clientcert_auth_domain:
  enabled: true
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn #optional, if omitted DN becomes username
    challenge: false
  authentication_backend:
    type: noop
```

(order matters if you like to combine it with other authenticators)


Hi Abhinay,

I ran into the same problem. Not sure if my findings will help you since I am struggling at another point right now.

When trying to set up es with searchguard all from scratch without using bundle and example scripts, I stumbled over something interesting in elasticsearch.yml.example:

```yaml
# This is optional
# Only needed when impersonation is used
# Allow DNs (distinguished names) to impersonate as other users
#searchguard.authcz.impersonation_dn:
#  "CN=spock,OU=client,O=client,L=Test,C=DE":
#    - worf
#  "cn=webuser,ou=IT,ou=IT,dc=company,dc=com":
#    - user2
#    - user1

# Auditlog configuration:
```

On first glance I was not able to find any lines like the above in the yml files provided with the bundles I used.

best,
Meike


ah… impersonation is something else…

but it seems searchguard is not able to validate the certificates

Forgot to add one point. This search guard is behind apache. Could it be the case that Apache is not forwarding the client certificate to search guard?

Thanks

Abhinay


On 02-Mar-2017 8:13 PM, “Me He” google-work@kampfschnuffel.de wrote:

ah… impersonation is something else…

but it seems searchguard is not able to validate the certificates


Hi,

If it is behind apache, the client certificate may not be forwarded, that is true. I have no idea how to check/fix that.

I got my test instance with the bundle finally working.
I tried the wrong certificate as it seems, or did not copy truststore.jks properly around.

best,
Meike


On Thursday, March 2, 2017 at 4:02:56 PM UTC+1, Abhinay Thurlapati wrote:

Forgot to add one point. This search guard is behind apache. Could it be the case that Apache is not forwarding client certificate to search guard.

Thanks

Abhinay
